[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#5872) slapo-cloak

Kurt Zeilenga wrote:
> On Dec 27, 2008, at 2:46 AM, ando@sys-net.it wrote:
>> empty or "*" ; all user, except attrs that need to be explicitly req.
>> "+" ; all operational
>> <all including attrs that need to be explicitly requested>
>> <...>
> I note that the specification of '+' does allow a server not to provide 
> all operational attributes.  That is, a server is allowed to only return 
> some operational attributes when requested by name.

... based on how expensive their computation is.  In fact, we do not 
exploit this too much in slapd(8), where '+' usually triggers 
operational all attributes evaluation.  Probably, we should add the 
possibility to configure whether the most expensive are computed or not 
when not explicitly requested.

> This is not so with '*' (or empty list).

well, according to RFC4511, Section

    Client implementors should note that even if all user attributes are
    requested, some attributes and/or attribute values of the entry may
    not be included in Search results due to access controls or other

The restrictions we're discussing may well fit into this.

> However, that said, I see no 
> particular issue with a server choosing to return a particular user 
> applications attribute only when requested by name.  I see this simply 
> as an administrative restriction... and those are always allowed.


> (I also note that use of '*' (or empty list) and '+' should generally be 
> limited to requests formed by a human.  It is bad (but all to common) 
> practice for application-specific directory clients to ask for 
> everything.  They should really only ask for what they are prepared to 
> make use of.


Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Fax:     +39 0382 476497
Email:   ando@sys-net.it