[Date Prev][Date Next] [Chronological] [Thread] [Top]

proposed semantics change in access control

To: <openldap-devel@OpenLDAP.org>
Subject: proposed semantics change in access control
From: "Pierangelo Masarati" <ando@sys-net.it>
Date: Fri, 16 May 2003 11:18:03 +0200 (CEST)
Importance: Normal

I suggest changing the default for the "by"
clause in access control from "regex" to "exact",
maybe with the possibility to preserve the
old behavior at compile time (but I strongly
discourage this solution because it would require
everybody to specify every time what flavour
of ACL conf they're using).  As a good programming
habit I usually explicitly set the dn "style"
in ACLs, and in general I do not like "smart"
defaults.

In fact, problems like the one recently addressed
by Kiran Bacche keep occurring very often,
so I think a rule that implies lots of volume
on the mailing list and security issues should
require to be **explicitly** set to its most
dangerous form.

Any thoughts?

Ando.
-- 
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it

Follow-Ups:
- RE: proposed semantics change in access control
  - From: "Howard Chu" <hyc@highlandsun.com>
- Re: proposed semantics change in access control
  - From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>

Prev by Date: RE: Want "deref=" in Statslog for searches
Next by Date: Bugfix: ldap_result() fails on large results
Index(es):
- Chronological
- Thread