Re: Returning single values from multivalued attributes

[Helmut Volpers <helmut.volpers@icn.siemens.de>]

Mark C Smith wrote:
> 
> David Chadwick wrote:
> >
> > Mark Smith wrote
> >
> > > I lean towards (i) but I'd like to have more discussion about this -- both
> > > about how people envision using this feature and how the existing feature
> > > works in X.500 DAP.  Can you explain exactly how the matchedValuesOnly
> > > argument works in DAP?  I find the text in X.511 to be quite confusing.
> > > Some basic questions I have:
> > >
> > > a) Does matchedValuesOnly affect single-valued attributes or just
> > > multivalued ones?
> >
> > Its effect on a single valued attribute is null.
> 
> I find it surprising and confusing that the behavior is different when
> an attribute has multiple values vs. when it only has one. 

I didn't follow the complete discusion but what is surprising ?
When I have a single valued attribute I don't need a matchedValuesOnly
because if it
match you get it back and need no additional flag.

 Just so I
> understand how this works, here's an example.  Suppose entry E1 has one
> userCertificate value and entry E2 has two such values.  Further suppose
> that a client wants to always retrieve the cn attribute from an entry
> but wants to receive a userCertificate value only if the cert value
> presented in a filter matches one of the certs present in the entry.
> For E1, this will require two search operations (base search to grab the
> cn and another to test for the cert) but for E2 it can be done in one
> (base search with a filter like
> "(|(cn=*)(userCertificate;binary=<DER>))" with matchedValuesOnly set to
> TRUE).  Correct?  

Not correct. If you make this search and the userCertificate match that
in E1
you get the entry and userCertificate back I hope.
But is this the normal search to find somebody in the directory where
the client already know the complete userCertificate ? I think you have
some parts
of the userCertificate and use the special matching rules to find the 
complete userCertificates.

Or by "single valued attribute" do you mean an
> attribute type that allows multiple values?  Technically, the filter I
> present above won't work because presence and equality filters don't
> work with matchedValuesOnly (see below).

I see no reason at the moment why the matchedValuesOnly cannot be used 
with equality filters ? David is there a reason ?
> 
> >
> > >
> > > b) Can matchedValuesOnly be used with equality filters?
> >
> > No, but the easy work around to this is to put the equality filter in the
> > extended filter element of the search.
> 
> I'd like to see us fix this problem when we define a matched values only
> control for LDAPv3. 

I agree with you.

 Presence filters are not allowed either.  

How do you want to use matchedValuesOnly with the presence filter ?

This
> seems like an unnecessary limitation to me.
> 
> --
> Mark Smith
> iPlanet Directory Architect / Sun-Netscape Alliance
> My words are my own, not my employer's.   Got LDAP?

begin:vcard 
n:Volpers;Helmut 
tel;fax:+49-89-63645860
tel;home:+49-89-1576588
tel;work:+49-89-63646713
x-mozilla-html:FALSE
url:http://www.siemens.com/bus-com/
adr:;;Otto-Hahn-Ring 6;Munich;;81730;Germany
version:2.1
email;internet:Helmut.Volpers@icn.siemens.de
title:Directory Server Architect
x-mozilla-cpt:;30160
fn:Volpers, Helmut 
end:vcard