
Mailing List Archive: Apache: Dev

Win32 Apache and ldap size limit problem.

 

 



awang at ptc

Nov 14, 2005, 1:31 PM

Post #1 of 6 (884 views)
Win32 Apache and ldap size limit problem.

I noticed that with OpenLDAP 2.2.x, auth_ldap from apache on windows
fails. The actual error ends up being an invalid size limit on the
openldap end of things. After doing some research, it looks like the
Microsoft SDK defaults the sizelimit to (2^32)-1 (4294967295 or
basically an unsigned 32-bit int). OpenLDAP 2.2.x restricts the
sizelimit to (2^(32-1)) -1 (2147483647 or a signed 32-bit int).

I have no idea how to report this to microsoft, as it's the microsoft
SDK that's out of spec. RFC 2251 (http://www.ietf.org/rfc/rfc2251.txt)
declares the max of a size limit to be the openldap value.

As far as I can tell, none of the other ldap servers care and openldap
2.1.x didn't care either, but unfortunately, 2.2.x does care.

Anyone else run into this problem and have any ideas or know how to
report this to MS? I was thinking of filing an Apache bug/enhancement
requesting that apache be able to pass a size limit to the ldap query.
In theory, you could override this MS SDK problem by explicitly setting
the size limit to a proper value, or patch openldap to ignore it.

Thanks,
Andy
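
The mismatch described in this post, shown at the wire level. This is an added example, not code from the thread, Apache or OpenLDAP, and the function names are hypothetical. The size limit travels as a BER INTEGER, RFC 2251 defines maxInt as 2147483647, and the range check models the OpenLDAP 2.2.x behaviour as the post reports it.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define LDAP_MAXINT 2147483647LL   /* maxInt in RFC 2251 */

/* Encode v as a BER INTEGER: tag 0x02, short-form length, minimal
 * two's-complement content. Returns bytes written (at most 10). */
size_t ber_put_int(int64_t v, unsigned char *out)
{
    size_t n = 1, i;
    while (n < 8 && (v < -(1LL << (8 * n - 1)) || v > (1LL << (8 * n - 1)) - 1))
        n++;                                   /* grow until v fits in n bytes */
    out[0] = 0x02;
    out[1] = (unsigned char)n;
    for (i = 0; i < n; i++)
        out[2 + i] = (unsigned char)((uint64_t)v >> (8 * (n - 1 - i)));
    return n + 2;
}

/* Decode a BER INTEGER of up to 8 content bytes; 0 on success, -1 if malformed. */
int ber_get_int(const unsigned char *in, size_t len, int64_t *v)
{
    size_t n, i;
    uint64_t u;
    if (len < 3 || in[0] != 0x02) return -1;
    n = in[1];
    if (n == 0 || n > 8 || n + 2 > len) return -1;
    u = (in[2] & 0x80) ? ~(uint64_t)0 : 0;     /* sign-extend from first byte */
    for (i = 0; i < n; i++) u = (u << 8) | in[2 + i];
    *v = (int64_t)u;
    return 0;
}

/* Accept only 0..maxInt, the range the post attributes to OpenLDAP 2.2.x. */
int sizelimit_in_range(const unsigned char *in, size_t len)
{
    int64_t v;
    return ber_get_int(in, len, &v) == 0 && v >= 0 && v <= LDAP_MAXINT;
}

int main(void)
{
    /* 10: value tried later in the thread; maxInt; value reported for the MS SDK */
    const long long samples[] = { 10, 2147483647LL, 4294967295LL };
    unsigned char buf[10];
    for (int k = 0; k < 3; k++) {
        size_t len = ber_put_int(samples[k], buf);
        printf("%lld: %zu content bytes, %s\n", samples[k], len - 2,
               sizelimit_in_range(buf, len) ? "accepted" : "rejected");
    }
    return 0;
}
```

4294967295 needs a fifth content byte (a leading 0x00) to stay positive, so a server that decodes the field into a signed 32-bit range has to reject it rather than silently wrap it.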


wrowe at rowe-clan

Nov 14, 2005, 2:15 PM

Post #2 of 6 (869 views)
Re: Win32 Apache and ldap size limit problem. [In reply to]

Andy Wang wrote:
> I noticed that with OpenLDAP 2.2.x, auth_ldap from apache on windows
> fails. The actual error ends up being an invalid size limit on the
> openldap end of things.

Please clarify, this is the win32 WLDAP32.dll client to OpenLDAP 2.2
backend ldap server (e.g. on unix or whatever), ssl/tls is not involved?


awang at ptc

Nov 14, 2005, 2:36 PM

Post #3 of 6 (858 views)
Re: Win32 Apache and ldap size limit problem. [In reply to]

William A. Rowe, Jr. wrote:

> Andy Wang wrote:
>
>> I noticed that with OpenLDAP 2.2.x, auth_ldap from apache on windows
>> fails. The actual error ends up being an invalid size limit on the
>> openldap end of things.
>
>
> Please clarify, this is the win32 WLDAP32.dll client to OpenLDAP 2.2
> backend ldap server (e.g. on unix or whatever), ssl/tls is not involved?
>
Honestly, I don't know. I'm a unix guy. The windows Apache is sorta outside of
my area of expertise (but we have customers and users that insist on
windows). Is WLDAP32.dll the dll that the Microsoft SDK links against?
If so, then yeah, you've got it right. OpenLDAP 2.2 backend LDAP server
running on whatever platform, I imagine ssl/tls is irrelevant, as the
size limit parameter should be independent of that.

Andy


awang at ptc

Dec 5, 2005, 2:43 PM

Post #4 of 6 (866 views)
Re: Win32 Apache and ldap size limit problem. [In reply to]

William A. Rowe, Jr. wrote:

>
> Please clarify, this is the win32 WLDAP32.dll client to OpenLDAP 2.2
> backend ldap server (e.g. on unix or whatever), ssl/tls is not involved?
>
We tried the following code just to see if it's possible to override
sizelimit. It works fine with openldap as the SDK (on Unix) but it
doesn't work for Windows.
Is there something goofy that needs to be done with the Microsoft LDAP
library to set this option? Even with it set, on Windows it attempts to
send a size limit of 4294967295 instead of 10.

Andy


--- util_ldap.c.orig 2005-04-11 10:49:57.000000000 -0500
+++ util_ldap.c 2005-11-30 16:46:41.000000000 -0600
@@ -240,6 +240,7 @@
{
int result = 0;
int failures = 0;
+ int sizelimit = 10;
int version = LDAP_VERSION3;

util_ldap_state_t *st = (util_ldap_state_t *)ap_get_module_config(
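
Review bot: The added `int sizelimit = 10;` is an unexplained magic number among the function's locals. If this is to go beyond an experiment, give the limit a named constant or take it from configuration, and add a comment saying why a size limit is being set at all, since a value of 10 would cap every search made through the handle it is applied to.
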
@@ -311,6 +312,10 @@
return(-1);
}

+// #if APR_HAS_MICROSOFT_LDAPSDK
+ ldap_set_option (ldc->ldap, LDAP_OPT_SIZELIMIT, (void
*)&sizelimit);
+ // #endif
+
/* Set the alias dereferencing option */
ldap_set_option(ldc->ldap, LDAP_OPT_DEREF, &(ldc->deref));
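
Review bot: The return value of the added `ldap_set_option (ldc->ldap, LDAP_OPT_SIZELIMIT, ...)` call is discarded, so an option the SDK refuses looks the same as one it accepts. Check the result and log it on failure; that would show whether the option is being rejected on the platform where the limit on the wire does not change. The mailer-wrapped `(void` / `*)&sizelimit);` pair also has to be rejoined onto one line before the patch will apply.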


awang at ptc

Dec 6, 2005, 2:38 PM

Post #5 of 6 (839 views)
Re: Win32 Apache and ldap size limit problem. [In reply to]

Filed bug: http://issues.apache.org/bugzilla/show_bug.cgi?id=37814

Made a couple of suggestions:
1) use #if's to determine if it's windows and pass in the appropriate
sizelimit to ldap_search_ext_s on windows
2) use ldap_search_s instead of ldap_search_ext_s. It doesn't look like
util_ldap.c is even using any of the extended features of
ldap_search_ext_s, so why bother using it?

I'd be more than willing to create the patch if someone wants to comment
on which solution they like more.

Andy


Andy Wang wrote:

> William A. Rowe, Jr. wrote:
>
>>
>> Please clarify, this is the win32 WLDAP32.dll client to OpenLDAP 2.2
>> backend ldap server (e.g. on unix or whatever), ssl/tls is not involved?
>>
> We tried the following code just to see if it's possible to override
> sizelimit. It works fine with openldap as the SDK (on Unix) but it
> doesn't work for Windows.
> Is there something goofy that needs to be done with the Microsoft LDAP
> library to set this option? Even with it set, on Windows it attempts
> to send a size limit of 4294967295 instead of 10.
>
> Andy
>
>
> --- util_ldap.c.orig 2005-04-11 10:49:57.000000000 -0500
> +++ util_ldap.c 2005-11-30 16:46:41.000000000 -0600
> @@ -240,6 +240,7 @@
> {
> int result = 0;
> int failures = 0;
> + int sizelimit = 10;
> int version = LDAP_VERSION3;
>
> util_ldap_state_t *st = (util_ldap_state_t *)ap_get_module_config(
> @@ -311,6 +312,10 @@
> return(-1);
> }
>
> +// #if APR_HAS_MICROSOFT_LDAPSDK
> + ldap_set_option (ldc->ldap, LDAP_OPT_SIZELIMIT, (void
> *)&sizelimit);
> + // #endif
> +
> /* Set the alias dereferencing option */
> ldap_set_option(ldc->ldap, LDAP_OPT_DEREF, &(ldc->deref));
>
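
Review bot: The `#if APR_HAS_MICROSOFT_LDAPSDK` and `#endif` lines around the added call are commented out with `//`, so the size limit is set for every SDK rather than only the Microsoft one. Either restore the preprocessor guard or drop the two lines, and use `/* */` comments to match the existing `/* Set the alias dereferencing option */` style.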


awang at ptc

Feb 2, 2006, 1:43 PM

Post #6 of 6 (817 views)
Re: Win32 Apache and ldap size limit problem. [In reply to]

FYI,
I posted a patch to http://issues.apache.org/bugzilla/show_bug.cgi?id=37814

I took the easy route and just added a #if block to util_ldap to set a
sizelimit of 2147483647 if the microsoft ldap sdk was in use or
otherwise -1 and use this sizelimit define in ldap_search_ext_s calls.

Ideally sizelimit could be configurable via a module directive, but
since we'll be maintaining our own build with this patch I didn't want
to do anything too heavyweight.

Andy


Andy Wang wrote:
> I noticed that with OpenLDAP 2.2.x, auth_ldap from apache on windows
> fails. The actual error ends up being an invalid size limit on the
> openldap end of things. After doing some research, it looks like the
> Microsoft SDK defaults the sizelimit to (2^32)-1 (4294967295 or
> basically an unsigned 32-bit int). OpenLDAP 2.2.x restricts the
> sizelimit to (2^(32-1)) -1 (2147483647 or a signed 32-bit int).
>
> I have no idea how to report this to microsoft, as it's the microsoft
> SDK that's out of spec. RFC 2251
> (http://www.ietf.org/rfc/rfc2251.txt) declares the max of a size limit
> to be the openldap value.
>
> As far as I can tell, none of the other ldap servers care and openldap
> 2.1.x didn't care either, but unfortunately, 2.2.x does care.
>
> Anyone else run into this problem and have any ideas or know how to
> report this to MS? I was thinking of filing an Apache bug/enhancement
> requesting that apache be able to pass a size limit to the ldap
> query. In theory, you could override this MS SDK problem by
> explicitly setting the size limit to a proper value, or patch openldap
> to ignore it.
>
> Thanks,
> Andy
>
