RE: [ldapext] password policy response control question



> Hmmm. I didn't think the control was required to be marked 'critical'

from <draft-behera-ldap-password-policy-09>

   The controlType is 1.3.6.1.4.1.42.2.27.8.5.1 and the criticality may
   be TRUE or FALSE.  There is no controlValue.


> but, if it is, then you are correct that the control will have been
> recognised if the request was performed. (Your remark "when the control
> is not critical" makes me believe that you don't understand the use of
> the criticality flag. For example, you cannot respond with
> "unavailableCriticalExtension" if the control is not marked critical.)

I believe I understand it.  That's why I agree that if no criticality was
set in the request, a control response with no value should be sent to
clarify that the DSA understood the control.

> I don't see how whether a response control is sent is related to whether
> the control is critical.

If the control response does not add to the knowledge of the client, it's
a waste of resources.  I believe this is the case if the control
criticality is set but the control response would be empty.  The draft
correctly does not require an empty control response to be returned.

> Originally, the idea was that whether the
> control was marked critical or not, processing should be the same.

If the control is recognized, yes.  If it's not, processing changes quite
a bit.

> This
> may have changed recently with Kurt's remarks on the behaviour of
> modules in OpenLDAP and also with reference to distributed operations.
>
> Therefore, it is simply a preference whether a control on the request is
> matched with one on the response. I am in favour of this always being
> the case. Two of the most troublesome operations in LDAP are Abandon and
> Unbind, simply because they are not confirmed operations. Please let's
> have this control 'confirmed'.
>
> Also, I don't believe it is required to be marked 'critical', so a
> response control will set the client at ease.

No, it's not.  My suggestion is about not wasting resources.  I don't mind
too much about badly written clients (things like "since I sent the
control request, there must be a control response, so I don't even check
it's there" are nonsense).  In "modern" LDAP client writing, developers
should never assume anything but correctness and, when possible,
efficiency.  I think a response that doesn't add to what the client
already knows is inefficient.

Another point is: this control is about security; I don't like risking
that a security-related control is ignored just because I'm too lazy to
mark the request as critical.  If I send the request I'd first make sure
the server supports it, and then require it to process my request
accordingly.

p.



Ing. Pierangelo Masarati
Responsabile Open Solution
OpenLDAP Core Team

SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
------------------------------------------
Office:   +39.02.23998309
Mobile:   +39.333.4963172
Email:    pierangelo.masarati@sys-net.it
------------------------------------------


_______________________________________________
Ldapext mailing list
Ldapext@ietf.org
https://www1.ietf.org/mailman/listinfo/ldapext
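As an added illustration of the exchange above (example code written for this page, not from the post, the draft or OpenLDAP): how the password-policy request control is put on the wire under the RFC 4511 BER restrictions, what an "empty" response control looks like, and what a client can conclude about the DSA having understood the control depending on the criticality it chose. The controlType OID is the one quoted from the draft; the result code 12 (unavailableCriticalExtension) and the rule that DEFAULT values are absent come from RFC 4511; the function names are mine.

```python
PPOLICY_OID = "1.3.6.1.4.1.42.2.27.8.5.1"   # controlType from the draft
UNAVAILABLE_CRITICAL_EXTENSION = 12          # LDAPResult resultCode, RFC 4511

def ber_tlv(tag, content):
    """Definite-length BER TLV (RFC 4511 5.1 forbids the indefinite form)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    size = (n.bit_length() + 7) // 8          # long-form length for >= 128 octets
    return bytes([tag, 0x80 | size]) + n.to_bytes(size, "big") + content

def encode_control(oid, critical, value=None):
    """Control ::= SEQUENCE { controlType LDAPOID, criticality BOOLEAN DEFAULT FALSE,
    controlValue OCTET STRING OPTIONAL }.  LDAPOID is an OCTET STRING holding the
    dotted-decimal text.  RFC 4511 5.1 requires DEFAULT values to be absent, so
    criticality FALSE is signalled by omission and TRUE must be encoded as FF."""
    body = ber_tlv(0x04, oid.encode("ascii"))
    if critical:
        body += ber_tlv(0x01, b"\xff")
    if value is not None:
        body += ber_tlv(0x04, value)
    return ber_tlv(0x30, body)

def decode_control(data):
    """Inverse of encode_control for short-form lengths: (oid, critical, value).
    A response control carrying no controlValue decodes to value None."""
    if data[0] != 0x30 or data[1] >= 0x80 or len(data) != 2 + data[1]:
        raise ValueError("not a short-form Control SEQUENCE")
    items, pos = [], 2
    while pos < len(data):
        tag, n = data[pos], data[pos + 1]
        items.append((tag, data[pos + 2:pos + 2 + n]))
        pos += 2 + n
    oid = items[0][1].decode("ascii")
    critical = any(t == 0x01 and v == b"\xff" for t, v in items[1:])
    values = [v for t, v in items[1:] if t == 0x04]
    return oid, critical, (values[0] if values else None)

def server_recognized_control(critical, result_code, response_control_present):
    """What the client can conclude about the DSA having understood the request
    control: True/False are certain, None means the reply says nothing."""
    if response_control_present:
        return True                  # even an empty response control confirms it
    if critical:
        # an unrecognised critical control must fail the operation with
        # unavailableCriticalExtension, so any other result means it was understood
        return result_code != UNAVAILABLE_CRITICAL_EXTENSION
    return None                      # non-critical and no response: cannot tell
```

The non-critical case with no response control returns None, which is exactly the gap the thread discusses: only a response control (even an empty one) or a critical request lets the client know the control was understood.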