RE: When can Search return errors (post name resolution)

["Ramsay, Ron" <Ron.Ramsay@ca.com>]

I think you should take it completely literally.

Yes, silently ignore alias loops while searching (retrieving entries).

Yes, if out of memory return directory unwilling to perform, although LDAP has the possibility of returning the entries discovered so far plus putting an error in the search done message.

I think the seach done message can be used in place of the partial outcome qualifier for size/time limit exceeded.

 

Ron

-----Original Message-----
From: owner-ietf-ldapbis@OpenLDAP.org [mailto:owner-ietf-ldapbis@OpenLDAP.org]On Behalf Of Jim Sermersheim
Sent: Wednesday, 1 December 2004 02:45
To: ietf-ldapbis@OpenLDAP.org
Subject: When can Search return errors (post name resolution)

How literally are we to take the statement from X.511:

"The request succeeds, subject to access controls, if the baseObject is located, regardless of whether there are any
subordinates to return"?

 

For example, if an alias loop is detected while searching, is it silently ignored? Similarly, if an alias cannot be dereferenced while searching, do we not return aliasProblem?

 

Surely, if there is an internal error (out of memory, etc.) the request does not succeed.

 

Of course sizeLimitExceeded and timeLimitExceeded may be returned even if the base object is located, but in X.511 these are not returned as ERRORS, they are returned in partialOutcomeQualifier.

 

[Protocol] says this instead:

"   Servers MUST NOT return errors if attribute descriptions or matching
   rule ids are not recognized, assertion values are invalid, or the
   assertion syntax is not supported. More details of filter processing
   are given in Clause 7.8 of [X.511]."

 

I've had it asked whether LDAP implementations are to go beyond this statement and never fail a search once name resolution has completed (as is implied by X.511), and specifically, what to do about alias derefrencing problems while searching.

 

Jim