
Re: (ITS#3472) return code should be 32 when no access to object



At 11:15 AM 1/11/2005, Pierangelo Masarati wrote:
>Kurt D. Zeilenga wrote:
>
>>[Redirected to -devel for discussion]
>>
>>At present, "none" implies "disclose on error".  It really should
>>be "don't disclose on error".  We should have another level,
>>"disclose", which means "disclose on error".
>>
>>So,
>> access to *
>>       by dn=cn=Manager
>>       by self read
>>       by users disclose
>>       by anonymous none
>>
>>First and second "by" clause as is now.  Third means that users who attempt to access some object will be told "access denied",
>>with a matchedDN, etc.. (That is, just like today's "none").
>>Last means "don't disclose on error", hence noSuchObject is
>>returned even if the entry exists, and matchedDN will be empty,
>>etc..
>> 
>A (minor?) side-effect is that to achieve the current behavior, all configurations should add a trailing "by * disclose" rule, or other minor tweaks as those I had to add to test006 script, conf and data. This will generate a headache in terms of email traffic of the type "it used to work up to 2.2, it doesn't work any more", regardless of how well the change is highlighted in the docs.  I think we should design a very good transition strategy, e.g. provide a backwards compatibility option (maybe at configure time), or so.

Well, we could just do it (as we did with "auth")...
or we could add some funky configuration directive (yuk)...
or: 
        "none" -> disclose on error
        "no-disclose" -> don't disclose on error

That is, add the new level under "none".

Though I would normally prefer the latter approach, I think
it odd to call a level which grants some permission (disclose
on error) "none".

So, personally, I think we should just do it.

Kurt
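To make the difference between "none" and the proposed "disclose" concrete, here is a small Python model of the ACL semantics described in this thread. It is an added illustration, not slapd code: it assumes first-match "by" clause evaluation, that a bare "by dn=cn=Manager" grants write, that an existing entry reported under "disclose" carries its own DN as matchedDN, and it uses the standard LDAP result codes noSuchObject (32) and insufficientAccessRights (50).

```python
# Toy model of the access levels proposed in this thread (not slapd's code).
# Assumed ordering, lowest to highest; "disclose" is the new level above "none".
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]

SUCCESS = 0
NO_SUCH_OBJECT = 32        # LDAP resultCode noSuchObject
INSUFFICIENT_ACCESS = 50   # LDAP resultCode insufficientAccessRights

def granted_level(acl, requester, target_dn):
    """First matching 'by' clause wins; no match means 'none'."""
    for who, level in acl:
        if who == "*":
            return level
        if who.startswith("dn=") and requester == who[3:]:
            return level
        if who == "self" and requester == target_dn:
            return level
        if who == "users" and requester is not None:      # any bound DN
            return level
        if who == "anonymous" and requester is None:
            return level
    return "none"

def read_entry(acl, requester, target_dn, directory):
    """Return (resultCode, matchedDN) for a read of target_dn."""
    if target_dn not in directory:
        return NO_SUCH_OBJECT, ""
    level = LEVELS.index(granted_level(acl, requester, target_dn))
    if level >= LEVELS.index("read"):
        return SUCCESS, target_dn
    if level >= LEVELS.index("disclose"):
        # Disclose on error: the error itself reveals the entry exists.
        return INSUFFICIENT_ACCESS, target_dn   # assumed matchedDN
    # "none": answer exactly as if the entry did not exist.
    return NO_SUCH_OBJECT, ""

def leaks_existence(acl, requester, directory, existing_dn, missing_dn):
    """True if the requester can tell an existing entry from a missing one."""
    seen = read_entry(acl, requester, existing_dn, directory)
    unseen = read_entry(acl, requester, missing_dn, directory)
    return seen != unseen

# Constructed sample directory and the ACL from the thread ("by dn=cn=Manager"
# assumed to mean write); LEGACY_ACL spells today's "none" as "disclose".
DIRECTORY = {"dc=example,dc=com", "cn=alice,dc=example,dc=com"}
PROPOSED_ACL = [("dn=cn=Manager", "write"), ("self", "read"),
                ("users", "disclose"), ("anonymous", "none")]
LEGACY_ACL = [("dn=cn=Manager", "write"), ("self", "read"),
              ("users", "disclose"), ("anonymous", "disclose")]
```

Running leaks_existence for an anonymous requester against PROPOSED_ACL and LEGACY_ACL shows the point of the proposal: the legacy rules let an unauthenticated client confirm that cn=alice exists, the proposed ones do not.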