Re: commit: ldap/servers/slapd limits.c

hallvard@OpenLDAP.org writes:
> 	limits.c  1.83 -> 1.84
> More ITS#5734: Handle empty o_req_ndn.  (...)

This gets somewhat inconsistent:

dn.this.<subtree or exact>="" now matches target DN "".  However, to
preserve backwards compatibility, dn.<subtree or exact>="" does not
match anonymous binding.

OTOH, limits dn.<anything>=* becomes limits *, again preserving
backwards compatibility.  However dn.<onelevel or children>=*
should not match empty target DN/anonymous connections.

Should we leave it as it is?  Or change the old behavior?  And if so,
does an anonymous connection have a DN so it should match "", or not?

Or we could make them errors to avoid admins seeing unexpected behavior
for a config which slapd accepts.  These cases seem fairly useless, but
could arise from something like an auto-generated config file when the
admin inputs suffix "".