
Re: Persistent Search questions



Jim,

Seems like a good rule here would be something like "an entry returned
during a psearch operation must be subject to the same access controls
that would be applied if the entry was being returned during a
"one-off", normal search"....and that implies b).

I do not think that performance is a big issue for psearches and a "fixed
authorization" view sounds potentially dangerous.  So I would be for
mandating something like the statement above or b).

Rob.

Jim Sermersheim wrote:
> 
> The persistent search control (draft-ietf-ldapext-psearch-03.txt) states in section 3 that the search operation is modified in such a way that the searchResultDone message is never sent. This implies that the size and time limits are ignored, but it's not explicitly stated. Can anyone confirm if this is the case?
> 
> Also, there is a little blurb in the security considerations section about making sure access controls are checked for entries being returned. This is more of a question to other implementors, a server could:
> a) check access control information once at the beginning of the search, and use that information without refreshing it later (could speed response time, and "fix" authorization to a specific view), or it could
> b) recalculate access control information every time an entry is to be returned (provides consistency over long persistent search sessions).
> 
> My feeling is that b is better, does anyone expect a?
> 
> Jim
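
The difference between options a) and b) discussed in this thread, shown as an added example that is not part of the original messages or of any server's code. `Directory`, `PersistentSearch`, `run_scenario` and the DNs are constructed for illustration; this is a toy model, not an LDAP library API.

```python
# Constructed toy model of a persistent search; not a real LDAP server or API.

class Directory:
    """Per-entry ACL: maps a DN to the set of subjects allowed to read it."""

    def __init__(self, acl):
        self.acl = {dn: set(readers) for dn, readers in acl.items()}

    def can_read(self, subject, dn):
        return subject in self.acl.get(dn, set())


class PersistentSearch:
    """One long-lived search bound to a subject.

    recheck=False models option a): authorization is fixed at search start.
    recheck=True  models option b): authorization is evaluated per returned entry.
    """

    def __init__(self, directory, subject, recheck):
        self.directory = directory
        self.subject = subject
        self.recheck = recheck
        # Option a) snapshot: DNs readable at the moment the search began.
        self.snapshot = {dn for dn in directory.acl
                         if directory.can_read(subject, dn)}

    def on_change(self, dn):
        """Return dn if a change notification is sent to the client, else None."""
        if self.recheck:
            allowed = self.directory.can_read(self.subject, dn)
        else:
            allowed = dn in self.snapshot
        return dn if allowed else None


def run_scenario(recheck):
    """Revoke access to one entry mid-search and report what the client receives."""
    d = Directory({
        "cn=alice,dc=example": {"uid=ops"},
        "cn=bob,dc=example": {"uid=ops"},
    })
    ps = PersistentSearch(d, "uid=ops", recheck)
    sent = [ps.on_change("cn=alice,dc=example")]
    d.acl["cn=bob,dc=example"].discard("uid=ops")  # access revoked mid-search
    sent.append(ps.on_change("cn=bob,dc=example"))
    return sent
```

With `recheck=False` the client still receives the entry after its read access was revoked; with `recheck=True` the result matches what a normal one-off search would return at that moment.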