
Re: LDAP_OPERATIONS_ERROR instead of LDAP_INSUFFICIENT_ACCESS (ITS#1987)



Kurt D. Zeilenga wrote:
>>       strongAuthRequired (8)
>>    
>>          Except when returned in a Notice of Disconnect (see section 
>>          4.4.1), this indicates that the server requires the client to
>>          authentication using a strong(er) mechanism.
> 
> 
> I note that the Bind section should be clarified... the intent
> is simply that a strong(er) mechanism should be used.

Following your explanation, strongAuthRequired would be more
helpful for the application than operationsError.

> I think the message is clear enough to indicate to the user
> that it should establish its identity before attempting a
> modification.  But, if you like, I'll change the message to:
>         "modifications require establish of client's identity"
> 
> But I suspect that would confuse most users.

The exact info message is not that important to me. My application 
takes the error code to determine whether to display a login form 
or not.

>>> I think it odd that you attempt an update operation while
>>> anonymous.
>>
>> Why? It's very user-friendly. The user can browse anonymously and,
>> if required, bind with higher-privileged Bind-DN.
> 
> I think it would be better (security wise) for the client to
> track its authentication/security layer state and not attempt
> operations when inadequate authentication/security layers
> are not present.
> [..]
> That is, I think it would be better (and very user friendly)
> for the client to be proactive, not reactive, about security.

When implementing applications in a self-designed directory
project I would require the user to log in first. web2ldap is a
generic client which does not make any assumptions about a given
directory at all. Hence it also does not assume that anonymous
writes are not allowed. It tries to help the user choose the
next reasonable step, though.

Ciao, Michael.
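The two client strategies debated in this exchange, the generic client that sends the operation and keys its next step off the result code versus a client that tracks its own bind state and never sends an anonymous write, side by side. This is an added example, not code from the original message or from web2ldap; the server is a constructed in-memory stand-in, and the resultCode numbers are the ones defined in RFC 4511.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional

# resultCode values from RFC 4511 (these numbers are the real protocol values).
SUCCESS = 0
OPERATIONS_ERROR = 1
STRONG_AUTH_REQUIRED = 8
INSUFFICIENT_ACCESS_RIGHTS = 50


class NextStep(Enum):
    """What the client UI should do after a modify attempt."""
    DONE = "done"
    SHOW_LOGIN_FORM = "show login form"
    SHOW_ERROR = "show error"


@dataclass
class FakeServer:
    """Constructed stand-in for a directory server (not a real LDAP server).

    `anon_write_code` is the resultCode this server returns when an
    anonymous session attempts a modify; which code a server should
    return here is exactly what the thread argues about.
    """
    anon_write_code: int
    requests_seen: int = 0

    def modify(self, bound_dn: Optional[str], dn: str) -> int:
        self.requests_seen += 1
        if bound_dn is None:
            return self.anon_write_code
        return SUCCESS


def interpret(code: int, bound_dn: Optional[str]) -> NextStep:
    """Map a modify resultCode to a UI action.

    A generic client has to key on the code, not on the free-text
    message, so an ambiguous code like operationsError gives it nothing
    to go on.
    """
    if code == SUCCESS:
        return NextStep.DONE
    if code == STRONG_AUTH_REQUIRED:
        # Server says: authenticate (more strongly) before retrying.
        return NextStep.SHOW_LOGIN_FORM
    if code == INSUFFICIENT_ACCESS_RIGHTS and bound_dn is None:
        # Anonymous and denied: binding with a privileged DN may help.
        return NextStep.SHOW_LOGIN_FORM
    # insufficientAccessRights while already bound, operationsError, or
    # anything else: the code carries no hint that a login would help.
    return NextStep.SHOW_ERROR


@dataclass
class ReactiveClient:
    """Sends the operation as-is and decides from the result code
    (the generic-client approach defended in the reply)."""
    server: FakeServer
    bound_dn: Optional[str] = None

    def modify(self, dn: str) -> NextStep:
        code = self.server.modify(self.bound_dn, dn)
        return interpret(code, self.bound_dn)


@dataclass
class ProactiveClient:
    """Tracks its own bind state and refuses to send a modify while
    anonymous (the approach suggested in the quoted text)."""
    server: FakeServer
    bound_dn: Optional[str] = None

    def bind(self, dn: str) -> None:
        # Hypothetical bind: in a real client this would be a Bind request.
        self.bound_dn = dn

    def modify(self, dn: str) -> NextStep:
        if self.bound_dn is None:
            # Never put an anonymous modify on the wire.
            return NextStep.SHOW_LOGIN_FORM
        code = self.server.modify(self.bound_dn, dn)
        return interpret(code, self.bound_dn)


if __name__ == "__main__":
    for code in (OPERATIONS_ERROR, STRONG_AUTH_REQUIRED, INSUFFICIENT_ACCESS_RIGHTS):
        srv = FakeServer(anon_write_code=code)
        print(code, ReactiveClient(srv).modify("cn=test"),
              ProactiveClient(srv).modify("cn=test"))
```

Run with the three anonymous-write codes and the difference is visible: the reactive client can only offer a login form when the server returns strongAuthRequired or insufficientAccessRights, and falls back to a bare error on operationsError; the proactive client never sends the anonymous modify at all, so the server's choice of code does not matter to it.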