ProgressReport updates may be attached in Response controls accompanying
Search Response messages, Result messages, and also in Intermediate Response
messages.
The ProgressReport update will contain two integers of arbitrary units: one
representing the total amount of work, and one representing the current amount
already executed.
E.g., for a Search request, the total value may represent the number of
candidate entries to be evaluated in the search, and the current value may
represent the number of entries already evaluated.
Typically a write request should execute quickly, but if a write has other
side-effects, it may take longer. E.g., if a server is configured with
synchronous replication, where the client write does not complete until some
number of replicas have received the update, then the progress report may be
useful to indicate how many replicas have been updated.
There are some security concerns here regarding the control giving out
information that clients wouldn't otherwise have access to. E.g., access
controls may limit a client to seeing only a subset of entries in a directory;
a ProgressReport may allow them to discover the true number of entries. It's
not clear to me that this is critical or useful to an attacker, but it would
make sense for implementations to also control who is authorized to use the
ProgressReport control, and to fudge the units used in the update data so that
they don't correspond 1-to-1 with any actual counts of anything meaningful.
Comments?