
Re: (ITS#3472) return code should be 32 when no access to object



>> I think we should design a very good transition strategy, e.g. provide
>> a backwards compatibility option (maybe at configure time), or so.
>
> Not configure time, that will just add to the confusion.  People have
> trouble enough with access statement already, they should at least get
> the same behaviour when they copy access statements from someone with
> the same OpenLDAP version.
>
> Maybe a slapd.conf statement
>   access default <disclose/none/read/...>
> Without this statement, the default would be 'disclose' for the time
> being, to be changed to 'none' later.  However, insert 'access default
> none' in the distributed slapd.conf, and maybe make slapd warn if a
> database has neither 'access to * by * ...' nor 'access default ...'.

Hallvard,

I think your suggestions make a lot of sense; I have no preferences at the
moment, (I don't like the name "access default" because it seems to make a
bit of confusion about its purpose; I'd rather use something like
"access-fallthru-level", which is horrible but that's what I mean for it).
In any case it should be clearly marked as transitional in the docs, to be
set to "disclose" for backwards compatibility, and defaulting to "none".
I don't agree with changing the default at some point, this is really going
to add confusion; I favor printing a message if it's not defined until the
transition can be considered complete.  My expectation is that new users
don't need to use it to have the __new__ behavior while old users need a
warning if they're not using it and they expect the __old__ behavior.  I
think a change in the default behavior of ACLs between 2.2 and 2.3 is
acceptable if appropriately documented, and the possibility of selecting
the default fallthru level should give a wide range of choices to
administrators.

One comment is that I have the sensation that we should define what we
intend for default behavior, and how to enforce it, as soon as possible,
because it might influence how its implementation will be done, unless we
want to hide everything behind #define LDAP_DEVEL...

Ciao, p.

-- 
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it


    SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497
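As an added illustration (not part of this thread and not OpenLDAP's distributed slapd.conf), the following ACL fragment shows the explicit catch-all rule Hallvard refers to: ending every database's ACL list with "access to * by * none" fixes the fallthrough level in the configuration itself, so the result does not depend on which default a given slapd version applies. The suffix, rootdn and backend are placeholders.

```conf
# Added example, not from the thread: ACLs for a hypothetical database
# (suffix dc=example,dc=com is a placeholder) that end with an explicit
# "access to * by * none", so the fallthrough level never depends on a
# per-version default.
database    bdb
suffix      "dc=example,dc=com"
rootdn      "cn=Manager,dc=example,dc=com"

# Users may change their own password; anyone may bind against it.
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none

# Authenticated users may read the tree; anonymous clients get nothing.
access to dn.subtree="dc=example,dc=com"
    by users read
    by * none

# Explicit catch-all: whatever the rules above did not match is denied.
# Substituting "by * disclose" here reproduces the "disclose" fallthrough
# discussed above, i.e. the existence of otherwise inaccessible entries
# may be revealed by the error code returned.
access to *
    by * none
```

With the last rule present, the question of whether the server's built-in fallthrough is "disclose" or "none" never arises for this database, which is exactly the situation the proposed warning is meant to push administrators towards.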