
Re: [ldapext] password policy response control question



I agree with most of the points here, and it aligns with our rationale in writing the OpenLDAP implementation. Also, my reading of section 6.2 of the draft:

6.2  Response Control

   If the client has sent a passwordPolicyRequest control, the server
   (when solicited by the inclusion of the request control) sends this
   control with the following operation responses: bindResponse,
   modifyResponse, addResponse, compareResponse and possibly
   extendedResponse, to inform of various conditions, and MAY be sent
   with other operations (in the case of the changeAfterReset error).

I interpret "the server ... sends this control" as "the server SHALL send this control..." But that's a separate question (whether the response control is sent at all) from the original query (whether the control value should be present in the response control).

Still, the use of the control by the client is purely for informative purposes; the policies will take effect on the server regardless. As such, if the client really really wants to know that an operation succeeded in full conformance with the policy, then the client should set criticality TRUE in the request.

Ramsay, Ron wrote:
Hmmm. I didn't think the control was required to be marked 'critical'
but, if it is, then you are correct that the control will have been
recognised if the request was performed. (Your remark "when the control
is not critical" makes me believe that you don't understand the use of
the criticality flag. For example, you cannot respond with
"unavailableCriticalExtension" if the control is not marked critical.)

I don't see how whether a response control is sent is related to whether
the control is critical. Originally, the idea was that whether the
control was marked critical or not, processing should be the same. This
may have changed recently with Kurt's remarks on the behaviour of
modules in OpenLDAP and also with reference to distributed operations.

Therefore, it is simply a preference whether a control on the request is
matched with one on the response. I am in favour of this always being
the case. Two of the most troublesome operations in LDAP are Abandon and
Unbind, simply because they are not confirmed operations. Please let's
have this control 'confirmed'.

Also, I don't believe it is required to be marked 'critical', so a
response control will set the client at ease.

Ron


-----Original Message-----
From: Pierangelo Masarati [mailto:ando@sys-net.it]
Sent: Monday, 8 May 2006 6:17 PM
To: Ramsay, Ron
Cc: John McMeeking; ldapext@ietf.org
Subject: RE: [ldapext] password policy response control question


Hi John,

The question of whether to send a response ("when appropriate") has come up before and has not been resolved. I'd like to put a stake in the ground and say that a response should always be sent if the control is understood (that is, if the server supports the control).

Ron,

the fact that the control is understood is guaranteed by the fact that
the DSA didn't reject the request with unavailableCriticalExtension; it
would be acceptable for the control response to be absent if not needed.
This is true, of course, for critical controls.  I'd favor this case.

Further, I'd like to suggest that, in the case where there is no data to be sent, the value be absent.

This should be the behavior when the control is not critical.

-- 
  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc
  OpenLDAP Core Team            http://www.openldap.org/project/
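The three cases argued over in this thread (response control absent, response control present with no controlValue, and controlValue present with a warning or error such as changeAfterReset) are easy to confuse at the wire level, so here is a small BER encoder/decoder that makes them distinguishable. This is an added example written for this archive page, not code from the thread, the draft, or OpenLDAP; it assumes the password policy control OID 1.3.6.1.4.1.42.2.27.8.5.1 and the PasswordPolicyResponseValue syntax (warning [0] CHOICE of timeBeforeExpiration [0] / graceAuthNsRemaining [1], error [1] ENUMERATED) from draft-behera-ldap-password-policy, and every byte string it produces is constructed for illustration.

```python
"""Minimal BER codec for the LDAP password policy request/response controls.

Added example, not OpenLDAP or draft text. Assumed from draft-behera-ldap-
password-policy: the control OID and the PasswordPolicyResponseValue layout.
"""

PPOLICY_OID = "1.3.6.1.4.1.42.2.27.8.5.1"  # assumed from the draft

# error values of PasswordPolicyResponseValue.error, as enumerated in the draft
PPOLICY_ERRORS = {
    0: "passwordExpired", 1: "accountLocked", 2: "changeAfterReset",
    3: "passwordModNotAllowed", 4: "mustSupplyOldPassword",
    5: "insufficientPasswordQuality", 6: "passwordTooShort",
    7: "passwordTooYoung", 8: "passwordInHistory",
}


def _len(n):
    """BER length octets (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _len(len(body)) + body


def _read_tlv(buf, pos):
    """Return (tag, contents, position after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _encode_int(v):
    # two's-complement INTEGER of minimal length (values here are non-negative)
    return v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True)


def encode_control(critical, value_octets=None):
    """Control ::= SEQUENCE { controlType, criticality DEFAULT FALSE,
    controlValue OCTET STRING OPTIONAL } (RFC 4511)."""
    body = _tlv(0x04, PPOLICY_OID.encode("ascii"))
    if critical:                      # DEFAULT FALSE: omitted when false
        body += _tlv(0x01, b"\xff")
    if value_octets is not None:      # absent controlValue is legal
        body += _tlv(0x04, value_octets)
    return _tlv(0x30, body)


def encode_request_control(critical):
    """Client side: the request control carries no value at all."""
    return encode_control(critical)


def encode_response_control(warning=None, error=None, omit_empty_value=True):
    """Server side. warning is ("timeBeforeExpiration", secs) or
    ("graceAuthNsRemaining", n); error is an integer from PPOLICY_ERRORS.
    omit_empty_value=True drops controlValue when there is nothing to report,
    which is the behaviour argued for in the thread."""
    value = b""
    if warning is not None:
        kind, n = warning
        inner_tag = 0x80 if kind == "timeBeforeExpiration" else 0x81
        value += _tlv(0xA0, _tlv(inner_tag, _encode_int(n)))  # explicit [0]
    if error is not None:
        value += _tlv(0x81, _encode_int(error))               # implicit [1]
    if not value and omit_empty_value:
        return encode_control(False)
    return encode_control(False, _tlv(0x30, value))


def decode_control(raw):
    """Parse a Control. 'value' is None when controlValue is absent, otherwise
    a dict of decoded PasswordPolicyResponseValue fields (possibly empty)."""
    tag, body, _ = _read_tlv(raw, 0)
    if tag != 0x30:
        raise ValueError("Control must be a SEQUENCE")
    _, oid, pos = _read_tlv(body, 0)
    result = {"oid": oid.decode("ascii"), "criticality": False, "value": None}
    if pos < len(body) and body[pos] == 0x01:
        _, flag, pos = _read_tlv(body, pos)
        result["criticality"] = flag != b"\x00"
    if pos < len(body) and body[pos] == 0x04:
        _, octets, pos = _read_tlv(body, pos)
        result["value"] = _decode_ppolicy_value(octets)
    return result


def _decode_ppolicy_value(octets):
    _, seq, _ = _read_tlv(octets, 0)
    fields, pos = {}, 0
    while pos < len(seq):
        tag, inner, pos = _read_tlv(seq, pos)
        if tag == 0xA0:               # warning [0] CHOICE, explicitly tagged
            wtag, wbody, _ = _read_tlv(inner, 0)
            name = "timeBeforeExpiration" if wtag == 0x80 else "graceAuthNsRemaining"
            fields["warning"] = (name, int.from_bytes(wbody, "big", signed=True))
        elif tag == 0x81:             # error [1] ENUMERATED
            fields["error"] = PPOLICY_ERRORS.get(int.from_bytes(inner, "big", signed=True))
    return fields


if __name__ == "__main__":
    for ctrl in (encode_response_control(),
                 encode_response_control(omit_empty_value=False),
                 encode_response_control(warning=("timeBeforeExpiration", 3600)),
                 encode_response_control(error=2)):
        print(ctrl.hex(), "->", decode_control(ctrl))
```

A client that inspects `decode_control(...)["value"]` can tell "no controlValue" (`None`) from "empty PasswordPolicyResponseValue" (`{}`), which is exactly the distinction the thread is debating; whether the server is obliged to send the control at all is only guaranteed, as the messages above note, when the request control was marked critical, which `encode_request_control(True)` does by emitting the BOOLEAN criticality element.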

_______________________________________________
Ldapext mailing list
Ldapext@ietf.org
https://www1.ietf.org/mailman/listinfo/ldapext