On Fri, Jan 16, 2009 at 3:02 PM, Graham Leggett <firstname.lastname@example.org> wrote:
I suspect the right way to fix this is for APR to be honest about the support for LDAP_OPT_REFHOPLIMIT - if the compile time test determines that REFHOPLIMIT is either truly unsupported or broken, the attempt should return APR_ENOTIMPL.
Jeff Trawick wrote:
With Ubuntu's packaging of OpenLDAP 2.4.9 and whatever OpenLDAP is in Leopard.latest, LDAP_OPT_REFHOPLIMIT is defined in ldap.h but the library returns an error when trying to set it to 5 (httpd LDAP's default value). This is apparently a widespread issue (http://article.gmane.org/gmane.network.openldap.devel/3619).
The intent in apr_ldap_set_option() is apparently to ignore lack of support for LDAP_OPT_REFHOPLIMIT, but that is implemented with this compile-time check:
#if !defined(LDAP_OPT_REFHOPLIMIT) || APR_HAS_NOVELL_LDAPSDK
How to handle... Ignore failures and return success if LDAP_OPT_REFHOPLIMIT defined but the set fails?
(As an aside, this busts httpd trunk's LDAP auth with these libraries until you set LDAPReferrals Off.)
Since OpenLDAP defines the option but (at least in common levels) fails the option at run-time, I guess you mean a configure test instead of a compile test, using a test program that proceeds far enough along with the LDAP setup to see if LDAP_OPT_REFHOPLIMIT works?
At some point a run-time check has to decide that LDAP_OPT_ERR from ldap_set_option(..,LDAP_OPT_REFHOPLIMIT...) means not-implemented. Alternatively, many apps should just decide that a failure of that option is not important.
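The run-time handling discussed in this thread, written out as an added example (not part of the original messages, and not APR or httpd code): a failed set of the hop limit is reported as not-implemented, and the caller decides to tolerate it. The option ids, status names and `fake_set` are hypothetical stand-ins for libldap and APR so that the block builds without either library.

```c
#include <stdio.h>

/* Hypothetical stand-ins for libldap option ids/results and APR status codes. */
enum { OPT_REFERRALS = 1, OPT_REFHOPLIMIT = 2 };   /* also used as bit flags below */
enum { SET_OK = 0, SET_FAIL = -1 };
typedef enum { ST_SUCCESS, ST_ENOTIMPL, ST_EGENERAL } status_t;
typedef int (*set_fn)(void *ld, int option, const void *value);

/* Wrapper: a failed hop-limit set is reported as "not implemented",
 * any other failed option as a general error. */
status_t set_option_honest(set_fn set, void *ld, int option, const void *value)
{
    if (set(ld, option, value) == SET_OK)
        return ST_SUCCESS;
    return option == OPT_REFHOPLIMIT ? ST_ENOTIMPL : ST_EGENERAL;
}

/* Caller policy: a missing hop limit is tolerated but recorded in
 * *limit_applied; every other failure is passed up. */
status_t setup_referrals(set_fn set, void *ld, int chase, int hops, int *limit_applied)
{
    status_t st;
    *limit_applied = 0;
    st = set_option_honest(set, ld, OPT_REFERRALS, &chase);
    if (st != ST_SUCCESS || !chase)
        return st;                  /* failed, or referrals are off: no hop limit needed */
    st = set_option_honest(set, ld, OPT_REFHOPLIMIT, &hops);
    if (st == ST_ENOTIMPL)
        return ST_SUCCESS;          /* caller can log that no limit was applied */
    if (st == ST_SUCCESS)
        *limit_applied = 1;
    return st;
}

/* Constructed setter: *ld is a bitmask of option ids that fail at run time. */
int fake_set(void *ld, int option, const void *value)
{
    (void)value;
    return (*(const int *)ld & option) ? SET_FAIL : SET_OK;
}

int main(void)
{
    int failing = OPT_REFHOPLIMIT, applied;   /* option defined, set fails */
    status_t st = setup_referrals(fake_set, &failing, 1, 5, &applied);
    printf("status=%d limit_applied=%d\n", st, applied);
    return 0;
}
```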