Re: Critical controls

["Kurt D. Zeilenga" <Kurt@OpenLDAP.org>]

At 03:33 PM 11/22/00 -0500, Mark Smith wrote:
>Jim Sermersheim wrote:
>
>>  RFC 2251 states in section 4.1.12"If the server does not recognize
>> the control type and the criticality field is TRUE, the server MUST
>> NOT perform the operation, and MUST instead return the resultCode
>> unavailableCriticalExtension."and"If the control is not appropriate
>> for the operation and criticality field is TRUE, the server MUST NOT
>> perform the operation, and MUST instead return the resultCode
>> unavailableCriticalExtension." There is a problem in that LDAP doesn't
>> define an unbindResponse or an abandonResponse, thus can't return
>> unavailableCriticalExtension. When an unbind or abandon operation is
>> paired with an unrecognized or inappropriate critical control, is it
>> best to not perform the operation, or ignore the control? Jim
>
>Good question.  Maybe we say that clients MUST NOT send critical
>controls with abandon or unbind requests.  We could specify that servers
>SHOULD treat all controls that are marked critical that arrive with an
>abandonRequest or unbindRequest as not critical.  Not very clean, but we
>have to make a choice.

I suggest different handling for abandon then unbind.

  A abandon request with an unrecognized or inappropriate critical
  control should be ignored by the server.

  A unbind request with an unrecognized or inappropriate critical
  control should be processed by the server as if the control was
  not critical.

Kurt