
Re: Persistent Search questions




Jim,

I would expect behavior as described in b) below.

I cannot confirm that sizeLimit and timeLimit are ignored - but it seems reasonable.  It also seems reasonable that there may be some other administrative configuration that implementations support to help reduce the threat of DOS attacks when employing this control.  (I can envision 500,000 clients all setting up a persistent search to a single server ....)

Regards,
Tim Hahn

Internet: hahnt@us.ibm.com
Internal: Timothy Hahn/Endicott/IBM@IBMUS or IBMUSM00(HAHNT)
phone: 607.752.6388     tie-line: 8/852.6388
fax: 607.752.3681

To:        <ietf-ldapext@netscape.com>
cc:        
Subject:        Persistent Search questions



The persistent search control (draft-ietf-ldapext-psearch-03.txt) states in section 3 that the search operation is modified in such a way that the searchResultDone message is never sent. This implies that the size and time limits are ignored, but it's not explicitly stated. Can anyone confirm if this is the case?

Also, there is a little blurb in the security considerations section about making sure access controls are checked for entries being returned. This is more of a question to other implementors. A server could:
a) check access control information once at the beginning of the search, and use that information without refreshing it later (could speed response time, and "fix" authorization to a specific view), or it could
b) recalculate access control information every time an entry is to be returned (provides consistency over long persistent search sessions).

My feeling is that b is better; does anyone expect a?

Jim
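
The difference between options a) and b) in the question, together with an administrative cap of the kind the reply suggests, shown as an added example that is not part of the original thread. It is a toy in-memory model, not an LDAP server; the class names, the DNs and the `max_psearches` setting are all constructed for illustration.

```python
# Added illustration: toy model, not an LDAP server or any real directory API.
from dataclasses import dataclass, field

@dataclass
class Directory:
    # Constructed ACL: maps entry DN -> set of bind DNs allowed to read it.
    acl: dict = field(default_factory=dict)

    def can_read(self, bind_dn, entry_dn):
        return bind_dn in self.acl.get(entry_dn, set())

class PersistentSearch:
    """One long-lived search; recheck=True is option b), recheck=False is option a)."""
    def __init__(self, directory, bind_dn, recheck):
        self.directory, self.bind_dn, self.recheck = directory, bind_dn, recheck
        # Option a): snapshot the readable entries once, at search start.
        self.snapshot = {dn for dn in directory.acl if directory.can_read(bind_dn, dn)}
        self.sent = []

    def on_change(self, entry_dn):
        """Called when an entry changes; decides whether it is sent to the client."""
        if self.recheck:
            allowed = self.directory.can_read(self.bind_dn, entry_dn)  # option b)
        else:
            allowed = entry_dn in self.snapshot                        # option a)
        if allowed:
            self.sent.append(entry_dn)
        return allowed

class Server:
    """Applies a hypothetical administrative cap on concurrent persistent searches."""
    def __init__(self, directory, max_psearches):
        self.directory, self.max_psearches, self.active = directory, max_psearches, []

    def start(self, bind_dn, recheck):
        if len(self.active) >= self.max_psearches:
            return None  # refused; a real server would return an error result
        ps = PersistentSearch(self.directory, bind_dn, recheck)
        self.active.append(ps)
        return ps

def demo():
    d = Directory(acl={"cn=payroll,o=example": {"cn=alice"},
                       "cn=staff,o=example": {"cn=alice", "cn=bob"}})
    srv = Server(d, max_psearches=2)
    cached = srv.start("cn=alice", recheck=False)
    fresh = srv.start("cn=alice", recheck=True)
    refused = srv.start("cn=bob", recheck=True)        # third search exceeds the cap
    d.acl["cn=payroll,o=example"].discard("cn=alice")  # access revoked mid-session
    return (cached.on_change("cn=payroll,o=example"),
            fresh.on_change("cn=payroll,o=example"), refused)
```

With option a) the payroll entry is still delivered after the revocation; with option b) it is withheld, and the third search is refused by the cap.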