I'm developing a Java application against Novell eDirectory 8.8 SP6 with
LDAP and seeing some differences between the Novell LDAP SDK
Documentation and the actual LDAP implementation inside eDirectory for
LDAP. The problem is that the compare(java.lang.String dn, LDAPAttribute
attr) method of com.novell.ldap.LDAPConnection is not working as
described. I've noticed two strange issues:


1) LDAP COMPARE THROWS AN ERROR WHEN IT SHOULD NOT
According to the documentation ( the value FALSE should be returned when
the entry does not have the value or the attribute. However, eDirectory
returns a -603 LDAP error when you do a compare on an entry which does not
have the attribute (it does exist in the schema though).

For example:

Compare on User John Doe without any value for myauxattr:
ldapcompare -x -H ldap://ldapserver.test.com -D cn=admin,o=org -w
<password> cn=jdoe,ou=users,o=org myauxattr:testfornomatch
Compare Result: No such attribute (16)
Additional info: NDS error: no such attribute (-603)
*UNDEFINED* --> incorrect response

Compare on User John Doe with value 'testfornomatch' for myauxattr:
ldapcompare -x -H ldap://ldapserver.test.com -D cn=admin,o=org -w
<password> cn=jdoe,ou=users,o=org myauxattr:testfornomatch
TRUE

Compare on User John Doe with value 'othervalue' for myauxattr:
ldapcompare -x -H ldap://ldapserver.test.com -D cn=admin,o=org -w
<password> cn=jdoe,ou=users,o=org myauxattr:testfornomatch
FALSE

2) LDAP COMPARE DOES NOT THROW AN ERROR WHEN IT SHOULD
Moreover, if you don't have the Compare Rights to that attribute,
eDirectory always returns FALSE on an LDAP compare, which I believe is
not correct. A return value of FALSE implicitly states that the compare
could be done, but no match is found. However, insufficient rights
prevent the compare, so eDirectory should throw an error. Something like
LDAP: error code 50 INSUFFICIENT_ACCESS_RIGHTS.

For example:

Compare on User John Doe without any value for myauxattr and no compare
rights:
ldapcompare -x -H ldap://ldapserver.test.com -D cn=limiteduser,o=org -w
<password> cn=jdoe,ou=users,o=org myauxattr:testfornomatch
*FALSE* --> incorrect response

Compare on User John Doe with value 'testfornomatch' for myauxattr and
no compare rights:
ldapcompare -x -H ldap://ldapserver.test.com -D cn=limiteduser,o=org -w
<password> cn=jdoe,ou=users,o=org myauxattr:testfornomatch
*FALSE* --> incorrect response

Compare on User John Doe with value 'othervalue' for myauxattr and no
compare rights:
ldapcompare -x -H ldap://ldapserver.test.com -D cn=limiteduser,o=org -w
<password> cn=jdoe,ou=users,o=org myauxattr:testfornomatch
*FALSE* --> incorrect response


My question is: should I file this as a bug or is the LDAP SDK
documentation invalid?


--
sveldhuisen
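
An added example, not part of the original post and not Novell's own code: a wrapper around the `compare()` method discussed above that keeps "no match", "attribute absent" (result code 16) and "access denied" (result code 50) apart instead of collapsing them into a boolean. It assumes the Novell LDAP Classes for Java are on the classpath; the class name `CompareProbe`, the `Outcome` enum and the `LDAP_PW` environment variable are hypothetical, and the host, DNs and attribute are the ones from the post.

```java
import com.novell.ldap.LDAPAttribute;
import com.novell.ldap.LDAPConnection;
import com.novell.ldap.LDAPException;
import java.nio.charset.StandardCharsets;

public final class CompareProbe {
    /** Four outcomes instead of the boolean that compare() returns. */
    public enum Outcome { TRUE, FALSE, UNDEFINED, DENIED }

    public static Outcome compare(LDAPConnection conn, String dn,
                                  String attrName, String value) throws LDAPException {
        try {
            boolean match = conn.compare(dn, new LDAPAttribute(attrName, value));
            // FALSE is only as trustworthy as the server: the post reports
            // FALSE from eDirectory when the bind DN lacks Compare rights.
            return match ? Outcome.TRUE : Outcome.FALSE;
        } catch (LDAPException e) {
            switch (e.getResultCode()) {
                case LDAPException.NO_SUCH_ATTRIBUTE:          // 16, NDS -603 in the post
                    return Outcome.UNDEFINED;
                case LDAPException.INSUFFICIENT_ACCESS_RIGHTS: // 50
                    return Outcome.DENIED;
                default:
                    throw e; // connection, DN or schema problems stay visible
            }
        }
    }

    public static void main(String[] args) throws LDAPException {
        String password = System.getenv("LDAP_PW"); // hypothetical variable name
        if (password == null) {
            throw new IllegalStateException("set LDAP_PW to the bind password");
        }
        LDAPConnection conn = new LDAPConnection();
        try {
            conn.connect("ldapserver.test.com", LDAPConnection.DEFAULT_PORT);
            conn.bind(LDAPConnection.LDAP_V3, "cn=admin,o=org",
                      password.getBytes(StandardCharsets.UTF_8));
            Outcome outcome = compare(conn, "cn=jdoe,ou=users,o=org",
                                      "myauxattr", "testfornomatch");
            System.out.println("compare outcome: " + outcome);
        } finally {
            if (conn.isConnected()) {
                conn.disconnect();
            }
        }
    }
}
```

A caller that bases an authorization decision on the result should grant only on `TRUE` and log `UNDEFINED` and `DENIED` separately from `FALSE`.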