
Submission of Internet Draft - LDAP Control for Tree Deletion draft



Attached is a draft for an LDAP Control for Tree Deletion.  This control
allows a client to delete a container and all subcontainers and objects.  It
is being submitted to the IESG as an individual standards-track document and
forwarded to the LDAPEXT group for review and comment.

Comments and feedback on this draft would be appreciated.

Thanks,
Michael Armijo


INTERNET-DRAFT                                        Michael P. Armijo
Status: Informational                                 Microsoft Corporation
November 1998
Expires May 1998


                    LDAP Control extension for Tree Deletion
                    draft-rfced-info-armijo-treedelete-00.txt


1. Status of this Memo


This memo provides information for the Internet community. It does not 
specify an Internet standard of any kind. Distribution of this memo is 
unlimited.

This document is an Internet-Draft. Internet-Drafts are working 
documents of the Internet Engineering Task Force (IETF), its areas, and 
its working groups. Note that other groups may also distribute working 
documents as Internet-Drafts. 

Internet-Drafts are draft documents valid for a maximum of six months 
and may be updated, replaced, or obsoleted by other documents at any 
time. It is inappropriate to use Internet-Drafts as reference material 
or to cite them other than as "work in progress." 

To view the entire list of current Internet-Drafts, please check the 
"1id-abstracts.txt" listing contained in the Internet-Drafts Shadow 
Directories on ftp.is.co.za (Africa), ftp.nordu.net (Northern Europe), 
ftp.nis.garr.it (Southern Europe), munnari.oz.au (Pacific Rim), 
ftp.ietf.org (US East Coast), or ftp.isi.edu (US West Coast).

2. Abstract

This control will delete an entire subtree of a container entry.  
This control is beneficial in extending the functionality of the LDAP 
protocol and may be useful in administration in an LDAP environment.


3. RFC Key Words

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 
"SHOULD", "SHOULD NOT", "RECOMMENDED",  "MAY", and "OPTIONAL" in this 
document are to be interpreted as described in RFC 2119.


4. Tree Delete Control

This control allows a client to delete an entire subtree.  This can 
only be done if the authenticated user has appropriate permissions to 
complete the operation.  This control MUST only be used with a 
DelRequest message.  A server MUST ignore the control if used with any 
other message unless the criticality field is set to True, in which 
case the entire operation MUST fail and MUST instead return the 
resultCode unsupportedCriticalExtension as per section 4.1.12 of 
[RFC 2251].  The server MUST list that it recognizes this control in 
the supportedControl attribute in the root DSE.

The control is included in the DelRequest message as part of the 
controls field of the LDAPMessage.  The controlType is 
"1.2.840.113556.1.4.805", the criticality field may be TRUE or FALSE, 
and the controlValue field is absent.
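The encoding described above, as an added example that is not part of the draft: a hand-rolled BER encoder for an LDAPMessage carrying a DelRequest with the Tree Delete control (controlType 1.2.840.113556.1.4.805, criticality TRUE, no controlValue), together with the decoder a server would use to recover the DN and the attached controls. The DN and messageID are constructed sample values.

```python
TREE_DELETE_OID = "1.2.840.113556.1.4.805"  # controlType from section 4

def ber_len(n):  # BER definite length: short form below 128, long form otherwise
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, value):
    return bytes([tag]) + ber_len(len(value)) + value

def tree_delete_control(critical=True):
    """Control ::= SEQUENCE { controlType, criticality }; controlValue is absent."""
    ctl = tlv(0x04, TREE_DELETE_OID.encode("ascii"))
    if critical:  # BOOLEAN DEFAULT FALSE, so it is omitted when FALSE
        ctl += tlv(0x01, b"\xff")
    return tlv(0x30, ctl)

def del_request_message(message_id, dn, critical=True):
    """LDAPMessage { messageID, DelRequest [APPLICATION 10] LDAPDN, controls [0] }."""
    assert 0 <= message_id < 128  # single-byte INTEGER keeps the example short
    del_req = tlv(0x4A, dn.encode("utf-8"))  # APPLICATION 10, primitive, implicit tag
    controls = tlv(0xA0, tree_delete_control(critical))  # [0] constructed
    return tlv(0x30, tlv(0x02, bytes([message_id])) + del_req + controls)

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the TLV at pos (definite lengths only)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def parse_del_request(msg):
    """Return (dn, [(controlType, criticality), ...]) as the server sees them."""
    _, body, _ = read_tlv(msg)
    _, _, pos = read_tlv(body)  # messageID
    tag, dn, pos = read_tlv(body, pos)
    if tag != 0x4A:
        raise ValueError("Tree Delete control MUST only accompany a DelRequest")
    controls = []
    if pos < len(body):
        _, ctl_seq, _ = read_tlv(body, pos)
        cpos = 0
        while cpos < len(ctl_seq):
            _, ctl, cpos = read_tlv(ctl_seq, cpos)
            _, oid, p = read_tlv(ctl)
            t, v, _ = read_tlv(ctl, p) if p < len(ctl) else (0, b"", p)
            controls.append((oid.decode("ascii"), t == 0x01 and v != b"\x00"))
    return dn.decode("utf-8"), controls
```

A server that does not list the OID in supportedControl would reject the critical form with unsupportedCriticalExtension; the parser above is where that check would be hooked in.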

      
4.1 Error Messages with this Control

When the Tree Delete Control is invoked, the server MUST check to see 
if the authenticated user has appropriate permissions to delete the 
object and all of its descendants.  If the user does not have 
appropriate permissions, an insufficientAccessRights(50) error SHOULD 
be returned.  Consistency of the DIT must be guaranteed by preventing 
changes to access control on the portion of the tree being deleted 
once the control has been invoked.

If the server has a problem identifying the objects to delete, the 
server MAY return an operationsError(1).  The operation MAY be retried 
if this error is returned. 

Server implementations may have other constraints on which containers 
may or may not be deleted with the Tree Delete control.  If a client 
attempts to delete a container that cannot be deleted because of a 
platform-specific constraint, the server SHOULD return the error 
unwillingToPerform(53).  The Tree Delete control will not work under 
these circumstances and the operation SHOULD NOT be retried on this 
container.

If the limit to the number of objects that can be deleted in one 
operation is reached, the server SHOULD return adminLimitExceeded(11).  
Objects processed up to the point of the limit SHOULD be deleted.  The 
DelRequest with the Tree Delete Control SHOULD be resubmitted until a 
successful response is returned.


4.2 Processing of Objects

The Tree Delete control MUST follow certain rules in regard to the 
order in which objects are processed for deletion.  The objects MUST be 
processed in such a way that if the operation is halted the integrity 
of the directory tree is maintained and the DelRequest can be 
resubmitted to complete the operation.  The control MUST delete leaf 
objects first.  The server MUST NOT process the objects in a manner that 
might allow an object to be orphaned.
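The ordering rule of this section together with the adminLimitExceeded retry of section 4.1, as an added example that is not from the draft: a toy in-memory DIT (constructed sample entries) whose tree_delete removes every descendant before its parent and stops at an administrative limit, and a client loop that resubmits until success while checking after each round that no entry has been orphaned. The resultCode numbers are those of RFC 2251.

```python
# Added example: toy server/client for the Tree Delete control; not code from the draft.
SUCCESS, ADMIN_LIMIT_EXCEEDED, NO_SUCH_OBJECT = 0, 11, 32  # RFC 2251 resultCodes

SAMPLE_DIT = {  # constructed sample: entry DN -> parent DN (None for the root)
    "dc=example,dc=com": None,
    "ou=Stale,dc=example,dc=com": "dc=example,dc=com",
    "ou=Users,ou=Stale,dc=example,dc=com": "ou=Stale,dc=example,dc=com",
    "cn=alice,ou=Users,ou=Stale,dc=example,dc=com": "ou=Users,ou=Stale,dc=example,dc=com",
    "cn=bob,ou=Users,ou=Stale,dc=example,dc=com": "ou=Users,ou=Stale,dc=example,dc=com",
    "ou=Groups,ou=Stale,dc=example,dc=com": "ou=Stale,dc=example,dc=com",
    "cn=staff,ou=Groups,ou=Stale,dc=example,dc=com": "ou=Groups,ou=Stale,dc=example,dc=com",
    "ou=Keep,dc=example,dc=com": "dc=example,dc=com",
}

class Directory:
    def __init__(self, parents):
        self.parent = dict(parents)

    def orphans(self):
        """Entries whose parent is gone; section 4.2 requires this to stay empty."""
        return [c for c, p in self.parent.items() if p is not None and p not in self.parent]

    def tree_delete(self, dn, admin_limit):
        """Server side: delete descendants before their parent, stop at the admin limit."""
        if dn not in self.parent:
            return NO_SUCH_OBJECT, 0
        stack, order = [dn], []
        while stack:  # pre-order walk; reversed, every entry follows all its descendants
            entry = stack.pop()
            order.append(entry)
            stack.extend(c for c, p in self.parent.items() if p == entry)
        deleted = 0
        for entry in reversed(order):
            if deleted == admin_limit:
                return ADMIN_LIMIT_EXCEEDED, deleted  # partial progress is kept
            del self.parent[entry]
            deleted += 1
        return SUCCESS, deleted

def delete_subtree(directory, dn, admin_limit):
    """Client side: resubmit the DelRequest until the server answers success."""
    for rounds in range(1, 1000):  # bounded so a misbehaving server cannot loop forever
        code, _ = directory.tree_delete(dn, admin_limit)
        if directory.orphans():
            raise RuntimeError("server violated the no-orphan rule")
        if code == SUCCESS:
            return rounds
        if code != ADMIN_LIMIT_EXCEEDED:
            raise RuntimeError(f"resultCode {code}; not retried here")
```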


5. Security Considerations

This document specifies an LDAP control that allows the deletion of 
objects from an LDAP server implementation.  Any server implementation 
that utilizes this control should provide methods to deny the use of 
this control to unauthorized users.


6. References

[RFC 2251]
    M. Wahl, T. Howes, S. Kille, "Lightweight Directory Access Protocol
    (v3)", RFC 2251, December 1997.

[RFC 2119]
    S. Bradner, "Key words for use in RFCs to Indicate Requirement
    Levels", RFC 2119, Harvard University, March 1997.


7. Author's Address

 Michael P. Armijo
 One Microsoft Way
 Redmond, WA 
 98052
 USA

 (425)882-8080
 micharm@microsoft.com