
[ldapext] draft-zeilenga-ldap-assert-05 notes

draft-zeilenga-ldap-assert-05.txt says:

> 3.  The Assertion Control
>
>   The control is appropriate for both LDAP interrogation and update
>   operations [Protocol] including Add, Compare, Delete, Modify, ModifyDN
>   (rename), and Search.  It is inappropriate for Abandon, Bind nor
>   Unbind, and Start TLS operations.

I expect "including..." means it's also appropriate for the Password
Modify Extended Operation (RFC 3062)?

Is Add intended to be part of the above list?  Kurt stated in the thread
'Assert I-D.', 22-23 July 2003, that he would change the control to not
be applicable to Add, since the entry is not yet present to be compared
with.  Though the thread can be read as keeping Add anyway and comparing
with the entry to be added.

> 4.  Security Considerations
>
>   As with any general assertion mechanism, the mechanism can be used to
>   determine directory content.  Hence, this mechanism SHOULD be subject
>   to appropriate access controls.

I suggest adding something like:

    ... preferably the same access controls as search filters.

The implementor might find the same access controls as for Compare
natural, but the server admin might e.g. not want substring matching to
be possible - and he could have written the Compare ACLs knowing that
Compare can't do substring matching.  Or one might mistakenly use the
same ACLs as for the "basic" operation being performed, e.g. Modify.

-- 
Hallvard

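An added example, not from the draft or this thread, of the access-control point above: a toy policy check (constructed ACL table, assumed attribute names, a small filter subset rather than a full RFC 4515 parser) that applies either search-filter rights or Compare rights to each item of an assertion filter, showing how a substring item slips past an ACL that was written for equality-only Compare.

```python
import re

# Per-attribute rights granted to the requesting identity (constructed table).
# "compare" is what a Compare operation needs; "search" is what a search
# filter match on the attribute needs. employeeNumber deliberately has only
# the Compare right, modelling an admin who never expected substring matches.
ACL = {
    "cn":             {"compare", "search"},
    "employeeNumber": {"compare"},
    "mail":           set(),
}

# Minimal filter-item matcher for the (attr=value), (attr=*), (attr=ab*c)
# forms inside AND/OR/NOT nesting; not a full RFC 4515 parser.
ITEM = re.compile(r"\(([A-Za-z][\w-]*)=([^()]*)\)")

def filter_items(flt):
    """Return [(attribute, match_type), ...] for each item in the filter."""
    items = []
    for attr, value in ITEM.findall(flt):
        if value == "*":
            items.append((attr, "present"))
        elif "*" in value:
            items.append((attr, "substring"))
        else:
            items.append((attr, "equality"))
    return items

def assertion_allowed(flt, acl=ACL, policy="search"):
    """Decide whether an Assertion-control filter may be evaluated.

    policy="search": every item needs the 'search' right (the suggested rule).
    policy="compare": every item needs only the 'compare' right, the weaker
    rule an implementor might pick; substring and presence items then pass
    on attributes whose ACL was written assuming equality-only Compare.
    Returns (allowed, reason).
    """
    needed = "search" if policy == "search" else "compare"
    for attr, mtype in filter_items(flt):
        if needed not in acl.get(attr, set()):
            return False, f"{attr}: {mtype} match requires the '{needed}' right"
    return True, "all filter items permitted"

if __name__ == "__main__":
    for flt in ["(cn=Hallvard)", "(employeeNumber=12*)", "(&(cn=H*)(mail=*))"]:
        print(flt, "search-ACLs:", assertion_allowed(flt),
              "compare-ACLs:", assertion_allowed(flt, policy="compare"))
```
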
_______________________________________________
Ldapext mailing list
Ldapext@ietf.org
https://www1.ietf.org/mailman/listinfo/ldapext