[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: sizelimit evaluated before ACLs?

Eric Irrgang wrote:
I'm sorry if this has already been discussed, but I can't seem to find
such a thread in the archives...

With OL 2.2.29 it looks to me like the sizelimit specified by a client
search is evaluated after the ACLs on the server side, so that if a client
specifies a sizelimit of 10 and receives 8 results, it may be obvious that
2 entries matched the filter but failed the ACL check, disclosing perhaps
more information than the directory maintainers would like.

Is this expected/intended behavior?

It is the as-designed behavior. But you're right, the design is broken here. Currently all sizelimit checking is done in the individual backends, while the search ACLs are checked in the frontend. Checking in the backends means there's a lot of redundant code; it should all be moved into the frontend.

Such a change would break the pagedResults implementation in back-bdb. But that's probably OK, since the pagedResults feature properly belongs in the frontend as well.

 -- Howard Chu
 Chief Architect, Symas Corp.  http://www.symas.com
 Director, Highland Sun        http://highlandsun.com/hyc
 OpenLDAP Core Team            http://www.openldap.org/project/