Re: (ITS#3472) return code should be 32 when no access to object

Kurt D. Zeilenga wrote:

[Redirected to -devel for discussion]

At present, "none" implies "disclose on error".  It really should
be "don't disclose on error".  We should have another level,
"disclose", which means "disclose on error".

access to *
        by dn=cn=Manager
        by self read
        by users disclose
        by anonymous none

First and second "by" clauses as they are now. Third means that users who attempt to access some object will be told "access denied",
with a matchedDN, etc. (That is, just like today's "none".)
Last means "don't disclose on error", hence noSuchObject is
returned even if the entry exists, and matchedDN will be empty.

A (minor?) side-effect is that to achieve the current behavior, all configurations should add a trailing "by * disclose" rule, or other minor tweaks as those I had to add to test006 script, conf and data. This will generate a headache in terms of email traffic of the type "it used to work up to 2.2, it doesn't work any more", regardless of how well the change is highlighted in the docs. I think we should design a very good transition strategy, e.g. provide a backwards compatibility option (maybe at configure time), or so.
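To make the proposed semantics concrete, here is a small toy model of the per-"by"-clause evaluation discussed above. It is an added example written for this thread, not OpenLDAP code: it assumes a "write" level on the cn=Manager clause (the quoted fragment omits it), a tiny constructed directory, and the "first matching rule, first matching by clause wins" ordering, and it returns the LDAP result code plus matchedDN so one can see that an anonymous requester under "none" gets the same noSuchObject (32) for an existing entry as for a missing one, while a user under "disclose" gets insufficientAccessRights (50) and thereby learns the entry exists.

```python
"""Toy model of the proposed "disclose" access level (constructed example, not slapd code)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Ordered privilege levels in slapd.access(5) style, with the proposed
# "disclose" level inserted between "none" and "auth" (assumption).
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]

NO_SUCH_OBJECT = 32
INSUFFICIENT_ACCESS = 50
SUCCESS = 0


@dataclass
class By:
    who: str    # "*", "self", "users", "anonymous" or "dn=<dn>"
    level: str  # one of LEVELS


@dataclass
class Rule:
    what: str   # "*" or a DN suffix the target must end with
    bys: List[By]


def who_matches(by: By, requester_dn: Optional[str], target_dn: str) -> bool:
    """Does this 'by' clause apply to the requester (None = anonymous)?"""
    if by.who == "*":
        return True
    if by.who == "anonymous":
        return requester_dn is None
    if by.who == "users":
        return requester_dn is not None
    if by.who == "self":
        return requester_dn is not None and requester_dn == target_dn
    if by.who.startswith("dn="):
        return requester_dn == by.who[3:]
    return False


def effective_level(acl: List[Rule], requester_dn: Optional[str], target_dn: str) -> str:
    """First matching rule wins; within it, the first matching 'by' clause wins.
    A matching rule with no matching clause behaves like an implicit 'by * none'."""
    for rule in acl:
        if rule.what == "*" or target_dn.endswith(rule.what):
            for by in rule.bys:
                if who_matches(by, requester_dn, target_dn):
                    return by.level
            return "none"
    return "none"


def matched_dn(dn: str, directory: set) -> str:
    """Longest existing ancestor of dn, as a server would report in matchedDN."""
    parts = dn.split(",")
    for i in range(1, len(parts)):
        candidate = ",".join(parts[i:])
        if candidate in directory:
            return candidate
    return ""


def read_entry(acl: List[Rule], directory: set,
               requester_dn: Optional[str], target_dn: str) -> Tuple[int, str]:
    """Return (resultCode, matchedDN) for a read of target_dn under the proposed semantics."""
    if target_dn not in directory:
        return (NO_SUCH_OBJECT, matched_dn(target_dn, directory))
    level = effective_level(acl, requester_dn, target_dn)
    if LEVELS.index(level) >= LEVELS.index("read"):
        return (SUCCESS, target_dn)
    if level == "none":
        # Proposed: "none" does not disclose on error, so the entry looks absent.
        return (NO_SUCH_OBJECT, "")
    # "disclose" (or any higher level short of read): error reveals existence.
    return (INSUFFICIENT_ACCESS, target_dn)


def existence_leaks(acl: List[Rule], directory: set, requester_dn: Optional[str],
                    existing_dn: str, missing_dn: str) -> bool:
    """True if the requester can tell an existing entry apart from a missing one."""
    return read_entry(acl, directory, requester_dn, existing_dn) != \
        read_entry(acl, directory, requester_dn, missing_dn)


# Constructed directory and the ACL from the thread (Manager level assumed to be "write").
DIRECTORY = {
    "dc=example,dc=com",
    "ou=people,dc=example,dc=com",
    "uid=alice,ou=people,dc=example,dc=com",
    "uid=bob,ou=people,dc=example,dc=com",
}
ACL = [Rule("*", [
    By("dn=cn=Manager", "write"),
    By("self", "read"),
    By("users", "disclose"),
    By("anonymous", "none"),
])]

if __name__ == "__main__":
    alice = "uid=alice,ou=people,dc=example,dc=com"
    carol = "uid=carol,ou=people,dc=example,dc=com"  # does not exist
    for who in ("uid=bob,ou=people,dc=example,dc=com", None):
        print(who or "anonymous", read_entry(ACL, DIRECTORY, who, alice),
              read_entry(ACL, DIRECTORY, who, carol))
```

Running it shows bob (a "users" match, hence "disclose") getting 50 with a matchedDN for alice's entry but 32 for the missing one, whereas the anonymous requester ("none") gets 32 with an empty matchedDN in both cases. The same model also illustrates the transition concern: a pre-change configuration whose last clause is "by anonymous none" silently stops disclosing once "none" changes meaning, which is exactly why a trailing "by * disclose" would be needed to keep today's behaviour.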
