> I'd like to reopen the discussion on this issue. We're hitting this same
> problem with the SSSD when dealing with ActiveDirectory. It really
> doesn't make sense to me that every consumer of the OpenLDAP libraries
> should be required to reimplement this (admittedly incorrect) extension
> to ActiveDirectory.
>
> As Petter suggested in his comment from April 21, 2008, ActiveDirectory
> provides a server control to identify that the feature is in play.
>
> I feel that it would be beneficial to OpenLDAP's library consumers if
> they handled range lookups automatically and internally, similar to the
> way that referrals are chased.
>
> Consumers of the OpenLDAP API should be able to reliably assume that if
> they ask for the set of values for an attribute of a completed request,
> that they will get back all of the values.
>
> Please reconsider adding this support into OpenLDAP.
The complexity of handling this nonsense in libldap seems not worth the effort; I think we might consider working this around in proxy backends (much like we did for unsolicited paged results response in back-meta, ITS#6664, which could be added to back-ldap as well). I don't think implementing something that requires a theoretically unbounded number of nested search requests for each attribute value that contains a range in each SearchResultEntry message makes sense. The parallel with referrals is not appropriate, since referrals are part of LDAP specification; also, please note that automatic referral chasing is strongly discouraged unless the transport layer is protected (Section 6 of RFC 4511).

p.
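Added example, not code from this ITS thread or from OpenLDAP: a client-side sketch of the range chasing the two posts discuss. The `attr;range=lo-hi` naming follows Active Directory's range retrieval; the search callback, the fake server and its 1500-value limit are constructed assumptions, and the `max_rounds` cap is there because the reply objects to an unbounded number of follow-up searches.

```python
import re

# AD range retrieval (MS-ADTS): a multi-valued attribute over the server's limit
# comes back as e.g. "member;range=0-1499"; the client asks for
# "member;range=1500-*" and repeats until the upper bound is "*" (last chunk).
RANGE_RE = re.compile(r"^([^;]+);range=(\d+)-(\d+|\*)$", re.I)

def parse_range_attr(name):
    """(base_attr, lo, hi) for a ranged attribute name, else None; hi None on '*'."""
    m = RANGE_RE.match(name)
    if not m:
        return None
    return m.group(1), int(m.group(2)), None if m.group(3) == "*" else int(m.group(3))

def next_range_attr(name):
    """Attribute to request for the following chunk, or None if complete."""
    p = parse_range_attr(name)
    return None if p is None or p[2] is None else f"{p[0]};range={p[2] + 1}-*"

def _chunk_key(attrs, attr):
    """Key of `attrs` that carries a range chunk of `attr`, or None."""
    return next((k for k in attrs if (p := parse_range_attr(k)) and p[0].lower() == attr.lower()), None)

def collect_ranged_values(entry, attr, search_fn, max_rounds=64):
    """All values of `attr` for one entry, chasing range chunks through the
    hypothetical callback search_fn(requested_attr) -> {attr_name: [values]}.
    max_rounds caps follow-up searches so a misbehaving server cannot keep
    the client chasing ranges indefinitely."""
    key = _chunk_key(entry, attr)
    if key is None:                      # attribute was not split at all
        return list(entry.get(attr, []))
    values = list(entry[key])
    for _ in range(max_rounds):
        follow = next_range_attr(key)
        if follow is None:               # previous chunk ended with '*'
            return values
        result = search_fn(follow)
        key = _chunk_key(result, attr)
        if key is None:                  # server answered with a plain attribute
            return values + list(result.get(attr, []))
        values.extend(result[key])
    raise RuntimeError(f"{attr}: more than {max_rounds} range follow-ups")

class FakeRangeServer:                   # constructed stand-in, 1500-value limit
    def __init__(self, members, limit=1500):
        self.members, self.limit = members, limit
    def search(self, requested):         # requested e.g. "member;range=1500-*"
        p = parse_range_attr(requested)
        lo = p[1] if p else 0
        hi = min(lo + self.limit, len(self.members))
        tag = "*" if hi == len(self.members) else hi - 1
        return {f"member;range={lo}-{tag}": self.members[lo:hi]}

MEMBERS = [f"CN=user{i:04d},OU=People,DC=example,DC=com" for i in range(3200)]
SERVER = FakeRangeServer(MEMBERS)
FIRST_ENTRY = SERVER.search("member")    # initial search, no range requested
```

Three searches (0-1499, 1500-2999, 3000-*) return all 3200 values; lowering `max_rounds` below the number of chunks makes the client stop with an error instead of looping.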
