[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: I-D ACTION:draft-ietf-ldapext-namedref-00.txt

To: Rob Weltman <rweltman@netscape.com>
Subject: Re: I-D ACTION:draft-ietf-ldapext-namedref-00.txt
From: Mark Smith <mcs@netscape.com>
Date: Thu, 10 Jun 1999 11:50:16 -0400
Cc: ietf-ldapext@netscape.com
Organization: Netscape Communications
References: <199906101232.IAA26983@ietf.org> <375FDC93.89DAEC91@netscape.com>
Resent-date: Thu, 10 Jun 1999 08:50:26 -0700 (PDT)
Resent-from: ietf-ldapext@netscape.com
Resent-message-id: <"hFcDTD.A.Gg.869X3"@glacier>
Resent-sender: ietf-ldapext-request@netscape.com

Rob Weltman wrote:
> 
> ...
> > If the type of operation requested is not a search and the URI contained
> > in the ref attribute of the requested target object is an LDAP URI
> > [RFC2255], the server should return a modified form of this URL. The
> > returned URL must have only the protocol, host, port, and trailing "/"
> > portion of the URL contained in the ref attribute. The server should
> > strip any dn, attributes, scope, and filter parts of the URL.
> >
> > Example:
> >
> > If the client issues a modify request for the target object of
> > "o=abc,c=us", server A will return
> >
> >         ModifyResponse "referral" {
> >          ldap://hostB/
> >          ldap://hostC/
> >         }
> >
> 
> 
> 
>   That complicates things for the client. Shouldn't the URI be
> rewritten to fully qualify the referred-to entry in this case? So:
>
> 
>         ModifyResponse "referral" {
>          ldap://hostB/o=abc,c=us
>          ldap://hostC/o=abc,c=us
>         }


Actually, I think the trailing slash needs to be stripped off for the
above to be correct (a trailing slash in an LDAP URL specifies the
zero-length DN).  Since LDAP clients need to reuse the original DN when
presented with a referral that does not include a DN, this seems like
the most efficient response:
         ModifyResponse "referral" {
            ldap://hostB
            ldap://hostC
         }

What you suggest is acceptable too Rob.

Also, I don't think the server should strip off the DN (or substitute
the client's) for all non-search operations; it should only do so if the
target DN in the operation is a descendent (i.e., is below) the referral
entry.  The referral entry might point to a different DN entirely and if
the target of the operation is the entry that contains the ref
attribute, the values should be returned intact.


> 
> > If a client requests an operation for which the base or target object is
> > not held by the server, but is subordinate to one or more objects with a
> > ref attribute held by the server, the server must return the referral
> > from the superior held object nearest to the requested base or target
> > object. Nearest superior object with a referral, in this document, means
> > an object superior to the base or target object with the DN that has the
> > most attribute values in common with the DN of the base or target object
> > and contains a ref attribute.
> >
> ...
> 
> > If the client issues an add request where the target object has a DN of
> > "cn=Chris Lukas,o=abc,c=us", server A will return
> >
> >         AddResponse "referral" {
> >          ldap://hostB/
> >          ldap://hostC/
> >         }
> >
>   Same thing here. Shouldn't the server return:
> 
>         AddResponse "referral" {
>          ldap://hostB/cn=Chris Lukas,o=abc,c=us
>          ldap://hostC/cn=Chris Lukas,o=abc,c=us
>         }

Yes, or leave the DN off entirely as I suggest above.  Well, technically
the space in the DN must be encoded as %20.

-- 
Mark Smith
Netscape Communications Corp. / Directory Server Engineering
"Got LDAP?"

References:
- I-D ACTION:draft-ietf-ldapext-namedref-00.txt
  - From: Internet-Drafts@ietf.org
- Re: I-D ACTION:draft-ietf-ldapext-namedref-00.txt
  - From: rweltman@netscape.com (Rob Weltman)

Prev by Date: Re: I-D ACTION:draft-ietf-ldapext-namedref-00.txt
Next by Date: Re: C API draft 3: ldap_search_ext() timeout param
Index(es):
- Chronological
- Thread