
Re: strict ldif check



Howard Chu wrote:

>> But IMO it's worth thinking about how to deal in slapd with the wording
>> "MAY or MAY NOT include the RDN attribute(s)" found in RFC4511 today.
> 
> Ultimately, there's nothing to think about. RFC2251 is now obsolete and
> RFC4511 is the spec, so we'll have to change to comply. It's just a
> question of someone who feels strongly enough getting motivated to write
> the patch.

The more I re-read that sentence, the more I think OpenLDAP's slapd
still behaves correctly (or, the spec is ambiguous).  In fact, according
to RFC 4511, now a request that is missing any naming attributes or
distinguished values would be legitimate, from a client's perspective,
but the server has to ensure that entries conform to user and system
schema.  So, unless the meaning of "ensure" requires the server to
proactively modify the request to "ensure" it complies, simply analyzing
it and returning an error code if it doesn't comply, IMHO, complies with
the spec.  In other words:


		CLIENT

		 |
		 |
		 |
		 v

		ADD REQUEST (missing naming attrs/distinguished vals)

		- here the request is still valid

		-----------------------------------------------------

		- here it is no longer valid

		\|/
		 x
		/|\
		 v

		SERVER

So I'd interpret it in the sense that it's not the client's duty to
check if the request complies, but a non-compliant request remains invalid.

	--- o --- o ---

The issue about OpenLDAP's slapd being able to proactively modify a
non-compliant add request in order to make it compliant is a completely
different business; this could easily be accomplished by an overlay,
much like slapo-addpartial.

p.



Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Email:   pierangelo.masarati@sys-net.it
---------------------------------------
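
The two server behaviours contrasted in this message (analyze the Add request and return an error, versus proactively completing the entry), as an added example that is not part of the original post and not OpenLDAP code. The function names, the `mode` switch, the choice of `namingViolation` as the error returned, and the sample DN and entry are assumptions made for illustration.

```python
import re

SUCCESS, NAMING_VIOLATION = 0, 64  # result codes defined in RFC 4511

def split_unescaped(s, sep):
    """Split s on sep, skipping separators escaped with a backslash."""
    parts, cur, i = [], "", 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            cur, i = cur + s[i:i + 2], i + 2
        elif s[i] == sep:
            parts.append(cur)
            cur, i = "", i + 1
        else:
            cur, i = cur + s[i], i + 1
    parts.append(cur)
    return parts

def rdn_avas(dn):
    """Return [(type, value)] for the leftmost RDN ('+' joins multiple AVAs).
    Simplification: only single-character escapes are undone, not hex pairs."""
    avas = []
    for ava in split_unescaped(split_unescaped(dn, ",")[0], "+"):
        atype, _, value = ava.partition("=")
        avas.append((atype.strip().lower(), re.sub(r"\\(.)", r"\1", value.strip())))
    return avas

def process_add(dn, attrs, mode="reject"):
    """mode is hypothetical: 'reject' analyzes and refuses, 'augment' fills in.
    Values are compared case-insensitively (assumes caseIgnoreMatch)."""
    entry = {t.lower(): list(v) for t, v in attrs.items()}
    missing = [(t, v) for t, v in rdn_avas(dn)
               if v.lower() not in (x.lower() for x in entry.get(t, []))]
    if not missing:
        return SUCCESS, entry
    if mode == "reject":
        return NAMING_VIOLATION, None
    for t, v in missing:  # 'augment': add the distinguished values to the entry
        entry.setdefault(t, []).append(v)
    return SUCCESS, entry

# Constructed sample request: multi-valued RDN, entry lacks the uid value.
DN = "cn=Jane Doe+uid=jdoe,ou=People,dc=example,dc=com"
ATTRS = {"objectClass": ["person"], "sn": ["Doe"], "cn": ["Jane Doe"]}

if __name__ == "__main__":
    print(process_add(DN, ATTRS))
    print(process_add(DN, ATTRS, "augment"))
```
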