
Re: LDAP_OPERATIONS_ERROR instead of LDAP_INSUFFICIENT_ACCESS (ITS#1987)



At 05:40 PM 2002-07-25, michael@stroeder.com wrote:
>Full_Name: 
>Version: REL_ENG_2_1
>OS: SuSE Linux 8.0
>URL: ftp://ftp.openldap.org/incoming/
>Submission from: (NULL) (217.1.21.54)
>
>
>What's the rationale behind changing the error code returned if a write access
>to the directory with anonymous bind fails?

2.1 includes operations error checks which previous versions
didn't.

>In OpenLDAP 2.0.x and any other LDAP server I know of LDAP_INSUFFICIENT_ACCESS
>is returned if the add or modify operation fails.

insufficientAccess indicates that the operation failed
due to violation of the access control policy.

>But OpenLDAP 2.1.x returns LDAP_OPERATIONS_ERROR with info field saying
>"modifications require authentication".

operationsError indicates that the client has attempted an
operation before some other required operation and/or without
other pending operations to complete.  In this case, it
indicates that the client has failed to authenticate to the
directory (using the bind operation) prior to attempting
to modify the directory (using the modify operation).

>This is bad since LDAP_OPERATIONS_ERROR can be anything

No!  The operationsError resultCode indicates an operations error,
which has specific meaning in LDAP (except, due to a bug in RFC 2251,
when returned in a Bind response).  The operationsError should
not be confused with result codes which can mean pretty much
"anything" (e.g., otherError).