
RE: other restrictions (RE: root dse search)



Kurt,

I have no problem with treating operational attributes in the root DSE the
same as operational attributes in other entries. I note that there is an
issue of interoperability as indicated by Mark Smith.

Other replies in-line, see [Ron].

Ron.

-----Original Message-----
From: Kurt D. Zeilenga [mailto:Kurt@OpenLDAP.org]
Sent: Thursday, 15 March 2001 18:54
To: Ramsay, Ron
Cc: ietf-ldapbis@OpenLDAP.org
Subject: other restrictions (RE: root dse search)


I'm going to break my reply in two as to separate two issues:
        - the filter
        - other restrictions
with the root dse.  This message responds to the other restrictions
portion of your reply.

Do you think any of these "other" restrictions apply to
the root DSE?
  - administrative limits,
  - applicability to client's context (certain SASL mechanisms,
    controls, and extensions may only be visible when available), and
  - restrictions imposed by search controls.

[Ron] I think it would be difficult to argue for administrative limits.
ObjectClasses and attributeTypes may return many values but, if you require
clients to ask for operational attributes by name, then I don't see that you
can refuse to send them when asked for them. On the next point, I think the
STARTTLS RFC actually says that available SASL mechanisms may be different
if the connection has been secured. I have no comment on the last matter,
except to say that, if the rootDSE can only be retrieved with a 'read',
search controls would make no sense. You refer elsewhere to attributes whose
values are difficult for a server to compute - these could presumably be
restricted with access control?

I would think "there may be extremely large number of values
for certain operational attributes" (4.5.1) as the stated rationale
for restricting the return of operational attributes clearly
applies to the root DSE.

At 03:56 PM 3/15/01 +1100, Ramsay, Ron wrote:
>I think that the 4.5.1 statement regarding the return of operational
>attributes was itself overridden in the case of the root DSE.

What in the TS leads you to this conclusion?
Is there something specific in the "core" RFC, X.501, or X.511
I've missed?

[Ron] As I said, I believe that Mark Wahl was categorical in a message on
one of the LDAP lists.

I believe one must take into account all relevant purposes of
the TS when interpreting a particular aspect of the TS.  I believe
section 4.5.1 is clearly relevant to search of the root DSE.
Without a specific statement in the TS overriding these semantics
as it applies to section 3.4, I believe no requirement of 4.5.1
is overridden.

Kurt
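To make the 4.5.1 selection rule under discussion concrete, here is an added illustration (not code from the thread or from any LDAP implementation): a toy server applies the rule to a constructed root DSE, so operational attributes such as supportedSASLMechanisms come back only when the client names them, and, following Ron's STARTTLS remark, the advertised SASL list is assumed to differ on a TLS-protected connection.

```python
# Added illustration (not from the thread) of the RFC 2251 section 4.5.1
# rule debated above: a server returns an operational attribute only when
# the client names it.  All entry contents here are constructed samples.
from typing import Dict, List

Entry = Dict[str, List[str]]

# Operational attribute types this toy server knows about.
OPERATIONAL = {
    "namingContexts", "supportedLDAPVersion", "supportedControl",
    "supportedExtension", "supportedSASLMechanisms",
}


def root_dse(tls_active: bool) -> Entry:
    """Build the root DSE as seen on one connection.  As Ron notes, the
    advertised SASL mechanisms may change once TLS is in place; here
    EXTERNAL is advertised only on a TLS-protected connection (assumption)."""
    sasl = ["DIGEST-MD5"] + (["EXTERNAL"] if tls_active else [])
    return {
        "objectClass": ["top"],
        "namingContexts": ["dc=example,dc=com"],
        "supportedLDAPVersion": ["3"],
        "supportedControl": ["1.2.840.113556.1.4.319"],   # paged results
        "supportedExtension": ["1.3.6.1.4.1.1466.20037"],  # StartTLS
        "supportedSASLMechanisms": sasl,
    }


def select_attributes(entry: Entry, requested: List[str]) -> Entry:
    """Apply the 4.5.1 selection rule to one entry.
    An empty request list, or '*', means all user attributes; an
    operational attribute appears only when explicitly named.
    Attribute descriptions are matched case-insensitively."""
    by_lower = {name.lower(): name for name in entry}
    wanted = set()
    if not requested or "*" in requested:
        wanted.update(n for n in entry if n not in OPERATIONAL)
    for req in requested:
        real = by_lower.get(req.lower())
        if real is not None:
            wanted.add(real)
    return {n: entry[n] for n in entry if n in wanted}


def base_search_root_dse(tls_active: bool, requested: List[str]) -> Entry:
    """Base-scope search of the empty DN: the only way to read the root DSE."""
    return select_attributes(root_dse(tls_active), requested)
```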