httpd-bugs mailing list archives

Subject: DO NOT REPLY [Bug 46698] New: invalid default sizelimit in ldap searches
Date: Wed, 11 Feb 2009 21:08:03 GMT

           Summary: invalid default sizelimit in ldap searches
           Product: Apache httpd-2
           Version: 2.3-HEAD
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P3
         Component: mod_auth_ldap

mod_auth_ldap on OpenVMS won't authenticate users against a modern OpenLDAP.

I am using the Apple Open Directory implementation of OpenLDAP from Mac OSX
Server 10.5.6.

The function for LDAP authentication is uldap_cache_getuserdn which in turn
uses the function ldap_search_ext_s to do the uid search portion.

In modules/ldap/util_ldap.c, ldap_search_ext_s is called as follows (revision
737582 from 2.3-HEAD):

    result = ldap_search_ext_s(ldc->ldap, (char *)reqdn, LDAP_SCOPE_BASE,
                               "(objectclass=*)", NULL, 1,
                               NULL, NULL, NULL, APR_LDAP_SIZELIMIT, &res);

and from the top of util_ldap.c:

        #ifndef APR_LDAP_SIZELIMIT
        #define APR_LDAP_SIZELIMIT -1
        #endif

Older revisions (httpd 2.2.5 and before) use a static -1 in place of

From ldap.h (OpenLDAP), here are the parameters for ldap_search_ext_s:

    ldap_search_ext_s LDAP_P((
            LDAP            *ld,
            LDAP_CONST char *base,
            int             scope,
            LDAP_CONST char *filter,
            char            **attrs,
            int             attrsonly,
            LDAPControl     **serverctrls,
            LDAPControl     **clientctrls,
            struct timeval  *timeout,
            int             sizelimit,
            LDAPMessage     **res ));

So the value '-1' is passed as the sizeLimit parameter from the client
(mod_auth_ldap) to the server (OpenLDAP).

This seems to work for a lot of client / server combinations, however it is not
working here.

According to RFC 4511 (section 4.5.1), sizelimit is an unsigned integer
between 0 and maxInt. A value of zero indicates no size limit.

Would it make sense to change the default APR_LDAP_SIZELIMIT to 0?  I welcome
any other feedback...
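
The values discussed in the report above, checked against the RFC 4511 sizeLimit range and BER-encoded as they would appear in a SearchRequest. This is an added example, not code from httpd, APR or OpenLDAP; `sizelimit_valid`, `sizelimit_for_wire` and `ber_put_int` are hypothetical helpers, and whether a given LDAP SDK sends a negative value unchanged is an assumption.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define LDAP_MAXINT 2147483647L   /* maxInt from RFC 4511 */

/* RFC 4511 section 4.5.1: sizeLimit INTEGER (0 .. maxInt), 0 = no client limit. */
static int sizelimit_valid(long v) { return v >= 0 && v <= LDAP_MAXINT; }

/* Hypothetical client-side normalization: replace any out-of-range value
 * (such as the -1 sentinel) with 0 before the request is built. */
static int32_t sizelimit_for_wire(long requested)
{
    return sizelimit_valid(requested) ? (int32_t)requested : 0;
}

/* Minimal-length BER INTEGER (tag 0x02), the encoding used for the
 * sizeLimit field. Returns bytes written; out needs 6 bytes. */
static size_t ber_put_int(int32_t v, unsigned char *out)
{
    unsigned char b[4];
    size_t n = 4, skip = 0, i;
    uint32_t u = (uint32_t)v;
    for (i = 0; i < 4; i++) b[i] = (unsigned char)(u >> (24 - 8 * i));
    /* Drop leading bytes that only repeat the sign bit. */
    while (skip < 3 &&
           ((b[skip] == 0x00 && !(b[skip + 1] & 0x80)) ||
            (b[skip] == 0xFF &&  (b[skip + 1] & 0x80))))
        skip++;
    n -= skip;
    out[0] = 0x02;
    out[1] = (unsigned char)n;
    for (i = 0; i < n; i++) out[2 + i] = b[skip + i];
    return n + 2;
}

int main(void)
{
    long samples[] = { -1, 0, 1000 };   /* constructed sample values */
    unsigned char buf[6];
    for (size_t s = 0; s < 3; s++) {
        size_t len = ber_put_int((int32_t)samples[s], buf);
        printf("%5ld valid=%d wire:", samples[s], sizelimit_valid(samples[s]));
        for (size_t i = 0; i < len; i++) printf(" %02X", buf[i]);
        printf("  normalized=%d\n", (int)sizelimit_for_wire(samples[s]));
    }
    return 0;
}
```

A strict server can reject the `02 01 FF` form outright because it decodes to a value outside 0..maxInt, while `02 01 00` is the in-range way to ask for no client-side limit.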


