
RE: NOT filter question



Kurt,

I think I must differ from you here.

Firstly, AVA evaluation is misleading as, for example, a compare request can return an attribute error. Therefore, there is no need in a section on AVA evaluation to mention the case where the attribute is not present in the entry. The appropriate place is in X.511 under filter evaluation.

Secondly, the new text on the 2000 edition relating to filters seems to be a clarification and so must be taken into account when reading the 1993 edition.

I admit that most LDAP servers behave as you say, but this would be because one server did originally. If you want all LDAP servers to behave like this to be conformant, then you are going to have to put specific words to this effect in the protocol document. I don't think X.500, 1993 or otherwise, supports your arguments. (I note that one X.500/LDAP server conforms to X.511.)

Ron

-----Original Message-----
From: owner-ietf-ldapbis@OpenLDAP.org
[mailto:owner-ietf-ldapbis@OpenLDAP.org]On Behalf Of Kurt D. Zeilenga
Sent: Sunday, 5 September 2004 02:52
To: John McMeeking
Cc: ietf-ldapbis@OpenLDAP.org
Subject: RE: NOT filter question


At 09:49 AM 9/2/2004, John McMeeking wrote:
>Is this something that should be clarified in the LDAP standards?

IMO, yes.  We should make it clear in [Protocol] that AVA evaluation
is as specified in X.501(1993), providing a summary of these
semantics.

>It seems like this is an area where, arguably, we are departing from X.500.
>The 1993 edition is unclear to me on this matter and the position that an
>assertion about an attributetype that is not contained in the entry is
>FALSE seems to be based on the X.501 and X.511 text not mentioning the
>case.  Later editions appear to address this case, which seems to be a
>clarification rather than a change.

I think X.501(1993) is quite clear.  We have not, and should not,
depart from X.501(1993).  [Protocol] should make this clear.

>Some disagreement on the correct behavior has been expressed in these notes
>and past discussions I found in the archives.

I don't think there is any argument as to the behavior X.501(1993)
specifies, nor any argument that LDAP servers are to act in
accordance with X.501(1993) in this regard.

>There does seem to be
>agreement that current practice is (cn=bob) evaluates to FALSE if there is
>no cn attribute in the entry.

I agree that implementations seem to have gotten it right
(right as defined by the applicable technical specifications).




>John  McMeeking
>
>
>"Kurt D. Zeilenga" <Kurt@OpenLDAP.org> wrote on 09/01/2004 09:37:16 PM:
>
>> At 06:14 PM 9/1/2004, Ramsay, Ron wrote:
>> >It was changed in X.500:2000.
>>
>> Well, since we reference X.500(1993), we can and should
>> ignore the change. -- Kurt
>>
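
Added example, not part of the thread: a small Python model of why the two readings matter once the item sits under NOT, useful when a negated filter gates access or selects accounts. The entries and function names are constructed, and treating the alternative reading as "Undefined" with three-valued NOT is an assumption made here for comparison.

```python
# Constructed illustration; not code from any LDAP server or from the thread.
TRUE, FALSE, UNDEFINED = "TRUE", "FALSE", "Undefined"


def eval_equality(entry, attr, value, absent_result):
    """Evaluate (attr=value) against one entry.

    absent_result is what the item yields when the entry holds no such
    attribute: FALSE (current practice as described in the thread) or
    UNDEFINED (the alternative reading, assumed here for comparison).
    """
    values = entry.get(attr.lower())
    if values is None:
        return absent_result
    # Case-insensitive comparison stands in for the attribute's equality rule.
    return TRUE if value.lower() in (v.lower() for v in values) else FALSE


def eval_not(result):
    # Three-valued negation: Undefined stays Undefined.
    return {TRUE: FALSE, FALSE: TRUE, UNDEFINED: UNDEFINED}[result]


def search_not_equal(entries, attr, value, absent_result):
    """Return DNs matching (!(attr=value)); only a TRUE result selects an entry."""
    return [
        dn
        for dn, entry in entries.items()
        if eval_not(eval_equality(entry, attr, value, absent_result)) == TRUE
    ]


# Constructed sample directory: the last entry has no cn attribute at all.
ENTRIES = {
    "uid=bob,dc=example,dc=com": {"cn": ["Bob"]},
    "uid=alice,dc=example,dc=com": {"cn": ["Alice"]},
    "ou=printers,dc=example,dc=com": {"ou": ["printers"]},
}

if __name__ == "__main__":
    for label, absent in (("absent => FALSE", FALSE), ("absent => Undefined", UNDEFINED)):
        print(label, search_not_equal(ENTRIES, "cn", "bob", absent))
```

Under the FALSE reading, (!(cn=bob)) also selects the entry that has no cn; under the Undefined reading it does not, so a negated filter should be tested against entries that lack the attribute.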