[Date Prev][Date Next] [Chronological] [Thread] [Top]
Re: (ITS#6247)

To: openldap-its@OpenLDAP.org
Subject: Re: (ITS#6247)
From: daniel@pluta.biz
Date: Thu, 13 Aug 2009 11:12:34 GMT
Auto-submitted: auto-generated (OpenLDAP-ITS)
masarati@aero.polimi.it wrote:
>> Hi,
>>
>> I've just uploaded an updated version.
>>
>> Changes regarding schema:
>> - Added EQ-Matching rule to both nowNot{Before|After} attributes
>> - changed attribute nowNotAfter from single- into multi-value
>>
>> ftp://ftp.openldap.org/incoming/daniel-pluta-now-090812.tgz
>>     
>
> In order to make your contribution useful to others, I think you should
> definitely separate comparison with respect to current time from the rest
> of what you need.
> In this sense, special matching rules to compare generalizedTime-syntax
> attributes with respect to "now" have nothing to do with the declaration
> of specific generalizedTime-valued attributes.
>   
I've already thought about this. I'm in two minds about that.

> As I mentioned in an earlier posting, any generalizedTime-syntax attribute
> can use your special matching rules by way of the extensible filter
> mechanism, regardless of having any matching rule in their definition.
>   
I thought, that by not assigning any matching rule the EQ/LE/GE 
comparison is not possible at all. That's the behavior I would like to 
achieve regarding the two minimum-attributes (regardless whether the 
probable separation of matching rules and attribute definitions - 
disscussed in the above paragraphs).

Yesterday I've noticed that without an EQ-Matching definition I was not 
able to add an additional value in case of a multi-valued attribute 
definition (so I added EQ-Matching again). I have to admit that I do not 
understand this in detail. I also have not investigated in deep...

> Moreover, attributes can already be defined using slapd.conf/back-config,
> so there's no need to hardcode them in your module (except, possibly, for
> your specific needs, but this makes the module less general and useful to
> others).
>   
The oc/attr definition is for demonstration purposes only (I though it's 
more compact to include this "demo" and implement it the most restricted 
way regard data privacy (especially disallow querying LE/GE for both attr).
Problably I'll separate the demo into an extra schema file.

> But
> the real reason is that "exactly equal to now" makes little sense as "now"
> is evanescent: you have no control about exactly when your matching rule
>   
hehe that relativistic effects I already had in mind before implementing 
this kind of matching rule. That's the reason I originally followed the 
approach to manipulate the search requests' filters. This approach could 
assure to make use of the "same" now (op->o_time) for all entries.

By using the matching rule (especially in combination with the filter= 
statement in ACLs) "now" will become some kind of "time distance" 
instead of a point in time because a search' results get evaluated 
sequentially by test_filter().

In worst case the second have of a billion search entries are valid 
during the search but get "invalid" during acl processing, because time 
move's on... ;-)

On the other side comparing the lines of code of the matching rule 
approach to my previous pre-alpha overlay's lines of code, this matching 
rule's implementation is about 10 times smaller...

> will be evaluated, so if the difference between "including now" or
> "excluding now" is crucial, then there might be something flawed in the
> policy you're trying to implement.
>   
Ok, this in mind I'll at least reduce the matching rules to two but the 
problem (now == time_delta) still exists.
> Getting more into implementation related aspects, I think you should
> really ignore the asserted value, rather than check it's equal to the
> Epoch.  I initially suggested to put the Epoch as the asserted value in
> order to use some clearly recognizable, yet valid, value.  But this should
> be a matter of style rather than a requirement of the matching rule.
>   
I regard to some kind of future formal specification I thought about 
this, too: in my opinion it seems to be "unnatural" to search (assert) a 
non-Timestamp-value to a generalizedTimestamp-Syntax attribute... But 
probably that's really only a matter of style.

> With respect to OID assignment, as soon as your contribution is considered
> of general usefulness, it could receive a temporary OID out of OpenLDAP's
> experimental branch.  If you intend to formalize this set of matching
> rules somehow, you should apply for IANA assignment of an official OID. 
>   
> Note that I'm not encouraging nor discouraging you in this sense.
>   
I'm currently thinking about this...

Thanks for your feedback the discussion is very interesting and helpful.
Prev by Date: Re: (ITS#6140) nadf.schema: AttributeType not found: "lastModifiedTime"
Next by Date: Re: (ITS#6247)
Index(es):
- Chronological
- Thread