From 25dfb62595f73d1ca3d1170abe5853c4253d7c42 Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik
Date: Thu, 14 Aug 2014 11:14:39 +0200
Subject: Revert "SDAP: Deref needn't be treated as critical"

This reverts commit fc8d98c9f0bb26de7be732c3e542b85c8abdba53.

The reason why the control was marked critical is that we expect to get it back on reply, or it should fail. We should rather leave the criticality bit and handle the error (by downgrading to not use deref controls) if the server fails.

In other words, we should not work around bugs in any LDAP server. If a server claims it supports the deref control, it should work with the critical flag.

sh-4.2$ ldapsearch -LLL -h 172.17.0.9 -x -b "" -s base supportedControl
dn:
supportedControl: 1.3.6.1.4.1.4203.666.5.16
supportedControl: 2.16.840.1.113730.3.4.18
supportedControl: 2.16.840.1.113730.3.4.2
supportedControl: 1.3.6.1.4.1.4203.1.10.1
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 1.2.826.0.1.3344810.2.3
supportedControl: 1.3.6.1.1.13.2
supportedControl: 1.3.6.1.1.13.1
supportedControl: 1.3.6.1.1.12

sh-4.2$ grep "1.3.6.1.4.1.4203.666.5.16" /usr/include/ldap.h
#define LDAP_CONTROL_X_DEREF "1.3.6.1.4.1.4203.666.5.16"

sh-4.2$ ldapsearch -x -LLL -h 172.17.0.9 -b 'dc=example,dc=com' \
    -E '!deref=member:cn,uid' \
    cn=ref_grp1 cn,uid
Critical extension is unavailable (12)
Additional information: critical control unavailable in context

Reviewed-by: Jakub Hrozek
---
 src/providers/ldap/sdap_async.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'src')

diff --git a/src/providers/ldap/sdap_async.c b/src/providers/ldap/sdap_async.c
index 3c58f751..4100f6d1 100644
--- a/src/providers/ldap/sdap_async.c
+++ b/src/providers/ldap/sdap_async.c
@@ -1736,7 +1736,7 @@ static int sdap_x_deref_create_control(struct sdap_handle *sh, } ret = sdap_control_create(sh, LDAP_CONTROL_X_DEREF, - 0, &derefval, 1, ctrl); + 1, &derefval, 1, ctrl); ldap_memfree(derefval.bv_val); if (ret != EOK) { DEBUG(SSSDBG_CRIT_FAILURE, "sss_ldap_control_create failed\n"); -- cgit
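Review bot: The criticality argument restored to `1` in the `sdap_control_create(sh, LDAP_CONTROL_X_DEREF, ...)` call means a deref search fails outright against a server that advertises the control but rejects it, as in the commit message's "Critical extension is unavailable (12)" transcript, and this one-line change contains none of the fallback the message calls for ("downgrading to not use deref controls"). Either add handling for result code 12 (`LDAP_UNAVAILABLE_CRITICAL_EXTENSION`) in the same series or state in the message where it already lives, so the revert does not bring back the failure the reverted commit worked around. A short comment at the call saying why the control is critical (a reply is expected or the search should fail) would keep the bare `1` from being flipped again. Separately, the DEBUG text in the context lines names `sss_ldap_control_create` while the call is `sdap_control_create`, which makes the log harder to match to the code.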