On Fri, Jan 16, 2009 at 3:02 PM, Graham Leggett <minfrin@sharp.fm> wrote:
Jeff Trawick wrote:

With Ubuntu's packaging of OpenLDAP 2.4.9 and whatever OpenLDAP is in Leopard.latest, LDAP_OPT_REFHOPLIMIT is defined in ldap.h but the library returns an error when trying to set it to 5 (httpd LDAP's default value).  This is apparently a widespread issue (http://article.gmane.org/gmane.network.openldap.devel/3619).

The intent in apr_ldap_set_option() is apparently to ignore lack of support for LDAP_OPT_REFHOPLIMIT, but that is implemented with this compile-time check:

#if !defined(LDAP_OPT_REFHOPLIMIT) || APR_HAS_NOVELL_LDAPSDK

How to handle...  Ignore failures and return success if LDAP_OPT_REFHOPLIMIT defined but the set fails?

(As an aside, this busts httpd trunk's LDAP auth with these libraries until you set LDAPReferrals Off.)

I suspect the right way to fix this is for APR to be honest about the support for LDAP_OPT_REFHOPLIMIT - if the compile time test determines that REFHOPLIMIT is either truly unsupported or broken, the attempt should return APR_ENOTIMPL.

Since OpenLDAP defines the option but (at least in common levels) fails the option at run-time, I guess you mean a configure test instead of a compile test, using a test program that proceeds far enough along with the LDAP setup to see if LDAP_OPT_REFHOPLIMIT works?

At some point a run-time check has to decide that LDAP_OPT_ERR from ldap_set_option(..,LDAP_OPT_REFHOPLIMIT...) means not-implemented.  Alternatively, many apps should just decide that a failure of that option is not important.
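
An added example (not part of the original message, and not APR or httpd code) of the run-time handling discussed above: the result of the set call decides "not implemented", and the caller treats a missing hop limit as non-fatal. The `DEMO_*` constants, the `opt_status` codes and `demo_lib` are hypothetical stand-ins for libldap so the block builds without it.

```c
#include <stdio.h>

/* Constructed stand-ins so this builds without libldap; with the real library
 * these are ldap_set_option() and its constants. Values are made up. */
#define DEMO_OPT_REFERRALS   1
#define DEMO_OPT_REFHOPLIMIT 2
#define DEMO_OPT_SUCCESS     0
#define DEMO_OPT_FAILURE   (-1)

typedef int (*set_option_fn)(void *ld, int option, const void *value);

/* Hypothetical status codes: success / not implemented / hard failure. */
enum opt_status { OPT_OK, OPT_NOTIMPL, OPT_FAILED };

/* Run-time check: a header that defines the option proves nothing, so the
 * result of the set call itself decides "not implemented". */
enum opt_status set_refhoplimit(set_option_fn set, void *ld, int hops)
{
    if (set(ld, DEMO_OPT_REFHOPLIMIT, &hops) == DEMO_OPT_SUCCESS)
        return OPT_OK;
    return OPT_NOTIMPL;
}

/* Caller policy: the referral setting itself must succeed; a missing hop
 * limit is reported but does not abort connection setup. */
enum opt_status setup_referrals(set_option_fn set, void *ld, int chase, int hops)
{
    if (set(ld, DEMO_OPT_REFERRALS, &chase) != DEMO_OPT_SUCCESS)
        return OPT_FAILED;
    if (chase && set_refhoplimit(set, ld, hops) == OPT_NOTIMPL)
        fprintf(stderr, "referral hop limit unsupported, continuing without it\n");
    return OPT_OK;
}

/* Simulated library: *ld is a bitmask of the options it rejects at run time. */
int demo_lib(void *ld, int option, const void *value)
{
    (void)value;
    return (*(int *)ld & option) ? DEMO_OPT_FAILURE : DEMO_OPT_SUCCESS;
}

int main(void)
{
    int rejects = DEMO_OPT_REFHOPLIMIT; /* defines the option, fails the set */
    return setup_referrals(demo_lib, &rejects, 1, 5) == OPT_OK ? 0 : 1;
}
```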