IETF Logo Mail Archive

Re: [ldapext] password policy response control question

"Kurt D. Zeilenga" <Kurt@OpenLDAP.org> Mon, 08 May 2006 23:39 UTC

Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1FdFKW-0001bN-MM; Mon, 08 May 2006 19:39:56 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1FdFKV-0001ad-Cj for ldapext@ietf.org; Mon, 08 May 2006 19:39:55 -0400
Received: from stsc1260-eth-s1-s1p1-vip.va.neustar.com ([156.154.16.129] helo=chiedprmail1.ietf.org) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1FdFKV-0000Ye-BE for ldapext@ietf.org; Mon, 08 May 2006 19:39:55 -0400
Received: from boole.openldap.org ([204.152.186.50]) by chiedprmail1.ietf.org with esmtp (Exim 4.43) id 1FdF3M-0006D6-Fo for ldapext@ietf.org; Mon, 08 May 2006 19:22:14 -0400
Received: from gypsy.OpenLDAP.org (24-205-218-53.dhcp.crcy.nv.charter.com [24.205.218.53] (may be forged)) (authenticated bits=0) by boole.openldap.org (8.13.3/8.13.3) with ESMTP id k48NK9KU050454 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Mon, 8 May 2006 23:20:10 GMT (envelope-from Kurt@OpenLDAP.org)
Message-Id: <7.0.1.0.0.20060508161240.03a47b98@OpenLDAP.org>
X-Mailer: QUALCOMM Windows Eudora Version 7.0.1.0
Date: Mon, 08 May 2006 16:19:51 -0700
To: Pete Rowley <prowley@redhat.com>
From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
Subject: Re: [ldapext] password policy response control question
In-Reply-To: <445FCE43.3070307@redhat.com>
References: <33821.131.175.154.56.1147076220.squirrel@131.175.154.56> <52681ACFF63C114F8A3C3651FC9D301F26B175@AUSYMS11.ca.com> <34131.131.175.154.56.1147082584.squirrel@131.175.154.56> <445FCE43.3070307@redhat.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
X-Spam-Score: -2.6 (--)
X-Scan-Signature: 0ddefe323dd869ab027dbfff7eff0465
Cc: "Ramsay, Ron" <Ron.Ramsay@ca.com>, ldapext@ietf.org, John McMeeking <jmcmeek@us.ibm.com>
X-BeenThere: ldapext@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: LDAP Extension Working Group <ldapext.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/ldapext>, <mailto:ldapext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/ldapext>
List-Post: <mailto:ldapext@ietf.org>
List-Help: <mailto:ldapext-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/ldapext>, <mailto:ldapext-request@ietf.org?subject=subscribe>
Errors-To: ldapext-bounces@ietf.org

A control can be recognized by the server and hence
published in supportedControl but current unavailable.
I also note that supportedControl may be visible to
the client.  But I think this is a bit of digression.

IMO, If a request control has an associated response control,
that response control should be returned whenever the
request control is made use of in processing the operation.
No exceptions.  Having a request control that sometimes has,
sometimes hasn't a response control is bad.

Kurt

At 04:03 PM 5/8/2006, Pete Rowley wrote:
>Pierangelo Masarati wrote:
>>>Hmmm. I didn't think the control was required to be marked 'critical'
>>>    
>>
>>from <draft-behera-ldap-password-policy-09>
>>
>>   The controlType is 1.3.6.1.4.1.42.2.27.8.5.1 and the criticality may
>>   be TRUE or FALSE.  There is no controlValue.
>>
>>
>>  
>>>but, if it is, then you are correct that the control will have been
>>>recognised if the request was performed. (Your remark "when the control
>>>is not critical" makes me believe that you don't understand the use of
>>>the criticality flag. For example, you cannot respond with
>>>"unavailableCriticalExtension" if the control is not marked critical.)
>>>    
>>
>>I believe I understand it.  That's why I agree that if no criticality was
>>set in the request, a control response with no value should be sent to
>>clarify that the DSA understood the control.
>>
>>  
>If the client needs to know that there support for the control, doing so by altering the flow of the protocol is not the way to do it, particularly when the change in flow is unrelated to the mechanism that caused it.  The client should examine the root DSE entry for supported controls, and should be able to expect the same behavior whether it marks the control critical or not. Marking a control non-critical implies a level of indifference as to whether its function is understood and performed and I fail to see the need to inform those who are indifferent.
>
>-- 
>Pete
>
>
>
>
>_______________________________________________
>Ldapext mailing list
>Ldapext@ietf.org
>https://www1.ietf.org/mailman/listinfo/ldapext


_______________________________________________
Ldapext mailing list
Ldapext@ietf.org
https://www1.ietf.org/mailman/listinfo/ldapext

v2.23.0 | Report a Bug | By Email