
Re: [ldapext] password policy response control question



At 07:26 PM 5/7/2006, John McMeeking wrote:

>What response should the server send if there are no password policy warnings or errors to report? 
>
>I've heard several answers proposed on my team, along with arguments for and against: 
>
>1.  Do not send a password policy response control. 
>2.  Send a response control with no value. 
>3.  Send a response control where the value consists of an empty sequence. 

IIRC, 2) would violate the control specification. The control value
is a BER-encoded instance of a SEQUENCE with some optional fields.
One could change the specification to state that, in lieu of
sending an empty sequence, no control value MUST/SHOULD/MAY be
provided.  However, doing so
1) can complicate implementations and
2) (in the SHOULD/MAY case) can lead to interoperability problems.

>The draft says that responses are sent "when appropriate", and there is a general rule that protocols shouldn't be unnecessarily "chatty".

The "chatty" rule is not applicable here.  A protocol is not
unnecessarily chatty simply because the rules used to encode
a value are not minimally compact.

I note that there is value in the protocol being simple.
Having multiple encoding rules for the same or different
abstract values of the same type is unnecessarily complex.

>Not sending a response fits both those criteria, but some have argued that not sending this control should be interpreted as meaning the server does not support the control (perhaps the control is not supported with a particular naming context).  Control values are optional for LDAP controls in general.  The draft doesn't say the response MUST be sent with a control value; neither does it state any condition under which the server would send a response control without a warning or error.
>
>The converse of the question might be:  What should a client expect as normal responses? 
>
>
>John  McMeeking
>_______________________________________________
>Ldapext mailing list
>Ldapext@ietf.org
>https://www1.ietf.org/mailman/listinfo/ldapext

