
Re: LDAP_OPERATIONS_ERROR instead of LDAP_INSUFFICIENT_ACCESS (ITS#1987)



At 10:19 AM 2002-07-26, Michael Ströder wrote:
>Kurt D. Zeilenga wrote:
>>>      strongAuthRequired (8)
>>>   
>>>         Except when returned in a Notice of Disconnect (see section
>>>         4.4.1), this indicates that the server requires the client to
>>>         authentication using a strong(er) mechanism.
>>
>>I note that the Bind section should be clarified... the intent
>>is simply that a strong(er) mechanism should be used.
>
>Following your explanation strongAuthRequired would be more helpful for the application than operationsError.

I've already committed a change...

>> [..]
>> That is, I think it would be better (and very user friendly)
>> for the client to be proactive, not reactive, about security.
>
>When implementing applications in a self-designed directory project I would treat the user to login first. web2ldap is a generic client which does not make any assumptions about a given directory at all. Hence it also does not assume that anonymous writes are not allowed. It tries to aid the user to choose the next reasonable step though.

Your client can be proactive, not reactive, without making
assumptions.  It could have a checkbox to enable anonymous
write on update form.  It could allow login form to be
bypassed.

Actually, what would be nice would be to present the user
with a security policy form BEFORE even connecting to the
LDAP server which allowed the USER to mandate the minimum
level of security required to perform an operation.

Anyways, we can take this off-line... it's not terribly
relevant to the issue at hand.

Kurt
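
The proactive check suggested in the message above, as an added sketch that is not part of the original post and is not web2ldap or OpenLDAP code: the user's minimum security level per operation is consulted before anything is sent, and the server's result code is only a fallback. The `Level` ordering, `Policy`, `perform` and the `send` callback are hypothetical names; the result codes are the standard LDAP values for the codes named in the thread.

```python
from enum import IntEnum

class Level(IntEnum):
    """Hypothetical session security levels, weakest first."""
    ANONYMOUS = 0
    SIMPLE_CLEARTEXT = 1
    SIMPLE_OVER_TLS = 2
    SASL_STRONG = 3

# LDAP result codes discussed in the thread.
SUCCESS = 0
OPERATIONS_ERROR = 1
STRONG_AUTH_REQUIRED = 8
INSUFFICIENT_ACCESS = 50

REACTIVE_HINT = {
    STRONG_AUTH_REQUIRED: "rebind with a stronger mechanism",
    INSUFFICIENT_ACCESS: "bind as an identity with more rights",
    OPERATIONS_ERROR: "no specific hint; show the server's message",
}

class Policy:
    """Minimum level per operation, chosen by the user before connecting."""
    def __init__(self, minimum):
        self.minimum = dict(minimum)

    def required(self, operation):
        # Fail closed: an operation the user did not list needs the top level.
        return self.minimum.get(operation, max(Level))

def perform(policy, operation, session_level, send):
    """Return (sent, message). `send` is a stand-in for the real LDAP call."""
    need = policy.required(operation)
    if session_level < need:
        # Proactive: refuse locally, nothing goes on the wire.
        return False, f"{operation} needs {need.name}, session is {session_level.name}"
    code = send(operation)
    if code == SUCCESS:
        return True, "ok"
    # Reactive fallback: the server still has the final say.
    return True, REACTIVE_HINT.get(code, f"result code {code}")

# Constructed sample: the user allows anonymous search but not anonymous writes.
SAMPLE_POLICY = Policy({"search": Level.ANONYMOUS, "modify": Level.SIMPLE_OVER_TLS})
```

Allowing anonymous writes, as the checkbox idea in the message would, corresponds to setting `"modify": Level.ANONYMOUS` in the policy rather than bypassing the check.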