https://bugs.openldap.org/show_bug.cgi?id=5813
--- Comment #3 from Quanah Gibson-Mount quanah@openldap.org --- Putting email discussion in for posterity:
Hallvard B Furuseth wrote:
hallvard@OpenLDAP.org writes:
limits.c 1.83 -> 1.84 More ITS#5734: Handle empty o_req_ndn. (...)
This gets somewhat inconsistent:
dn.this.<subtree or exact>="" now matches target DN "". However, to preserve backwards compatibility, dn.<subtree or exact>="" does not match anonymous binding.
OTOH, limits dn.<anything>=* becomes limits *, again preserving backwards compatibility. However dn.<onelevel or children>=* should not match empty target DN/anonymous connections.
Should we leave it as it is? Or change the old behavior? And if so, does an anonymous connection have a DN so it should match "", or not?
"" is a valid DN, but not a valid entry name (AFAIK). That's why we use it for anonymous. ACLs and limits use the notion of DN to indicate two different things: the target and the user. Of course, although "" is a valid target, it is not a valid user (or, it indicates the empty user, and thus anonymous). I'm not sure I entirely got the point and whether this helps or not, but the semantics should be clear.
Or we could make them errors to avoid admins seeing unexpected behavior for a config which slapd accepts. These cases seem fairly useless, but could arise from something like an auto-generated config files when the admin inputs suffix "".
In any case, I'd prefer the original behavior be preserved as much as possible, and I'd prefer to avoid introducing pitfalls that easily trick admins (and wannabe admins) in persevering making the same errors over and over.
p.