Re: (ITS#3472) return code should be 32 when no access to object
Kurt D. Zeilenga wrote:
A (minor?) side-effect is that to achieve the current behavior, all
configurations should add a trailing "by * disclose" rule, or other
minor tweaks such as those I had to add to the test006 script, conf and data.
This will generate a headache in terms of email traffic of the type "it
used to work up to 2.2, it doesn't work any more", regardless of how
well the change is highlighted in the docs. I think we should design a
very good transition strategy, e.g. provide a backwards compatibility
option (maybe at configure time), or so.
[Redirected to -devel for discussion]
At present, "none" implies "disclose on error". It really should
be "don't disclose on error". We should have another level,
"disclose", which means "disclose on error".
    access to *
        by self read
        by users disclose
        by anonymous none
First and second "by" clause as is now. Third means that users
who attempt to access some object will be told "access denied",
with a matchedDN, etc. (That is, just like today's "none").
Last means "don't disclose on error", hence noSuchObject is
returned even if the entry exists, and matchedDN will be empty,
SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497
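
The proposal discussed in this message, modelled as an added example (not part of the original message and not OpenLDAP's code): the first matching "by" clause decides the granted level, and the error returned depends on whether that level reaches "disclose". The type names, the reduced level set, the fall-through to "none" and the use of the entry DN as matchedDN are assumptions of this model; 32 and 50 are the standard LDAP noSuchObject and insufficientAccessRights codes.

```c
#include <stdio.h>
#include <string.h>

/* LDAP result codes (RFC 4511). */
enum { LDAP_SUCCESS = 0, LDAP_NO_SUCH_OBJECT = 32, LDAP_INSUFFICIENT_ACCESS = 50 };
/* Simplified level set assumed for this model; "disclose" sits just above "none". */
typedef enum { ACC_NONE, ACC_DISCLOSE, ACC_READ, ACC_WRITE } acc_level;
typedef enum { WHO_SELF, WHO_USERS, WHO_ANONYMOUS, WHO_ANY } acc_who;
typedef struct { acc_who who; acc_level level; } by_clause;
typedef struct { int code; const char *matched_dn; } acc_result;

/* ACL from the message, plus two constructed ACLs without/with a catch-all. */
const by_clause ACL_MSG[] = {
    { WHO_SELF, ACC_READ }, { WHO_USERS, ACC_DISCLOSE }, { WHO_ANONYMOUS, ACC_NONE } };
const by_clause ACL_SELF_ONLY[] = { { WHO_SELF, ACC_READ } };
const by_clause ACL_SELF_PLUS_DISCLOSE[] = {
    { WHO_SELF, ACC_READ }, { WHO_ANY, ACC_DISCLOSE } };

/* bound_dn is NULL for an anonymous requester. */
static int who_matches(acc_who who, const char *bound_dn, const char *entry_dn) {
    switch (who) {
    case WHO_SELF:      return bound_dn && strcmp(bound_dn, entry_dn) == 0;
    case WHO_USERS:     return bound_dn != NULL;
    case WHO_ANONYMOUS: return bound_dn == NULL;
    default:            return 1; /* "by *" */
    }
}

/* First matching "by" clause wins; no match is treated as "none". */
static acc_level granted(const by_clause *acl, int n, const char *bound_dn, const char *entry_dn) {
    for (int i = 0; i < n; i++)
        if (who_matches(acl[i].who, bound_dn, entry_dn)) return acl[i].level;
    return ACC_NONE;
}

/* What the client sees when it asks for `wanted` access to an existing entry. */
acc_result access_result(const by_clause *acl, int n, const char *bound_dn,
                         const char *entry_dn, acc_level wanted) {
    acc_level got = granted(acl, n, bound_dn, entry_dn);
    if (got >= wanted) return (acc_result){ LDAP_SUCCESS, "" };
    if (got >= ACC_DISCLOSE) /* existence may be revealed: "access denied" */
        return (acc_result){ LDAP_INSUFFICIENT_ACCESS, entry_dn };
    return (acc_result){ LDAP_NO_SUCH_OBJECT, "" }; /* same as a missing entry */
}

int main(void) {
    acc_result r = access_result(ACL_MSG, 3, NULL, "cn=a,dc=example,dc=com", ACC_READ);
    printf("anonymous read -> %d matchedDN=\"%s\"\n", r.code, r.matched_dn);
    return 0;
}
```

With ACL_SELF_ONLY every requester other than the entry itself gets 32, which is the behaviour change the first paragraph expects a trailing "by * disclose" to undo.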