Re: (ITS#5872) slapo-cloak
Kurt Zeilenga wrote:
>
> On Dec 27, 2008, at 2:46 AM, ando@sys-net.it wrote:
>
>> empty or "*" ; all user, except attrs that need to be explicitly req.
>> "+" ; all operational
>> <all including attrs that need to be explicitly requested>
>> <...>
>
> I note that the specification of '+' does allow a server not to provide
> all operational attributes. That is, a server is allowed to only return
> some operational attributes when requested by name.
... based on how expensive their computation is. In fact, we do not
exploit this too much in slapd(8), where '+' usually triggers
evaluation of all operational attributes. Probably, we should add the
possibility to configure whether the most expensive ones are computed or not
when not explicitly requested.
> This is not so with '*' (or empty list).
well, according to RFC4511, Section 4.5.1.8.:
Client implementors should note that even if all user attributes are
requested, some attributes and/or attribute values of the entry may
not be included in Search results due to access controls or other
restrictions.
The restrictions we're discussing may well fit into this.
> However, that said, I see no
> particular issue with a server choosing to return a particular user
> applications attribute only when requested by name. I see this simply
> as an administrative restriction... and those are always allowed.
Exactly.
> (I also note that use of '*' (or empty list) and '+' should generally be
> limited to requests formed by a human. It is bad (but all too common)
> practice for application-specific directory clients to ask for
> everything. They should really only ask for what they are prepared to
> make use of.
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team
SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
-----------------------------------
Office: +39 02 23998309
Mobile: +39 333 4963172
Fax: +39 0382 476497
Email: ando@sys-net.it
-----------------------------------
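Added illustration, not code from the thread or from OpenLDAP: a small Python model of the attribute-selection semantics discussed above (RFC 4511 section 4.5.1.8, with "+" from RFC 3673), where some attributes are returned only when requested by name. The `cloaked` flag, the attribute names and the schema table are constructed for the example and do not reflect slapo-cloak's configuration.

```python
# Model of LDAP search attribute selection with an "explicit request only"
# restriction.  Constructed for illustration; not slapd or slapo-cloak code.
from dataclasses import dataclass


@dataclass(frozen=True)
class AttrSchema:
    name: str
    operational: bool = False
    cloaked: bool = False   # hypothetical flag: only returned when named


# Constructed schema: secretNote is a user attribute that must be requested
# by name; costlyStat models an expensive operational attribute that is not
# computed for a bare "+" (the configurability suggested in the thread).
SCHEMA = {
    "cn": AttrSchema("cn"),
    "mail": AttrSchema("mail"),
    "secretnote": AttrSchema("secretNote", cloaked=True),
    "entrycsn": AttrSchema("entryCSN", operational=True),
    "costlystat": AttrSchema("costlyStat", operational=True, cloaked=True),
}
# Constructed entry: attribute names present on the entry, in storage order.
ENTRY = ["cn", "mail", "secretNote", "entryCSN", "costlyStat"]


def select_attributes(requested, entry_attrs, schema):
    """Return the names from entry_attrs that the search result carries.

    requested is the request's AttributeSelection list:
      empty or "*" -> all user attributes except cloaked ones
      "+"          -> all operational attributes except cloaked ones
      "1.1" alone  -> no attributes (ignored when other names are present)
      other name   -> that attribute, even if cloaked
    Attribute types compare case-insensitively.
    """
    req = [r.lower() for r in requested] or ["*"]
    if req == ["1.1"]:
        return []
    want_user, want_oper = "*" in req, "+" in req
    explicit = {r for r in req if r not in ("*", "+", "1.1")}
    out = []
    for name in entry_attrs:
        s = schema.get(name.lower(), AttrSchema(name))
        if name.lower() in explicit:
            out.append(name)            # named: returned regardless of cloak
        elif s.cloaked:
            continue                    # wildcard never reveals cloaked attrs
        elif (want_user and not s.operational) or (want_oper and s.operational):
            out.append(name)
    return out
```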