[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: [ldapext] Comments to <draft-sermersheim-ldap-chaining>
- To: Jim Sermersheim <jimse@novell.com>
- Subject: Re: [ldapext] Comments to <draft-sermersheim-ldap-chaining>
- From: Howard Chu <hyc@highlandsun.com>
- Date: Thu, 24 Feb 2005 22:10:06 -0800
- Cc: Kurt@OpenLDAP.org, ldapext@ietf.org
- In-reply-to: <s21e4b20.029@sinclair.provo.novell.com>
- References: <s21e4b20.029@sinclair.provo.novell.com>
- User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8a6) Gecko/20050111
Jim Sermersheim wrote:
I have to admit that I disliked the names and limited usefulnes of the
controls as they are defined in X.511, and that may have influenced me
to simply define them in a symmetrical and (to me) more clear way for
LDAP.
Fair enough, I can appreciate symmetry...
I see usefulness in chainingRequired. For example, assume a client
wishes to perform a SSS or VLV search operation and knows that the data
in the result set may be distributed (and perhaps further assume some
DSAs support chaining these operations). If the client can specify
chainingRequired, it would know that the results it gets back are
already sorted and no extra work needs to be done. If the server cannot,
or will not chain, then the operation fails, and the client learns this
up front. In the absence of chainingRequired, the client may get back
many search results -- assuming they're sorted, only to find out in the
end that one or more search result references need to be followed to
complete the operation.
I believe you're seeing a false economy here. The point is, why did the
client ask the question it asked - presumably, because it wanted some
data. If your client sends a request with e.g. SSS, the server will
proceed to gather results up, find that it can't obey the Chaining
control, and return an error to the client. But as far as I can see, the
client still wanted that data, else why did it ask in the first place.
The client can just give up and say "sorry, I can't get what you want in
my preferred fashion" but the more useful thing for it to do is to retry
the request and make do with whatever results it gets. In that case,
you've just doubled the amount of work the server has to do, because the
client will re-issue the same request, with relaxed controls. Nothing
changes the fact that extra work needs to be done by the client, (or it
must just fail); the presence of the control doesn't help matters in any
way.
Also, this SSS example isn't quite right - obviously a server needs to
gather up the complete result set before it can begin returning sorted
results to the client. As such, it will already know if references are
present before sending any results to the client. It would be wrong for
the server to begin sending entries back knowing that the result set
contains unresolved references, so that search should automatically fail
in the absence of chaining. Indeed, RFC2891 pretty much dictates that
the request will fail, in section 2.1. In this regard, I would prefer
that that spec be changed to require servers to send unresolved
references first, ahead of regular entries, and let the client decide
whether it wants to slog through or give up. Cutting off the information
at the server prevents the DUA user from making an informed decision
about what to do next. Giving the information to the client allows the
possibility of a graceful recovery.
> I believe that chainingRequired may also be
useful for other multi-object operations which are served best (or can
only be completed) by the act of DSA chaining. Off the top of my head, I
can't think of a strong case for chainingRequired during name resolution
(otehr than the case I make below for referralsPreferred), but I see no
harm in allowing it's specification.
I believe the harm is in preventing useful information from reaching the
client, thus making error recovery messier and more expensive than it
needs to be.
I also see usefulness in referralsPreferred. It allows one to possibly
override whatever the server's behavior is. We have deployments where
the server's setting is chainingPreferred or chainingRequired. Clients
may prefer to receive referrals, yet want the operation to be chained
when policy prevents a referral from being returned.
To me, the absence of any chaining control already implies
"referralsPreferred" but I'll have to think about it some more. It
becomes useful if you assume that the client knows more about the
referred server than the original DSA knows. Personally I believe this
assumption is seldom true, but I guess I can't say "never" so I'll leave
this alone for now.
--
-- Howard Chu
Chief Architect, Symas Corp. Director, Highland Sun
http://www.symas.com http://highlandsun.com/hyc
Symas: Premier OpenSource Development and Support
_______________________________________________
Ldapext mailing list
Ldapext@ietf.org
https://www1.ietf.org/mailman/listinfo/ldapext