author | Lukas Slebodnik <lslebodn@redhat.com> | 2014-08-14 11:14:39 +0200 |
---|---|---|
committer | Jakub Hrozek <jhrozek@redhat.com> | 2014-08-19 14:38:39 +0200 |
commit | 25dfb62595f73d1ca3d1170abe5853c4253d7c42 (patch) | |
tree | 3e247458259130e54e0631566dcb9f4682975e2a | |
parent | 82347f452febe3cbffc36b0a3308ffb462515442 (diff) | |
Revert "SDAP: Deref needn't be treated as critical"

This reverts commit fc8d98c9f0bb26de7be732c3e542b85c8abdba53.

The reason why the control was marked critical is that we expect
to get it back on reply, or it should fail. We should rather leave
the criticality bit and handle the error (by downgrading to not use
deref controls) if the server fails.

In other words, we should not work around bugs in any LDAP server.
If a server claims it supports the deref control, it should work with the critical flag.

sh-4.2$ ldapsearch -LLL -h 172.17.0.9 -x -b "" -s base supportedControl
dn:
supportedControl: 1.3.6.1.4.1.4203.666.5.16
supportedControl: 2.16.840.1.113730.3.4.18
supportedControl: 2.16.840.1.113730.3.4.2
supportedControl: 1.3.6.1.4.1.4203.1.10.1
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 1.2.826.0.1.3344810.2.3
supportedControl: 1.3.6.1.1.13.2
supportedControl: 1.3.6.1.1.13.1
supportedControl: 1.3.6.1.1.12
sh-4.2$ grep "1.3.6.1.4.1.4203.666.5.16" /usr/include/ldap.h
#define LDAP_CONTROL_X_DEREF "1.3.6.1.4.1.4203.666.5.16"
sh-4.2$ ldapsearch -x -LLL -h 172.17.0.9 -b 'dc=example,dc=com' \
-E '!deref=member:cn,uid' \
cn=ref_grp1 cn,uid
Critical extension is unavailable (12)
Additional information: critical control unavailable in context
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
-rw-r--r-- | src/providers/ldap/sdap_async.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/src/providers/ldap/sdap_async.c b/src/providers/ldap/sdap_async.c index 3c58f7518..4100f6d14 100644 --- a/src/providers/ldap/sdap_async.c +++ b/src/providers/ldap/sdap_async.c @@ -1736,7 +1736,7 @@ static int sdap_x_deref_create_control(struct sdap_handle *sh, } ret = sdap_control_create(sh, LDAP_CONTROL_X_DEREF, - 0, &derefval, 1, ctrl); + 1, &derefval, 1, ctrl); ldap_memfree(derefval.bv_val); if (ret != EOK) { DEBUG(SSSDBG_CRIT_FAILURE, "sss_ldap_control_create failed\n"); |
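Review bot: The criticality argument in `sdap_control_create(sh, LDAP_CONTROL_X_DEREF, 1, &derefval, 1, ctrl)` is now set, but nothing in this hunk handles a server that rejects the critical control. The commit message shows a server that lists 1.3.6.1.4.1.4203.666.5.16 in supportedControl and still answers "Critical extension is unavailable (12)", and it says the error should be handled by downgrading to not use deref controls; please point to where that fallback lives or add it together with this change, otherwise searches against such a server fail outright. The bare `1` sits next to a second `1` argument, so a short comment or a named constant marking it as the criticality flag would help the next reader. The DEBUG text also says "sss_ldap_control_create failed" while the call that failed is sdap_control_create.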