[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
[ldapext] Request Progress Reporting
- To: Ldapext <ldapext@ietf.org>
- Subject: [ldapext] Request Progress Reporting
- From: Howard Chu <hyc@highlandsun.com>
- Date: Thu, 02 Apr 2009 07:44:05 -0700
- Delivered-to: ldapext@core3.amsl.com
- User-agent: Mozilla/5.0 (X11; U; Linux x86_64; rv:1.9.1b3pre) Gecko/20090317 SeaMonkey/2.0a1pre Firefox/3.0.3
This discussion began on the OpenLDAP-Devel mailing list, talking about
returning a progress indicator to a client for a long running search operation.
http://www.openldap.org/lists/openldap-devel/200903/msg00082.html
It was suggested that progress reporting may be useful in general, not just
for search requests. Moving the discussion here to get more input.
The idea currently is to attach a "ProgressReport" control to any request. The
control will specify a time interval to indicate how often progress updates
should be returned.
ProgressReport updates may be attached in Response controls accompanying
Search Response messages, Result messages, and also in Intermediate Response
messages.
The ProgressReport update will contain two integers of arbitrary units: one
representing the total amount of work, and one representing the current amount
already executed.
E.g., for a Search request, the total value may represent the number of
candidate entries to be evaluated in the search, and the current value may
represent the number of entries already evaluated.
Typically a write request should execute quickly, but if a write has other
side-effects, it may take longer. E.g., if a server is configured with
synchronous replication, where the client write does not complete until some
number of replicas have received the update, then the progress report may be
useful to indicate how many replicas have been updated.
There are some security concerns here regarding the control giving out
information that clients wouldn't otherwise have access to. E.g., access
controls may limit a client to seeing only a subset of entries in a directory;
a ProgressReport may allow them to discover the true number of entries. It's
not clear to me that this is critical or useful to an attacker, but it would
make sense for implementations to also control who is authorized to use the
ProgressReport control, and to fudge the units used in the update data so that
they don't correspond 1-to-1 with any actual counts of anything meaningful.
Comments?
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
_______________________________________________
Ldapext mailing list
Ldapext@ietf.org
https://www.ietf.org/mailman/listinfo/ldapext