[Date Prev][Date Next] [Chronological] [Thread] [Top]


Aaron Richton wrote:
I've found a situation similar to what I believe inspired "disclose" ACLs, in which giving out the return value of LDAP_SIZELIMIT_EXCEEDED is telling clients something that I don't want them to know (i.e. "keep digging.") I'd like to just throw away the code and change it to LDAP_SUCCESS. Can anybody think of a way to do this (slapo-retcode comes to mind, but I can't see how it would work on these very non-dynamic entries) or should I just write an eight line overlay?

Is this something that enough people want that there should be, say, a "silent" option to the limits directive?

This seems like a pointless option. If I do a search for (cn>=a) and get 500 entries returned, and another search for (cn>=b) and still get 500 entries returned, then it's obvious there are more entries out there even if you mask the result code. The "disclose" feature of ACLs is a real security measure, because it prevents you from seeing that which you could not see by any means. What you're proposing here is not; the information you're hiding can still be discovered by other legitimate mechanisms. It is easily circumvented and it's contrary to the specification of the Directory System models.

  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc
  Chief Architect, OpenLDAP     http://www.openldap.org/project/