[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: [ldapext] Comments to <draft-sermersheim-ldap-chaining>

To: Jim Sermersheim <jimse@novell.com>
Subject: Re: [ldapext] Comments to <draft-sermersheim-ldap-chaining>
From: Howard Chu <hyc@highlandsun.com>
Date: Thu, 24 Feb 2005 22:10:06 -0800
Cc: Kurt@OpenLDAP.org, ldapext@ietf.org
In-reply-to: <s21e4b20.029@sinclair.provo.novell.com>
References: <s21e4b20.029@sinclair.provo.novell.com>
User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8a6) Gecko/20050111

Jim Sermersheim wrote:

I have to admit that I disliked the names and limited usefulnes of the
controls as they are defined in X.511, and that may have influenced me
to simply define them in a symmetrical and (to me) more clear way for
LDAP.


Fair enough, I can appreciate symmetry...

I see usefulness in chainingRequired. For example, assume a client
wishes to perform a SSS or VLV search operation and knows that the data
in the result set may be distributed (and perhaps further assume some
DSAs support chaining these operations). If the client can specify
chainingRequired, it would know that the results it gets back are
already sorted and no extra work needs to be done. If the server cannot,
or will not chain, then the operation fails, and the client learns this
up front. In the absence of chainingRequired, the client may get back
many search results -- assuming they're sorted, only to find out in the
end that one or more search result references need to be followed to
complete the operation.

I believe you're seeing a false economy here. The point is, why did the client ask the question it asked - presumably, because it wanted some data. If your client sends a request with e.g. SSS, the server will proceed to gather results up, find that it can't obey the Chaining control, and return an error to the client. But as far as I can see, the client still wanted that data, else why did it ask in the first place. The client can just give up and say "sorry, I can't get what you want in my preferred fashion" but the more useful thing for it to do is to retry the request and make do with whatever results it gets. In that case, you've just doubled the amount of work the server has to do, because the client will re-issue the same request, with relaxed controls. Nothing changes the fact that extra work needs to be done by the client, (or it must just fail); the presence of the control doesn't help matters in any way.

Also, this SSS example isn't quite right - obviously a server needs to gather up the complete result set before it can begin returning sorted results to the client. As such, it will already know if references are present before sending any results to the client. It would be wrong for the server to begin sending entries back knowing that the result set contains unresolved references, so that search should automatically fail in the absence of chaining. Indeed, RFC2891 pretty much dictates that the request will fail, in section 2.1. In this regard, I would prefer that that spec be changed to require servers to send unresolved references first, ahead of regular entries, and let the client decide whether it wants to slog through or give up. Cutting off the information at the server prevents the DUA user from making an informed decision about what to do next. Giving the information to the client allows the possibility of a graceful recovery.

> I believe that chainingRequired may also be

useful for other multi-object operations which are served best (or can
only be completed) by the act of DSA chaining. Off the top of my head, I
can't think of a strong case for chainingRequired during name resolution
(otehr than the case I make below for referralsPreferred), but I see no
harm in allowing it's specification.

I believe the harm is in preventing useful information from reaching the client, thus making error recovery messier and more expensive than it needs to be.

I also see usefulness in referralsPreferred. It allows one to possibly
override whatever the server's behavior is.  We have deployments where
the server's setting is chainingPreferred or chainingRequired. Clients
may prefer to receive referrals, yet want the operation to be chained
when policy prevents a referral from being returned.

To me, the absence of any chaining control already implies "referralsPreferred" but I'll have to think about it some more. It becomes useful if you assume that the client knows more about the referred server than the original DSA knows. Personally I believe this assumption is seldom true, but I guess I can't say "never" so I'll leave this alone for now.

--
  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support

_______________________________________________
Ldapext mailing list
Ldapext@ietf.org
https://www1.ietf.org/mailman/listinfo/ldapext

Prev by Date: Re: [ldapext] Comments to <draft-sermersheim-ldap-chaining>
Next by Date: Re: [ldapext] Comments to <draft-sermersheim-ldap-chaining>
Index(es):
- Chronological
- Thread