
Re: commit: ldap/servers/slapd limits.c



Hallvard B Furuseth wrote:
hallvard@OpenLDAP.org writes:
	limits.c  1.83 -> 1.84
More ITS#5734: Handle empty o_req_ndn.  (...)

This gets somewhat inconsistent:

dn.this.<subtree or exact>="" now matches target DN "".  However, to
preserve backwards compatibility, dn.<subtree or exact>="" does not
match anonymous binding.

OTOH, limits dn.<anything>=* becomes limits *, again preserving
backwards compatibility.  However dn.<onelevel or children>=*
should not match empty target DN/anonymous connections.

Should we leave it as it is?  Or change the old behavior?  And if so,
does an anonymous connection have a DN so it should match "", or not?

"" is a valid DN, but not a valid entry name (AFAIK). That's why we use it for anonymous. ACLs and limits use the notion of DN to indicate two different things: the target and the user. Of course, although "" is a valid target, it is not a valid user (or, it indicates the empty user, and thus anonymous). I'm not sure I entirely got the point and whether this helps or not, but the semantics should be clear.


Or we could make them errors to avoid admins seeing unexpected behavior
for a config which slapd accepts.  These cases seem fairly useless, but
could arise from something like auto-generated config files when the
admin inputs suffix "".

In any case, I'd prefer the original behavior be preserved as much as possible, and I'd prefer to avoid introducing pitfalls that easily trick admins (and wannabe admins) into persevering in making the same errors over and over.


p.


Ing. Pierangelo Masarati OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
-----------------------------------
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Fax:     +39 0382 476497
Email:   ando@sys-net.it
-----------------------------------
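The cases the two messages above argue about (an empty pattern or an empty DN under the exact, subtree, onelevel and children styles, the anonymous bind DN "", and the collapse of dn.<anything>=* into *) are easier to reason about with a small model in front of you. The following Python is an added example written for this page, not OpenLDAP's limits.c: it models the behaviour as the thread describes it, treats a DN as a plain comma-separated RDN list (no normalization or escaping, which is an assumption), and the helper names are hypothetical.

```python
"""Model of slapd-style limits DN pattern matching on empty DNs.

Constructed to illustrate the cases discussed in the thread; this is a
model of the described semantics, not OpenLDAP's own code.  DNs are
treated as comma-separated RDN lists (simplification: no normalization,
escaping or multi-valued RDNs).
"""

STYLES = ("exact", "subtree", "onelevel", "children")


def rdns(dn: str) -> list[str]:
    """Split a DN into RDNs, most-specific first; the empty DN has none."""
    dn = dn.strip()
    return [] if dn == "" else [r.strip().lower() for r in dn.split(",")]


def dn_matches(style: str, pattern: str, target: str) -> bool:
    """Does `target` fall under `pattern` for the given style?

    '*' matches any DN, including "".  For the other styles the pattern
    must be a suffix of the target; how much longer the target may be
    depends on the style.  The empty pattern is the root, so every DN is
    in its subtree, but nothing (not even "") is one level below it.
    """
    if style not in STYLES:
        raise ValueError(f"unknown style {style!r}")
    if pattern == "*":
        return True
    p, t = rdns(pattern), rdns(target)
    suffix_ok = len(t) >= len(p) and t[len(t) - len(p):] == p
    if style == "exact":
        return t == p
    if style == "subtree":
        return suffix_ok
    if style == "onelevel":
        return suffix_ok and len(t) == len(p) + 1
    return suffix_ok and len(t) > len(p)  # children


def limits_selector_matches(selector: str, pattern: str,
                            bind_dn: str, target_dn: str) -> bool:
    """Evaluate a limits selector against a connection.

    'dn.<style>' is matched against the bound user's DN, 'dn.this.<style>'
    against the target (request) DN.  The backwards-compatibility quirk
    from the thread is modelled explicitly: dn.<style>="" does not match
    the anonymous (empty) bind DN, while dn.<style>=* collapses to '*'
    and therefore does.
    """
    parts = selector.split(".")
    if parts[0] != "dn":
        raise ValueError(f"unsupported selector {selector!r}")
    if parts[1] == "this":
        return dn_matches(parts[2], pattern, target_dn)
    style = parts[1]
    if bind_dn == "" and pattern != "*":
        return False  # anonymous never matches an explicit user pattern
    return dn_matches(style, pattern, bind_dn)


if __name__ == "__main__":
    # Constructed cases from the thread: target DN "" vs. anonymous bind.
    print(limits_selector_matches("dn.this.subtree", "", "", ""))   # True
    print(limits_selector_matches("dn.subtree", "", "", "dc=example"))  # False
    print(limits_selector_matches("dn.onelevel", "*", "", ""))      # True
    print(dn_matches("onelevel", "", ""))                           # False
```

Running the module prints the four cases side by side; the last two lines together are the inconsistency Hallvard points out, since a onelevel pattern written as `*` matches the empty DN even though no DN is one level below "".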