Jeff Trawick wrote:

With Ubuntu's packaging of OpenLDAP 2.4.9 and whatever OpenLDAP is in Leopard.latest, LDAP_OPT_REFHOPLIMIT is defined in ldap.h but the library returns an error when trying to set it to 5 (httpd LDAP's default value). This is apparently a wide-spread issue (http://article.gmane.org/gmane.network.openldap.devel/3619).

The intent in apr_ldap_set_option() is apparently to ignore lack of support for LDAP_OPT_REFHOPLIMIT, but that is implemented with this compile-time check:

#if !defined(LDAP_OPT_REFHOPLIMIT) || APR_HAS_NOVELL_LDAPSDK

How to handle... Ignore failures and return success if LDAP_OPT_REFHOPLIMIT defined but the set fails?

(As an aside, this busts httpd trunk's LDAP auth with these libraries until you set LDAPReferrals Off.)

I suspect the right way to fix this is for APR to be honest about the support for LDAP_OPT_REFHOPLIMIT - if the compile time test determines that REFHOPLIMIT is either truly unsupported or broken, the attempt should return APR_ENOTIMPL.

If it succeeds, it should return APR_SUCCESS, and if it fails it should return a corresponding error message.

Clients in turn (starting with mod_authnz_ldap) should then behave intelligently to the success/notimpl/fail as would make sense for the app.

So in other words, if it succeeds, all well and good. If it fails, return an error. If unimplemented, shrug shoulders and silently ignore the call.

This makes sure that we don't lose the ability to detect a legitimate failure.

Regards,
Graham
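As an added illustration of the success / ENOTIMPL / failure contract proposed above (example code, not APR's or httpd's own): a hypothetical set_refhoplimit() wrapper and a mod_authnz_ldap-style caller, exercised against constructed stand-ins for ldap_set_option(). The status codes, function names and the compiled_in flag (standing in for APR's compile-time LDAP_OPT_REFHOPLIMIT check) are assumptions.

```c
#include <stdio.h>

/* Illustrative status codes; not the real apr_errno.h values. */
enum { REF_SUCCESS = 0, REF_ENOTIMPL = 1, REF_EFAIL = 2 };

/* Assumed stand-in for the LDAP_OPT_REFHOPLIMIT option number. */
#define REFHOPLIMIT_OPT 0x10

/* Signature modelled on ldap_set_option(): 0 on success, non-zero on error. */
typedef int (*set_option_fn)(int option, const void *value);

/* Hypothetical wrapper: compiled_in stands in for APR's compile-time test.
 * Missing support is reported honestly; a runtime failure is never masked. */
int set_refhoplimit(set_option_fn set_option, int compiled_in, int hops)
{
    if (!compiled_in)
        return REF_ENOTIMPL;             /* library cannot limit hops */
    if (set_option(REFHOPLIMIT_OPT, &hops) != 0)
        return REF_EFAIL;                /* defined but the set failed */
    return REF_SUCCESS;
}

/* Hypothetical client logic (mod_authnz_ldap-style): success is fine,
 * ENOTIMPL is silently ignored, anything else is a real error.
 * Returns 1 when the connection setup may proceed, 0 otherwise. */
int configure_referrals(set_option_fn set_option, int compiled_in, int hops)
{
    switch (set_refhoplimit(set_option, compiled_in, hops)) {
    case REF_SUCCESS:  return 1;
    case REF_ENOTIMPL: return 1;         /* shrug shoulders */
    default:           return 0;         /* legitimate failure surfaced */
    }
}

/* Constructed library behaviours: one accepts the option, one has the
 * symbol defined but rejects the set (the OpenLDAP 2.4.9 case above). */
int lib_ok(int option, const void *value)     { (void)option; (void)value; return 0; }
int lib_broken(int option, const void *value) { (void)option; (void)value; return -1; }

int main(void)
{
    printf("ok lib:      %d\n", configure_referrals(lib_ok, 1, 5));     /* 1 */
    printf("no support:  %d\n", configure_referrals(lib_broken, 0, 5)); /* 1 */
    printf("broken lib:  %d\n", configure_referrals(lib_broken, 1, 5)); /* 0 */
    return 0;
}
```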