Re: LDAP_OPERATIONS_ERROR instead of LDAP_INSUFFICIENT_ACCESS (ITS#1987)
Kurt D. Zeilenga wrote:
>> strongAuthRequired (8)
>> Except when returned in a Notice of Disconnect (see section
>> 4.4.1), this indicates that the server requires the client to
>> authentication using a strong(er) mechanism.
> I note that the Bind section should be clarified... the intent
> is simply that a strong(er) mechanism should be used.
Following your explanation strongAuthRequired would be more
helpful for the application than operationsError.
> I think the message is clear enough to indicate to the user
> that it should establish its identity before attempting a
> modification. But, if you like, I'll change the message to:
> "modifications require establish of client's identity"
> But I suspect that would confuse most users.
The exact info message is not that important to me. My application
takes the error code to determine whether to display a login form
>>> I think it odd that you attempt an update operation while
>> Why? It's very user-friendly. The user can browse anonymously and,
>> if required, bind with higher-privileged Bind-DN.
> I think it would be better (security wise) for the client to
> track its authentication/security layer state and not attempt
> operations when inadequate authentication/security layers
> are not present.
> That is, I think it would be better (and very user friendly)
> for the client to be proactive, not reactive, about security.
When implementing applications in a self-designed directory
project I would treat the user to log in first. web2ldap is a
generic client which does not make any assumptions about a given
directory at all. Hence it also does not assume that anonymous
writes are not allowed. It tries to aid the user to choose the
next reasonable step though.
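
The two client strategies debated in this thread, sketched as an added example (not part of the original message and not web2ldap's code). The names Step, Session, reactive_step, proactive_step and the writes_need_bind flag are hypothetical; only the numeric result codes are taken from the LDAP specification.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional

# LDAP result codes discussed in this thread (numeric values per RFC 4511).
SUCCESS = 0
OPERATIONS_ERROR = 1
STRONG_AUTH_REQUIRED = 8          # named strongerAuthRequired in RFC 4511
INSUFFICIENT_ACCESS_RIGHTS = 50

class Step(Enum):
    DONE = "done"
    LOGIN_FORM = "offer login form"
    GENERIC_ERROR = "show error text only"

@dataclass
class Session:
    bind_dn: str = ""             # empty string means anonymous

    @property
    def anonymous(self) -> bool:
        return self.bind_dn == ""

# Codes that tell the client authentication or privileges were the problem.
AUTH_HINT_CODES = {STRONG_AUTH_REQUIRED, INSUFFICIENT_ACCESS_RIGHTS}

def reactive_step(result_code: int) -> Step:
    """Generic client: send the write, then act on the result code alone."""
    if result_code == SUCCESS:
        return Step.DONE
    if result_code in AUTH_HINT_CODES:
        return Step.LOGIN_FORM
    # operationsError (1) says nothing about authentication, so the client
    # cannot tell a missing bind from any other server-side failure.
    return Step.GENERIC_ERROR

def proactive_step(session: Session, writes_need_bind: bool) -> Optional[Step]:
    """Directory-specific client: check local state before sending the write.

    writes_need_bind is deployment knowledge (an assumption of this sketch)
    that a generic client does not have. Returns None if the write may be sent.
    """
    if writes_need_bind and session.anonymous:
        return Step.LOGIN_FORM
    return None
```
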