[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: [ldapext] password policy response control question

To: <ando@sys-net.it>
Subject: RE: [ldapext] password policy response control question
From: "Ramsay, Ron" <Ron.Ramsay@ca.com>
Date: Mon, 8 May 2006 18:43:11 +1000
Cc: John McMeeking <jmcmeek@us.ibm.com>, ldapext@ietf.org
Content-class: urn:content-classes:message
In-reply-to: <33821.131.175.154.56.1147076220.squirrel@131.175.154.56>
Thread-index: AcZyeCGUud18oeLuSySHwF3jYdkuagAAZSaQ
Thread-topic: [ldapext] password policy response control question

Hmmm. I didn't think the control was required to be marked 'critical'
but, if it is, then you are correct that the control will have been
recognised if the request was performed. (Your remark "when the control
is not critical" makes me believe that you don't understand the use of
the criticality flag. For example, you cannot respond with
"unavailableCriticalExtension" if the control is not marked critical.)

I don't see how whether a response control is sent is related to whether
the control is critical. Originally, the idea was that whether the
control was marked critical or not, processing should be the same. This
may have changed recently with Kurt's remarks on the behaviour of
modules in OpenLDAP and also with reference to distributed operations.

Therefore, it is simply a preference whether a control on the request is
matched with one on the response. I am in favour of this always being
the case. Two of the most troublesome operations in LDAP are Abandon and
Unbind, simply because they are not confirmed operations. Please let's
have this control 'confirmed'.

Also, I don't believe it is required to be marked 'critical', so a
response control will set the client at ease.

Ron


-----Original Message-----
From: Pierangelo Masarati [mailto:ando@sys-net.it] 
Sent: Monday, 8 May 2006 6:17 PM
To: Ramsay, Ron
Cc: John McMeeking; ldapext@ietf.org
Subject: RE: [ldapext] password policy response control question

> Hi John,
>
> The question of whether to send a response ("when appropriate") has 
> come up before and has not been resolved. I'd like to put a stake in 
> the ground and say that a response should always be sent if the 
> control is understood (that is, if the server supports the control).

Ron,

the fact that the control is understood is guaranteed by the fact that
the DSA didn't reject the request with unavailableCriticalExtension; it
would be acceptable for the control response to be absent if not needed.
This is true, of course for critical controls.  I'd favor this case.

> Further, I'd like to suggest that, in the case where there is no data 
> to be sent, the value be absent.

this should be the behavior when the control is not critical.

p.



Ing. Pierangelo Masarati
Responsabile Open Solution
OpenLDAP Core Team

SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
------------------------------------------
Office:   +39.02.23998309          
Mobile:   +39.333.4963172
Email:    pierangelo.masarati@sys-net.it
------------------------------------------



_______________________________________________
Ldapext mailing list
Ldapext@ietf.org
https://www1.ietf.org/mailman/listinfo/ldapext

Follow-Ups:
- Re: [ldapext] password policy response control question
  - From: Howard Chu <hyc@highlandsun.com>
- RE: [ldapext] password policy response control question
  - From: "Pierangelo Masarati" <ando@sys-net.it>

References:
- RE: [ldapext] password policy response control question
  - From: "Pierangelo Masarati" <ando@sys-net.it>

Prev by Date: RE: [ldapext] Grace logins and password policy
Next by Date: Re: [ldapext] password policy response control question
Index(es):
- Chronological
- Thread