[Freeipa-devel] [PATCH 0143-0144] different errors/warnings for different LDAP limit type exceeded

[Petr Vobornik]

On 03/21/2016 12:25 PM, Jan Cholasta wrote:
> On 21.3.2016 10:17, Petr Spacek wrote:
>> On 18.3.2016 13:49, Rob Crittenden wrote:
>>> Martin Babinsky wrote:
>>>> These patches implement behavior agreed upon during discussion of
>>>> https://fedorahosted.org/freeipa/ticket/5677
>>>>
>>>> However I'm not sure if we want to push them into 4-3 branch (the
>>>> ticket
>>>> is triaged into 4.3.2 milestone) since they modify the framework
>>>> behavior quite a bit.
>>>>
>>>> If there is no need to have it there (CC'ing Milan since he is the
>>>> reporter), I would retriage it into 4.4 milestone.
>>>
>>>
>>> + desc="while getting entries (search base: '{}',"
>>> + "filter: {})".format(base_dn, filter))
>>>
>>> This is going to expose parts of the DIT in an error message to
>>> users. We have
>>> tried in the past to hide the implementation. I'd propose logging the
>>> error
>>> and making the exception less verbose.
>
> I agree with Rob here, we shouldn't expose internal stuff in error
> messages for users.
>
> In this particular case, even if we included internal stuff in the error
> message, it should be the error message returned by the server rather
> than this ad-hoc message.
>
>>
>> IMHO it actually helps to print the DN. At very least the user can see
>> if the
>> error is happening always with the same DN or if it keeps changing.
>>
>> In other words, for user it is not that important to understand
>> meaning of the
>> DN but it might be important to see if it is the same or not.
>
> I can't imagine a situation where it would actually be useful for the
> user (as opposed to the admin, who has access to logs) to know the base
> DN of some arbitrary LDAP search operation. Could you give an example?
>

+1 for the internal info to be only in logs.
-- 
Petr Vobornik