
Re: appropriateness of combination of controls (new suggestion)



Here's what I can offer regarding Novell's interpretation and behavior:

Novell's eDirectory/NDS only considers the operation when evaluating whether a given control is appropriate.

It allows some combinations of controls where that combination is unspecified yet makes sense (manageDSAIT + SSS).

It disallows combinations of other controls (like VLV and PSearch) and returns an error if these are combined. I don't have code available right now or I could tell you what the error is (I assume it's unwillingToPerform).

eDirectory implements a very strict interpretation of the criticality language in RFC 2251: it only talks about a control being appropriate for an operation, not an operation while also considering controls.

I also think until now, most other people interpreted 'appropriate for the operation' as being only concerned with the operation (disregarding fields (including controls) of the operation). I'm not aware of any current control definitions that say a control is considered inappropriate if combined with this other control, so I assume no one else has interpreted it this way. But I could be wrong.

Jim

>>> "Kurt D. Zeilenga" <Kurt@OpenLDAP.org> 5/14/04 9:04:20 PM >>>
The semantics of most combinations of controls are unspecified.
While I would agree that existing implementations do implement
some combinations of controls whose semantics are unspecified, I
hope they have done so only after fully considering the implications.
In particular, I would hope servers only viewed a control
appropriate for the operation if the semantics of the operation
(as extended by that and other controls) were clear to the
implementors of the server and the clients the server was intended
to interact with.

I believe that existing implementations, when faced with a
combination of two non-critical controls they believe to have
mutually-exclusive semantics, will ignore one or both of the
controls instead of failing the operation.  It's my view this is
what RFC 2251 intended servers to do when it repeatedly used the
language "appropriate for the operation".  (If you know of servers
which behave differently, I'd be interested in details.)

My view is that the most reasonable answer to:
  When is a control "appropriate for the operation"?
is:
  When the specification of the control states that it is.

The question as to whether a particular specification is clear
enough and/or explicit enough in this statement, or otherwise
adheres to current practices, should be discussed in review of
the document detailing it... and possibly as part of a review of
a document detailing best current practices in this area.
(And where we find existing specifications not to be up to
snuff here, we should revise them.)

At 09:56 AM 5/14/2004, Jim Sermersheim wrote:
>I think we're getting overly wordy with all this.

Though you said this in a particular context, I believe it applies
generally here.  I'm going to try to produce a less wordy text.
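
The two server behaviors described in this thread, side by side, as an added example that is not part of the original message and is not code from eDirectory, OpenLDAP or any other server. The appropriateness table, the function names and the handling of a conflict between two critical controls are assumptions of the sketch; unwillingToPerform is the result code the poster says he assumes, not a confirmed value.

```python
# Added illustration; not code from eDirectory, OpenLDAP or any other server.
MANAGE_DSA_IT = "2.16.840.1.113730.3.4.2"
SSS = "1.2.840.113556.1.4.473"        # server-side sort request
VLV = "2.16.840.1.113730.3.4.9"       # virtual list view request
PSEARCH = "2.16.840.1.113730.3.4.3"   # persistent search

# Constructed table: operations each control is appropriate for.
APPROPRIATE = {
    MANAGE_DSA_IT: {"search", "compare", "add", "delete", "modify", "modifyDN"},
    SSS: {"search"}, VLV: {"search"}, PSEARCH: {"search"},
}
# The one pair the thread names as disallowed together.
CONFLICTS = [frozenset({VLV, PSEARCH})]

def check_each(op, controls):
    """RFC 2251 per-control rule; looks only at the operation type."""
    kept = []
    for oid, critical in controls:
        if op in APPROPRIATE.get(oid, ()):
            kept.append((oid, critical))
        elif critical:
            return "unavailableCriticalExtension", []
        # unrecognized or inappropriate and non-critical: ignored
    return "success", kept

def evaluate(op, controls, on_conflict):
    """on_conflict: 'reject' fails the operation, 'ignore' drops controls."""
    result, kept = check_each(op, controls)
    if result != "success":
        return result, []
    present = {oid for oid, _ in kept}
    for pair in CONFLICTS:
        if not pair <= present:
            continue
        if on_conflict == "reject":
            # Result code is the poster's guess, not a confirmed value.
            return "unwillingToPerform", []
        droppable = {oid for oid, crit in kept if oid in pair and not crit}
        if not droppable:
            # Assumption of this sketch: both members critical, so fail.
            return "unavailableCriticalExtension", []
        kept = [(oid, crit) for oid, crit in kept if oid not in droppable]
    return "success", [oid for oid, _ in kept]
```

Each control is given as an (OID, criticality) pair; the second element of the result lists the controls the modeled server would honor.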