
Re: [ldapext] draft-zeilenga-ldap-dontusecopy & chaining



At 06:38 AM 6/25/2005, Pierangelo Masarati wrote:


>> When the control is attached to an LDAP request, the requested
>> operation MUST NOT be performed on copied information.  That is, the
>> requested operation MUST be performed on authoritative information.
>>
>> If authoritative information for the target or base object of the
>> operation is not available, the server MUST either return a referral
>> to a server believed to be better able to service the request or
>> return an appropriate result code (e.g., unwillingToPerform).
>
>There might be a third option, i.e. "chain" the operation by chasing the referral to where the original data is contained.

I don't think this document and, in general, other documents
defining LDAP control extensions, should mention chaining.  LDAP is
a client/server protocol.  If a server "chains" a request, it
MUST do so in a manner that provides service consistent with
the service model.   This document says what service the
client expects.

>I think you should either specify if this is acceptable, provided that chaining ensures that the Don't Use Copy control is propagated along with the chaining request, or this must not be performed;

I note that chaining servers have some obligation to ensure
that a non-critical control (of any type) is either used in
performing the entire operation or not used in performing the
entire operation.  The chaining server cannot allow a portion
of the operation to be performed with a control and another
portion not to be.  So, when chaining a request (such as
portions of a subtree search) to other servers, it has to
ensure that it and those other servers all perform the
same operation.  

It's not good enough to simply propagate a control (of any
type).  To ensure proper service is provided to the client
(which is a general obligation of the directory service),
the chaining server needs to either make the control
critical so as to force its use by all other servers, or to
remove the control altogether to force it not to be used by 
all other servers.  It must do the former if it used the
control in any way in its performance of the operation.
It must do the latter if it ignored the control in any way
in its performance of the operation.  If it hasn't performed
any of the operation, such as in the case where it chains
an entire request (like when it doesn't hold the baseObject
of a search request), then it has the option of including
the control as presented by the client.

(I note that the above implies a chaining service based upon
simple rewriting of requests.  Such a service may not be able
to adequately chain all operations.  Generally, one needs to
use a chaining operation which provides the original request
as well as information necessary to ensure consistent performance.)

Note that none of this is specific to this control.  Same applies
to all controls.  And, because the semantics are shared, it's
better this be placed in a common document about chaining.

It is appropriate for control specifications to simply detail
what service is to be provided to the client.  Whether the
directory service is distributed or not, the receiving server
is obligated to provide service consistent with the service
model.

The document, I believe, adequately specifies what service is
to be provided to the client.


_______________________________________________
Ldapext mailing list
Ldapext@ietf.org
https://www1.ietf.org/mailman/listinfo/ldapext
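
The rule the message above gives for controls on a chained request, sketched as an added example that is not part of the original message or of any LDAP server's code. The `Control` class, the function and exception names and the OID strings are hypothetical; rejecting a critical control that was ignored locally is an assumption drawn from LDAP's rule that an unrecognized critical control fails the operation.

```python
from dataclasses import dataclass, replace
from typing import AbstractSet, List, Sequence

# Placeholder identifiers constructed for this example, not assigned OIDs.
DONT_USE_COPY = "OID-PLACEHOLDER-dontUseCopy"
OTHER_CONTROL = "OID-PLACEHOLDER-other"


@dataclass(frozen=True)
class Control:
    control_type: str          # OID naming the control
    criticality: bool = False  # LDAP default is FALSE
    control_value: bytes = b""


class ChainingError(Exception):
    """The request cannot be chained with consistent control handling."""


def controls_for_chained_request(
    presented: Sequence[Control],
    performed_locally: bool,
    applied_locally: AbstractSet[str],
) -> List[Control]:
    """Return the controls to attach to the request sent to other servers.

    presented         controls exactly as the client sent them
    performed_locally True if this server already did part of the operation
    applied_locally   control types this server honoured in that part
    """
    if not performed_locally:
        # Whole request is chained (e.g. baseObject not held here):
        # the controls may be included as presented by the client.
        return list(presented)

    outbound = []
    for ctl in presented:
        if ctl.control_type in applied_locally:
            # Used here, so every other server must use it too.
            outbound.append(replace(ctl, criticality=True))
        elif ctl.criticality:
            # Assumption: a critical control cannot be silently ignored;
            # the operation should already have failed locally.
            raise ChainingError(f"critical control {ctl.control_type} was not applied")
        # Ignored here and non-critical: drop it so that no server applies it.
    return outbound
```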