[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Submission of Internet Draft - Complex Directory Lookup using Javabased LDAP Query Extension

To: Chris Tomlinson <christine.tomlinson@INNOSOFT.COM>
Subject: Re: Submission of Internet Draft - Complex Directory Lookup using Javabased LDAP Query Extension
From: Graham Klyne <GK@Dial.pipex.com>
Date: Fri, 08 Jan 1999 12:29:16 +0000
Cc: ietf-ldapext@netscape.com
Resent-date: Fri, 08 Jan 1999 04:27:19 -0800 (PST)
Resent-from: ietf-ldapext@netscape.com
Resent-message-id: <"jrhGa1.0.ZO6.bcVbs"@glacier>
Resent-sender: ietf-ldapext-request@netscape.com

At 17:43 07/01/99 -0600, you wrote:
>Perhaps rather than sending code to a server it would be reasonable to
>identify an extension to the filter syntax so that nested searches could be
>expressed in a manner similar to the nesting of 'selects' within an SQL
>'where' clause.

I think this is the right general approach.  I disagree with the breadth of
assertion in <draft-goenka-ldapext-java-complex-search-00.txt>:

  3.2  Proposal Overview

       The key reason for the above problem is the inability to run a
       piece of client code securely at the server end. [...]

I think the 'key reason' here is the limited expressive power of the search
filter, as currently defined.  I think that to take on the full complexity
of a generalized programming environment for this purpose is not required;
I like Java, but in this instance I think its a hammer looking for a nail.

I would suggest that the key area to examine would be the right hand side
of a search filter primitive.  From RFC 2254:

        item       = simple / present / substring / extensible
        simple     = attr filtertype value
        filtertype = equal / approx / greater / less
        equal      = "="
        approx     = "~="
        greater    = ">="
        less       = "<="
         :
        attr       = AttributeDescription from Section 4.1.5 of [1]
        matchingrule = MatchingRuleId from Section 4.1.9 of [1]
        value      = AttributeValue from Section 4.1.6 of [1]

In my view, if the allowable 'value' can be generalized in some way to
reference a result obtained by some other lookup, a whole range of complex
directory lookups could be accommodated without requiring a full-scale
programming invironment in the server.

For those servers that do happen to have JVM environments, I think that the
extensions could be designed to be easily mappable to a Java subset so that
the JVM becomes a resonable (but not required) implementation technique.

But, whether this is appropriate functionality to consider for an LDAP
server is a queston that needs to be considered first, before getting too
hung up on design details...

#g

------------
Graham Klyne
(GK@ACM.ORG)

Prev by Date: Re: Submission of Internet Draft - Complex Directory Lookup usingJavabased LDAP Query Extension
Next by Date: Re: Submission of Internet Draft - Complex Directory Lookup usingJavabased LDAP Query Extension
Index(es):
- Chronological
- Thread