Re: (ITS#3608) problem with non-critical controls

At 12:30 PM 3/27/2005, hyc@symas.com wrote:
>OK. I have raised this question on the ietf-ldapbis mailing list.


>In this case, the control in question was actually the ManageDSAit 
>control directed at back-config (not PagedResults which I thought at 
>first). I guess regardless of the outcome of the ldapbis discussion, 
>back-config should register support for this control and the immediate 
>problem goes away.

I note that clients really shouldn't set ManageDsaIT unless they
intend to manage the DSA IT.

>Kurt D. Zeilenga wrote:
>>At 11:04 PM 3/26/2005, Howard Chu wrote:
>>>Kurt D. Zeilenga wrote:
>>>>>If slapd_global_controls returns LDAP_COMPARE_FALSE meaning that a control is
>>>>>unavailable, the frontend will fail the request even if the control is marked
>>>>>non-critical. The request should only fail for critical controls, non-critical
>>>>>ones should be ignored.
>>>>Actually, that's incorrect.
>>>>If the server recognizes the control it MUST make use of it.
>>>>If it is unwilling or unable to, it is obligated to return
>>>>an error.
>>>RFC2251 does not explicitly state this anywhere.
>>The problem here lies in the interpretation of "appropriate".
>>In LDAPBIS discussions, "appropriate" was viewed as a matter
>>of specification, not a local matter.  That is, the paging
>>results control is appropriate for the search operation,
>>Not the server chooses which operations the paging control is
>>appropriate for.
>>Not that I argued that "appropriate" should be a local matter,
>>including in determining what combination of non-critical
>>controls should be used.  LDAPBIS however decided that it is
>>a protocol error to provide two non-critical controls which
>>the server doesn't know how to make use of.  I argued it would
>>be better for servers to assume they know all possible
>>combinations, and that the combination provided is unrecognized
>>to them, hence they should pare it down.
>>But I lost that debate.
>>I suggest, if you feel strongly about this, that you raise a
>>concern to the LDAPBIS WG with specific cases where this is
>>causing interoperability problems.
>>>Nor does the current (30) draft of the LDAPbis protocol document.
>>>The specs only say "if the control is recognized and it is appropriate for the operation, the server is to make use of the control." It does not say "if the server is unable to make use of the control it must return an error." The word "appropriate" is also very ambiguous. One could make a case that "appropriate" means not only that the control applies to the type of operation, but that it is available in the underlying directory. As such, a control that is not available in the underlying DIT is not appropriate, and can be silently ignored.
>  -- Howard Chu
>  Chief Architect, Symas Corp.       Director, Highland Sun
>  http://www.symas.com               http://highlandsun.com/hyc
>  Symas: Premier OpenSource Development and Support