
RE: When to not deref aliases



Under the guidance provided by RFC 2119, Section 6 for use
of Imperatives, I do not believe there is sufficient reason to
use a "MUST NOT" here.

Kurt

At 05:26 PM 1/31/01 -0700, Jim Sermersheim wrote:
>>>> "Salter, Thomas A" <Thomas.Salter@unisys.com> 1/30/01 9:04:29 AM >>>
>>I finally found a definitive statement in X.511, 8.1.2 Directory Bind
>>arguments:  "If simple is used, it consists of a name (always the
>>distinguished name of an object), ... "
>>
>>Since aliases are entries but not objects they are explicitly excluded from
>>use in the Bind.
>>
>>I guess we are now all in agreement that an alias cannot be used as the DN
>>of a simple bind.
>
>This was pointed out in http://www.OpenLDAP.org/lists/ietf-ldapbis/200101/msg00018.html, http://www.OpenLDAP.org/lists/ietf-ldapbis/200101/msg00035.html, http://www.OpenLDAP.org/lists/ietf-ldapbis/200101/msg00109.html and another subthread.
>
>Through all of this, we _haven't_ been in agreement.
>
>After looking at this long-winded thread, I noticed that four people have settled on the SHOULD NOT proposal (kz, lp, hv, rr). While another four (th, rh, ts, js) now think it should be a MUST NOT. Let me know if your opinion is being mis-read.
>
>I believe that most people in the SHOULD NOT camp agree that the specification (X.511, 8.1.2) clearly disallows the name of an alias to be passed in a simple bind, but are settling on SHOULD NOT for interoperability reasons. I note that implementations that currently dereference during a bind have always been at odds with the specification (given one agrees with RFC 2251, 3.3 and Thomas's assessment of X.511, 8.1.2). And thus, I'm not sure why special considerations are being made. So far, I've only heard of two servers that do this (and it's optional on one of those).
>
>I also believe most people in the MUST NOT camp will reluctantly say they don't mind it being a SHOULD NOT.