[Date Prev][Date Next]
Re: sizelimit evaluated before ACLs?
Eric Irrgang wrote:
It is the as-designed behavior. But you're right, the design is broken
here. Currently all sizelimit checking is done in the individual
backends, while the search ACLs are checked in the frontend. Checking in
the backends means there's a lot of redundant code; it should all be
moved into the frontend.
I'm sorry if this has already been discussed, but I can't seem to find
such a thread in the archives...
With OL 2.2.29 it looks to me like the sizelimit specified by a client
search is evaluated after the ACLs on the server side, so that if a client
specifies a sizelimit of 10 and receives 8 results, it may be obvious that
2 entries matched the filter but failed the ACL check, disclosing perhaps
more information than the directory maintainers would like.
Is this expected/intended behavior?
Such a change would break the pagedResults implementation in back-bdb.
But that's probably OK, since the pagedResults feature properly belongs
in the frontend as well.
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc
OpenLDAP Core Team http://www.openldap.org/project/