[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: [ldapext] [Fwd: New Version Notification for draft-pluta-ldap-srv-side-current-time-match-00]
Hi Daniel,
Daniel Pluta wrote:
Hi Steven,
Steven Legg wrote:
Hi Daniel, Daniel Pluta wrote:
Hi Steven, Steven Legg wrote:
Hi Daniel, Daniel Pluta wrote:
Hi Steven, Steven Legg wrote:
Hi Daniel, Daniel Pluta wrote:
Hi Steven, Steven Legg wrote:
Hi Daniel, Daniel Pluta wrote:
Hi Steven, Steven Legg wrote:
Hi Daniel, Daniel Pluta wrote:
Hi Steven, Steven Legg wrote:
Daniel Pluta wrote:
Steven Legg wrote:
Daniel Pluta wrote:
- In my opinion: "NOW" would offer improved readability
That's the reason we have to clarify our intention and to further
differentiate in regard to your answer:
You assumed that the timeAttr is of generalizedTime syntax, but the
above "timeAttr" (from my previous posting) is not of generalizedTime
syntax (1.3.1....24) but of a new generalizedTime-similar syntax
(1.3.1...7650....).
I assumed that timeAttr was of Generalized Time, nowBefore,
nowBeforeOffset, nowAfter or nowAfterOffset syntax. What you are
describing now is quite different from what is written up in the draft.
This extension just demonstrates a possible future demand. Instead of my
above statement this syntax and the matching rules have been developed
during our discussion based on our draft but not mentioned in it -
please excuse me the unintended confusion this might has caused!
<hypothetical_discussion>
My main questions into direction of any interested standardization
organization would be:
- How to express this special (floating) point in time in regard to
ISO8601 - is there possibly a gap in ISO8601?
I haven't ever heard anyone else express a need for such a special value.
In my opinion we are not the only party that is interested in allowing
Generalized Time to be compared with the current time but possibly we
are the only party that relies on well defined standards.
For example the SQL-guys seems to make use of "now" without any problems
since years...
SQL has a much richer expression syntax than LDAP so it is possible to
naturally express all sorts of things that LDAP filters weren't designed for.
In LDAP we are restricted to comparing an attribute to a constant value.
It would be nice to be able to compare one attribute to another attribute
(i.e., do a join) or compare an attribute to the value of an expression
(possibly including an environment variable like the current time) and
so on.
To my mind, the absence of a way to represent "now" in GeneralizedTime
isn't really the problem. The limited expressibility of LDAP filters is the
problem, and a better query language for LDAP is the solution. I would
rather spend my time building a better query language than building
workarounds like forcing "now" into GeneralizedTime. What you see as
future demand I see as skirting around the real issue.
- Would it be worth to introduce a specialized syntax token (e.g.
"NOW" or what ever) which extend the generalizedTime syntax to
address the first question?
I would take a lot of hard work to attempt to make such a change to
ISO 8601
and/or X.680 with no guarantee of success. The ASN.1 working group might
just tell you that no change is necessary because you can use a CHOICE to
define a suitable type, i.e.,
CHOICE {
time GeneralizedTime,
now NULL,
nowOffset DURATION
}
The LDAP-specific encoding could be anything you like as long as it
provides a one-to-one mapping of values.
I don't think another type solves the might by future demand regarding
support for adding the server side current time into a generalizedTime
attribute using for example ldif changetypes.
Quite right, but what you are talking about is what I see as a special case
of a more general facility to be able to set any attribute to the value of an
expression, much as one can do in SQL. That would be a more interesting and
more generally useful future direction.
Of course this is not directly related to our draft's matching idea but
seems to be a valid question that could arise sooner or later in regard
to LDAP server's that are able to deal with the current time...
- Is it really a standardization organization's intention that the
nullValue should be (mis)used to represent the abstract floating
current (point in) time? If yes, where can I find a source/cite which
answers this question?
If GeneralizedTime were extended to include a special value to indicate
the current time then I imagine it would be called something like "NOW"
or "CURRENT-TIME". The NULL type in ASN.1 is used in cases where the
only thing that needs to be conveyed is the presence of some quantity
because its value is implicitly understood. You had not previously
indicated that the assertion syntax for nowMatch could also include
GeneralizedTime
values so it seemed to have an implicitly understood value that fits
with the typical use of NULL.
Our prototype just demonstrates two orthogonal approaches for discussion:
1.) extend RFC4517's generalizedTime[Ordering]Match to support current
time matching (there seems to be a need for the NOW assertion/attribute
syntax, to also allow modify/add operations the way)
2.) create an RFC4517-similar generalizedTime syntax with similar
generalizedTime[Ordering]Match rules to achieve the same goal as 1.) but
without altering/violating the specified behavior of RFC4517.
Although both approaches do not seem to fulfill the privacy requirements
they are just used for discussion: probably there is a need for such
kind of functionality which can be justified similar to the
justification we've already given regarding the matching of client side
unknown current time.
E.g. adding the current time (possibly also with an offset) to an
entry's attribute because the client does not know the server's current
time, especially in the distributed directory environment where the
client does not establishes a connection to the server the (add/modify)
operation will be of effect. Imagine a
Resource-Provider-Reseller-Scenario where the reseller needs to add the
current time to a previously paid resource directly into the provider's
side for example.
You would need to make a case for the end server's idea of the current
time being better than the client's idea of the current time. Their clocks
will be about the same anyway and any discrepancy won't matter for many/most
applications.
The client could always get the same effect by updating the timestamp
with a reasonable value, then reading back the modifyTimestamp of the entry
and finally replacing the previously written timestamp value with the value
from the modifyTimestamp. It's more work, but it can be done today.
If there currently is (or in the future could be) a common need for such
kind of feature we should take this into account in regard to the
specification of current time matching.
I don't think we two are currently able to answer these questions in
the correct (standardized) way - all we've found out seems just to be
a compromise which just represents an limited "LDAP specific
temporary workaround" that perhaps (mis)uses the nullValue.
</hypothetical_discussion>
The nowMatch rule is not, and cannot be, the equality matching rule
of timeAttr, so
(timeAttr=NOW) is bogus.
It's not bogus in case timeAttr is of gT-similar syntax. For that
reason we think the nowMatch matching rule needs to at least:
- support EQ-matching for attribute's of our generalizedTime-similar
syntax
- support EXT-matching for generalizedTime syntax attributes
Hopefully now our idea has become more obvious and hopefully it also
conforms to the directory specification - feedback is greatly
appreciated.
Background regarding the EQ matching support:
Next to LDAP search operations our current prototype also supports
NULL and OFFSET assertion values during add/delete/modify operations.
It's supported to use this assertion values for example via ldif
changes for (multi-value) attributes based on our
generalizedTime-similar syntax. To support multi-value handling an
appropriate equality rule has to exist and needs to be used.
Therefore we would like to see our new gT-similar syntax to support
EQ-matching using nowMatch to detect already existing values in
multi-value attributes...
This is one seriously convoluted syntax.
Convoluted yes, but just in case there is a need for the above
demonstrated behavior (on top of our goal of current time matching).
To legitimize all the things your
implementation is doing the syntax would have to be at least notionally
represented by a choice type like the one I gave above and would be both
the attribute syntax of timeAttr and the assertion syntax of nowMatch.
However there would be restrictions on the use of the syntax depending on
the context. To protect disclosure of timestamps it would be necessary to
allow only "NOW" as a value of the assertion syntax when nowMatch is used
in a filter (extensible match or otherwise). However, when nowMatch is
used
to compare attribute values during, for example, update operations the
assertion syntax would be unrestricted. The attribute syntax would be
unrestricted in protocol messages but at some point in the processing of
an operation the "NOW" and offset values have to be replaced by
GeneralizedTime values. The description would have to be extensive to
cover all the situations in which the syntax and matching rule are
explicitly or implicitly involved.
I for one, would not be interested in implementing such a strange syntax.
For us the current time matching is the primary goal. Everything else on
top (mentioned above) is optional for us. Nevertheless we wanted to
mention it because other people could become interested into this
direction. If so we probably need to take care.
The matching rules are okay, but the "everything else" looks like the wrong
direction from my, possibly unique, perspective.
If there is no positive feedback regarding any demand for our add-on
ideas we would like to focus on the current time matching from now on.
That would be best, unless someone else wades into this discussion expressing
support for the add-ons.
Regards,
Steven
Therefore the 01-Version of our draft will address:
- Two new matching rules useful for extensible matching of
generalizedTime attribute values:
nowMatch / nowOffsetMatch
- Two new assertion value syntaxes:
NULL / DURATION
nowMatch just supports the NULL syntax while nowOffsetMatch supports
both syntaxes.
That's it - more or less.
2.) MODIFY:
ldap_initialize( <DEFAULT> )
add timeAttr:
20100301000001Z
NULL
0#0#0#0#0#1
This is a use case that you haven't previously revealed or justified.
I've given a justification in this message, please see above.
Best regards,
Daniel
_______________________________________________
Ldapext mailing list
Ldapext@ietf.org
https://www.ietf.org/mailman/listinfo/ldapext