On Thu, Oct 27, 2011 at 04:25:07PM -0700, Quanah Gibson-Mount wrote:

> >Therefore, I propose the following Postfix fix/work-around which
> >is required for anyone running Postfix 2.3 or later, linked with
> >OpenLDAP 2.4 or later (perhaps even late 2.3.x releases, I just
> >compared OpenLDAP 2.3.4 with 2.4.23).
>
> Hi Victor,
>
> Your patch didn't change the behavior. I did some debugging and
> fixed the problem with the following patch (I kept your patch in
> place in case it does anything).
If ldap_result() is not enough to detect the error, then we may need to
call ldap_parse_result (which should detect the error) before calling
ldap_parse_sasl_bind_result() (which decodes server credentials, but no
longer detects errors).

> As far as the API change, the
> OpenLDAP primary developer responded with: "The old API was garbage
> because it didn't disclose whether an error occurred locally (in the
> API) or remotely (from the server). An application's
> recovery/response procedures need to be able to differentiate the
> two."

That's what different error codes are for, and changing semantics of an
under-documented long-standing API for cosmetic reasons is folly.

> -#define FREE_RESULT 1
> -    return (ldap_parse_sasl_bind_result(dict_ldap->ld, res, 0,
> FREE_RESULT));
> +#define FREE_RESULT 0
> +    if ((rc = ldap_parse_sasl_bind_result(dict_ldap->ld, res, 0,
> FREE_RESULT)) != LDAP_SUCCESS)
> +        return (rc);
> +
> +    return(ldap_result2error( dict_ldap->ld, res, 1 ));
> }

This almost certainly leaks memory by not freeing the message, and the
ldap_result2error() function has the following comment above in the
OpenLDAP source code:

    /* deprecated */
    int
    ldap_result2error( LDAP *ld, LDAPMessage *r, int freeit )
    {
        int rc, err;

        rc = ldap_parse_result( ld, r, &err, NULL, NULL, NULL, NULL, freeit );

        return err != LDAP_SUCCESS ? err : rc;
    }

A better solution is required; I'll post an updated proposal tomorrow.

-- 
	Viktor.
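Review bot: the early `return (rc);` path in the quoted hunk leaks `res`: with `FREE_RESULT` changed to 0, ldap_parse_sasl_bind_result() no longer frees the message, and nothing calls ldap_msgfree(res) before that return. Suggest freeing the message on that path, and passing `FREE_RESULT` rather than the literal `1` to the final call so the macro actually governs the message's lifetime; since ldap_result2error() is marked `/* deprecated */` in the OpenLDAP source shown above, calling ldap_parse_result() directly and then checking the returned error code is the cleaner replacement.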