Re: authTimestamp and relax rules control

[Michael Ströder <michael@stroeder.com>]

Kurt Zeilenga wrote:
> 
> On Mar 17, 2011, at 11:49 AM, Michael Ströder wrote:
>> I'm using slapo-lastbind with 2.4.24 found under contrib/ which writes the
>> operational attribute authTimestamp to an entry. Now I have a use-case where a
>> LDAP client (connector continously pumping data from another non-OpenLDAP
>> directory server) should write this attribute to the OpenLDAP server. But even
>> when using the relax rules control this does not seem to be allowed.
>>
>> Section 3.6. of draft-zeilenga-ldap-relax-03 says:
>>
>>  The subsections of this section discuss modification of various
>>  operational attributes where their NO-USER-MODIFICATION constraint may
>>  be relaxed.  Future documents may specify where NO-USER-MODIFICATION
>>  constraints on other operational attribute may be relaxed.  In absence
>>  of a document detailing that the NO-USER-MODIFICATION constraint on a
>>  particular operational attribute may be relaxed, implementors SHOULD
>>  assume relaxation of the constraint is not appropriate for that
>>  attribute.
>>
>> Hmm, since there's no formal spec for authTimestamp I'm lost here?
> 
> The SHOULD here simply means "think before relax".

So after thinking I'd vote for allowing authTimestamp to be set by a client
when relax rules control is in effect => ITS#6873

Ciaio, Michael.