
Re: result code for a deleted identity on a connection



Hallvard,

I am not very clear how a server can continue to serve requests on the
connection. If new objects are created on the connection after the user
object deletion, then what is the user-id assigned by the server as the
creator/owner for such objects (since the user object has been deleted)?
Audit logs would show that objects were created by the user, after
the user object had been deleted. Isn't this a problem?

Vijay

>>> Hallvard B Furuseth <h.b.furuseth@usit.uio.no> 4/30/2003 5:43:53 PM >>>
Vithalprasad Gaitonde writes:
> If a client does a bind with an identity and then while the bound
> connection is still open, the object which has bound gets deleted, what
> is the expected server behaviour when the client tries to make the next
> request on that connection?
> Should the connection revert to anonymous? - This seems inappropriate
> as the client would not know why he is suddenly not getting access to
> some objects which he had access to earlier.

Right.

> The appropriate behaviour should probably be to send a result code back
> and close the connection (as if there had been an unbind).

I suspect it might be a lot of work for servers to keep track of this.
So I think the server should have that option, but it should also have
the option not to notice this condition and keep serving requests as if
nothing happened.

> None of the current result codes defined in
> http://www.ietf.org/internet-drafts/draft-ietf-ldapbis-protocol-13.txt
> seem to be appropriate for this. The closest is insufficient access.
> We should probably have a result code like invalidIdentity

How about invalidCredentials?

> which is sent back with a notice of disconnection (section 4.4.1
> protocol draft) followed by a closing of the connection by the server.

-- 
Hallvard
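The following is an added illustration, not code from anyone on this list: a toy in-memory model of the two server behaviours under discussion. With the assumed server option check_identity set, the server re-validates the bound DN on every request, and if that entry is gone it returns invalidCredentials (resultCode 49 in the LDAP enumeration, the code Hallvard suggests), records a Notice of Disconnection and closes the connection. With the option cleared, the server keeps serving as if nothing happened, and the audit log ends up with an add attributed to a DN that no longer exists, which is the discrepancy Vijay raises. The DNs, passwords, the audit list and the orphaned_audit_records check are all constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

SUCCESS = 0
INVALID_CREDENTIALS = 49   # LDAP resultCode invalidCredentials


@dataclass
class Connection:
    conn_id: int
    bound_dn: Optional[str] = None   # None models an anonymous connection
    is_open: bool = True


@dataclass
class Server:
    # check_identity is an assumed server option (not defined by the protocol draft):
    #   True  -> re-validate the bound DN on every request, as Vithalprasad proposes
    #   False -> never notice the deletion and keep serving, the option Hallvard wants kept
    check_identity: bool = True
    entries: Dict[str, Dict[str, str]] = field(default_factory=dict)
    audit: List[Tuple[str, str, Optional[str]]] = field(default_factory=list)  # (op, target DN, actor DN)
    notices: List[Tuple[int, int]] = field(default_factory=list)              # (conn_id, resultCode)

    def bind(self, conn: Connection, dn: str, password: str) -> int:
        entry = self.entries.get(dn)
        if entry is None or entry.get("userPassword") != password:
            return INVALID_CREDENTIALS
        conn.bound_dn = dn
        return SUCCESS

    def _authorize(self, conn: Connection) -> int:
        """Per-request check: is the connection open, and does the bound identity still exist?"""
        if not conn.is_open:
            raise RuntimeError("request on a closed connection")
        if self.check_identity and conn.bound_dn is not None and conn.bound_dn not in self.entries:
            # Return the result, send a Notice of Disconnection (draft section 4.4.1) and close.
            self.notices.append((conn.conn_id, INVALID_CREDENTIALS))
            conn.is_open = False
            conn.bound_dn = None
            return INVALID_CREDENTIALS
        return SUCCESS

    def add(self, conn: Connection, dn: str, attrs: Dict[str, str]) -> int:
        rc = self._authorize(conn)
        if rc != SUCCESS:
            return rc
        # creatorsName is whatever the connection is bound as at the time of the add
        self.entries[dn] = dict(attrs, creatorsName=conn.bound_dn or "anonymous")
        self.audit.append(("add", dn, conn.bound_dn))
        return SUCCESS

    def delete(self, conn: Connection, dn: str) -> int:
        rc = self._authorize(conn)
        if rc != SUCCESS:
            return rc
        self.entries.pop(dn, None)
        self.audit.append(("delete", dn, conn.bound_dn))
        return SUCCESS

    def orphaned_audit_records(self):
        """Audit records whose actor DN no longer exists in the directory."""
        return [rec for rec in self.audit if rec[2] is not None and rec[2] not in self.entries]


def run_scenario(check_identity: bool) -> dict:
    """Bind an admin and a user, delete the user's entry from the admin connection,
    then let the user's still-open connection issue one more request."""
    srv = Server(check_identity=check_identity)
    admin_dn = "cn=admin,dc=example,dc=com"      # constructed sample DNs
    user_dn = "cn=vijay,dc=example,dc=com"
    srv.entries[admin_dn] = {"userPassword": "admin-secret"}
    srv.entries[user_dn] = {"userPassword": "user-secret"}

    admin_conn, user_conn = Connection(1), Connection(2)
    assert srv.bind(admin_conn, admin_dn, "admin-secret") == SUCCESS
    assert srv.bind(user_conn, user_dn, "user-secret") == SUCCESS

    assert srv.delete(admin_conn, user_dn) == SUCCESS   # bound object deleted while user_conn is open
    new_dn = "cn=newobj,dc=example,dc=com"
    rc = srv.add(user_conn, new_dn, {"objectClass": "top"})
    return {
        "result": rc,
        "connection_open": user_conn.is_open,
        "created": new_dn in srv.entries,
        "creatorsName": srv.entries.get(new_dn, {}).get("creatorsName"),
        "notices": srv.notices,
        "orphaned_audit": srv.orphaned_audit_records(),
    }


if __name__ == "__main__":
    for mode in (True, False):
        print("check_identity =", mode, "->", run_scenario(mode))
```

Running it with check_identity=True shows the add refused with resultCode 49, a notice queued for connection 2 and the connection closed; with check_identity=False the add succeeds and orphaned_audit_records() flags the new entry as created by a DN the directory no longer contains, which is the kind of check an auditor would want to run against a server that takes the "do not notice" option.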