Re: Returning single values from multivalued attributes



David:

We would like to see these drafts written. Thanks for pointing out that
we need the matched values only feature in addition to the certificate
matching rule to select a particular value of a certificate using LDAP. 

We are also curious to know if client vendors intend to implement
attribute types other than userCertificate to retrieve certificates from
the directory using LDAP v3.

Ella

Sean Mullan wrote:
> 
> Hi David,
> 
> I'd like to work on an LDAP draft with you as I believe this is very
> important. (Actually, I was planning to write a draft but I was a
> bit discouraged by the lack of response to my message on 7/30). Please
> let me know how you want to coordinate this.
> 
> I think that 2 drafts are probably needed, one describing a control for the
> matchedValuesOnly feature and another for describing the X.509 certificate
> and CRL matching rules as new LDAP matching rules.
> 
> Thanks,
> --Sean
> 
> David Chadwick wrote:
> >
> > This topic has been briefly discussed on this list before (30 July),
> > but no conclusions were reached. Briefly the situation is that X.500
> > DAP allows a user to search an entry and only request that matched
> > values are returned from a multi-valued attribute rather than all
> > attributes. LDAP only allows all or no values to be returned.
> >
> > There has also been a request in the PKIX group that LDAP should
> > allow a single user certificate to be returned (the one that matches
> > the user's filter), rather than all the user's certificates.
> >
> > I believe that once clients start to retrieve schema definitions they
> > will also want matched values only to be returned.
> >
> > There are a couple of approaches this group can take
> >
> > i) say that this is not a significant problem and ignore it. Let the
> > client sort out the value it wants
> >
> > ii) say that it is a significant problem and try to fix it via a new
> > matchedValuesOnly control ID. (I can volunteer to write the ID if
> > people are interested in it)
> >
> > What do people think about this?
> > 
> > David
> >
> > ***************************************************
> >
> > David Chadwick
> > IS Institute, University of Salford, Salford M5 4WT
> > Tel +44 161 295 5351  Fax +44 161 745 8169
> > Mobile +44 790 167 0359
> > *NEW* Email D.W.Chadwick@salford.ac.uk *NEW*
> > Home Page  http://www.salford.ac.uk/its024/chadwick.htm
> > Understanding X.500  http://www.salford.ac.uk/its024/X500.htm
> > X.500/LDAP Seminars http://www.salford.ac.uk/its024/seminars.htm
> > Entrust key validation string MLJ9-DU5T-HV8J
> >
> > ***************************************************
> 
> --
> Sean Mullan                     Email: sean.mullan@sun.com
> Sun Microsystems Laboratories   Tel:   (781) 442-0926
> One Network Drive               Fax:   (781) 442-1692
> Burlington, MA 01803-0902
begin:vcard 
n:Bassett;Ella Paton
tel;fax:+1 703 883 7142
tel;work:+1 703 883 5826
x-mozilla-html:FALSE
org:The MITRE Corporation
adr:;;1820 Dolley Madison Boulevard;McLean;VA;22102-3481;USA
version:2.1
email;internet:egardner@mitre.org
title:Principal Networking Engineer
x-mozilla-cpt:;26000
fn:Ella Paton Bassett
end:vcard