I think the general assumption was that if the client has some search permission (check by test_filter prior to calling send_search_entry), it has read on "entry". Now, with overlays and other things happening, having send_search_result indicate whether or not an entry was actually sent (or possibly the number of entries sent?) would be a good idea.
At 03:14 PM 11/23/2005, Howard Chu wrote: >Eric Irrgang wrote: >>I'm sorry if this has already been discussed, but I can't seem to find >>such a thread in the archives... >> >>With OL 2.2.29 it looks to me like the sizelimit specified by a client >>search is evaluated after the ACLs on the server side, so that if a client >>specifies a sizelimit of 10 and receives 8 results, it may be obvious that >>2 entries matched the filter but failed the ACL check, disclosing perhaps >>more information than the directory maintainers would like. >> >>Is this expected/intended behavior? >> >> >It is the as-designed behavior. But you're right, the design is broken here. >Currently all sizelimit checking is done in the individual backends, while the >search ACLs are checked in the frontend. Checking in the backends means >there's a lot of redundant code; it should all be moved into the frontend. > >Such a change would break the pagedResults implementation in back-bdb. But >that's probably OK, since the pagedResults feature properly belongs in the >frontend as well. > >-- > -- Howard Chu > Chief Architect, Symas Corp. http://www.symas.com > Director, Highland Sun http://highlandsun.com/hyc > OpenLDAP Core Team http://www.openldap.org/project/
