OpenLDAP
Viewing Software Bugs/7493
From: michael@stroeder.com
Subject: slapo-allowed: allowed* attrs are replicated
Date: Tue, 15 Jan 2013 12:18:59 +0000
From: michael@stroeder.com
To: openldap-its@OpenLDAP.org
Subject: slapo-allowed: allowed* attrs are replicated
Full_Name: 
Version: RE24 6f33e2c
OS: 
URL: 
Submission from: (NULL) (2001:8d8:1fe:1:d6be:d9ff:fe06:a14f)


It seems that operational attributes generated by slapo-allowed are replicated.

Syslog shows: 
mods check (allowedAttributes: value #0 invalid per syntax)

Followup 1

Date: Tue, 15 Jan 2013 04:56:30 -0800
From: hyc@symas.com
To: michael@stroeder.com
Cc: openldap-its@openldap.org
Subject: Re: (ITS#7493) slapo-allowed: allowed* attrs are replicated
On Tue, Jan 15, 2013 at 12:18:59PM +0000, michael@stroeder.com wrote:
> Full_Name: 
> Version: RE24 6f33e2c
> OS: 
> URL: 
> Submission from: (NULL) (2001:8d8:1fe:1:d6be:d9ff:fe06:a14f)
> 
> 
> It seems that operational attributes generated by slapo-allowed are
> replicated.

Works as designed. These attributes are directoryOperation, not DSA-specific.
Closing this ITS.

> Syslog shows: 
> mods check (allowedAttributes: value #0 invalid per syntax)
> 



Followup 2

Date: Tue, 15 Jan 2013 14:34:29 +0100
From: Pierangelo Masarati <masarati@aero.polimi.it>
To: hyc@symas.com
CC: openldap-its@openldap.org
Subject: Re: (ITS#7493) slapo-allowed: allowed* attrs are replicated
On 01/15/2013 01:56 PM, hyc@symas.com wrote:
> On Tue, Jan 15, 2013 at 12:18:59PM +0000, michael@stroeder.com wrote:
>> Full_Name:
>> Version: RE24 6f33e2c
>> OS:
>> URL:
>> Submission from: (NULL) (2001:8d8:1fe:1:d6be:d9ff:fe06:a14f)
>>
>>
>> It seems that operational attributes generated by slapo-allowed are
>> replicated.
>
> Works as designed. These attributes are directoryOperation, not
> DSA-specific.

I see the point; since they're generated by the overlay in response to 
search operations, either they should not be replicated, or replication 
should accept them.

Their value depends on ACLs, so in order to reflect ACLs on a specific 
DSA they should be generated; however, I concur ACLs should not depend 
on the specific DSA of a replication setup.

I'm open to suggestions about how to fix this.

p.

-- 
Pierangelo Masarati
Associate Professor
Dipartimento di Ingegneria Aerospaziale
Politecnico di Milano



Followup 3

To: openldap-its@openldap.org, <hyc@symas.com>
From: "Michael Ströder" <michael@stroeder.com>
Subject: Re: (ITS#7493) slapo-allowed: allowed* attrs are replicated
Date: Tue, 15 Jan 2013 14:38:18 +0100
On Tue, 15 Jan 2013 12:56:35 GMT hyc@symas.com wrote
> > It seems that operational attributes generated by slapo-allowed are
> > replicated. 
>
> Works as designed. These attributes are directoryOperation, not
> DSA-specific.
> Closing this ITS.

The fact that slapo-allowed in contrib/ does not declare the attribute types as
DSA-specific does not mean that they are not DSA-specific. I guess MS AD does
not care about subschema DSA-specific or not so we have to apply common sense
here.

The allowed* attr values are supposed to be generated based on the local access
control configuration. Since with OpenLDAP local configuration and therefore
local ACLs can differ on different replicas these attrs MUST NOT be replicated.

Please re-open the ITS.

Ciao, Michael.




Followup 4

To: openldap-its@openldap.org, <masarati@aero.polimi.it>
From: "Michael Ströder" <michael@stroeder.com>
Subject: Re: (ITS#7493) slapo-allowed: allowed* attrs are replicated
Date: Tue, 15 Jan 2013 14:49:52 +0100
On Tue, 15 Jan 2013 13:37:06 GMT masarati@aero.polimi.it wrote

> On 01/15/2013 01:56 PM, hyc@symas.com wrote:
> > On Tue, Jan 15, 2013 at 12:18:59PM +0000, michael@stroeder.com wrote:
> >> Full_Name:
> >> Version: RE24 6f33e2c
> >> OS:
> >> URL:
> >> Submission from: (NULL) (2001:8d8:1fe:1:d6be:d9ff:fe06:a14f)
> >>
> >>
> >> It seems that operational attributes generated by slapo-allowed are
> >> replicated.
> >
> > Works as designed. These attributes are directoryOperation, not
> > DSA-specific.
>
> I see the point; since they're generated by the overlay in response to 
> search operations, either they should not be replicated, or replication 
> should accept them.
> 
> Their value depends on ACLs, so in order to reflect ACLs on a specific 
> DSA they should be generated; however, I concur ACLs should not depend 
> on the specific DSA of a replication setup.

The values depend on local ACLs *and* current authz-DN.

=> These attributes MUST NOT be replicated.

Ciao, Michael.




Followup 5

To: openldap-its@openldap.org, <masarati@aero.polimi.it>
From: "Michael Ströder" <michael@stroeder.com>
Subject: Re: (ITS#7493) slapo-allowed: allowed* attrs are replicated
Date: Tue, 15 Jan 2013 14:51:33 +0100
On Tue, 15 Jan 2013 13:37:06 GMT masarati@aero.polimi.it wrote
> Their value depends on ACLs, so in order to reflect ACLs on a specific 
> DSA they should be generated; however, I concur ACLs should not depend 
> on the specific DSA of a replication setup.

BTW: It does make sense to have different ACLs on different replicas!
Think of a master with fine-grained ACLs for entry management and read-only
consumers with simpler ACLs for better performance.

Ciao, Michael.




Followup 6

Date: Tue, 15 Jan 2013 19:40:00 +0100
From: Michael Ströder <michael@stroeder.com>
To: openldap-its@openldap.org
Subject: Re: (ITS#7493) slapo-allowed: allowed* attrs are replicated
This is a cryptographically signed message in MIME format.
Please consider the attached patch which sets allowed
"USAGE dSAOperation". This seems to be the most appropriate USAGE comparable
to what's set for entryTTL in slapo-dds.

I, Michael Ströder, hereby place the attached modifications to OpenLDAP
Software (and only these modifications) into the public domain. Hence, these
modifications may be freely used and/or redistributed for any purpose with or
without attribution and/or other notice.

Ciao, Michael.

Attachment: openldap_its7493.patch

diff --git a/contrib/slapd-modules/allowed/allowed.c b/contrib/slapd-modules/allowed/allowed.c
index b44461a..0099b70 100644
--- a/contrib/slapd-modules/allowed/allowed.c
+++ b/contrib/slapd-modules/allowed/allowed.c
@@ -73,7 +73,7 @@ static struct {
 		/* added by me :) */
 		"DESC 'Child classes allowed for a given object' "
 		"NO-USER-MODIFICATION "
-		"USAGE directoryOperation )", &ad_allowedChildClasses },
+		"USAGE dSAOperation )", &ad_allowedChildClasses },
 	{ "( " AA_SCHEMA_AT ".912 "
 		"NAME 'allowedChildClassesEffective' "
 		"EQUALITY objectIdentifierMatch "
@@ -81,7 +81,7 @@ static struct {
 		/* added by me :) */
 		"DESC 'Child classes allowed for a given object according to ACLs' "
 		"NO-USER-MODIFICATION "
-		"USAGE directoryOperation )", &ad_allowedChildClassesEffective },
+		"USAGE dSAOperation )", &ad_allowedChildClassesEffective },
 	{ "( " AA_SCHEMA_AT ".913 "
 		"NAME 'allowedAttributes' "
 		"EQUALITY objectIdentifierMatch "
@@ -89,7 +89,7 @@ static struct {
 		/* added by me :) */
 		"DESC 'Attributes allowed for a given object' "
 		"NO-USER-MODIFICATION "
-		"USAGE directoryOperation )", &ad_allowedAttributes },
+		"USAGE dSAOperation )", &ad_allowedAttributes },
 	{ "( " AA_SCHEMA_AT ".914 "
 		"NAME 'allowedAttributesEffective' "
 		"EQUALITY objectIdentifierMatch "
@@ -97,7 +97,7 @@ static struct {
 		/* added by me :) */
 		"DESC 'Attributes allowed for a given object according to ACLs' "
 		"NO-USER-MODIFICATION "
-		"USAGE directoryOperation )", &ad_allowedAttributesEffective },
+		"USAGE dSAOperation )", &ad_allowedAttributesEffective },
=20
 	/* TODO: add objectClass stuff? */
=20



Followup 7

Date: Tue, 15 Jan 2013 20:00:11 +0100
From: Michael Ströder <michael@stroeder.com>
To: openldap-its@openldap.org
Subject: Re: (ITS#7493) slapo-allowed: allowed* attrs are replicated (re-sent)
(Re-sent without S/MIME signature to make ITS software happy)

Please consider the attached patch which sets allowed
"USAGE dSAOperation". This seems to be the most appropriate USAGE comparable
to what's set for entryTTL in slapo-dds.

I, Michael Ströder, hereby place the attached modifications to OpenLDAP
Software (and only these modifications) into the public domain. Hence, these
modifications may be freely used and/or redistributed for any purpose with or
without attribution and/or other notice.

Ciao, Michael.


Attachment: openldap_its7493.patch

diff --git a/contrib/slapd-modules/allowed/allowed.c b/contrib/slapd-modules/allowed/allowed.c
index b44461a..0099b70 100644
--- a/contrib/slapd-modules/allowed/allowed.c
+++ b/contrib/slapd-modules/allowed/allowed.c
@@ -73,7 +73,7 @@ static struct {
 		/* added by me :) */
 		"DESC 'Child classes allowed for a given object' "
 		"NO-USER-MODIFICATION "
-		"USAGE directoryOperation )", &ad_allowedChildClasses },
+		"USAGE dSAOperation )", &ad_allowedChildClasses },
 	{ "( " AA_SCHEMA_AT ".912 "
 		"NAME 'allowedChildClassesEffective' "
 		"EQUALITY objectIdentifierMatch "
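Review bot: the USAGE change in this hunk carries no source comment explaining why dSAOperation was chosen, even though the thread records that the AD subschema these types were modelled on declares no USAGE at all and the value was picked by analogy with entryTTL (RFC 2589); a comment above the table along the lines of `/* USAGE dSAOperation: values depend on this DSA's ACLs and on the bound identity, so they must not be replicated; AD defines no USAGE for these types */` would keep that rationale next to the code and prevent a later "correction" back to directoryOperation.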
@@ -81,7 +81,7 @@ static struct {
 		/* added by me :) */
 		"DESC 'Child classes allowed for a given object according to ACLs' "
 		"NO-USER-MODIFICATION "
-		"USAGE directoryOperation )", &ad_allowedChildClassesEffective },
+		"USAGE dSAOperation )", &ad_allowedChildClassesEffective },
 	{ "( " AA_SCHEMA_AT ".913 "
 		"NAME 'allowedAttributes' "
 		"EQUALITY objectIdentifierMatch "
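Review bot: the DESC 'Attributes allowed for a given object' in this hunk, unlike the Effective variants, says nothing about ACLs, so a reader will not infer from the schema text that this value is DSA-specific too; since the reported syslog error names allowedAttributes specifically, the change is needed here, but the module README (which the thread says documents the origin of these definitions) should be updated in the same change to state that all four allowed* types are dSAOperation and are therefore withheld from replication, the non-Effective ones included.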
@@ -89,7 +89,7 @@ static struct {
 		/* added by me :) */
 		"DESC 'Attributes allowed for a given object' "
 		"NO-USER-MODIFICATION "
-		"USAGE directoryOperation )", &ad_allowedAttributes },
+		"USAGE dSAOperation )", &ad_allowedAttributes },
 	{ "( " AA_SCHEMA_AT ".914 "
 		"NAME 'allowedAttributesEffective' "
 		"EQUALITY objectIdentifierMatch "
@@ -97,7 +97,7 @@ static struct {
 		/* added by me :) */
 		"DESC 'Attributes allowed for a given object according to ACLs' "
 		"NO-USER-MODIFICATION "
-		"USAGE directoryOperation )", &ad_allowedAttributesEffective },
+		"USAGE dSAOperation )", &ad_allowedAttributesEffective },
 
 	/* TODO: add objectClass stuff? */
 


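As an added illustration (not part of this ITS thread or of allowed.c), the Python below models the two points made in this thread: Followup 4's argument that the allowed* values depend on the local ACLs and the current authz-DN, so one DSA's value is wrong on another DSA, and the patch above, where setting USAGE dSAOperation is what marks the types as DSA-specific. It assumes, as Followup 1 implies, that replication ships directoryOperation attributes but withholds dSAOperation ones. The OID arc, the SYNTAX, the toy ACL tables, the sample entry and the .911 suffix for allowedChildClasses (not visible in the hunks) are constructed placeholders, not values from the page.

```python
import re

# RFC 4512 USAGE keywords.  The thread's premise (Followup 1) is that
# replication ships directoryOperation attributes but withholds DSA-specific
# (dSAOperation) ones; this model assumes exactly that.
USAGES = ("userApplications", "directoryOperation",
          "distributedOperation", "dSAOperation")
NOT_REPLICATED = {"dSAOperation"}

AA_SCHEMA_AT = "0.0.0.placeholder"  # placeholder arc, NOT the one allowed.c uses
OID_SYNTAX = "1.3.6.1.4.1.1466.115.121.1.38"  # RFC 4517 OID syntax (assumed)


def attribute_type_description(suffix, name, desc, usage):
    """Build an AttributeTypeDescription in the layout of the allowed.c table."""
    return (f"( {AA_SCHEMA_AT}.{suffix} NAME '{name}' "
            f"EQUALITY objectIdentifierMatch SYNTAX {OID_SYNTAX} "
            f"DESC '{desc}' NO-USER-MODIFICATION USAGE {usage} )")


_TOKEN = re.compile(r"'[^']*'|\S+")


def parse_attribute_type(desc):
    """Parse the subset of RFC 4512 AttributeTypeDescription used above.
    USAGE defaults to userApplications when absent, as RFC 4512 specifies."""
    tokens = _TOKEN.findall(desc)
    if len(tokens) < 3 or tokens[0] != "(" or tokens[-1] != ")":
        raise ValueError("not a parenthesised attribute type description")
    at = {"oid": tokens[1], "no_user_mod": False, "usage": "userApplications"}
    i = 2
    while i < len(tokens) - 1:
        key = tokens[i]
        if key == "NO-USER-MODIFICATION":
            at["no_user_mod"] = True
            i += 1
        elif key in ("NAME", "DESC", "EQUALITY", "SYNTAX", "USAGE"):
            value = tokens[i + 1].strip("'")
            if key == "USAGE" and value not in USAGES:
                raise ValueError(f"unknown USAGE {value!r}")
            at[key.lower()] = value
            i += 2
        else:
            raise ValueError(f"unexpected token {key!r}")
    return at


def replicated_attributes(entry, schema):
    """Attributes of `entry` a consumer receives under the assumption above."""
    return {name: values for name, values in entry.items()
            if schema[name]["usage"] not in NOT_REPLICATED}


def allowed_attributes_effective(allowed, acl, authz_dn):
    """allowedAttributesEffective as one DSA computes it: the schema-allowed
    attributes the bound identity may write under *that DSA's* ACL.  The ACL
    is a toy table mapping (authz_dn, attribute) -> access level."""
    return sorted(a for a in allowed if acl.get((authz_dn, a)) == "write")


def demo():
    # Constructed sample schema: the four allowed* types from the patch.  The
    # .911 suffix for allowedChildClasses is assumed (not visible in the hunks).
    types = [
        ("911", "allowedChildClasses",
         "Child classes allowed for a given object"),
        ("912", "allowedChildClassesEffective",
         "Child classes allowed for a given object according to ACLs"),
        ("913", "allowedAttributes", "Attributes allowed for a given object"),
        ("914", "allowedAttributesEffective",
         "Attributes allowed for a given object according to ACLs"),
    ]
    schemas = {}
    for label, usage in (("before", "directoryOperation"),
                         ("after", "dSAOperation")):
        schema = {n: parse_attribute_type(attribute_type_description(s, n, d, usage))
                  for s, n, d in types}
        schema["cn"] = parse_attribute_type("( 2.5.4.3 NAME 'cn' )")
        schemas[label] = schema
    # Constructed entry as the overlay would return it to a search.
    entry = {"cn": ["alice"],
             "allowedAttributes": ["cn", "sn", "userPassword"],
             "allowedAttributesEffective": ["cn", "sn"]}
    # Followup 5's scenario: a master with fine-grained ACLs and a read-only
    # consumer, both evaluated for the same authz-DN (constructed tables).
    allowed = entry["allowedAttributes"]
    dn = "uid=alice,dc=example,dc=com"
    master_acl = {(dn, "cn"): "write", (dn, "sn"): "write",
                  (dn, "userPassword"): "read"}
    consumer_acl = {(dn, a): "read" for a in allowed}
    return {
        "shipped_before": sorted(replicated_attributes(entry, schemas["before"])),
        "shipped_after": sorted(replicated_attributes(entry, schemas["after"])),
        "effective_on_master": allowed_attributes_effective(allowed, master_acl, dn),
        "effective_on_consumer": allowed_attributes_effective(allowed, consumer_acl, dn),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two `shipped_*` results show what the patch changes: with directoryOperation the overlay-generated attributes travel with the entry, with dSAOperation only cn does. The two `effective_*` results show why that matters: the same entry and the same bound identity yield different allowedAttributesEffective values on the master and on the consumer, so a replicated master value would tell a client of the consumer that it may write cn and sn where the consumer's own ACLs grant only read.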



Followup 8

Date: Wed, 16 Jan 2013 09:07:38 +0100
From: Pierangelo Masarati <masarati@aero.polimi.it>
To: michael@stroeder.com
CC: openldap-its@openldap.org
Subject: Re: (ITS#7493) slapo-allowed: allowed* attrs are replicated
On 01/15/2013 07:40 PM, michael@stroeder.com wrote:

> Please consider the attached patch which sets allowed
> "USAGE dSAOperation". This seems to be the most appropriate USAGE comparable
> to what's set for entryTTL in slapo-dds.

No objection with this patch, since those properties were "arbitrarily" 
assigned to attributes defined by others to provide software 
interoperability.  Unless anyone has objections, I'd commit it.

Thanks, p.

-- 
Pierangelo Masarati
Associate Professor
Dipartimento di Ingegneria Aerospaziale
Politecnico di Milano



Followup 9

Date: Wed, 16 Jan 2013 05:08:36 -0800
From: Howard Chu <hyc@symas.com>
To: masarati@aero.polimi.it, openldap-its@openldap.org
Subject: Re: (ITS#7493) slapo-allowed: allowed* attrs are replicated
masarati@aero.polimi.it wrote:
> On 01/15/2013 07:40 PM, michael@stroeder.com wrote:
>
>> Please consider the attached patch which sets allowed
>> "USAGE dSAOperation". This seems to be the most appropriate USAGE comparable
>> to what's set for entryTTL in slapo-dds.
>
> No objection with this patch, since those properties were "arbitrarily"
> assigned to attributes defined by others to provide software
> interoperability.  Unless anyone has objections, I'd commit it.

Go ahead. Please add a comment about the origin of the schema definitions and 
these interoperability concerns.

-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/



Followup 10

Date: Wed, 16 Jan 2013 19:09:49 +0100
From: Michael Ströder <michael@stroeder.com>
To: hyc@symas.com
CC: openldap-its@openldap.org, masarati@aero.polimi.it
Subject: Re: (ITS#7493) slapo-allowed: allowed* attrs are replicated
hyc@symas.com wrote:
> masarati@aero.polimi.it wrote:
>> On 01/15/2013 07:40 PM, michael@stroeder.com wrote:
>>
>>> Please consider the attached patch which sets allowed
>>> "USAGE dSAOperation". This seems to be the most appropriate USAGE comparable
>>> to what's set for entryTTL in slapo-dds.
>>
>> No objection with this patch, since those properties were "arbitrarily"
>> assigned to attributes defined by others to provide software
>> interoperability.  Unless anyone has objections, I'd commit it.
> 
> Go ahead. Please add a comment about the origin of the schema definitions and
> these interoperability concerns.

These attribute type descriptions were roughly taken from MS AD.

Today I've checked the subschema of a W2K8R2 AD server:
I did not find a single attribute type description with USAGE although there
were attribute types formally defined in RFCs. One example is 'entryTTL'
defined with "USAGE dSAOperation" in RFC 2589 which in fact was co-authored by
Microsoft employees.

The official Microsoft documentation is here [MS-ADA1]:

http://msdn.microsoft.com/en-us/library/cc219752.aspx

Ciao, Michael.



Followup 11

Date: Wed, 16 Jan 2013 20:10:12 +0000
From: Howard Chu <hyc@symas.com>
To: Michael Ströder <michael@stroeder.com>
CC: openldap-its@openldap.org, masarati@aero.polimi.it
Subject: Re: (ITS#7493) slapo-allowed: allowed* attrs are replicated
Michael Ströder wrote:
> hyc@symas.com wrote:
>> masarati@aero.polimi.it wrote:
>>> On 01/15/2013 07:40 PM, michael@stroeder.com wrote:
>>>
>>>> Please consider the attached patch which sets allowed
>>>> "USAGE dSAOperation". This seems to be the most appropriate USAGE comparable
>>>> to what's set for entryTTL in slapo-dds.
>>>
>>> No objection with this patch, since those properties were "arbitrarily"
>>> assigned to attributes defined by others to provide software
>>> interoperability.  Unless anyone has objections, I'd commit it.
>>
>> Go ahead. Please add a comment about the origin of the schema definitions and
>> these interoperability concerns.
>
> These attribute type descriptions were roughly taken from MS AD.

I meant, please add a comment *in the patch* so it will remain in the source
code.

> Today I've checked the subschema of a W2K8R2 AD server:
> I did not find a single attribute type description with USAGE although there
> were attribute types formally defined in RFCs. One example is 'entryTTL'
> defined with "USAGE dSAOperation" in RFC 2589 which in fact was co-authored by
> Microsoft employees.
>
> The official Microsoft documentation is here [MS-ADA1]:
>
> http://msdn.microsoft.com/en-us/library/cc219752.aspx
>
> Ciao, Michael.
>



Followup 12

Date: Wed, 16 Jan 2013 21:14:26 +0100
Subject: Re: (ITS#7493) slapo-allowed: allowed* attrs are replicated
From: "Pierangelo Masarati" <masarati@aero.polimi.it>
To: "Howard Chu" <hyc@symas.com>
Cc: "Michael Ströder" <michael@stroeder.com>,
        openldap-its@openldap.org
> Michael Ströder wrote:
>> hyc@symas.com wrote:
>>> masarati@aero.polimi.it wrote:
>>>> On 01/15/2013 07:40 PM, michael@stroeder.com wrote:
>>>>
>>>>> Please consider the attached patch which sets allowed
>>>>> "USAGE dSAOperation". This seems to be the most appropriate USAGE
>>>>> comparable
>>>>> to what's set for entryTTL in slapo-dds.
>>>>
>>>> No objection with this patch, since those properties were
>>>> "arbitrarily"
>>>> assigned to attributes defined by others to provide software
>>>> interoperability.  Unless anyone has objections, I'd commit it.
>>>
>>> Go ahead. Please add a comment about the origin of the schema
>>> definitions and
>>> these interoperability concerns.
>>
>> These attribute type descriptions were roughly taken from MS AD.
>
> I meant, please add a comment *in the patch* so it will remain in the
> source code.

There's already a detailed comment to this end in the related README,
which links the attribute definitions on <http://msdn.microsoft.com/>.

p.

>> Today I've checked the subschema of a W2K8R2 AD server:
>> I did not find a single attribute type description with USAGE although
>> there
>> were attribute types formally defined in RFCs. One example is 'entryTTL'
>> defined with "USAGE dSAOperation" in RFC 2589 which in fact was
>> co-authored by
>> Microsoft employees.
>>
>> The official Microsoft documentation is here [MS-ADA1]:
>>
>> http://msdn.microsoft.com/en-us/library/cc219752.aspx
>>
>> Ciao, Michael.
>>
>
>
>
>


-- 
Pierangelo Masarati
Associate Professor
Dipartimento di Ingegneria Aerospaziale
Politecnico di Milano



Followup 13

Date: Wed, 16 Jan 2013 20:30:00 +0000
From: Howard Chu <hyc@symas.com>
To: masarati@aero.polimi.it, openldap-its@openldap.org
Subject: Re: (ITS#7493) slapo-allowed: allowed* attrs are replicated
masarati@aero.polimi.it wrote:
>> Michael Ströder wrote:
>>> hyc@symas.com wrote:
>>>> masarati@aero.polimi.it wrote:
>>>>> On 01/15/2013 07:40 PM, michael@stroeder.com wrote:
>>>>>
>>>>>> Please consider the attached patch which sets allowed
>>>>>> "USAGE dSAOperation". This seems to be the most appropriate USAGE
>>>>>> comparable
>>>>>> to what's set for entryTTL in slapo-dds.
>>>>>
>>>>> No objection with this patch, since those properties were "arbitrarily"
>>>>> assigned to attributes defined by others to provide software
>>>>> interoperability.  Unless anyone has objections, I'd commit it.
>>>>
>>>> Go ahead. Please add a comment about the origin of the schema
>>>> definitions and
>>>> these interoperability concerns.
>>>
>>> These attribute type descriptions were roughly taken from MS AD.
>>
>> I meant, please add a comment *in the patch* so it will remain in the
>> source code.
>
> There's already a detailed comment to this end in the related README,
> which links the attribute definitions on <http://msdn.microsoft.com/>.

As already noted, those links don't provide actual schema definitions, nor do 
they define the USAGE. We're making a judgement call here with no 
documentation to support it. We should document why we're defining it this way 
so we don't have to repeat this conversation again down the road.
>
> p.
>
>>> Today I've checked the subschema of a W2K8R2 AD server:
>>> I did not find a single attribute type description with USAGE although
>>> there were attribute types formally defined in RFCs. One example is
>>> 'entryTTL'
>>> defined with "USAGE dSAOperation" in RFC 2589 which in fact was
>>> co-authored by
>>> Microsoft employees.
>>>
>>> The official Microsoft documentation is here [MS-ADA1]:
>>>
>>> http://msdn.microsoft.com/en-us/library/cc219752.aspx
>>>
>>> Ciao, Michael.
>>>
>>
>>
>>
>>
>
>



Followup 14

Date: Sat, 26 Jan 2013 14:30:59 +0100
From: Michael Ströder <michael@stroeder.com>
To: openldap-its@OpenLDAP.org
Subject: Re: (ITS#7493) slapo-allowed: allowed* attrs are replicated
Any chance to see this patch appear in 2.4.34?

Ciao, Michael.


The OpenLDAP Issue Tracking System uses a hacked version of JitterBug

© Copyright 2013, OpenLDAP Foundation, info@OpenLDAP.org