httpd-dev mailing list archives

From Jan Kaluza <jkal...@redhat.com>
Subject Re: [PATCH] Fix "LDAPReferrals off"
Date Fri, 21 Jun 2013 06:59:41 GMT
----- Original Message -----
> On Thu, Jun 20, 2013 at 8:49 AM, Jan Kaluža <jkaluza@redhat.com> wrote:
> > On 06/20/2013 02:41 PM, Eric Covener wrote:
> >>
> >> On Thu, Jun 20, 2013 at 8:33 AM, Jan Kaluža <jkaluza@redhat.com> wrote:
> >>>
> >>> On 06/20/2013 02:25 PM, Eric Covener wrote:
> >>>>
> >>>>
> >>>> Do you think we should tolerate an error turning referrals off?
> >>>
> >>>
> >>>
> >>> That's a good point.
> >>>
> >>> I'm not an LDAP expert, but I would say we should not tolerate that. The admin
> >>> has to explicitly disable referrals and if he does that, he probably has some
> >>> reason to do it.
> >>>
> >>> But if someone more experienced thinks we should tolerate that error, I'm
> >>> not against it.
> >>
> >>
> >> I'm only concerned with someone who was getting by with LDAPReferrals
> >> OFF because the default gave their SDK an error.  Now OFF would be
> >> fatal too.
> >>
> >> But it's not so easy to do a separate "default" option because other
> >> parts of the code need to know if referrals are being chased.
> >>
> >
> > In this case I think we could change the patch to not call ldap_set_option
> > for referrals at all unless the admin specifies the value in the config file. I
> > mean to define AP_LDAP_CHASEREFERRALS_UNSET and if the ldc->chaseReferrals
> > == AP_LDAP_CHASEREFERRALS_UNSET, then do nothing. I can submit a patch like
> > that tomorrow.
> >
> > This should be good for everyone, right?
> 
> I don't know what that means for other and/or older LDAP SDKs, so I
> would rather not flip that.
> 

Hm, I think the only way to get out of this without taking a risk of
breaking the current behaviour is to allow setting something like
"LDAPReferrals default" (probably not a good name, but I'm not sure I can
come up with a better one right now).

By default, LDAPReferrals would still be set to "on". If you would like to
not set the referrals option, you would use the "default" value. The "off" value
would try to turn the referrals off.

Of course it would be better to patch apr_ldap_option.c for SDKs where
the referrals option can't be set, but I don't have the knowledge to do that.

Regards,
Jan Kaluza
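
The three-way behaviour proposed in this message, sketched as an added example (it is not code from the patch or from httpd). The enum, the function names and the function-pointer stand-in for the SDK's set-option call are hypothetical; treating a refused explicit "on" or "off" as fatal is an assumption taken from the thread.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Hypothetical tri-state for the proposed directive; names are illustrative. */
typedef enum { REFERRALS_OFF = 0, REFERRALS_ON = 1, REFERRALS_UNSET = 2 } referrals_t;

/* Stand-in for the SDK call: returns 0 on success, -1 if the SDK rejects it. */
typedef int (*set_referrals_fn)(int enable);

int sdk_calls;  /* counts SDK calls so the "do nothing" path can be checked */
int sdk_ok(int enable)      { (void)enable; sdk_calls++; return 0; }
int sdk_rejects(int enable) { (void)enable; sdk_calls++; return -1; }

/* Parse the directive argument; an absent directive (NULL) keeps today's "on". */
int parse_referrals(const char *arg, referrals_t *out)
{
    if (arg == NULL || strcasecmp(arg, "on") == 0) { *out = REFERRALS_ON; return 0; }
    if (strcasecmp(arg, "off") == 0)     { *out = REFERRALS_OFF;   return 0; }
    if (strcasecmp(arg, "default") == 0) { *out = REFERRALS_UNSET; return 0; }
    return -1;  /* unknown value: reject at config time */
}

/* Apply at connection setup. Returns 0 to proceed, -1 to fail the connection. */
int apply_referrals(referrals_t mode, set_referrals_fn set_option)
{
    if (mode == REFERRALS_UNSET)
        return 0;   /* "default": leave the SDK's own setting untouched */
    if (set_option(mode == REFERRALS_ON) != 0)
        return -1;  /* explicit on/off that the SDK refuses is fatal */
    return 0;
}

int main(void)
{
    const char *values[] = { NULL, "on", "off", "default" };
    for (size_t i = 0; i < 4; i++) {
        referrals_t mode;
        parse_referrals(values[i], &mode);
        /* Constructed scenario: an SDK that cannot set the referrals option. */
        printf("%-9s -> rejecting SDK: %s\n", values[i] ? values[i] : "(absent)",
               apply_referrals(mode, sdk_rejects) == 0 ? "connect" : "fail");
    }
    return 0;
}
```

With an SDK that refuses the option, only the "default" value lets the connection proceed, which is the escape hatch the message describes for setups that previously relied on "off" being a no-op.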
