Re: masking LDAP_SIZELIMIT_EXCEEDED
Aaron Richton wrote:
I've found a situation similar to what I believe inspired "disclose"
ACLs, in which giving out the return value of LDAP_SIZELIMIT_EXCEEDED is
telling clients something that I don't want them to know (i.e. "keep
digging.") I'd like to just throw away the code and change it to
LDAP_SUCCESS. Can anybody think of a way to do this (slapo-retcode comes
to mind, but I can't see how it would work on these very non-dynamic
entries) or should I just write an eight line overlay?
Is this something that enough people want that there should be, say, a
"silent" option to the limits directive?
This seems like a pointless option. If I do a search for (cn>=a) and get
500 entries returned, and another search for (cn>=b) and still get 500
entries returned, then it's obvious there are more entries out there
even if you mask the result code. The "disclose" feature of ACLs is a
real security measure, because it prevents you from seeing that which
you could not see by any means. What you're proposing here is not; the
information you're hiding can still be discovered by other legitimate
mechanisms. It is easily circumvented and it's contrary to the
specification of the Directory System models.
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc
Chief Architect, OpenLDAP http://www.openldap.org/project/
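As an added illustration (not part of the thread or of OpenLDAP's own examples), a slapd.conf fragment contrasting the two mechanisms discussed above: a per-requester limits clause, which only caps what a search returns, and an ACL below the disclose level, which is what actually withholds the existence of entries. The suffix, OU and group names are assumed.

```conf
# slapd.conf fragment (added illustration, not from the thread).
# Assumes a hypothetical suffix dc=example,dc=com with a subtree
# ou=Restricted that ordinary users must not learn exists.

# Per-requester size limits: ordinary authenticated users get at most
# 500 entries per search, a directory manager group is unlimited.
# This caps what is returned; it does not hide that more data exists.
limits users size.soft=500 size.hard=500
limits group="cn=dirmanagers,ou=Groups,dc=example,dc=com" size=unlimited

# The real measure: "none" sits below the "disclose" privilege, so
# requesters other than the HR group are not even told the subtree
# exists. A search under ou=Restricted by such a requester is answered
# as if the entries were not there, with no size-limit indication,
# rather than with an "insufficient access" result that would confirm
# there is something to dig for.
access to dn.subtree="ou=Restricted,dc=example,dc=com"
    by group.exact="cn=hr,ou=Groups,dc=example,dc=com" read
    by * none

# Everything else: authenticated users may read, anonymous may only bind.
access to *
    by users read
    by anonymous auth
    by * none
```

The first matching `access to` clause wins, so the subtree rule must precede the catch-all; reversing the order would grant `read` to all authenticated users before the restricted rule is consulted.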