[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: commit: ldap/servers/slapd limits.c

To: OpenLDAP Commit <openldap-commit2devel@openldap.org>
Subject: Re: commit: ldap/servers/slapd limits.c
From: Hallvard B Furuseth <h.b.furuseth@usit.uio.no>
Date: Fri, 24 Oct 2008 18:44:39 +0200
In-reply-to: <200810241616.m9OGGhIZ024395@cantor.openldap.org>
References: <200810241616.m9OGGhIZ024395@cantor.openldap.org>

hallvard@OpenLDAP.org writes:
> 	limits.c  1.83 -> 1.84
> More ITS#5734: Handle empty o_req_ndn.  (...)

This gets somewhat inconsistent:

dn.this.<subtree or exact>="" now matches target DN "".  However, to
preserve backwards compatibility, dn.<subtree or exact>="" does not
match anonymous binding.

OTOH, limits dn.<anything>=* becomes limits *, again preserving
backwards compatibility.  However dn.<onelevel or children>=*
should not match empty target DN/anonymous connections.

Should we leave it as it is?  Or change the old behavior?  And if so,
does an anonymous connection have a DN so it should match "", or not?

Or we could make them errors to avoid admins seeing unexpected behavior
for a config which slapd accepts.  These cases seem fairly useless, but
could arise from something like an auto-generated config files when the
admin inputs suffix "".

-- 
Hallvard

Follow-Ups:
- Re: commit: ldap/servers/slapd limits.c
  - From: Pierangelo Masarati <ando@sys-net.it>

Prev by Date: Re: commit: ldap/include portable.hin ldap.h
Next by Date: Re: commit: ldap/servers/slapd limits.c
Index(es):
- Chronological
- Thread