Re: Changes to {C}LDAP ASN.1
Simon E Spero <ses@tipper.oit.unc.edu> Tue, 23 November 1993 00:24 UTC
Received: from ietf.nri.reston.va.us by IETF.CNRI.Reston.VA.US id aa14545;
22 Nov 93 19:24 EST
Received: from CNRI.RESTON.VA.US by IETF.CNRI.Reston.VA.US id aa14541;
22 Nov 93 19:24 EST
Received: from haig.cs.ucl.ac.uk by CNRI.Reston.VA.US id aa19471;
22 Nov 93 19:24 EST
Received: from bells.cs.ucl.ac.uk by haig.cs.ucl.ac.uk with local SMTP
id <g.08276-0@haig.cs.ucl.ac.uk>; Mon, 22 Nov 1993 23:20:57 +0000
Received: from tipper.oit.unc.edu by bells.cs.ucl.ac.uk with Internet SMTP
id <g.11441-0@bells.cs.ucl.ac.uk>; Mon, 22 Nov 1993 23:20:39 +0000
Received: from localhost.oit.unc.edu by tipper.oit.unc.edu (SMI4.1/FvK 1.02)
id AA01338; Mon, 22 Nov 93 09:41:43 EST
Message-Id: <9311221441.AA01338@tipper.oit.unc.edu>
To: Tim Howes <tim@terminator.rs.itd.umich.edu>
Cc: osi-ds@cs.ucl.ac.uk
Subject: Re: Changes to {C}LDAP ASN.1
In-Reply-To: Your message of "Sat, 20 Nov 93 00:31:34 EST."
<199311200531.AAA22101@terminator.rs.itd.umich.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Mon, 22 Nov 93 09:41:42 -0500
Sender: ietf-archive-request@IETF.CNRI.Reston.VA.US
From: Simon E Spero <ses@tipper.oit.unc.edu>
Tim Howes <tim@terminator.rs.itd.umich.edu> writes: > >> 3) Add new protocolOp grouped Request and grouped Response; >Can you explain in a little more detail what this is for? This is to allow binding with CLDAP, so that that connectionless messages can still be authenticated. CLDAP at the moment uses just anonymous binds, and whilst not forbidding modification requests, discourages them. There are several applications where there may be changes requests issued several times a second (for example, when using the directory to manage a caching file store with name->location mapping. LDAP connections may be too heavy for this; this seemed to be the simplest way of handling things. The other alternative was to have a boundRequest which carried a bindRequest and one other message. However, that doesn't solve the problems of multiple results. >> mesh, as gatewaying becomes simpler. >So this is a clue for the LDAP server to know where to go for the info? A very strong suggestion... The reason for suggesting this change is to handle some of the problems that may occur when dealing with referrals that might point to hetrogenous directory servers. For example, if the client gets a referral to a server that only supports Fat DAP, allowing the client to specify a gatewaying machine makes things easier. This change isn't strictly necessary, as the client could re-issue the request in chainonly mode; this has the effect of requiring all servers to be able to dereference everything they issue referrals to. > >> 5) Add new value to scope enumeration: namedHierarchy (3). >> Add new element to searchRequest - hierarchyName. >> Add new enumerated type "sendReferrals" indicating relative >> preferences for referrals vs chaining. > >I don't really get the namedHierarchy and hierarchyName stuff. It's >for when you want to search a centroid instead of the ldap (x500) >directory, right? How does the ldap server translate the attribute type >into a centroid location, or does it hold it locally, or is it specified >in a bindingTarget URL? I should have used IA5String instead of AttributeType ... sorry. The namedHierachy bits are related to centroids, but not functionally independent; either can work without the other, but some synergy is lost. The named hierachies allow each directory server to be part of many different directory "trees"; the effect is to let searching be constrained in ways that help reduce the resulting cost-path to the objects found. For example, the value "topology" signifies a network relationship between two servers; if I search with the scope set to "topology", then I should not be offered referrals to servers only reachable via other hiearachies. This is pretty hard to show without a slide... Take the case of UNC, MCNC Concert, Sun East (RTP), and Sun HQ. Assume that Concert is manages the Triangle Area server; If someone at UNC or Sun East searches for the nearest West Indian deli, the MCNC is obviously the right server to move up to when doing a bottom up search if there are no matches on the local server. When a person at UNC starts looking for a copy of gnu-emacs, MCNC would also be the best upwards link. However, since Sun East is on Sun's private network, moving towards MCNC would give highly sub-optimal results (packets might have to cross the country twice). > >Multiple values (entries) are allowed to be returned, they just come >back in separate messages. Do you mean you want to be able to combine >multiple search entry responses in a single response? The reason it >was split up the way it was is to allow streaming of the results (client >can start processing the first part of a large result before the whole >I didn't find the one entry at a time thing a hardship when implementing. It's not really a problem when doing LDAP plain and simple, but for CLDAP it becomes a little trickier, as one can no longer use the message id to detect duplicate responses, etc. Simon
- Changes to {C}LDAP ASN.1 Simon E Spero
- Re: Changes to {C}LDAP ASN.1 Tim Howes
- Re: Changes to {C}LDAP ASN.1 Simon E Spero
- Re: Changes to {C}LDAP ASN.1 Steve Kille