[ldapext] Proposal of a companion control to draft-wahl-ldap-session
Pierangelo Masarati <ando@sys-net.it> Sat, 15 September 2007 14:12 UTC
Return-path: <ldapext-bounces@ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1IWYO9-0007Xa-2e; Sat, 15 Sep 2007 10:12:49 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1IWYO8-0007XV-5E for ldapext@ietf.org; Sat, 15 Sep 2007 10:12:48 -0400
Received: from ns1.sys-net.it ([194.244.21.114] helo=mail.sys-net.it) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1IWYO6-00022o-IS for ldapext@ietf.org; Sat, 15 Sep 2007 10:12:48 -0400
Received: from [192.168.1.199] (dossi.sys-net.it [82.63.140.131]) (authenticated bits=0) by mail.sys-net.it (8.13.5.20060308/8.13.3) with ESMTP id l8FEBRqT029920 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT) for <ldapext@ietf.org>; Sat, 15 Sep 2007 16:11:30 +0200
Message-ID: <46EBE8A6.4090100@sys-net.it>
Date: Sat, 15 Sep 2007 16:13:58 +0200
From: Pierangelo Masarati <ando@sys-net.it>
User-Agent: Mail/News 1.5.0.8 (X11/20061210)
MIME-Version: 1.0
To: Ldapext <ldapext@ietf.org>
X-Enigmail-Version: 0.94.2.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
X-SysNet-MailScanner-Information: postmaster@sys-net.it
X-SysNet-MailScanner:
X-MailScanner-From: ando@sys-net.it
X-Spam-Score: -0.0 (/)
X-Scan-Signature: 6d95a152022472c7d6cdf886a0424dc6
Subject: [ldapext] Proposal of a companion control to draft-wahl-ldap-session
X-BeenThere: ldapext@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: LDAP Extension Working Group <ldapext.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/ldapext>, <mailto:ldapext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/ldapext>
List-Post: <mailto:ldapext@ietf.org>
List-Help: <mailto:ldapext-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/ldapext>, <mailto:ldapext-request@ietf.org?subject=subscribe>
Errors-To: ldapext-bounces@ietf.org
Hi all.
The draft in object proposes a control that a client can send along with
a request, and similarly a server can return along with a response, to
add session tracking information to LDAP operations when a client-server
operation is just part of a larger infrastructure.
I think that, in the spirit of a fair cooperation between components of
the same infrastructure, the session tracking control of
draft-wahl-ldap-session (1.3.6.1.4.1.21008.108.63.1) could be augmented
by a companion control that requests session tracking contents in
response to an operation, to allow the client to request information
about how a proxy handled the operation. The rationale behind it is
that a proxy, acting as a client in an operation that is chained across
a distributed system (I'm using the term "chain" in a loose manner, with
no direct reference to chained operations as described in X.500), might
want to track how the operation is actually performed only in some
cases, so a server could be configured to return control
1.3.6.1.4.1.21008.108.63.1 only on demand.
I'm proposing this enhancement here instead of in a separate I.D.
because I think I need some preliminary feedback first, and also because
I think it is so closely related to draft-wahl-ldap-session that it
could even be integrated in it, if considered appropriate. Based on
discussion, if any, I plan to start implementing it in OpenLDAP very soon.
The semantics of the proposed control is discussed below.
Cheers, p.
- o --- o --- o -
This control solicits a response containing the same type of information
of control 1.3.6.1.4.1.21008.108.63.1 for informational purposes.
request control: sessionTrackingRequest
OID: TBA
criticality: TRUE or FALSE
value: propagate BOOLEAN OPTIONAL
if the server is willing to propagate the control, this occurs only if
propagate is not FALSE.
if the server is not willing to propagate the control and propagate is
TRUE, if criticality is TRUE, the operation is bounced returning
unwillingToPerform, otherwise if criticality is FALSE the control is
ignored.
if the client has no preference about control propagation, the control
value MUST be absent.
response control: sessionTrackingRequest
OID: TBA
criticality: FALSE as per RFC 4511
four response scenarios:
1. [in case of request criticality == FALSE]
the control is absent (not recognized, or unwillingToPerform
because of local privacy/security policy considerations)
2. [in case of request criticality == TRUE]
the response is unwillingToPerform (not recognized, or because
of local privacy/security policy considerations)
3. [regardless of request criticality]
the control is present, but the value is absent: the request
has been handled locally, or the server is pretending so
4. [regardless of request criticality]
the control is present, with value as per 1.3.6.1.4.1.21008.108.63.1
If value is present, it SHALL contain information as per
1.3.6.1.4.1.21008.108.63.1 related to the remote server that was
contacted to perform the operation. It is left to the DSA's discretion
(based on local privacy/security policy considerations) to propagate the
control request along with the operation, according to the semantics of
the "propagate" in the request, and to return any other instance of the
control response along with the response to the operation; in this case
there might be multiple instances of the control in the response.
If the server is willing to provide 1.3.6.1.4.1.21008.108.63.1 in the
response, and sessionTrackingRequest was issued and not ignored, it
SHALL return sessionTrackingRequest instead.
The same security considerations of draft-wahl-ldap-session apply.
Ing. Pierangelo Masarati
OpenLDAP Core Team
SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office: +39 02 23998309
Mobile: +39 333 4963172
Email: pierangelo.masarati@sys-net.it
---------------------------------------
_______________________________________________
Ldapext mailing list
Ldapext@ietf.org
https://www1.ietf.org/mailman/listinfo/ldapext
- [ldapext] Proposal of a companion control to draf… Pierangelo Masarati