
Re: (ITS#3472) return code should be 32 when no access to object

Pierangelo Masarati writes:
>Kurt D. Zeilenga wrote:
>> At present, "none" implies "disclose on error".  It really should
>> be "don't disclose on error".  We should have another level,
>> "disclose", which means "disclose on error".
>> (...)
> I think we should design a very good transition strategy, e.g. provide
> a backwards compatibility option (maybe at configure time), or so.

Not configure time, that will just add to the confusion.  People have
trouble enough with access statements already, they should at least get
the same behaviour when they copy access statements from someone with
the same OpenLDAP version.

Maybe a slapd.conf statement
  access default <disclose/none/read/...>
Without this statement, the default would be 'disclose' for the time
being, to be changed to 'none' later.  However, insert 'access default
none' in the distributed slapd.conf, and maybe make slapd warn if a
database has neither 'access to * by * ...' nor 'access default ...'.
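As an added illustration, not code from this thread or from OpenLDAP, here is a small Python model of what the 'none' versus 'disclose' distinction and the proposed 'access default' statement mean for an unauthorized client: whether the error it gets back reveals that the entry exists. The Directory class, the ACL tuple format, the sample entries and the DNs are all constructed for this example.

```python
# Added illustration, not OpenLDAP code: a toy model of how the access level an
# unauthorized client ends up with ("none" vs "disclose") decides whether an
# error reveals that an entry exists.  Result codes are the standard LDAP ones
# (noSuchObject = 32, insufficientAccessRights = 50, success = 0).
NO_SUCH_OBJECT, INSUFFICIENT_ACCESS, SUCCESS = 32, 50, 0

# Ordered access levels; each level implies everything to its left.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]


def rank(level):
    return LEVELS.index(level)


class Directory:
    """Entries keyed by DN plus an ordered ACL of (dn_or_star, who, level).
    'who' is "*", "self" or a bind DN.  'default' stands in for the proposed
    'access default <level>' statement and applies when no clause matches."""

    def __init__(self, entries, acl, default="disclose"):
        self.entries, self.acl, self.default = entries, acl, default

    def effective_level(self, target_dn, requester_dn):
        for dn, who, level in self.acl:
            if dn not in ("*", target_dn):
                continue
            if who in ("*", requester_dn) or (who == "self" and requester_dn == target_dn):
                return level  # first matching clause wins
        return self.default

    def read_entry(self, target_dn, requester_dn=None):
        """Base-scope lookup: returns (result_code, attributes or None)."""
        if target_dn not in self.entries:
            return NO_SUCH_OBJECT, None
        level = rank(self.effective_level(target_dn, requester_dn))
        if level >= rank("read"):
            return SUCCESS, self.entries[target_dn]
        if level >= rank("disclose"):
            return INSUFFICIENT_ACCESS, None  # error code admits the entry exists
        return NO_SUCH_OBJECT, None  # "none": same answer as for a missing DN


def existence_leaks(directory, existing_dn, missing_dn, requester_dn=None):
    """True if the result codes let the requester tell a protected entry from a missing one."""
    protected = directory.read_entry(existing_dn, requester_dn)[0]
    missing = directory.read_entry(missing_dn, requester_dn)[0]
    return protected != missing


def needs_default_warning(acl, default_given):
    """The warning suggested above: neither 'access to * by * ...' nor 'access default ...'."""
    return not default_given and not any(dn == "*" and who == "*" for dn, who, _ in acl)


# Constructed sample: only the entry's owner has a rule; everyone else falls to the default.
ENTRIES = {"uid=alice,dc=example,dc=com": {"uid": ["alice"], "mail": ["alice@example.com"]}}
ACL = [("*", "self", "write")]
```

With the default at 'disclose', an anonymous lookup of alice's entry returns 50 while a lookup of a nonexistent DN returns 32, so the difference alone confirms which users exist; with 'access default none' both return 32.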