Hmmm. I didn't think the control was required to be marked 'critical'
but, if it is, then you are correct that the control will have been
recognised if the request was performed. (Your remark "when the control
is not critical" makes me believe that you don't understand the use of
the criticality flag. For example, you cannot respond with
"unavailableCriticalExtension" if the control is not marked critical.)
I don't see how whether a response control is sent is related to whether
the control is critical. Originally, the idea was that whether the
control was marked critical or not, processing should be the same. This
may have changed recently with Kurt's remarks on the behaviour of
modules in OpenLDAP and also with reference to distributed operations.
Therefore, it is simply a preference whether a control on the request is
matched with one on the response. I am in favour of this always being
the case. Two of the most troublesome operations in LDAP are Abandon and
Unbind, simply because they are not confirmed operations. Please let's
have this control 'confirmed'.
Also, I don't believe it is required to be marked 'critical', so a
response control will set the client at ease.
Ron
-----Original Message-----
From: Pierangelo Masarati [mailto:ando@sys-net.it]
Sent: Monday, 8 May 2006 6:17 PM
To: Ramsay, Ron
Cc: John McMeeking; ldapext@ietf.org
Subject: RE: [ldapext] password policy response control question
Hi John,
The question of whether to send a response ("when appropriate") has
come up before and has not been resolved. I'd like to put a stake in
the ground and say that a response should always be sent if the
control is understood (that is, if the server supports the control).
Ron,
the fact that the control is understood is guaranteed by the fact that
the DSA didn't reject the request with unavailableCriticalExtension; it
would be acceptable for the control response to be absent if not needed.
This is true, of course, for critical controls. I'd favor this case.
Further, I'd like to suggest that, in the case where there is no data
to be sent, the value be absent.
This should be the behavior when the control is not critical.
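
The criticality question debated in this thread, as an added sketch that is not part of the original messages: a toy server applies the RFC 4511 rule for unrecognised controls, and a client works out what it can conclude about the password policy control it sent. The names `serve`, `client_view`, `scenarios`, the `always_respond` switch and the data model are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import List, Optional

PPOLICY_OID = "1.3.6.1.4.1.42.2.27.8.5.1"  # password policy control OID
SUCCESS, UNAVAILABLE_CRITICAL_EXTENSION = 0, 12  # RFC 4511 resultCodes

@dataclass
class Control:
    oid: str
    critical: bool = False
    value: Optional[bytes] = None  # None models an absent controlValue

@dataclass
class Response:
    result_code: int
    controls: List[Control] = field(default_factory=list)

def serve(request_controls, supported, always_respond, policy_data=None):
    """Toy server (hypothetical): apply the criticality rule, then decide
    whether to attach a password policy response control."""
    out = []
    for ctl in request_controls:
        if ctl.oid not in supported:
            if ctl.critical:
                return Response(UNAVAILABLE_CRITICAL_EXTENSION)  # must not perform
            continue  # unrecognised and non-critical: silently ignored
        if ctl.oid == PPOLICY_OID and (always_respond or policy_data is not None):
            out.append(Control(PPOLICY_OID, False, policy_data))  # value may be absent
    return Response(SUCCESS, out)

def client_view(sent, resp):
    """What the client can conclude about the control it sent."""
    if resp.result_code == UNAVAILABLE_CRITICAL_EXTENSION:
        return "unsupported"
    if any(c.oid == sent.oid for c in resp.controls):
        return "honoured"  # explicit confirmation from the server
    if sent.critical:
        return "honoured"  # implied: the request was not rejected
    return "unknown"  # ignored, or understood with nothing to report

def scenarios():
    """Constructed cases keyed by (critical, server supports, always_respond)."""
    result = {}
    for critical, supports, always in [
            (True, False, False), (True, True, False), (False, False, False),
            (False, True, False), (False, True, True)]:
        sent = Control(PPOLICY_OID, critical)
        resp = serve([sent], {PPOLICY_OID} if supports else set(), always)
        result[(critical, supports, always)] = client_view(sent, resp)
    return result
```

In this model the two non-critical cases without a response control are indistinguishable to the client, and only the always-respond behaviour separates them.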