[Date Prev][Date Next]
Re: (ITS#5872) slapo-cloak
Kurt Zeilenga wrote:
> On Dec 27, 2008, at 2:46 AM, email@example.com wrote:
>> empty or "*" ; all user, except attrs that need to be explicitly req.
>> "+" ; all operational
>> <all including attrs that need to be explicitly requested>
> I note that the specification of '+' does allow a server not to provide
> all operational attributes. That is, a server is allowed to only return
> some operational attributes when requested by name.
... based on how expensive their computation is. In fact, we do not
exploit this too much in slapd(8), where '+' usually triggers
operational all attributes evaluation. Probably, we should add the
possibility to configure whether the most expensive are computed or not
when not explicitly requested.
> This is not so with '*' (or empty list).
well, according to RFC4511, Section 188.8.131.52.:
Client implementors should note that even if all user attributes are
requested, some attributes and/or attribute values of the entry may
not be included in Search results due to access controls or other
The restrictions we're discussing may well fit into this.
> However, that said, I see no
> particular issue with a server choosing to return a particular user
> applications attribute only when requested by name. I see this simply
> as an administrative restriction... and those are always allowed.
> (I also note that use of '*' (or empty list) and '+' should generally be
> limited to requests formed by a human. It is bad (but all to common)
> practice for application-specific directory clients to ask for
> everything. They should really only ask for what they are prepared to
> make use of.
Ing. Pierangelo Masarati
OpenLDAP Core Team
via Dossi, 8 - 27100 Pavia - ITALIA
Office: +39 02 23998309
Mobile: +39 333 4963172
Fax: +39 0382 476497