
RE: Attribute Name Length Bounds



That's an accurate example of what I observed.

The implementer is aware of the issue.

I do see your point that this might be considered
a bug.

I also think that the fact that this bug can exist
is a result of an ambiguity in the LDAPv3 proposed
standard specs.

Based on one way of reading the specs, the two attributes
are actually the same from the perspective of the
implementation. This is based on there not being any
minimally supported length requirement. In this case,
from a protocol perspective, the attributes really are
the same and therefore should not be distinguishable
because the implementer chose to give precedence to the
allowance of unbounded attribute types over the requirement
to distinguish unique attribute type names based on their
unique octet string representations.

Based on another way of reading the spec, the two attributes
are different because they were intended by the folks deploying
the implementation in question to be different. This interpretation
requires that an implementer prioritize the requirement that two
attribute type names be considered equivalent iff they are
represented by the same character string over the implicit
allowance that attribute type names are to be unbounded
with respect to length.

Either interpretation is arguably correct given the state of
the currently published proposed standards documents for
LDAPv3. Thus implementers choosing either strategy are correct
when they claim compliance with the specs.

I believe the best way to address this problem is by clarifying
a minimally supported length as it would remove the ambiguity.

Chris Apple - Principal Architect

DSI Consulting, Inc.

mailto:capple@dsi-consulting.net

http://www.dsi-consulting.com

-----Original Message-----
From: Kurt D. Zeilenga [mailto:Kurt@OpenLDAP.org] 
Sent: Tuesday, June 17, 2003 12:46 AM
To: capple@dsi-consulting.net
Cc: ietf-ldapbis@OpenLDAP.org
Subject: Re: Attribute Name Length Bounds


In re-reading the top of this thread, I have a comment which are
covered well in other follow-ups.

At 12:28 AM 6/13/2003, Chris Apple wrote:
>I have encountered a problem while attempting to extend the basic schema
>of several different LDAPv3 server implementations. Specifically, some of
>them place restrictions on the length of attribute names. In one case,
>the attribute name length restriction is rather short, too short to
>make it possible for it to distinguish between two different attribute
>names with the same character string as a prefix.

Are you saying that a server is treating two different short
names (descriptors) as being equivalent because the first few
characters of the name happen to be the same?

That is, an implementation is ignoring the difference in
  'x-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx-1'
and
  'x-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx-2'.

If yes, I would consider that to be an implementation bug.  I
suggest you report this to the implementor.  Two names should
only be considered equivalent if they contain the same set of
characters (ignoring case).

Kurt
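
As an added illustration (not part of the original thread), a Python schema audit that reports which attribute descriptors collapse together on a server treating only the first `bound` characters as significant, and the smallest bound that keeps them all distinct. The sample names and the bound of 32 are constructed; comparison ignores case, as in the message above.

```python
from collections import defaultdict


def truncation_collisions(names, bound):
    """Group descriptors that become equal when only the first `bound`
    characters are significant (compared case-insensitively)."""
    groups = defaultdict(list)
    for name in names:
        groups[name.lower()[:bound]].append(name)
    # Report only groups whose members differ when compared in full.
    return {
        key: members
        for key, members in groups.items()
        if len({m.lower() for m in members}) > 1
    }


def min_significant_length(names):
    """Smallest bound at which every distinct descriptor stays distinct."""
    distinct = sorted({n.lower() for n in names})
    needed = 1
    for a, b in zip(distinct, distinct[1:]):
        # After sorting, the longest shared prefix of any pair is found
        # between two neighbours, so checking neighbours is sufficient.
        common = 0
        while common < min(len(a), len(b)) and a[common] == b[common]:
            common += 1
        needed = max(needed, common + 1)
    return needed


# Constructed sample schema: two long names sharing a prefix, in the shape
# of the pair quoted in the thread, plus one name given in two cases.
LONG_1 = "x-" + "x" * 52 + "-1"
LONG_2 = "x-" + "x" * 52 + "-2"
SAMPLE_NAMES = [LONG_1, LONG_2, "cn", "CN"]

if __name__ == "__main__":
    bound = 32  # assumed server limit, for illustration only
    for key, members in truncation_collisions(SAMPLE_NAMES, bound).items():
        print(f"indistinguishable at {bound} chars: {members}")
    print("minimum significant length:", min_significant_length(SAMPLE_NAMES))
```

Running the same check against each target server's documented limit before extending its schema shows whether two intended-distinct names would be merged.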