httpd-bugs mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 37814] New: - auth_ldap built with the Microsoft LDAP SDK will not work at all with Openldap 2.2.x.
Date Tue, 06 Dec 2005 22:36:17 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=37814>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=37814

           Summary: auth_ldap built with the Microsoft LDAP SDK will not
                    work at all with Openldap 2.2.x.
           Product: Apache httpd-2
           Version: 2.0.55
          Platform: PC
        OS/Version: Windows XP
            Status: NEW
          Severity: normal
          Priority: P2
         Component: mod_auth_ldap
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: dopey@moonteeth.com


OpenLDAP 2.2.x strictly enforces the sizelimit on a search.  The size limit in
the LDAP RFC is limited to a maximum of (2^31)-1 (i.e. a signed int).  The max
sizelimit with Microsoft's SDK is (2^32)-1, which is out of spec, and OpenLDAP
2.2.x will error out when an unlimited search request comes in.
The size limit for MS's LDAP library is documented here:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ldap/ldap/session_options.asp

I tried to modify util_ldap to do an ldap_set_option to set the sizelimit on
Windows to a more sane value, and unfortunately it doesn't work.  The reason is
that the util_ldap code uses ldap_search_ext_s, and it accepts a SizeLimit
argument which overrides the session options.  This is documented at:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ldap/ldap/ldap_search_ext_s.asp

I can only theorize that Microsoft is defaulting to some library default rather
than the session value (which OpenLDAP defaults to).

I have a couple of ideas to solve the problem programmatically (rather than
rebuilding with the iPlanet SDK, which may have distribution restrictions, or
the OpenLDAP SDK, which may have other complexities involved, as I don't know that
it was ever intended for Windows deployment).

All of Apache's usage of ldap_search_ext_s passes in NULLs for the arguments
that are above and beyond ldap_search_s' arguments.  Why not just use ldap_search_s?
This will use the session limit.  The other option is to use a wrapper search
function which uses #if clauses to pass in a sane SizeLimit on Windows, and keep
the normal behavior with other SDKs.

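The range mismatch described in the report, as an added C example (not code from the report, from Apache httpd, or from either LDAP SDK): it BER-encodes a sizeLimit, applies the strict (0 .. maxInt) check a server may enforce, and shows a client-side clamp of the kind a wrapper could apply. All function names are hypothetical, and clamping to maxInt is an assumed choice of "sane" value.

```c
#include <stddef.h>
#include <stdint.h>

/* Upper bound for sizeLimit in an LDAP SearchRequest: (2^31)-1. */
#define LDAP_MAXINT 2147483647UL

/* Hypothetical helper: BER-encode a non-negative INTEGER (tag 0x02) as a
 * client library would place sizeLimit on the wire. Returns bytes written;
 * out must hold at least 11 bytes. */
size_t ber_put_uint(uint64_t v, unsigned char *out)
{
    unsigned char tmp[9];
    size_t n = 0;
    do {                                   /* collect bytes, least significant first */
        tmp[n++] = (unsigned char)(v & 0xff);
        v >>= 8;
    } while (v);
    if (tmp[n - 1] & 0x80)                 /* pad so the value is not read as negative */
        tmp[n++] = 0x00;
    out[0] = 0x02;
    out[1] = (unsigned char)n;
    for (size_t i = 0; i < n; i++)
        out[2 + i] = tmp[n - 1 - i];
    return n + 2;
}

/* Hypothetical strict server-side check: 0 if the encoded sizeLimit lies in
 * 0 .. maxInt, -1 (reject the request) otherwise. */
int strict_check_sizelimit(const unsigned char *ber, size_t len)
{
    if (len < 3 || ber[0] != 0x02 || ber[1] != len - 2 || ber[1] > 8)
        return -1;
    if (ber[2] & 0x80)                     /* negative value */
        return -1;
    uint64_t v = 0;
    for (size_t i = 0; i < ber[1]; i++)
        v = (v << 8) | ber[2 + i];
    return v <= LDAP_MAXINT ? 0 : -1;
}

/* Hypothetical clamp for a wrapper search function: a 32-bit unsigned
 * limit above maxInt is reduced to maxInt before it is sent. */
uint32_t sane_size_limit(uint32_t requested)
{
    return requested > LDAP_MAXINT ? (uint32_t)LDAP_MAXINT : requested;
}
```

The (2^32)-1 value needs five content bytes (a leading 0x00 plus four 0xFF bytes), so it cannot be decoded into a signed 32-bit integer, while the clamped value fits in four.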