Re: sizelimit evaluated before ACLs?

["Kurt D. Zeilenga" <Kurt@OpenLDAP.org>]

I think the general assumption was that if the client
has some search permission (check by test_filter
prior to calling send_search_entry), it has read on
"entry".  Now, with overlays and other things happening,
having send_search_result indicate whether or not an entry
was actually sent (or possibly the number of entries
sent?) would be a good idea.

At 03:14 PM 11/23/2005, Howard Chu wrote:
>Eric Irrgang wrote:
>>I'm sorry if this has already been discussed, but I can't seem to find
>>such a thread in the archives...
>>
>>With OL 2.2.29 it looks to me like the sizelimit specified by a client
>>search is evaluated after the ACLs on the server side, so that if a client
>>specifies a sizelimit of 10 and receives 8 results, it may be obvious that
>>2 entries matched the filter but failed the ACL check, disclosing perhaps
>>more information than the directory maintainers would like.
>>
>>Is this expected/intended behavior?
>>
>>  
>It is the as-designed behavior. But you're right, the design is broken here. Currently all sizelimit checking is done in the individual backends, while the search ACLs are checked in the frontend. Checking in the backends means there's a lot of redundant code; it should all be moved into the frontend.
>
>Such a change would break the pagedResults implementation in back-bdb. But that's probably OK, since the pagedResults feature properly belongs in the frontend as well.
>
>-- 
> -- Howard Chu
> Chief Architect, Symas Corp.  http://www.symas.com
> Director, Highland Sun        http://highlandsun.com/hyc
> OpenLDAP Core Team            http://www.openldap.org/project/