Re: (ITS#5785) dontUseCopy in slapd requires criticality to be TRUE

ando@sys-net.it wrote:
> The "dontUseCopy" control requires criticality to be TRUE.  While this is the
> desirable value,

Why is this a desirable value? The answer Kurt gave on the ldap-ext mailing
list just mentioned direct mapping to X.511 dontUseCopy option.

> a DUA could use the control with the criticality set to FALSE.

As I stated on the ldap-ext mailing list, in this case I'd simply accept a
best effort on the DSA side. So sending "dontUseCopy" control with
criticality FALSE would mean: If the DSA supports this control it should
*process* it according to what's specified in
draft-zeilenga-ldap-dontusecopy. Otherwise ignore it.

The main problem is that a DUA cannot determine in advance whether a DSA
supports a certain control for a certain backend. It turned out in
practice that looking at supportedControl in rootDSE does not have any
meaning at all.

IMO yet another control does not solve this.

> For full conformance with RFC4511, if the control is syntactically well-formed
> and criticality is set to FALSE, slapd MUST accept it if recognized, or MUST
> ignore it if not recognized, but CANNOT question the fact that the value of
> criticality is violating the control's specification.

I'm not sure whether this statement can be made generally. I'd wish so
and I'd rephrase "accept it" to "process it".

Ciao, Michael.
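
The criticality handling debated in this thread, modelled as an added example (not part of the original message and not slapd code): the RFC 4511 section 4.1.11 rule next to a variant that also enforces the control specification's criticality requirement. The function names, the `dontUseCopy` label standing in for the OID, the two backends and the reject outcome are constructed assumptions; the page does not say which result code slapd returns.

```python
"""Model of how a DSA decides what to do with one request control."""
from enum import Enum

class Outcome(Enum):
    PROCESS = "control processed"
    IGNORE = "control ignored, operation performed"
    UNAVAILABLE_CRITICAL_EXTENSION = "operation refused, resultCode 12"
    # Hypothetical outcome modelling the behaviour reported in the ITS.
    REJECT_CRITICALITY = "operation refused over criticality value"

DONT_USE_COPY = "dontUseCopy"  # constructed label standing in for the OID

def rfc4511_dispatch(control, critical, supported):
    """RFC 4511 4.1.11: criticality is consulted only when the control is
    unrecognized or not appropriate for the operation."""
    if control in supported:
        return Outcome.PROCESS
    if critical:
        return Outcome.UNAVAILABLE_CRITICAL_EXTENSION
    return Outcome.IGNORE

def strict_dispatch(control, critical, supported,
                    must_be_critical=(DONT_USE_COPY,)):
    """Variant that additionally enforces 'criticality must be TRUE'."""
    if control in supported and control in must_be_critical and not critical:
        return Outcome.REJECT_CRITICALITY
    return rfc4511_dispatch(control, critical, supported)

def client_sees_success(outcome):
    """All the DUA can observe: whether the operation was performed."""
    return outcome in (Outcome.PROCESS, Outcome.IGNORE)

# Constructed support sets: control support differs per backend.
BACKENDS = {"master_db": {DONT_USE_COPY}, "proxy_db": set()}

def survey(dispatch):
    """Outcome for every (backend, criticality) combination."""
    return {(name, crit): dispatch(DONT_USE_COPY, crit, supported)
            for name, supported in BACKENDS.items()
            for crit in (True, False)}

if __name__ == "__main__":
    for label, fn in (("rfc4511", rfc4511_dispatch), ("strict", strict_dispatch)):
        for (backend, crit), out in survey(fn).items():
            print(f"{label:8} {backend:10} critical={crit!s:5} -> {out.value}")
```

With criticality FALSE, both the processed and the ignored case look like success to the DUA, so a non-critical request cannot confirm that a copy was not used.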