
RE: Lifetime of associations



I'm sorry, Kurt, but this is gobble-de-gook.

Firstly, you may refer to [TCP connect, StartTLS, Bind] as an exchange, but it ends there. And the point is to establish an "association". This association lasts until the next bind, a point which is critical for the discussion of whether a modify succeeded.

An exchange can only, generally, encompass a single request and its associated responses. It may be extended during "association" establishment to include negotiation of security layers, etc.

An association (or LDAP association) lasts from one bind (or the implicit bind on connection establishment) to the succeeding unbind or bind, if there was no unbind.

The "connection" is the underlying transport service. This is different from the LDAP association as the connection may persist after an unbind. (This is one of the features of LDAP that I'm not happy with, but it has always been thus for LDAP.)

Ron

-----Original Message-----
From: Kurt D. Zeilenga [mailto:Kurt@OpenLDAP.org]
Sent: Friday, 1 October 2004 03:39
To: Hallvard B Furuseth; Ramsay, Ron
Cc: ietf-ldapbis@OpenLDAP.org
Subject: RE: Lifetime of associations


There does seem to be some terminology issues here.
I suggest we should continue to focus on getting [protocol]
fixed, then have [authmeth] simply apply that terminology.

The term "LDAP Exchange" was intended, I believe, to refer
to the protocol session at the LDAP PDU level, which may
include multiple operations (bind, starttls, etc.) which
directly impact the authentication/authorization/security
state.  The word "exchange" was selected over "session"
as "session" commonly is used to refer to the octet stream
carried by the transport service, e.g., the stream carried
on the "connection".  (See the picture in Section 5.)

The term "LDAP association", as defined, refers to the
CURRENT authentication/authorization/security state 
associated with an LDAP Exchange.  The word "current" in
the definition should likely be dropped.  We should,
on use, qualify whether we are talking about the
past, present, or future state of the exchange.

There is no currently defined term with which to refer to the
lifetime of an LDAP association.  As the association
may change at any time, I don't think we need one.

As the messageId reuse doesn't depend on the
authentication/authorization/security state associated
with the exchange, the reuse discussion should not
involve use of the term "association".

As the exchange includes PDUs sent before and
after a particular Bind request, one has to be careful
in s/association/exchange/.  However, at least in
section 4.1.1.1, I think it okay to do this replacement.

Kurt
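
A small model of the lifetimes under discussion, added here as an example and not code from either message or from any LDAP implementation. It replays an event trace for one transport connection using Ron's definitions above (an association runs from a Bind, or the implicit bind at connection establishment, to the next Unbind or Bind; the connection outlives an Unbind) and Kurt's point that messageId reuse is scoped to the exchange on the connection, not to the authentication state. The event names, the empty string as the anonymous authorization identity, the treatment of StartTLS as upgrading the security layer of the association in effect, and the rejection of operations after an Unbind with no subsequent Bind are modelling assumptions, as is the sample trace.

```python
# Added example: partition one LDAP exchange into associations per Ron's
# definition, with messageId bookkeeping kept at connection scope per Kurt.
# Event vocabulary and the anonymous authz id "" are assumptions.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Association:
    authz_id: str                              # identity requests are evaluated under
    security_layer: str                        # transport protection in effect
    ops: list = field(default_factory=list)    # operation names run under it


class ProtocolError(Exception):
    pass


def partition_exchange(events):
    """Replay (event, arg) pairs for a single connection.

    Returns (associations, connection_open): every association in order of
    creation, and whether the transport connection is still open at the end.
    """
    associations: list = []
    current: Optional[Association] = None
    in_progress: set = set()      # message IDs outstanding on this connection
    connected = False
    layer = "none"

    for event, arg in events:
        if event == "connect":
            connected, layer = True, "none"
            # Implicit anonymous bind at connection establishment.
            current = Association(authz_id="", security_layer=layer)
            associations.append(current)
        elif not connected:
            raise ProtocolError(f"{event} before connect")
        elif event == "starttls":
            layer = "tls"
            if current is not None:
                # Assumption: a layer upgrade changes the association's
                # security state without starting a new association.
                current.security_layer = layer
        elif event == "bind":
            # A Bind ends the current association and starts the next one.
            # The connection, the exchange, and any outstanding message IDs
            # all persist across it.
            current = Association(authz_id=arg, security_layer=layer)
            associations.append(current)
        elif event == "unbind":
            current = None        # association ends; the connection does not
        elif event == "op":
            msgid, name = arg
            # messageId reuse is checked against the connection's in-progress
            # set, regardless of which association the request falls under.
            if msgid in in_progress:
                raise ProtocolError(f"messageId {msgid} reused while in progress")
            if current is None:
                raise ProtocolError(f"{name} with no association (after unbind)")
            in_progress.add(msgid)
            current.ops.append(name)
        elif event == "done":
            in_progress.discard(arg)   # final response seen; the ID is free again
        elif event == "close":
            connected, current = False, None
            in_progress.clear()
        else:
            raise ProtocolError(f"unknown event {event}")
    return associations, connected


def replay_error(events):
    """Return the ProtocolError message for a trace, or None if it replays cleanly."""
    try:
        partition_exchange(events)
    except ProtocolError as exc:
        return str(exc)
    return None


def demo():
    """Constructed trace: connect, StartTLS, a search left in progress, two
    Binds each followed by a modify, an Unbind, then a fresh Bind on the
    still-open connection."""
    trace = [
        ("connect", None),
        ("starttls", None),
        ("op", (1, "search")),
        ("bind", "cn=alice,dc=example,dc=com"),
        ("op", (2, "modify")),
        ("done", 2),
        ("bind", "cn=bob,dc=example,dc=com"),   # search 1 still in progress
        ("op", (2, "modify")),                  # ID 2 is free again, new association
        ("done", 1),
        ("unbind", None),
        ("bind", "cn=carol,dc=example,dc=com"), # same connection, new association
        ("op", (1, "delete")),
    ]
    return partition_exchange(trace)


if __name__ == "__main__":
    for n, a in enumerate(demo()[0]):
        print(n, repr(a.authz_id), a.security_layer, a.ops)
```

Running `demo()` yields four associations on one connection: the implicit anonymous one (carrying the search and, after StartTLS, the `tls` layer), one each for the two Binds, and a fourth started by the Bind that follows the Unbind. The two modify requests share messageId 2 but sit in different associations, which is allowed because the first had completed; reusing an ID that is still in progress is rejected whether or not a Bind intervened.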