[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: proposed semantics change in access control

I'm hesitant to make this kind of change, but I agree that defaulting to
"exact" makes a lot more sense...

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support

> -----Original Message-----
> From: owner-openldap-devel@OpenLDAP.org
> [mailto:owner-openldap-devel@OpenLDAP.org]On Behalf Of Pierangelo
> Masarati
> Sent: Friday, May 16, 2003 2:18 AM
> To: openldap-devel@OpenLDAP.org
> Subject: proposed semantics change in access control
> I suggest changing the default for the "by"
> clause in access control from "regex" to "exact",
> maybe with the possibility to preserve the
> old behavior at compile time (but I strongly
> discourage this solution because it would require
> everybody to specify every time what flavour
> of ACL conf they're using).  As a good programming
> habit I usually explicitly set the dn "style"
> in ACLs, and in general I do not like "smart"
> defaults.
> In fact, problems like the one recently addressed
> by Kiran Bacche keep occurring very often,
> so I think a rule that implies lots of volume
> on the mailing list and security issues should
> require to be **explicitly** set to its most
> dangerous form.
> Any thoughts?
> Ando.
> --
> Pierangelo Masarati
> mailto:pierangelo.masarati@sys-net.it