https://bugs.openldap.org/show_bug.cgi?id=5813
--- Comment #4 from Quanah Gibson-Mount quanah@openldap.org ---
hallvard@OpenLDAP.org writes:
limits.c 1.83 -> 1.84 More ITS#5734: Handle empty o_req_ndn. (...)
This gets somewhat inconsistent:
dn.this.<subtree or exact>="" now matches target DN "". However, to preserve backwards compatibility, dn.<subtree or exact>="" does not match anonymous binding.
OTOH, limits dn.<anything>=* becomes limits *, again preserving backwards compatibility. However, dn.<onelevel or children>=* should not match empty target DN/anonymous connections.
Should we leave it as it is? Or change the old behavior? And if so, does an anonymous connection have a DN so it should match "", or not?
Or we could make them errors to avoid admins seeing unexpected behavior for a config which slapd accepts. These cases seem fairly useless, but could arise from something like an auto-generated config file when the admin inputs suffix "".