
RE: proposed semantics change in access control



I'm hesitant to make this kind of change, but I agree that defaulting to
"exact" makes a lot more sense...

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support

> -----Original Message-----
> From: owner-openldap-devel@OpenLDAP.org
> [mailto:owner-openldap-devel@OpenLDAP.org]On Behalf Of Pierangelo
> Masarati
> Sent: Friday, May 16, 2003 2:18 AM
> To: openldap-devel@OpenLDAP.org
> Subject: proposed semantics change in access control
>
>
> I suggest changing the default for the "by"
> clause in access control from "regex" to "exact",
> maybe with the possibility to preserve the
> old behavior at compile time (but I strongly
> discourage this solution because it would require
> everybody to specify every time what flavour
> of ACL conf they're using).  As a good programming
> habit I usually explicitly set the dn "style"
> in ACLs, and in general I do not like "smart"
> defaults.
>
> In fact, problems like the one recently addressed
> by Kiran Bacche keep occurring very often,
> so I think a rule that implies lots of volume
> on the mailing list and security issues should
> require to be **explicitly** set to its most
> dangerous form.
>
> Any thoughts?
>
> Ando.
> --
> Pierangelo Masarati
> mailto:pierangelo.masarati@sys-net.it
>
>
>
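
An added example, not part of the original thread and not OpenLDAP code: a small audit that flags every "by dn=" clause written without an explicit style and shows which DNs it would match under a "regex" default versus an "exact" default. The sample ACL, the probe DNs and the function names are constructed; the sketch assumes "regex" behaves as an unanchored, case-insensitive search (Python's re stands in for the server's regex engine) and uses a simplified DN normalization for "exact".

```python
import re

# "by dn[.<style>]=<pattern>"; group "style" is None when no style is written.
BY_DN = re.compile(r'\bby\s+dn(?:\.(?P<style>\w+))?=(?:"(?P<q>[^"]*)"|(?P<u>\S+))', re.I)

# Constructed sample ACL, not taken from the thread.
SAMPLE_CONF = """\
access to *
    by dn="cn=admin,dc=example,dc=com" write
    by dn.exact="cn=replicator,dc=example,dc=com" read
    by * auth
"""

# Constructed probe DNs used to compare the two defaults.
PROBES = [
    "cn=admin,dc=example,dc=com",
    "uid=guest,cn=admin,dc=example,dc=com",
    "cn=admin,dc=example,dc=community",
    "cn=bob,dc=example,dc=com",
]

def normalize(dn):
    """Simplified DN normalization (assumption): lowercase, trim around commas."""
    return ",".join(part.strip() for part in dn.lower().split(","))

def matches(style, pattern, dn):
    if style == "regex":
        # Assumption: unanchored, case-insensitive search, so a substring hit matches.
        return re.search(pattern, dn, re.I) is not None
    if style == "exact":
        return normalize(pattern) == normalize(dn)
    raise ValueError(f"unsupported style: {style}")

def audit(conf_text, default_style, probe_dns):
    """Return (line number, pattern, matching probes) for each style-less 'by dn='."""
    findings = []
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        for m in BY_DN.finditer(line):
            if m.group("style") is None:
                pattern = m.group("q") if m.group("q") is not None else m.group("u")
                hits = [dn for dn in probe_dns if matches(default_style, pattern, dn)]
                findings.append((lineno, pattern, hits))
    return findings

if __name__ == "__main__":
    for style in ("regex", "exact"):
        for lineno, pattern, hits in audit(SAMPLE_CONF, style, PROBES):
            print(f"default={style} line {lineno}: dn={pattern!r} matches {hits}")
```

Clauses that already carry a style, such as the dn.exact line, are not reported, which is the habit the quoted message recommends.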