Re: appropriateness of combination of controls (new suggestion)

["Kurt D. Zeilenga" <Kurt@OpenLDAP.org>]

At 08:02 AM 5/15/2004, Jim Sermersheim wrote:
>>>> "Kurt D. Zeilenga" <Kurt@OpenLDAP.org> 5/15/04 7:54:50 AM >>>
>>At 10:32 PM 5/14/2004, Jim Sermersheim wrote:
>>>It disallows combinations of other controls (like VLV and PSearch)
>and returns an error if these are combined. I don't have code available
>right now or I could tell you what >the error is (I assume it's
>unwillingToPerform). 
>>
>>Question: if both VLV and Psearch were marked critical, would
>>the error you returned be different? 
>
>No, the routine that checks for known/appropriate controls is different
>from the routine(s) which will return errors for invalid combinations.
>We kept the former very simple (do we understand this control, and is it
>appropriate for this operation).  At this point of checking, we don't
>even know if there are more controls in the message.

Do you also handle a message with two critical manageDsaIT
controls in the same fashion?

Do you also handle a message with two (different) critical
Psearch controls in the same fashion?

>It would be good to know what other implementations do. I know there
>are some others that support VLV and PSearch. I wonder how they handle
>the combination?

Well, I checked our code and, to my surpise, it wasn't as
I previously described.  OpenLDAP slapd(8) response of say:
        search+ManageDsaIT+manageDsaIT
        search+subentries+subentries

would be to return protocolError.  Given this, I retract my
suggested text.

If we're going to recommend returning an error here, I think
we should specifically recommend return of protocolError over
a code like unwillingToPerform.

unwillingToPerform implies that the operation can be performed,
but that this particular server is unwilling or unable to perform
the operation (at this time).  protocolError more accurately
reflects that the server cannot make sense of the request.

Kurt