
Re: LDAP Extension Style Guide, re interaction between controls



At 05:36 PM 8/18/00 +0100, David Chadwick wrote:

>>   "Controls SHOULD NOT be combined unless the semantics of the
>>   combination has been defined.  A server MAY ignore non-critical
>>   controls (even those it recognizes) to establish semantics of the
>>   operation 
>
>Note that the Internet2 guys, IETF PKIX group and Middleware 
>people have been discussing this issue, as X.500 is ambiguous in 
>this case. A defect report has now been issued on X.500, and the 
>proposed solution is contrary to the above, i.e. it states that a 
>server that understands an extension (control in the case of LDAP) 
>MUST obey it even if it is marked non critical.

The issue is that the extension, as defined by two recognized
controls, is NOT understood because the semantics of the
combination is not defined.

LDAP allows for a non-critical control to be ignored.  This
implies that if a request containing two controls, one critical
and one not, is submitted to a server which recognizes BOTH
controls but does not understand the semantics of the
combination, the server must either:
  a) return unavailableCriticalExtension
  b) perform the operation as if the non-critical extension
  was not specified.

I prefer option a) as it follows from the similar case:
a request contains two controls, a recognized critical
control and an unrecognized non-critical control.

However, I can see the value offered in option b.

>I would like LDAP to 
>either take the same stance for compatibility purposes, or to 
>persuade the X.500, PKIX and other groups that the proposed 
>solution is wrong and that the server should be free to choose what 
>to do. Either way, I think that compatibility should be the target.

I concur!
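
The two server behaviours discussed in this message, sketched as an added example (not code from the thread or from any LDAP server). The control OIDs, the table of defined combinations and the function names are constructed for illustration; the handling of cases the message does not cover is marked as an assumption in the comments.

```python
from dataclasses import dataclass

SUCCESS = 0
UNAVAILABLE_CRITICAL_EXTENSION = 12  # LDAP resultCode

@dataclass(frozen=True)
class Control:
    oid: str
    critical: bool

# Constructed placeholder OIDs, not real control identifiers.
RECOGNIZED = {"1.1.1", "1.1.2", "1.1.3"}
# Sets of controls whose combined semantics this hypothetical server defines.
DEFINED_COMBINATIONS = {frozenset({"1.1.1", "1.1.3"})}

def combination_defined(controls):
    oids = frozenset(c.oid for c in controls)
    return len(oids) <= 1 or oids in DEFINED_COMBINATIONS

def select_controls(controls, policy="a"):
    """Return (result_code, controls the server will act on)."""
    kept = []
    for c in controls:
        if c.oid in RECOGNIZED:
            kept.append(c)
        elif c.critical:
            # Unrecognized critical control: the operation must fail.
            return UNAVAILABLE_CRITICAL_EXTENSION, []
        # Unrecognized non-critical control: ignored.
    if combination_defined(kept):
        return SUCCESS, kept
    critical_only = [c for c in kept if c.critical]
    if policy == "a" and critical_only:
        # Option a: refuse an undefined combination involving a critical control.
        return UNAVAILABLE_CRITICAL_EXTENSION, []
    # Option b (and, as an assumption, option a with no critical control):
    # act as if the non-critical controls had not been specified.
    if combination_defined(critical_only):
        return SUCCESS, critical_only
    # Assumption: critical controls with no defined combination are refused.
    return UNAVAILABLE_CRITICAL_EXTENSION, []
```

Whichever option a server takes, a client that attaches a security-relevant control as non-critical cannot assume it was honoured unless the response confirms it.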