
Re: [ldapext] draft-zeilenga-ldap-readentry-01.txt



At 02:04 PM 12/16/2003, Andrew Sciberras wrote:

>G'Day,
>
>The following text can be found in section 3.1 and 3.2:
>
>~~~~~~~~~~~~~~~~~
>  The server is to return a SearchResultEntry containing, subject
>  to access controls and other constraints, values of the requested
>  attributes.
>
>  The normal processing of the update operation and the processing of
>  this control MUST be performed as one atomic action isolated from
>  other update operations.
>
>  If the update operation fails, no response control is provided.
>~~~~~~~~~~~~~~~~
>
>
>On one hand, the first paragraph implies that if the read fails due to
>access control restrictions, then no values should be returned.

The first paragraph implies that the contents of the entry
are subject to access controls which may cause some subset
of the attributes to be returned and, for those attributes
returned, some subset of their values.  The returned entry
could, in fact, have no attributes.

>On the other hand, paragraph two indicates that if the read fails (possibly
>due to access controls) then the entire operation should fail.

As with normal search processing, it is not generally viewed
as a failure to subject attributes (or values thereof) to access
controls.  However, there may be cases where it is appropriate
for the control processing to fail with insufficientAccessRights.
However, as LDAP doesn't have a standard access control model,
I purposely avoid providing examples which might cause such
failures.

>Paragraph 3 explicitly states that if the update fails then the read should
>as well, but fails to address the alternate scenario.

"update operation" is intended to encompass both normal and
control processing.  I will clarify.

>What happens if the read operation fails due to the user not having
>sufficient access rights?  Should the update succeed or fail?

If the control processing fails, regardless of reason, then
THE operation fails.  If the operation fails, the entry
MUST NOT be updated and read response control(s) MUST NOT
be provided.

Kurt 


_______________________________________________
Ldapext mailing list
Ldapext@ietf.org
https://www1.ietf.org/mailman/listinfo/ldapext