Re: LDAP_OPERATIONS_ERROR instead of LDAP_INSUFFICIENT_ACCESS (ITS#1987)

[michael@stroeder.com]

Kurt D. Zeilenga wrote:
> 
 >>What's the rationale behind changing the error code returned if
 >>a write access
 >>to the directory with anonymous bind fails?
 >
 > 2.1 includes operations error checks which previous versions
 > didn't.

Can you elaborate on this? Which checks.

>>In OpenLDAP 2.0.x and any other LDAP server I know of LDAP_INSUFFICIENT_ACCESS
>>is returned if the add or modify operation fails.
> 
> insufficientAccess indicates that the operation failed
> due to violation of the access control policy.

Which makes sense in that case either. Doesn't it?

>>But OpenLDAP 2.1.x returns LDAP_OPERATIONS_ERROR with info field saying
>>"modifications require authentication".
> 
> operationsError indicates that the client has attempted an
> operation before some other required operation and/or without
> other pending operations to complete.  In this case, it
> indicates that the client has failed to authenticate to the
> directory (using the bind operation) prior to attempting
> to modify the directory (using the modify operation).

Well, this is a matter of interpretation. The new way in OpenLDAP 
2.1.x does not allow write operations for anonymous bind at all? 
Note that my client does the anonymous bind explicitly before any 
other operation (except StartTLS extended operation) for probing 
LDAPv3 vs. LDAPv2.

>>This is bad since LDAP_OPERATIONS_ERROR can be anything
> 
> No!  The operationsError resultCode indicates an operations error,
> which has specific meaning in LDAP

Fact is that it's a common practice with LDAP servers to return 
LDAP_INSUFFICIENT_ACCESS and that it's pretty convenient for the 
user getting a login form instead of generic operations error 
message. The new way in OpenLDAP 2.1.x makes the life of LDAP 
application programmers even more miserable than it already is.

Or do you suggest that the client application should look at the 
info field?

Ciao, Michael.