[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: [ldapext] Chained Operation (control, extended op, or op?)

Jim,

The operationProgress becomes important in name resolution when DSAs have subordinate/superior relationships. Traditionally LDAP servers are defined as "First-level DSAs" which means that the operationProgress information is of little value in processing of referrals.

It is not true that a receiving DSA will not get a nameResolutionPhase of "completed". This can occur when processing a search operation, where name resolution has completed, but the scope of the search includes a reference to a subordinate DSA. The search will be chained with the targetObject of the chainingArguments set to the name of the superior of the DSE containing the subordinate reference and the operationProgress.nameResolutionPhase set to completed (cf. X.518 19.3.2.2.1 7a). This allows the subordinate DSA to confirm the targetObject is an immSupr DSE and proceed with the search from this point. If the subordinate DSA cannot resolve the targetObject as an immSupr DSE then it should generate ServiceError.unableToProceed to indicate an inconsistency in the hierarchical operational binding (i.e. the knowledge) between these DSAs.

X.518 assume that the first step for the processing of any operation is name resolution. The operationProgress is used to determine if the hierarchical operation binding (represented by the knowledge such as subordinate and superior references) is consistent. In the absence of the operationProgress, a subordinate DSA, on receiving a request for a naming context it does not recognise, will chain the request to a superior DSA. Where the hierarchical operational binding has become inconsistent between the superior and subordinate DSA, this could lead to a loop condition or an incorrect NameError.noSuchObject.

The operatonProgress in the traceInformation of the chaining arguments is used to support a situation where one DSA contains both superior and subordinate parts of the DIT to a second DSA. Because of aliases, the first DSA could have the same request chained to it at different points in the name resolution and needs to be able to distinguish between the incidents in order to allow the name resolution to complete.

N.B. I have used the ITU-T Rec. X.518 (1993 E) as my reference for the X.500 procedures for distributed operations. As far as I am aware there are no significant differences in more recent editions of this recommendation.

- Mark.

Jim Sermersheim wrote:

Thanks Mark,

Yes, I do need to add better semantics and some implementation details.
If people agree that this operation should be sent as an extended
request, I'll do that and submit.

I couldn't find a reason why operationProgress was needed. For example,
today's LDAP servers return referrals and search result references which
LDAP clients can follow. Nothing is conveyed regarding the operation
progress when those clients follow these referrals and search referral
references. 

Furthermore, I don't understand what a receiving DSA does with this
information. A receiving DSA will not get a nameResolutionPhase of
completed, thus it's either notStarted or proceeding. Regardless of
whether it's notStarted or proceeding, the targetObject contains the DN
to be resolved (unless the value is the same as the base DN of the
embedded operation). Will you let me know what I'm missing here?

Some of the other fields are left for future controls that I haven't
had time to write up (specifically referenceType, timeLimit,
excludeShadows, and nameResolveOnMaster). Each of these have utility
outside of the chained operation, so I think defining them as controls
in their own documents would be better.

Jim


Mark Ennis <mark.ennis@adacel.com> 6/21/04 6:35:13 PM >>> 

Jim,

It is my opinion that you need to define your procedures for
distributed operations and define your chaining argument and chaining result based

on those procedures. If you choose to assume that the procedures for distributed operations are those defined in X.518, then you will need
to include fields in the chaining arguments and results that are required

by those procedures. In particular, the operation progress information

is critical to the name resolution procedures defined in X.518 and I do

not see how you can use these procedures without this field in the chaining arguments and in the trace information (and in referrals).

Where information critical to X.518 procedures for distributed operations is not supported, new procedures need to be defined to accomodate chaining of LDAP operations.

- Mark.

Jim Sermersheim wrote:


All,

I'm attaching a not-ready-for-prime-time I-D which describes an LDAP
chained operation. Following X.518, I described it as an operation
(well, an extended operation) which contains the original message


and

some chaining arguments. Some of my peers here have repeatedly 

argued

that there is no reason to define it as an extended operation, and 

that

a control makes more sense.

What do others think? I can go either way.

If it's a control, I'd want to reconsider the targetObject and
entryOnly fields. If the control holds these, and is sent as
non-critical, and the receiving server doesn't support the control,


the

outcome will be erroneous. 

As an extended operation, we have two sets of resultCode, matchedDN,
errorMessage, and referral. This can be resolved by chosing yet


another

solution: Create a whole new operation (don't use an extended
operation). The new operation would not include the elements of
LDAPResult (well, the resultCode might be nice, but referral and
matchedDN is confusing).

I'll publish once I get some feedback on this, and fix up some
editorial issues.

Jim






_______________________________________________
Ldapext mailing list
Ldapext@ietf.org
https://www1.ietf.org/mailman/listinfo/ldapext