You're right, it needs to be clarified.
The original intent was that the control is only returned when needed (as specified), and not needed when operations succeed (and no extra information needs to be returned).
We need to consider your reasons for returning the control for every bind and compare.
Jim

>>> "Andrew Sciberras" <andrews@adacel.com.au> 9/1/03 6:44:59 PM >>>

Hi,

I believe that there may be some ambiguity in the password policy draft (draft-behera-ldap-password-policy-06.txt) regarding the inclusion of a PasswordPolicyResponse control in LDAP response messages.

When the text discusses how various operations should be processed (Section 6), it is very clear on what the passwordPolicyResponse control should contain in each of the various erroneous and successful scenarios. The text even goes to the extent of specifying that the control should be returned with an empty SEQUENCE for various bind and compare cases.

I believe the ambiguity lies with other operations (ADD for example), where the text does not specify whether a control should be returned if the operation is completed successfully. Typically I would assume that the absence of such text would mean that a control should not be returned. However this seems to conflict with the following description of the 'Response Control', which can be found in section 5.2:

"If the client has sent a passwordPolicyRequest control, the server sends this control with the following operation responses: bindResponse, modifyResponse, addResponse, compareResponse and possibly extendedResponse, to inform of various conditions....."

Although this sentence lacks any mandating words, such as MUST, I interpret it to mean that the passwordPolicyResponse control should always be returned for the previously mentioned operations, if a passwordPolicyRequest control was supplied in the original LDAP request.

So, my question is, when should a passwordPolicyResponse control be returned? Only when the text explicitly states that it should, or whenever a passwordPolicyRequest control is included in an LDAPMessage?

I think that it is important to include the passwordPolicyResponse control in every bind and compare response (when the request control is supplied) to provide a strong indication to the client that the server is enforcing the password policy. By having the server indicate its support of the password policy to the client at this early authentication stage, I don't think that it's required for the control to be returned for any other operation, unless it is conveying some useful information.

Clarification on this issue would be appreciated.

Thanks.

Andrew Sciberras
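
The three cases a client has to tell apart in this thread (no response control, a control carrying an empty SEQUENCE, a control carrying a warning or error), as an added example that is not part of the original messages or of the draft. The control OID and the BER tag layout are assumed from the draft's response control definition, which the thread does not quote; `classify_ppolicy` and the shape of the `controls` dict are hypothetical.

```python
# Added example. OID and tag layout are assumptions taken from the password
# policy draft's response control definition; they are not quoted in the thread.
PPOLICY_OID = "1.3.6.1.4.1.42.2.27.8.5.1"


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for one definite-length BER element."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER element")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def classify_ppolicy(controls):
    """controls: {control OID: controlValue bytes} from one LDAP response.

    Returns ("absent", None), ("empty", None) or ("info", {...}).
    """
    raw = controls.get(PPOLICY_OID)
    if raw is None:
        return ("absent", None)  # no statement from the server about policy
    tag, body, end = _read_tlv(raw, 0)
    if tag != 0x30 or end != len(raw):
        raise ValueError("control value is not a single SEQUENCE")
    if not body:
        return ("empty", None)   # policy acknowledged, nothing to report
    info, pos = {}, 0
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        if tag == 0xA0:          # warning [0] CHOICE (constructed wrapper)
            wtag, wval, _ = _read_tlv(val, 0)
            name = {0x80: "timeBeforeExpiration",
                    0x81: "graceAuthNsRemaining"}.get(wtag, "unknown")
            info["warning"] = (name, int.from_bytes(wval, "big", signed=True))
        elif tag == 0x81:        # error [1] ENUMERATED
            info["error"] = int.from_bytes(val, "big", signed=True)
    return ("info", info)
```

A client that treats "absent" on a bind response as "policy not enforced" depends on the always-return reading of section 5.2; under the return-only-when-needed reading, "absent" carries no such meaning.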