My "not being a programmer" problem has reared its head again, and I need some help debugging a (possibly esoteric) problem in 4.86 onwards (I haven't checked before that).
Long and short of it (code in lookups/ldap.c):
At work (courtesy of some sterling work by Mike Cardwell some time ago), we have a method of looking up the MS Exchange blocked/safe senders via LDAP and comparing sender addresses against them - this can avoid us backscattering by moving the rejection "up the stack" to our border MX farm.
However, someone has recently raised a case with us that email sent by a sender which has been added to their blocked senders list is still being delivered. Here's where the problem lies - this user has hundreds of addresses in their blocked (and safe) senders list, which in turn is exposed as a multi-line (note NOT multi-value, nor multi-instance) attribute by the LDAP query. Mine, however, is very short and returns a single line attribute.
In my case, Exim looks it up and all is well. This is the expected behaviour.
In the multiline case, we get an empty result despite being able to see the data on the wire/in strace. This, self-evidently, is not what I expect to happen!
Using ltrace, the issue appears to be with the call to ldap_get_values, which I suspect is not being handed the full response (or is being handed a response with newlines in and doesn't like that) and subsequently returns a value of 0.