Re: root dse search



I agree with these suggestions. I think that:

1 (subject to access control and other restrictions)
and 
3 (servers will not return operational attributes unless...)

are in accordance with the original intent. I don't know about the other two--I don't see any problems jumping out of them though.

Jim

>>> "Kurt D. Zeilenga" <Kurt@OpenLDAP.org> 3/14/01 4:19:47 PM >>>
The RFC 2251, 3.4 statement:
   These attributes are retrievable if a client performs a base
   object search of the root with filter "(objectClass=*)", however
   they are subject to access control restrictions.

has been interpreted by some that these attributes are not
subject to other restrictions.  It is clear that there are quite
a few other restrictions which are or may be placed upon these
attributes, including:
  - administrative limits,
  - applicability to client's context (certain SASL mechanisms,
    controls, and extensions may only be visible when available),
  - restrictions imposed by search controls, and
  - basic attribute usage semantics (including restrictions upon
    the return of operational attributes).

A simple clarifying replacement would be:
   These attributes are retrievable if a client performs a base
   object search of the root with filter "(objectClass=*)", however
   they are subject to access control and other restrictions.

However, I have also noticed that this statement has also been
interpreted by some that no other filters may be used.  Some
implementations appear to ignore the filter completely
(returning the root DSE even when the filter clearly doesn't
match).

Hence, I suggest this statement be replaced with:
   These attributes are retrievable if a client performs a base
   object search of the root DSE with a matching filter such as
   (objectClass=*).  These attributes, like other attributes,
   are subject to access control and other restrictions.

It might also be appropriate to reiterate the 4.5.1 statement
in regards to semantics of operational attributes as well:
  Furthermore, servers will not return operational attributes
  unless they are listed by name (see Section 4.5.1).

I also note that implementations may support operations upon
the Root DSE, so the addition of the following might be
appropriate as well:
  Implementations may support additional operations (e.g.
  compare, modify) upon the root DSE.

Kurt
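An added example, not part of either message above and not OpenLDAP code: a small Python model of the root DSE search semantics Kurt's proposed wording describes. It shows a base-object search of the empty DN whose filter must actually match (rather than being ignored), attributes subject to access control and to the client's context (which SASL mechanisms are currently usable), and operational attributes returned only when listed by name per RFC 2251 section 4.5.1. The sample entry, the access-control policy, the rule that EXTERNAL is advertised only once a TLS session exists, and the names `root_dse_search`, `visible_attrs` and `ClientContext` are all constructed assumptions for illustration.

```python
"""Model of RFC 2251 root DSE search semantics (constructed example)."""
from dataclasses import dataclass
import re

# Constructed root DSE. Per RFC 2252 the root DSE attributes are operational
# (USAGE dSAOperation); objectClass is the only user attribute here.
# Value tuple: (values, is_operational)
ROOT_DSE = {
    "objectClass":             (["top", "OpenLDAProotDSE"], False),
    "namingContexts":          (["dc=example,dc=com"], True),
    "supportedLDAPVersion":    (["3"], True),
    "supportedSASLMechanisms": (["DIGEST-MD5", "EXTERNAL"], True),
    "supportedExtension":      (["1.3.6.1.4.1.1466.20037"], True),  # StartTLS OID
    "subschemaSubentry":       (["cn=Subschema"], True),
}

# Constructed access-control policy: attributes an anonymous client may read.
# Anything else requires an authenticated bind (hypothetical, not from the thread).
ANON_READABLE = {"objectClass", "supportedLDAPVersion",
                 "supportedSASLMechanisms", "supportedExtension"}


@dataclass
class ClientContext:
    """What the server knows about the requesting client."""
    authenticated: bool = False
    tls_established: bool = False


def visible_attrs(ctx):
    """Apply access control and client-context restrictions to the root DSE.
    Returns {name: (values, is_operational)} limited to what this client may see."""
    out = {}
    for name, (values, operational) in ROOT_DSE.items():
        if not ctx.authenticated and name not in ANON_READABLE:
            continue  # access control: attribute hidden from this client
        if name == "supportedSASLMechanisms" and not ctx.tls_established:
            # Context restriction (constructed rule): a mechanism is only
            # advertised when the client could actually use it.
            values = [v for v in values if v != "EXTERNAL"]
        out[name] = (values, operational)
    return out


# Presence "(attr=*)" and equality "(attr=value)" filters only.
_SIMPLE_FILTER = re.compile(r"^\((?P<attr>[A-Za-z][A-Za-z0-9-]*)=(?P<value>[^()]*)\)$")


def filter_matches(filter_str, attrs):
    """Evaluate the filter against the attributes visible to the client.
    Evaluating against the visible set (not the raw entry) keeps a filter
    from disclosing attributes the client is not allowed to read."""
    m = _SIMPLE_FILTER.match(filter_str.strip())
    if not m:
        raise ValueError("unsupported filter: %s" % filter_str)
    attr, value = m.group("attr").lower(), m.group("value")
    values = [v for name, (vs, _) in attrs.items() if name.lower() == attr for v in vs]
    if value == "*":
        return bool(values)  # presence test
    return any(v.lower() == value.lower() for v in values)  # case-insensitive equality


def root_dse_search(base, scope, filter_str, requested, ctx):
    """Model a search that targets the root DSE.
    Returns the entry as {attr: values}, or None when no entry is returned."""
    if base != "" or scope != "base":
        return None  # only a base-object search of the empty DN reaches the root DSE
    attrs = visible_attrs(ctx)
    if not filter_matches(filter_str, attrs):
        return None  # the filter must match; it is not ignored
    wanted = {r.lower() for r in requested}
    all_user = not wanted or "*" in wanted  # empty list or "*" means all user attributes
    entry = {}
    for name, (values, operational) in attrs.items():
        if operational:
            if name.lower() in wanted:  # operational: only when listed by name
                entry[name] = values
        elif all_user or name.lower() in wanted:  # user attributes: by default or by name
            entry[name] = values
    return entry
```

With the constructed policy, an anonymous client asking for `(objectClass=*)` with no attribute list gets only `objectClass` back; it must name `supportedSASLMechanisms` to see it, and sees `EXTERNAL` in the list only after TLS is established. A filter such as `(objectClass=nosuch)` returns no entry, which is the behaviour the thread's second proposed wording asks for.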