[Freeipa-devel] [PATCH 0143-0144] different errors/warnings for different LDAP limit type exceeded

Jan Cholasta jcholast at redhat.com
Mon Mar 21 11:25:20 UTC 2016


On 21.3.2016 10:17, Petr Spacek wrote:
> On 18.3.2016 13:49, Rob Crittenden wrote:
>> Martin Babinsky wrote:
>>> These patches implement behavior agreed upon during discussion of
>>> https://fedorahosted.org/freeipa/ticket/5677
>>>
>>> However I'm not sure if we want to push them into 4-3 branch (the ticket
>>> is triaged into 4.3.2 milestone) since they modify the framework
>>> behavior quite a bit.
>>>
>>> If there is no need to have it there (CC'ing Milan since he is the
>>> reporter), I would retriage it into 4.4 milestone.
>>
>>
>> + desc="while getting entries (search base: '{}',"
>> + "filter: {})".format(base_dn, filter))
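Review bot: the two adjacent string literals in desc concatenate with no space after the comma, so the message renders as "(search base: '...',filter: ...)"; start the second literal with a space. This desc also formats base_dn and filter into text that ends up in an error shown to users, so consider sending those two values to the log and keeping desc free of search details. If filter is a local name here, it also shadows the Python builtin; a name such as ldap_filter avoids that.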
>>
>> This is going to expose parts of the DIT in an error message to users. We have
>> tried in the past to hide the implementation. I'd propose logging the error
>> and making the exception less verbose.

I agree with Rob here, we shouldn't expose internal stuff in error 
messages for users.

In this particular case, even if we included internal stuff in the error 
message, it should be the error message returned by the server rather 
than this ad-hoc message.

>
> IMHO it actually helps to print the DN. At the very least the user can see if the
> error is happening always with the same DN or if it keeps changing.
>
> In other words, for the user it is not that important to understand the meaning of the
> DN but it might be important to see if it is the same or not.

I can't imagine a situation where it would actually be useful for the 
user (as opposed to the admin, who has access to logs) to know the base 
DN of some arbitrary LDAP search operation. Could you give an example?

-- 
Jan Cholasta
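
The approach proposed in this thread (log the search details, keep the user-facing error terse), as an added example that is not part of the original messages or of FreeIPA's code. The exception classes, `run_search`, the logger name and the message texts are hypothetical stand-ins.

```python
import logging

logger = logging.getLogger("ldap_limits_example")

# Hypothetical stand-ins for the limit errors an LDAP client library raises.
class SizeLimitExceeded(Exception): pass
class TimeLimitExceeded(Exception): pass
class AdminLimitExceeded(Exception): pass

class PublicSearchError(Exception):
    """Error whose text is safe to return to the API caller."""

# One distinct, DIT-free message per limit type (wording is an assumption).
PUBLIC_MESSAGES = {
    SizeLimitExceeded: "Search size limit exceeded",
    TimeLimitExceeded: "Search time limit exceeded",
    AdminLimitExceeded: "Administrative search limit exceeded",
}

def run_search(search, base_dn, ldap_filter):
    """Call search(base_dn, ldap_filter); keep search details out of user errors."""
    try:
        return search(base_dn, ldap_filter)
    except tuple(PUBLIC_MESSAGES) as exc:
        # Base DN and filter go to the server log only. %r escapes control
        # characters, so a crafted filter cannot forge extra log lines.
        logger.error("%s while getting entries (search base: %r, filter: %r)",
                     type(exc).__name__, base_dn, ldap_filter)
        # "from None" suppresses the chained exception when a traceback is
        # rendered, so the original error text is not shown with the new one.
        raise PublicSearchError(PUBLIC_MESSAGES[type(exc)]) from None

if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)

    def limited(base_dn, ldap_filter):  # constructed failing search
        raise SizeLimitExceeded()

    try:
        run_search(limited, "cn=users,cn=accounts,dc=example,dc=test", "(uid=*)")
    except PublicSearchError as err:
        print("user sees:", err)
```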



