internet spy

From list@netscape.com Tue Feb 1 21:41:09 2000 Received: from netscape.com (h-205-217-237-46.netscape.com [205.217.237.46]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id VAA12965 for ; Tue, 1 Feb 2000 21:41:08 -0500 (EST) Received: from aka.mcom.com (aka.mcom.com [205.217.237.180]) by netscape.com (8.8.5/8.8.5) with ESMTP id SAA26356; Tue, 1 Feb 2000 18:36:36 -0800 (PST) Received: (from list@localhost) by aka.mcom.com (8.8.5/8.7.3) id SAA15488; Tue, 1 Feb 2000 18:39:51 -0800 (PST) Resent-Date: Tue, 1 Feb 2000 18:39:51 -0800 (PST) Message-ID: <3897C2D9.2B1680F8@software.com> Date: Tue, 01 Feb 2000 21:38:33 -0800 From: sanjay jain Organization: Software.Com X-Mailer: Mozilla 4.5 [en] (WinNT; I) X-Accept-Language: en MIME-Version: 1.0 To: ietf-ldapext Subject: 'mail' attribute syntax Content-Type: text/html; charset=us-ascii Content-Transfer-Encoding: 7bit Resent-Message-ID: <"Vf1T0C.A.uxD.1j5l4"@glacier> Resent-From: ietf-ldapext@netscape.com X-Mailing-List: X-Loop: ietf-ldapext@netscape.com Precedence: list Resent-Sender: ietf-ldapext-request@netscape.com Content-Transfer-Encoding: 7bit could somebody please point me to the description
of 0.9.2342.19200300.100.3.5{256} attribute syntax.
It is 'mail' attribute syntax referred in http://www.alternic.com/drafts/drafts-s-t/draft-smith-ldap-inetorgperson-01.txt

thanks
sanjay From list@netscape.com Wed Feb 2 02:16:37 2000 Received: from netscape.com (h-205-217-237-46.netscape.com [205.217.237.46]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id CAA29212 for ; Wed, 2 Feb 2000 02:16:36 -0500 (EST) Received: from aka.mcom.com (aka.mcom.com [205.217.237.180]) by netscape.com (8.8.5/8.8.5) with ESMTP id XAA13703; Tue, 1 Feb 2000 23:11:01 -0800 (PST) Received: (from list@localhost) by aka.mcom.com (8.8.5/8.7.3) id XAA14316; Tue, 1 Feb 2000 23:14:16 -0800 (PST) Resent-Date: Tue, 1 Feb 2000 23:14:16 -0800 (PST) Message-Id: <3.0.5.32.20000201231834.00926770@pop.walltech.com> X-Sender: bgreenblatt@pop.walltech.com X-Mailer: QUALCOMM Windows Eudora Light Version 3.0.5 (32) Date: Tue, 01 Feb 2000 23:18:34 -0800 To: sanjay jain , ietf-ldapext From: Bruce Greenblatt Subject: Re: 'mail' attribute syntax In-Reply-To: <3897C2D9.2B1680F8@software.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Resent-Message-ID: <"F2E0H.A.afD.Hl9l4"@glacier> Resent-From: ietf-ldapext@netscape.com X-Mailing-List: X-Loop: ietf-ldapext@netscape.com Precedence: list Resent-Sender: ietf-ldapext-request@netscape.com Whenever you want to find out what an OID is, please check out Harald Alvestrand's OID Registry. I notice that it has moved since the last time I looked anything up there to: http://www.alvestrand.no/objectid It indicates that 0.9.2342.19200300 is used in RFC 1274 to define OIDs for the "Pilot" schema used in the X.500 directory pilot. Bruce At 09:38 PM 2/1/00 -0800, sanjay jain wrote: > could somebody please point me to the description >of 0.9.2342.19200300.1 > > > >00.3{256attribute ntax. > is 'mail' >attribute >syntax >referred >in >http://www.alternic.com/drafts/drafts-s-t/draft-smith-ldap-inetorgperson-01 .txt thanks >sanjay ============================================== Bruce Greenblatt, Ph. D. Directory Tools and Application Services, Inc. http://www.directory-applications.com From list@netscape.com Wed Feb 2 12:29:25 2000 Received: from netscape.com (h-205-217-237-47.netscape.com [205.217.237.47]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id MAA15986 for ; Wed, 2 Feb 2000 12:29:24 -0500 (EST) Received: from aka.mcom.com (aka.mcom.com [205.217.237.180]) by netscape.com (8.8.5/8.8.5) with ESMTP id JAA13674; Wed, 2 Feb 2000 09:26:40 -0800 (PST) Received: (from list@localhost) by aka.mcom.com (8.8.5/8.7.3) id JAA05720; Wed, 2 Feb 2000 09:28:16 -0800 (PST) Resent-Date: Wed, 2 Feb 2000 09:28:16 -0800 (PST) Message-Id: X-Mailer: Novell GroupWise Internet Agent 5.5.2.1 Date: Wed, 02 Feb 2000 10:27:53 -0700 From: "Mark Meredith" To: , Cc: , , , Subject: Re: I-D ACTION:draft-mmeredit-rootdse-vendor-info-00.txt Mime-Version: 1.0 Content-Type: multipart/alternative; boundary="=_98C13539.35546CA5" Resent-Message-ID: <"QVbryB.A.GZB.vkGm4"@glacier> Resent-From: ietf-ldapext@netscape.com X-Mailing-List: X-Loop: ietf-ldapext@netscape.com Precedence: list Resent-Sender: ietf-ldapext-request@netscape.com This is a MIME message. If you are reading this text, you may want to consider changing to a mail reader or gateway that understands how to properly handle MIME multipart messages. --=_98C13539.35546CA5 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: quoted-printable I am getting ready to do the second draft for vendor info. In going over all of the responses I have some questions about the = supportedFeature, and whether or not I should include it in this draft? The examples that Helmut asks about at the end: "Supported features: TLS, = Cram-MD5, schema-publishing, LDAP-ACL, Ldap-replication , etc ??" I think that these should be specified in their own specific attributes. I = am afraid that if something like supportedFeatures were present, it could = become a catch all for every new proposal, it may even get to the point = that it would be very hard to sift through the information to find what = you are looking for? So what does everyone think? Should I just go forward with the vendorName = and vendorVersion and let the supportedFeatures be a separate draft if at = all? Or have all three in this draft? -Mark Mark Meredith Novell Inc 122 E. 1700 S. Provo UT 84606 mark_meredith@novell.com 801-861-2645 --------------------- A boat in the harbor is safe,=20 but that is not what boats are for. --John A. Shed --------------------- >>> Helmut Volpers 11/21/99 02:47AM >>> Hi, > "Paul Leach (Exchange)" schrieb: >=20 > > -----Original Message----- > > From: Kurt D. Zeilenga [mailto:kurt@boolean.net] > > Sent: Friday, November 19, 1999 7:27 AM > > To: Mark Smith > > Cc: Peter Strong; Paul Leach (Exchange); Mark Meredith; ietf-ldapext >=20 > > Subject: Re: I-D ACTION:draft-mmeredit-rootdse-vendor-info-00.txt > > > > > > I'm thinking we just need to define an operational attribute for the >=20 > > root DSE: > > > > supportedFeature > > > > The values of this attribute are OBJECT IDENTIFIERs identifying > the > > supported optional or vendor-defined features which the > > server supports. > > > > ( supportedFeatureOID NAME 'supportedFeature' > > SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 USAGE dSAOperation ) > > > > The key is that it lists features directly and eliminates the > > need to maintain out of band feature lists for each vendor version. >=20 > This sounds fine to me. Having vendor name and version is fine, too, > as long as it is _explicitly_ declared that it isn't to be used to > discover features. I agree that the vendor name (or product name) and version is fine to find out with which product and which version I interwork etc. We for example support=20 RFC 1565 (Network Services Monitoring MIB) where all this information is already availible and it will not be a problem to make this information availible to a ldap-client when it retrieves the Root. But I hope we will not encourage client implementors to build there clients that they derive special features of the product from this information. For example: we support schema publishing over ldap but if an administrator set the access control that only special users (administrators) can read the ldapsubschema-subentry then a client have to live without exploring the schema. >=20 > In addition to the above, shouldn't one look at supported controls, > and what classes exist, rather than try to categorize everything as a > "feature"? Can somebody give me a real example for this feature list ? Is it something like: Supported features: TLS, Cram-MD5, schema-publishing, LDAP-ACL, Ldap-replication , etc ?? Bye Helmut --=_98C13539.35546CA5 Content-Type: text/html; charset=US-ASCII Content-Transfer-Encoding: quoted-printable

I am getting ready to do the second draft for vendor info.

In going over all of the responses I have some questions about the supportedFeature, and whether or not I should include it in this draft?

The examples that Helmut asks about at the end: "Supported features: TLS, Cram-MD5, schema-publishing, LDAP-ACL, Ldap-replication , etc ??"

I think that these should be specified in their own specific attributes. I am afraid that if something like supportedFeatures were present, it could become a catch all for every new proposal, it may even get to the point that it would be very hard to sift through the information to find what you are looking for?

So what does everyone think? Should I just go forward with the vendorName and vendorVersion and let the supportedFeatures be a separate draft if at all? Or have all three in this draft?

-Mark

Mark Meredith
Novell Inc
122 E. 1700 S. Provo UT 84606
mark_meredith@novell.com
801-861-2645
---------------------
A boat in the harbor is safe,
but that is not what boats are for.
--John A. Shed
---------------------

>>> Helmut Volpers <Helmut.Volpers@icn.siemens.de> 11/21/99 02:47AM >>>
Hi,

> "Paul Leach (Exchange)" schrieb:
>
> > -----Original Message-----
> > From: Kurt D. Zeilenga [mailto:kurt@boolean.net]
> > Sent: Friday, November 19, 1999 7:27 AM
> > To: Mark Smith
> > Cc: Peter Strong; Paul Leach (Exchange); Mark Meredith; ietf-ldapext
>
> > Subject: Re: I-D ACTION:draft-mmeredit-rootdse-vendor-info-00.txt
> >
> >
> > I'm thinking we just need to define an operational attribute for the
>
> > root DSE:
> >
> > supportedFeature
> >
> >    The values of this attribute are OBJECT IDENTIFIERs identifying
> the
> >    supported optional or vendor-defined features which the
> > server supports.
> >
> >     ( supportedFeatureOID NAME 'supportedFeature'
> >      SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 USAGE dSAOperation )
> >
> > The key is that it lists features directly and eliminates the
> > need to maintain out of band feature lists for each vendor version.
>
> This sounds fine to me. Having vendor name and version is fine, too,
> as long as it is _explicitly_ declared that it isn't to be used to
> discover features.

I agree that the vendor name (or product name) and version is fine to
find
out with which product and which version I interwork etc. We for example
support
RFC 1565 (Network Services Monitoring MIB) where all this information
is already availible and it will not be a problem to make this
information
availible to a ldap-client when it retrieves the Root.
But I hope we will not encourage client implementors to build there
clients
that they derive special features of the product from this information.
For example: we support schema publishing over ldap but if an
administrator
set the access control that only special users (administrators) can
read
the ldapsubschema-subentry then a client have to live without exploring
the
schema.
>
> In addition to the above, shouldn't one look at supported controls,
> and what classes exist, rather than try to categorize everything as a
> "feature"?

Can somebody give me a real example for this feature list ? Is it
something
like:

Supported features: TLS, Cram-MD5, schema-publishing, LDAP-ACL,
Ldap-replication , etc ??

Bye

Helmut

--=_98C13539.35546CA5-- From list@netscape.com Wed Feb 2 12:40:32 2000 Received: from netscape.com (h-205-217-237-46.netscape.com [205.217.237.46]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id MAA16374 for ; Wed, 2 Feb 2000 12:40:28 -0500 (EST) Received: from aka.mcom.com (aka.mcom.com [205.217.237.180]) by netscape.com (8.8.5/8.8.5) with ESMTP id JAA01553; Wed, 2 Feb 2000 09:35:49 -0800 (PST) Received: (from list@localhost) by aka.mcom.com (8.8.5/8.7.3) id JAA12709; Wed, 2 Feb 2000 09:39:05 -0800 (PST) Resent-Date: Wed, 2 Feb 2000 09:39:05 -0800 (PST) Message-ID: <38986CE9.87FC48F0@us.oracle.com> Date: Wed, 02 Feb 2000 09:44:09 -0800 From: Lok Sheung Organization: Oracle X-Mailer: Mozilla 4.06 [en] (WinNT; U) MIME-Version: 1.0 To: ietf-ldapext@netscape.com Subject: 'mailGroup' object class Content-Type: text/html; charset=us-ascii Content-Transfer-Encoding: 7bit Resent-Message-ID: <"CdSE2C.A.TGD.4uGm4"@glacier> Resent-From: ietf-ldapext@netscape.com X-Mailing-List: X-Loop: ietf-ldapext@netscape.com Precedence: list Resent-Sender: ietf-ldapext-request@netscape.com Content-Transfer-Encoding: 7bit 'mailGroup' is referenced in ftp://playground.sun.com/pub/laser/laser-1999-02-02.txt. Can someone point me where I can find the specification for 'mailGroup'?

Thanks

Lok From list@netscape.com Wed Feb 2 15:13:43 2000 Received: from netscape.com (h-205-217-237-46.netscape.com [205.217.237.46]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id PAA20093 for ; Wed, 2 Feb 2000 15:13:42 -0500 (EST) Received: from aka.mcom.com (aka.mcom.com [205.217.237.180]) by netscape.com (8.8.5/8.8.5) with ESMTP id MAA28369; Wed, 2 Feb 2000 12:09:06 -0800 (PST) Received: (from list@localhost) by aka.mcom.com (8.8.5/8.7.3) id MAA20962; Wed, 2 Feb 2000 12:12:23 -0800 (PST) Resent-Date: Wed, 2 Feb 2000 12:12:23 -0800 (PST) Message-ID: From: Gil Kirkpatrick To: "'Mark Meredith'" , paulle@Exchange.Microsoft.com, Helmut.Volpers@icn.siemens.de Cc: kurt@boolean.net, ietf-ldapext@netscape.com, mcs@netscape.com, pestrong@nortelnetworks.com Subject: RE: I-D ACTION:draft-mmeredit-rootdse-vendor-info-00.txt Date: Wed, 2 Feb 2000 13:09:46 -0700 X-Mailer: Internet Mail Service (5.5.2650.21) Resent-Message-ID: <"CO_CQC.A.QHF.m-Im4"@glacier> Resent-From: ietf-ldapext@netscape.com X-Mailing-List: X-Loop: ietf-ldapext@netscape.com Precedence: list Resent-Sender: ietf-ldapext-request@netscape.com Mark, I think you're right. The supportedFeature attribute can be a separate draft. I recommend getting the vendor info stuff done and consider the supportedFeature attr separately. -g Gil Kirkpatrick Director of Engineering NetPro > -----Original Message----- > From: Mark Meredith [SMTP:MMEREDIT@novell.com] > Sent: Wednesday, February 02, 2000 10:28 AM > To: paulle@Exchange.Microsoft.com; Helmut.Volpers@icn.siemens.de > Cc: kurt@boolean.net; ietf-ldapext@netscape.com; mcs@netscape.com; > pestrong@nortelnetworks.com > Subject: Re: I-D ACTION:draft-mmeredit-rootdse-vendor-info-00.txt > > I am getting ready to do the second draft for vendor info. > > In going over all of the responses I have some questions about the > supportedFeature, and whether or not I should include it in this draft? > > The examples that Helmut asks about at the end: "Supported features: TLS, > Cram-MD5, schema-publishing, LDAP-ACL, Ldap-replication , etc ??" > > I think that these should be specified in their own specific attributes. I > am afraid that if something like supportedFeatures were present, it could > become a catch all for every new proposal, it may even get to the point > that it would be very hard to sift through the information to find what > you are looking for? > > So what does everyone think? Should I just go forward with the vendorName > and vendorVersion and let the supportedFeatures be a separate draft if at > all? Or have all three in this draft? > > -Mark > > > Mark Meredith > Novell Inc > 122 E. 1700 S. Provo UT 84606 > mark_meredith@novell.com > 801-861-2645 > --------------------- > A boat in the harbor is safe, > but that is not what boats are for. > --John A. Shed > --------------------- > > >>> Helmut Volpers 11/21/99 02:47AM >>> > Hi, > > > "Paul Leach (Exchange)" schrieb: > > > > > -----Original Message----- > > > From: Kurt D. Zeilenga [mailto:kurt@boolean.net] > > > Sent: Friday, November 19, 1999 7:27 AM > > > To: Mark Smith > > > Cc: Peter Strong; Paul Leach (Exchange); Mark Meredith; ietf-ldapext > > > > > Subject: Re: I-D ACTION:draft-mmeredit-rootdse-vendor-info-00.txt > > > > > > > > > I'm thinking we just need to define an operational attribute for the > > > > > root DSE: > > > > > > supportedFeature > > > > > > The values of this attribute are OBJECT IDENTIFIERs identifying > > the > > > supported optional or vendor-defined features which the > > > server supports. > > > > > > ( supportedFeatureOID NAME 'supportedFeature' > > > SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 USAGE dSAOperation ) > > > > > > The key is that it lists features directly and eliminates the > > > need to maintain out of band feature lists for each vendor version. > > > > This sounds fine to me. Having vendor name and version is fine, too, > > as long as it is _explicitly_ declared that it isn't to be used to > > discover features. > > I agree that the vendor name (or product name) and version is fine to > find > out with which product and which version I interwork etc. We for example > support > RFC 1565 (Network Services Monitoring MIB) where all this information > is already availible and it will not be a problem to make this > information > availible to a ldap-client when it retrieves the Root. > But I hope we will not encourage client implementors to build there > clients > that they derive special features of the product from this information. > For example: we support schema publishing over ldap but if an > administrator > set the access control that only special users (administrators) can > read > the ldapsubschema-subentry then a client have to live without exploring > the > schema. > > > > In addition to the above, shouldn't one look at supported controls, > > and what classes exist, rather than try to categorize everything as a > > "feature"? > > Can somebody give me a real example for this feature list ? Is it > something > like: > > Supported features: TLS, Cram-MD5, schema-publishing, LDAP-ACL, > Ldap-replication , etc ?? > > Bye > > Helmut From list@netscape.com Wed Feb 2 15:41:16 2000 Received: from netscape.com (h-205-217-237-46.netscape.com [205.217.237.46]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id PAA20845 for ; Wed, 2 Feb 2000 15:41:15 -0500 (EST) Received: from aka.mcom.com (aka.mcom.com [205.217.237.180]) by netscape.com (8.8.5/8.8.5) with ESMTP id MAA01989; Wed, 2 Feb 2000 12:36:54 -0800 (PST) Received: (from list@localhost) by aka.mcom.com (8.8.5/8.7.3) id MAA29429; Wed, 2 Feb 2000 12:40:11 -0800 (PST) Resent-Date: Wed, 2 Feb 2000 12:40:11 -0800 (PST) Message-ID: <389895D5.1E86A581@netscape.com> Date: Wed, 02 Feb 2000 15:38:45 -0500 From: mcs@netscape.com (Mark C Smith) Organization: Netscape Communications X-Mailer: Mozilla 4.7 [en] (WinNT; U) X-Accept-Language: en MIME-Version: 1.0 To: Gil Kirkpatrick CC: "'Mark Meredith'" , paulle@Exchange.Microsoft.com, Helmut.Volpers@icn.siemens.de, kurt@boolean.net, ietf-ldapext@netscape.com, pestrong@nortelnetworks.com Subject: Re: I-D ACTION:draft-mmeredit-rootdse-vendor-info-00.txt References: Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Resent-Message-ID: <"UIQo0.A.jLH.qYJm4"@glacier> Resent-From: ietf-ldapext@netscape.com X-Mailing-List: X-Loop: ietf-ldapext@netscape.com Precedence: list Resent-Sender: ietf-ldapext-request@netscape.com Content-Transfer-Encoding: 7bit I agree -- keep your draft focused on the vendor info. stuff. It will be easier to make progress if you limit the scope of your document as much as possible. For the record, I don't like the idea of a general supportedFeature attribute (for the reasons Mark M. mentioned). We already have supportedExtension, supportedControl, supportedSASLMechanisms and so on, which are fairly specific and line up clearly with LDAP protocol extensions. I'd rather see us add additional specific attributes like those (if someone can demonstrate a clear need). -- Mark Smith iPlanet Directory Architect / Sun-Netscape Alliance My words are my own, not my employer's. Got LDAP? Gil Kirkpatrick wrote: > > Mark, I think you're right. The supportedFeature attribute can be a separate > draft. I recommend getting the vendor info stuff done and consider the > supportedFeature attr separately. > > -g > > Gil Kirkpatrick > Director of Engineering > NetPro > > > -----Original Message----- > > From: Mark Meredith [SMTP:MMEREDIT@novell.com] > > Sent: Wednesday, February 02, 2000 10:28 AM > > To: paulle@Exchange.Microsoft.com; Helmut.Volpers@icn.siemens.de > > Cc: kurt@boolean.net; ietf-ldapext@netscape.com; mcs@netscape.com; > > pestrong@nortelnetworks.com > > Subject: Re: I-D ACTION:draft-mmeredit-rootdse-vendor-info-00.txt > > > > I am getting ready to do the second draft for vendor info. > > > > In going over all of the responses I have some questions about the > > supportedFeature, and whether or not I should include it in this draft? > > > > The examples that Helmut asks about at the end: "Supported features: TLS, > > Cram-MD5, schema-publishing, LDAP-ACL, Ldap-replication , etc ??" > > > > I think that these should be specified in their own specific attributes. I > > am afraid that if something like supportedFeatures were present, it could > > become a catch all for every new proposal, it may even get to the point > > that it would be very hard to sift through the information to find what > > you are looking for? > > > > So what does everyone think? Should I just go forward with the vendorName > > and vendorVersion and let the supportedFeatures be a separate draft if at > > all? Or have all three in this draft? > > > > -Mark > > > > > > Mark Meredith > > Novell Inc > > 122 E. 1700 S. Provo UT 84606 > > mark_meredith@novell.com > > 801-861-2645 > > --------------------- > > A boat in the harbor is safe, > > but that is not what boats are for. > > --John A. Shed > > --------------------- > > > > >>> Helmut Volpers 11/21/99 02:47AM >>> > > Hi, > > > > > "Paul Leach (Exchange)" schrieb: > > > > > > > -----Original Message----- > > > > From: Kurt D. Zeilenga [mailto:kurt@boolean.net] > > > > Sent: Friday, November 19, 1999 7:27 AM > > > > To: Mark Smith > > > > Cc: Peter Strong; Paul Leach (Exchange); Mark Meredith; ietf-ldapext > > > > > > > Subject: Re: I-D ACTION:draft-mmeredit-rootdse-vendor-info-00.txt > > > > > > > > > > > > I'm thinking we just need to define an operational attribute for the > > > > > > > root DSE: > > > > > > > > supportedFeature > > > > > > > > The values of this attribute are OBJECT IDENTIFIERs identifying > > > the > > > > supported optional or vendor-defined features which the > > > > server supports. > > > > > > > > ( supportedFeatureOID NAME 'supportedFeature' > > > > SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 USAGE dSAOperation ) > > > > > > > > The key is that it lists features directly and eliminates the > > > > need to maintain out of band feature lists for each vendor version. > > > > > > This sounds fine to me. Having vendor name and version is fine, too, > > > as long as it is _explicitly_ declared that it isn't to be used to > > > discover features. > > > > I agree that the vendor name (or product name) and version is fine to > > find > > out with which product and which version I interwork etc. We for example > > support > > RFC 1565 (Network Services Monitoring MIB) where all this information > > is already availible and it will not be a problem to make this > > information > > availible to a ldap-client when it retrieves the Root. > > But I hope we will not encourage client implementors to build there > > clients > > that they derive special features of the product from this information. > > For example: we support schema publishing over ldap but if an > > administrator > > set the access control that only special users (administrators) can > > read > > the ldapsubschema-subentry then a client have to live without exploring > > the > > schema. > > > > > > In addition to the above, shouldn't one look at supported controls, > > > and what classes exist, rather than try to categorize everything as a > > > "feature"? > > > > Can somebody give me a real example for this feature list ? Is it > > something > > like: > > > > Supported features: TLS, Cram-MD5, schema-publishing, LDAP-ACL, > > Ldap-replication , etc ?? > > > > Bye > > > > Helmut From list@netscape.com Fri Feb 4 06:35:26 2000 Received: from netscape.com (h-205-217-237-47.netscape.com [205.217.237.47]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id GAA21903 for ; Fri, 4 Feb 2000 06:35:25 -0500 (EST) Received: from aka.mcom.com (aka.mcom.com [205.217.237.180]) by netscape.com (8.8.5/8.8.5) with ESMTP id DAA03149; Fri, 4 Feb 2000 03:32:38 -0800 (PST) Received: (from list@localhost) by aka.mcom.com (8.8.5/8.7.3) id DAA27352; Fri, 4 Feb 2000 03:34:16 -0800 (PST) Resent-Date: Fri, 4 Feb 2000 03:34:16 -0800 (PST) From: zq2qOi7e5@werner.exp-math.uni-essen.de DATE: 04 Feb 00 6:34:14 AM Message-ID: SUBJECT: ==>=>=> FREE PCS Cell Phone! <=<=<== lsdkjd3 Apparently-To: Apparently-To: Apparently-To: Apparently-To: Apparently-To: Apparently-To: Apparently-To: Apparently-To: Apparently-To: Apparently-To: Apparently-To: Apparently-To: Apparently-To: Apparently-To: Apparently-To: Apparently-To: Apparently-To: Apparently-To: Apparently-To: Apparently-To: Apparently-To: Apparently-To: Apparently-To: Apparently-To: Resent-Message-ID: <"ovUaED.A.1qG.2krm4"@glacier> To: ietf-ldapext@netscape.com Resent-From: ietf-ldapext@netscape.com X-Mailing-List: X-Loop: ietf-ldapext@netscape.com Precedence: list Resent-Sender: ietf-ldapext-request@netscape.com How to get the 1st and ONLY Free PCS Digital Cell Phone with NO Long Distance and NO Roaming ANYTIME MINUTES. Now Available on the Net! Bad credit... No problem. You will be notified if you need to make a deposit to activate service. That's right! You get a *FREE* PCS Digital Cell Phone. Unprecedented Nationwide, Limited Time Offer!!! Your Free Digital Phone includes the following: * Choice of a Samsung model # SCH-2000 or Qualcomm Thin Phone [These phones would cost you over $200.00 at any retail Cellular store - we have no store overhead so you Save money.] * All NEW phones. * No Activation Fee. * No Up-Front Cost. The first bill is within 30 days from date received. [ All you pay is sales tax on the phone.] * FREE Long Distance and Roaming. * FREE Caller ID. * FREE Call Waiting. * FREE VoiceMail. * FREE Paging. [Get rid of your pager bill] * FREE First Incoming Minute. * FREE Home Charger. * Lightweight -- 6 oz. * Crystal Clear digital NATIONWIDE* PCS service [USA Only] [Nations BEST Digital Carrier] * Choice of Voice Activation on Samsung model only. * FREE Delivery by UPS within 10-15 working days of approval. * 30 day return policy [restrictions may apply]. * There is no better cell phone Deal on the planet! Hi Folks: Want or need a free cell phone? Sure everyone does. Nice to have for emergencies. Easy to qualify. Just fill out the form below & fax it to us. [If you are not approved, you will be notified as to your need for a deposit] TO ORDER and receive your FREE CELL PHONE just print this message and fill out the simple application form. Then fax only the application to the number below. You should have your new cell phone within 10-15 business days of "approval." [Not from the time you fax it.] Sorry, no email orders. Is there any question that this is an incredible opportunity? Apply now for the best wireless phone service for the new millennium and get your new, FREE PCS digital cell phone. You can't lose!!! Don't pass up this incredible offer! Go Ahead And Order Now! If due to the response to this offer the fax lines are busy please try again. Thanks, Bob Waterman Free Cell Phone Agent ------- CUT HERE ------- Fax Order Center: (775) 522-0741 (The fax number IS ACTIVATED...call back immediately!) PLEASE PRINT or TYPE CLEARLY & FAX O N L Y this application page APPLICATION MUST BE COMPLETED OR IT WILL NOT BE PROCESSED. No blank fields. "VERY CLEARLY" TYPE or WRITE YOUR EMAIL ADDRESS HERE:_________________________________ NAME First:__________________ M.I. ____ Last:__________________________ USA Address:______________________________________Apt#.___________ City:_______________________________ST:________ Zip:_________ County:_______________________[NEEDED TO FIND YOUR COVERAGE AREA] (*No coverage in MT, MS, NC, SC, AK) SS#________________________ Date Of Birth:______/_____/___________ DL#:__________________________ Exp. Date:_____/_____/_______ Home Ph#:(___)_______________[NO PAGER NUMBERS] Work Ph#:(____)_____________Ext#:______[NO PAGER NUMBERS] Best Time To Call:_________________________ Time Zone:_____________ YOUR Business or EMPLOYER Information: Check one: ____Self employed ____Employee If Self Employed your business license # ______________ or Sales Tax ID #_____________ COMPANY NAME:________________________________________________ ADDRESS:______________________________________ City:_______________________________ST:________ Zip:_________ Phone #:______________________ Check phone model you want: ___Samsung model # SCH-2000 ___ Qualcomm Thin Phone Calling Plans: Check the one you want. You can upgrade or downgrade at any time. _____$ 29.99/month for 120 ANYTIME MIN.[over plan per min charge $.35 cents] _____$ 49.99/month for 400 ANYTIME MIN.[over plan per min charge $.30 cents] _____$ 69.99/month for 600 ANYTIME MIN.[over plan per min charge $.25 cents] _____$ 99.99/month for 1,000 ANYTIME MIN.[over plan per min charge $.25 cents] _____$ 149.99/month for 1,500 ANYTIME MIN.[over plan per min charge $.25 cents] Signature: (BW) __________________________________ Date:_____/_____/___________ NO UPFRONT MONEY - your first bill within 30 days from receipt of phone. [2 year Air Time contract] BW Authorization for credit check and contract approved by my signature. Check your application status by calling 435-508-1156 Fax Order Center: (775) 522-0741 ------- CUT HERE ------- =-=-=-=-=-=-=-=-=-=-REMOVE INSTRUCTIONS-=-=-=-=-=-=-=-= Please follow the instructions below to be removed from our in-house mailing list. We will immediately take action to remove you from future mailings. Access the website below. If this service page has been shut down, it is because someone actually complained about this service!!! If this is the case, sorry for the inconvenience. http://sede.aecoc.es%647key=removeremoveindex=ixbtl730iq%403522794361/~joe b/remove/21268.htm From list@netscape.com Fri Feb 4 09:24:58 2000 Received: from netscape.com (h-205-217-237-47.netscape.com [205.217.237.47]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id JAA27818 for ; Fri, 4 Feb 2000 09:24:57 -0500 (EST) Received: from aka.mcom.com (aka.mcom.com [205.217.237.180]) by netscape.com (8.8.5/8.8.5) with ESMTP id GAA13988; Fri, 4 Feb 2000 06:20:54 -0800 (PST) Received: (from list@localhost) by aka.mcom.com (8.8.5/8.7.3) id GAA28558; Fri, 4 Feb 2000 06:22:32 -0800 (PST) Resent-Date: Fri, 4 Feb 2000 06:22:32 -0800 (PST) Message-Id: <3.0.3.32.20000204142450.006fb394@mailhome.rdg.opengroup.org> X-Sender: cjh@mailhome.rdg.opengroup.org X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32) Date: Fri, 04 Feb 2000 14:24:50 +0000 To: directory@opengroup.org, ietf-ldapext@netscape.com From: Chris Harding Subject: (c.harding 38467) bug in blits Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Resent-Message-ID: <"jWigS.A.89G.nCum4"@glacier> Resent-From: ietf-ldapext@netscape.com X-Mailing-List: X-Loop: ietf-ldapext@netscape.com Precedence: list Resent-Sender: ietf-ldapext-request@netscape.com Hi - It seems a bit surprising that this hasn't come up before. Should we change BLITS as suggested? >From: Christopher Oliva >To: "'capple@att.com'" , > "'c.harding@opengroup.org'" > , > "'ludovic.poitou@france.sun.com'" > >Subject: (c.harding 38467) bug in blits >Date: Thu, 3 Feb 2000 14:26:36 -0500 >X-Mailer: Internet Mail Service (5.5.2650.21) >Comments: (c.harding 38467) > >Hi, > >I have a bug report for the following tests in the BLITS suite: > >3.3.2.9.2 >3.3.2.9.3 >3.3.2.9.4 > >They are testing the ldap server response to a search where no entries match >the search filter. They require the "noSuchObject" error to be returned. In >reality, this is not correct. I can tell you that from working with many >(commercial release) directory products that none of them return this error. >The correct response from the server is a "success" code with no matching >search result entries i.e. there will be no matches and the search completes >successfully. > >The reason is in X.500. Clause 10.2.3 of X.511 (1997) says this: > >The search request succeeds if the baseObject is located, regardless of >whether there are any subordinates to return. > >Furthermore, noSuchObject is defined as follows in clause 12 of X.511: > >noSuchObject - The name supplied does not match the name of any object > >Applied to the search operation, this means the base object parameter of the >search (if it cannot be located) will result in this error. > >This is substantiated by the description of how an LDAPResult is constructed >in RFC 2251 4.1.10. > >As a result of this, I think the BLITS test should be changed. I think some >directory implementations may code the incorrect behaviour into their >products unless this is changed. > >Please let me know what you think. > >Chris. > > > Regards, Chris +++++ ------------------------------------------------------------------------- Chris Harding T H E Directory Program Manager O P E N Apex Plaza, Forbury Road, Reading RG1 1AX, UK G R O U P Mailto:c.harding@opengroup.org Ph: +44 118 950 8311 x2262 WWW: http://www.opengroup.org Fx: +44 118 950 0110 OSF/1, Motif, UNIX and the "X" device are registered trademarks in the US and other countries, and IT DialTone and The Open Group are trademarks of The Open Group. ------------------------------------------------------------------------- From list@netscape.com Fri Feb 4 10:03:34 2000 Received: from netscape.com (h-205-217-237-47.netscape.com [205.217.237.47]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id KAA29293 for ; Fri, 4 Feb 2000 10:03:34 -0500 (EST) Received: from aka.mcom.com (aka.mcom.com [205.217.237.180]) by netscape.com (8.8.5/8.8.5) with ESMTP id HAA18982; Fri, 4 Feb 2000 07:00:51 -0800 (PST) Received: (from list@localhost) by aka.mcom.com (8.8.5/8.7.3) id HAA12016; Fri, 4 Feb 2000 07:02:29 -0800 (PST) Resent-Date: Fri, 4 Feb 2000 07:02:29 -0800 (PST) Message-ID: <389AE9BE.ACF64678@netscape.com> Date: Fri, 04 Feb 2000 10:01:18 -0500 From: mcs@netscape.com (Mark C Smith) Organization: iPlanet E-Commerce Solutions X-Mailer: Mozilla 4.7 [en] (WinNT; U) X-Accept-Language: en MIME-Version: 1.0 To: Chris Harding CC: directory@opengroup.org, ietf-ldapext@netscape.com Subject: Re: (c.harding 38467) bug in blits References: <3.0.3.32.20000204142450.006fb394@mailhome.rdg.opengroup.org> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Resent-Message-ID: <"jConCB.A.e7C.Eoum4"@glacier> Resent-From: ietf-ldapext@netscape.com X-Mailing-List: X-Loop: ietf-ldapext@netscape.com Precedence: list Resent-Sender: ietf-ldapext-request@netscape.com Content-Transfer-Encoding: 7bit Yes, it sounds to me like BLITS should be changed as Chris O. suggests. -- Mark Smith Directory & Security Group / iPlanet E-Commerce Solutions My words are my own, not my employer's. Got LDAP? Chris Harding wrote: > > Hi - > > It seems a bit surprising that this hasn't come up before. Should we change > BLITS as suggested? > > >From: Christopher Oliva > >To: "'capple@att.com'" , > > "'c.harding@opengroup.org'" > > , > > "'ludovic.poitou@france.sun.com'" > > > >Subject: (c.harding 38467) bug in blits > >Date: Thu, 3 Feb 2000 14:26:36 -0500 > >X-Mailer: Internet Mail Service (5.5.2650.21) > >Comments: (c.harding 38467) > > > >Hi, > > > >I have a bug report for the following tests in the BLITS suite: > > > >3.3.2.9.2 > >3.3.2.9.3 > >3.3.2.9.4 > > > >They are testing the ldap server response to a search where no entries match > >the search filter. They require the "noSuchObject" error to be returned. In > >reality, this is not correct. I can tell you that from working with many > >(commercial release) directory products that none of them return this error. > >The correct response from the server is a "success" code with no matching > >search result entries i.e. there will be no matches and the search completes > >successfully. > > > >The reason is in X.500. Clause 10.2.3 of X.511 (1997) says this: > > > >The search request succeeds if the baseObject is located, regardless of > >whether there are any subordinates to return. > > > >Furthermore, noSuchObject is defined as follows in clause 12 of X.511: > > > >noSuchObject - The name supplied does not match the name of any object > > > >Applied to the search operation, this means the base object parameter of the > >search (if it cannot be located) will result in this error. > > > >This is substantiated by the description of how an LDAPResult is constructed > >in RFC 2251 4.1.10. > > > >As a result of this, I think the BLITS test should be changed. I think some > >directory implementations may code the incorrect behaviour into their > >products unless this is changed. > > > >Please let me know what you think. > > > >Chris. > > > > > From list@netscape.com Fri Feb 4 10:27:12 2000 Received: from netscape.com (h-205-217-237-47.netscape.com [205.217.237.47]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id KAA00037 for ; Fri, 4 Feb 2000 10:27:05 -0500 (EST) Received: from aka.mcom.com (aka.mcom.com [205.217.237.180]) by netscape.com (8.8.5/8.8.5) with ESMTP id HAA21460; Fri, 4 Feb 2000 07:24:11 -0800 (PST) Received: (from list@localhost) by aka.mcom.com (8.8.5/8.7.3) id HAA19652; Fri, 4 Feb 2000 07:25:50 -0800 (PST) Resent-Date: Fri, 4 Feb 2000 07:25:50 -0800 (PST) Sender: vinnie@oasis.ireland.Sun.COM Message-ID: <389AEE8D.2E4A19C6@Ireland.Sun.COM> Date: Fri, 04 Feb 2000 15:21:49 +0000 From: Vincent Ryan Organization: Sun Microsystems X-Mailer: Mozilla 4.7 [en] (X11; I; SunOS 5.7 sun4u) X-Accept-Language: en MIME-Version: 1.0 To: Chris Harding CC: directory@opengroup.org, ietf-ldapext@netscape.com Subject: Re: (c.harding 38467) bug in blits References: <3.0.3.32.20000204142450.006fb394@mailhome.rdg.opengroup.org> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Resent-Message-ID: <"IJ8ALB.A.yyE.99um4"@glacier> Resent-From: ietf-ldapext@netscape.com X-Mailing-List: X-Loop: ietf-ldapext@netscape.com Precedence: list Resent-Sender: ietf-ldapext-request@netscape.com Content-Transfer-Encoding: 7bit The tests listed below all attempt to perform a search at a non-existent entry. It is correct to expect a noSuchObject error to be returned. Admittedly, the Procedure clause in each of the test specifications is a little misleading and could be replaced with: Submit a {subtree | single-level | base-level} search request where the base object does not exist. Chris Harding wrote: > > Hi - > > It seems a bit surprising that this hasn't come up before. Should we change > BLITS as suggested? > > >From: Christopher Oliva > >To: "'capple@att.com'" , > > "'c.harding@opengroup.org'" > > , > > "'ludovic.poitou@france.sun.com'" > > > >Subject: (c.harding 38467) bug in blits > >Date: Thu, 3 Feb 2000 14:26:36 -0500 > >X-Mailer: Internet Mail Service (5.5.2650.21) > >Comments: (c.harding 38467) > > > >Hi, > > > >I have a bug report for the following tests in the BLITS suite: > > > >3.3.2.9.2 > >3.3.2.9.3 > >3.3.2.9.4 > > > >They are testing the ldap server response to a search where no entries match > >the search filter. They require the "noSuchObject" error to be returned. In > >reality, this is not correct. I can tell you that from working with many > >(commercial release) directory products that none of them return this error. > >The correct response from the server is a "success" code with no matching > >search result entries i.e. there will be no matches and the search completes > >successfully. > > > >The reason is in X.500. Clause 10.2.3 of X.511 (1997) says this: > > > >The search request succeeds if the baseObject is located, regardless of > >whether there are any subordinates to return. > > > >Furthermore, noSuchObject is defined as follows in clause 12 of X.511: > > > >noSuchObject - The name supplied does not match the name of any object > > > >Applied to the search operation, this means the base object parameter of the > >search (if it cannot be located) will result in this error. > > > >This is substantiated by the description of how an LDAPResult is constructed > >in RFC 2251 4.1.10. > > > >As a result of this, I think the BLITS test should be changed. I think some > >directory implementations may code the incorrect behaviour into their > >products unless this is changed. > > > >Please let me know what you think. > > > >Chris. > > > > > > > > Regards, > > Chris > +++++ > > ------------------------------------------------------------------------- > Chris Harding > T H E Directory Program Manager > O P E N Apex Plaza, Forbury Road, Reading RG1 1AX, UK > G R O U P Mailto:c.harding@opengroup.org Ph: +44 118 950 8311 x2262 > WWW: http://www.opengroup.org Fx: +44 118 950 0110 > > OSF/1, Motif, UNIX and the "X" device are registered trademarks in > the US and other countries, and IT DialTone and The Open Group are > trademarks of The Open Group. > ------------------------------------------------------------------------- From list@netscape.com Sun Feb 6 13:53:12 2000 Received: from netscape.com (h-205-217-237-47.netscape.com [205.217.237.47]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id NAA11390 for ; Sun, 6 Feb 2000 13:53:12 -0500 (EST) Received: from aka.mcom.com (aka.mcom.com [205.217.237.180]) by netscape.com (8.8.5/8.8.5) with ESMTP id KAA11111; Sun, 6 Feb 2000 10:50:22 -0800 (PST) Received: (from list@localhost) by aka.mcom.com (8.8.5/8.7.3) id KAA22224; Sun, 6 Feb 2000 10:51:56 -0800 (PST) Resent-Date: Sun, 6 Feb 2000 10:51:56 -0800 (PST) Message-Id: <4.2.2.20000206124644.00a4b580@popmail2.austin.ibm.com> X-Sender: stokes@popmail2.austin.ibm.com X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.2 Date: Sun, 06 Feb 2000 12:52:26 -0600 To: internet-drafts@ietf.org, Patrik =?iso-8859-1?Q?F=E4ltstr=F6m?= , Steve Coya From: Ellen Stokes Subject: please publish - draft-ietf-ldapext-acl-reqts-03.txt Cc: Keith Moore , Ned Freed , ietf-ldapext@netscape.com In-Reply-To: <234079.3158829413@[192.168.111.25]> References: Mime-Version: 1.0 Content-Type: multipart/mixed; boundary="=====================_7255096==_" Resent-Message-ID: <"n8FwDC.A.-aF.KLcn4"@glacier> Resent-From: ietf-ldapext@netscape.com X-Mailing-List: X-Loop: ietf-ldapext@netscape.com Precedence: list Resent-Sender: ietf-ldapext-request@netscape.com --=====================_7255096==_ Content-Type: text/plain; charset="iso-8859-1"; format=flowed Content-Transfer-Encoding: quoted-printable Please publish - it reflects the changes requested per IESG comments: 1. RFC2119 references: - used RFC 2696 as a model - modified the abstract to reflect the accepted wording - added a reference to RFC 2119 in the reference section ([bradner97] 2. Renamed reference [2] to [ecma] and reworded its reference in the glossary section. And yes, we used some of the definitions from the ECMA glossary, but only those pertinent to this requirements document. 3. Put in the correct 'Status of Memo' and 'Copyright' stuff and in the=20 same order as RFC 2696. Ellen At 12:36 PM 2/6/00 +0100, Patrik F=E4ltstr=F6m wrote: >--On 2000-02-04 12.27 -0500, Steve Coya wrote: > > > Ellen, > > > > You'll be submitting the update as an new I-D, right? > >Ellen, can you please see that you send in the new version of the document >to internet-drafts@ietf.org, and let me know when you see the announcement? > > Patrik > --=====================_7255096==_ Content-Type: text/plain; charset="iso-8859-1" Content-Disposition: attachment; filename="draft-ietf-ldapext-acl-reqts-03.txt" Content-Transfer-Encoding: quoted-printable LDAP Extensions Working Group E. Stokes Internet Draft D. Byrne Intended Category: Informational IBM Expires: 6 August 2000 B. Blakley Dascom P. Behera Netscape 6 February 2000 Access Control Requirements for LDAP STATUS OF THIS MEMO This document is an Internet-Draft and is in full conformance with all provisions of Section 10 of RFC2026. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet- Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. Comments and suggestions on this document are encouraged. Comments on this document should be sent to the LDAPEXT working group discussion list: ietf-ldapext@netscape.com COPYRIGHT NOTICE Copyright (C) The Internet Society (1997). All Rights Reserved. Stokes, et al. Expires 6 August 2000 [Page 1] =0C Internet Draft ACI Requirements February 2000 ABSTRACT This document describes the fundamental requirements of an access control list (ACL) model for the Lightweight Directory Application Protocol (LDAP) directory service. It is intended to be a gathering place for access control requirements needed to provide authorized access to and interoperability between directories. The keywords "MUST", "SHOULD", and "MAY" used in this document are to be interpreted as described in [bradner97]. 1. Introduction The ability to securely access (replicate and distribute) directory information throughout the network is necessary for successful deployment. LDAP's acceptance as an access protocol for directory information is driving the need to provide an access control model definition for LDAP directory content among servers within an enterprise and the Internet. Currently LDAP does not define an access control model, but is needed to ensure consistent secure access across heterogeneous LDAP implementations. The requirements for access control are critical to the successful deployment and acceptance of LDAP in the market place. The RFC 2119 terminology is used in this document. 2. Objectives The major objective is to provide a simple, but secure, highly efficient access control model for LDAP while also providing the appropriate flexibility to meet the needs of both the Internet and enterprise environments and policies. This generally leads to several general requirements that are discussed below. Stokes, et al. Expires 6 August 2000 [Page 2] =0C Internet Draft ACI Requirements February 2000 3. Requirements This section is divided into several areas of requirements: general, semantics/policy, usability, and nested groups (an unresolved issue). The requirements are not in any priority order. Examples and explanatory text is provided where deemed necessary. Usability is perhaps the one set of requirements that is generally overlooked, but must be addressed to provide a secure system. Usability is a security issue, not just a nice design goal and requirement. If it is impossible to set and manage a policy for a secure situation that a human can understand, then what was set up will probably be non-secure. We all need to think of usability as a functional security requirement. 3.1 General G1. Model SHOULD be general enough to support extensibility to add desirable features in the future. G2. When in doubt, safer is better, especially when establishing defaults. G3. ACL administration SHOULD be part of the LDAP protocol. Access control information MUST be an LDAP attribute. G4. Object reuse protection SHOULD be provided and MUST NOT inhibit implementation of object reuse. The directory SHOULD support policy controlling the re-creation of deleted DNs, particularly in cases where they are re- created for the purpose of assigning them to a subject other than the owner of the deleted DN. 3.2 Semantics / Policy S1. Omitted as redundant; see U8. S2. More specific policies must override less specific ones (e.g. individual user entry in ACL SHOULD take precedence over group entry) for the evaluation of an ACL. S3. Multiple policies of equal specificity SHOULD be Stokes, et al. Expires 6 August 2000 [Page 3] =0C Internet Draft ACI Requirements February 2000 combined in some easily-understood way (e.g. union or intersection). This is best understood by example. Suppose user A belongs to 3 groups and those 3 groups are listed on the ACL. Also suppose that the permissions for each of those groups are not identical. Each group is of equal specificity (e.g. each group is listed on the ACL) and the policy for granting user A access (given the example) SHOULD be combined in some easily understood way, such as by intersection or union. For example, an intersection policy here may yield a more limited access for user A than a union policy. S4. Newly created directory entries SHOULD be subject to a secure default policy. S5. Access policy SHOULD NOT be expressed in terms of attributes which the directory administrator or his organization cannot administer (e.g. groups whose membership is administered by another organization). S6. Access policy SHOULD NOT be expressed in terms of attributes which are easily forged (e.g. IP addresses). There may be valid reasons for enabling access based on attributes that are easily forged and the behavior/implications of doing that should be documented. S7. Humans (including administrators) SHOULD NOT be required to manage access policy on the basis of attributes which are not "human-readable" (e.g. IP addresses). S8. It MUST be possible to deny a subject the right to invoke a directory operation. The system SHOULD NOT require a specific implementation of denial (e.g. explicit denial, implicit denial). S9. The system MUST be able (semantically) to support either default-grant or default-deny semantics (not simultaneously). S10. The system MUST be able to support either union semantics or intersection semantics for aggregate subjects (not simultaneously). S11. Absence of policy SHOULD be interpretable as grant Stokes, et al. Expires 6 August 2000 [Page 4] =0C Internet Draft ACI Requirements February 2000 or deny. Deny takes precedence over grant among entries of equal specificity. S12. ACL policy resolution MUST NOT depend on the order of entries in the ACL. S13. Rights management MUST have no side effects. Granting a subject one right to an object MUST NOT implicitly grant the same or any other subject a different right to the same object. Granting a privilege attribute to one subject MUST NOT implicitly grant the same privilege attribute to any other subject. Granting a privilege attribute to one subject MUST NOT implicitly grant a different privilege attribute to the same or any other subject. Definition: An ACL's "scope" is defined =20 as the set of directory objects governed by the policy it defines; this set of objects is a sub-tree of the directory. Changing the policy asserted by an ACL (by changing one or more of its entries) MUST NOT implicitly change the policy governed by an ACL in a different scope. S14. It SHOULD be possible to apply a single policy to multiple directory entries, even if those entries are in different subtrees. Applying a single policy to multiple directory entries SHOULD NOT require creation and storage of multiple copies of the policy data. The system SHOULD NOT require a specific implementation (e.g. nested groups, named ACLs) of support for policy sharing. 3.3 Usability (Manageability) U1. When in doubt, simpler is better, both at the interface and in the implementation. U2. Subjects MUST be drawn from the "natural" LDAP namespace; they should be DNs. U3. It SHOULD NOT be possible via ACL administration to lock all users, including all administrators, out of the directory. U4. Administrators SHOULD NOT be required to evaluate arbitrary Boolean predicates in order to create or understand policy. Stokes, et al. Expires 6 August 2000 [Page 5] =0C Internet Draft ACI Requirements February 2000 U5. Administrators SHOULD be able to administer access to directories and their attributes based on their sensitivity, without having to understand the semantics of individual schema elements and their attributes (see U9). U6. Management of access to resources in an entire subtree SHOULD require only one ACL (at the subtree root). Note that this makes access control based explicitly on attribute types very hard, unless you constrain the types of entries in subtrees. For example, another attribute is added to an entry. That attribute may fall outside the grouping covered by the ACL and hence require additional administration where the desired affect is indeed a different ACL. Access control information specified in one administrative area MUST NOT have jurisdiction in another area. You SHOULD NOT be able to control access to the aliased entry in the alias. You SHOULD be able to control access to the alias name. U7. Override of subtree policy MUST be supported on a per-directory-entry basis. U8. Control of access to individual directory entry attributes (not just the whole directory entry) MUST be supported. U9. Administrator MUST be able to coarsen access policy granularity by grouping attributes with similar access sensitivities. U10. Control of access on a per-user granularity MUST be supported. U11. Administrator MUST be able to aggregate users (for example, by assigning them to groups or roles) to simplify administration. U12. It MUST be possible to review "effective access" of any user, group, or role to any entry's attributes. This aids the administrator in setting the correct policy. U13. A single administrator SHOULD be able to define policy for the entire directory tree. An administrator MUST be able to delegate policy administration for Stokes, et al. Expires 6 August 2000 [Page 6] =0C Internet Draft ACI Requirements February 2000 specific subtrees to other users. This allows for the partitioning of the entire directory tree for policy administration, but still allows a single policy to be defined for the entire tree independent of partitioning. (Partition in this context means scope of administration). An administrator MUST be able to create new partitions at any point in the directory tree, and MUST be able to merge a superior and subordinate partition. An administrator MUST be able to configure whether delegated access control information from superior partitions is to be accepted or not. U14. It MUST be possible to authorize users to traverse directory structure even if they are not authorized to examine or modify some traversed entries; it MUST also be possible to prohibit this. The tree structure MUST be able to be protected from view if so desired by the administrator. U15. It MUST be possible to create publicly readable entries, which may be read even by unauthenticated clients. U16. The model for combining multiple access control list entries referring to a single individual MUST be easy to understand. U17. Administrator MUST be able to determine where inherited policy information comes from, that is, where ACLs are located and which ACLs were applied. Where inheritance of ACLs is applied, it must be able to be shown how/where that new ACL is derived from. U18. It SHOULD be possible for the administrator to configure the access control system to permit users to grant additional access control rights for entries which they create. 4. Security Considerations Access control is a security consideration. This documents addresses the requirements. Stokes, et al. Expires 6 August 2000 [Page 7] =0C Internet Draft ACI Requirements February 2000 5. Glossary This glossary is intended to aid the novice not versed in depth about access control. It contains a list of terms and their definitions that are commonly used in discussing access control [emca]. Access control - The prevention of use of a resource by unidentified and/or unauthorized entities in any other that an authorized manner. Access control list - A set of control attributes. It is a list, associated with a security object or a group of security objects. The list contains the names of security subjects and the type of access that may be granted. Access control policy - A set of rules, part of a security policy, by which human users, or their representatives, are authenticated and by which access by these users to applications and other services and security objects is granted or denied. Access context - The context, in terms of such variables as location, time of day, level of security of the underlying associations, etc., in which an access to a security object is made. Authorization - The granting of access to a security object. Authorization policy - A set of rules, part of an access control policy, by which access by security subjects to security objects is granted or denied. An authorization policy may be defined in terms of access control lists, capabilities, or attributes assigned to security subjects, security objects, or both. Control attributes - Attributes, associated with a security object that, when matched against the privilege attributes of a security subject, are used to grant or deny access to the security object. An access control list or list of rights or time of day range are examples of control attributes. Stokes, et al. Expires 6 August 2000 [Page 8] =0C Internet Draft ACI Requirements February 2000 Credentials - Data that serve to establish the claimed identity of a security subject relative to a given security domain. Privilege attributes - Attributes, associated with a security subject that, when matched against control attributes of a security object, are used to grant or deny access to that subject. Group and role memberships are examples of privilege attributes. Security attributes - A general term covering both privilege attributes and control attributes. The use of security attributes is defined by a security policy. Security object - An entity in a passive role to which a security policy applies. Security policy - A general term covering both access control policies and authorization policies. Security subject - An entity in an active role to which a security policy applies. 6. References [ldap] Steve Kille, Tim Howes, M. Wahl, "Lightweight Directory Access Protocol (v3)", RFC 2251, August 1997. [ecma] ECMA, "Security in Open Systems: A Security Framework" ECMA TR/46, July 1988 [bradner97] Bradner, S., "Key Words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. AUTHOR(S) ADDRESS Bob Blakley Ellen Stokes Dascom IBM 5515 Balcones Drive 11400 Burnet Rd Austin, TX 78731 Austin, TX 78758 USA USA mail-to: blakley@dascom.com mail-to:= stokes@austin.ibm.com Stokes, et al. Expires 6 August 2000 [Page 9] =0C Internet Draft ACI Requirements February 2000 phone: +1 512 458 4037 ext 5012 phone: +1 512 838 3725 fax: +1 512 458 2377 fax: +1 512 838 0156 Debbie Byrne Prasanta Behera IBM Netscape 11400 Burnet Rd 501 Ellis Street Austin, TX 78758 Mountain View, CA 94043 USA USA mail-to: djbyrne@us.ibm.com mail-to:= prasanta@netscape.com phone: +1 512 838 1930 phone: +1 650 937 4948 fax: +1 512 838 8597 fax: +1 650 528-4164 Stokes, et al. Expires 6 August 2000 [Page 10] =0C Internet Draft ACI Requirements February 2000 7. Full Copyright Statement Copyright (C) The Internet Society (1999).=A0 All Rights Reserved. This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works.=A0 However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English. The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assigns. This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Acknowledgement Funding for the RFC Editor function is currently provided by the Internet Society. Stokes, et al. Expires 6 August 2000 [Page 11] =0C --=====================_7255096==_-- From list@netscape.com Sun Feb 6 16:33:38 2000 Received: from netscape.com (h-205-217-237-46.netscape.com [205.217.237.46]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id QAA12672 for ; Sun, 6 Feb 2000 16:33:37 -0500 (EST) Received: from aka.mcom.com (aka.mcom.com [205.217.237.180]) by netscape.com (8.8.5/8.8.5) with ESMTP id NAA11677; Sun, 6 Feb 2000 13:29:05 -0800 (PST) Received: (from list@localhost) by aka.mcom.com (8.8.5/8.7.3) id NAA11596; Sun, 6 Feb 2000 13:32:29 -0800 (PST) Resent-Date: Sun, 6 Feb 2000 13:32:29 -0800 (PST) Message-Id: <3.0.5.32.20000206133217.0096f100@infidel.boolean.net> X-Sender: guru@infidel.boolean.net X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.5 (32) Date: Sun, 06 Feb 2000 13:32:17 -0800 To: ietf-ldapext@netscape.com From: "Kurt D. Zeilenga" Subject: attributeTypes for AttributeDescriptions Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Resent-Message-ID: <"ogch0B.A.20C.shen4"@glacier> Resent-From: ietf-ldapext@netscape.com X-Mailing-List: X-Loop: ietf-ldapext@netscape.com Precedence: list Resent-Sender: ietf-ldapext-request@netscape.com RFC2252 appears to allow attributeTypes values such as: ( 1.2.3 NAME 'userCertificate;binary' SUP userCertificate SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 ) Is this an intended use? What are intended uses of attributeTypes values which name attribute descriptions? I assume that OID should be unique to the attributeTypes value and not that of the associated attribute type. Kurt From list@netscape.com Mon Feb 7 09:17:16 2000 Received: from netscape.com (h-205-217-237-47.netscape.com [205.217.237.47]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id JAA09888 for ; Mon, 7 Feb 2000 09:17:16 -0500 (EST) Received: from aka.mcom.com (aka.mcom.com [205.217.237.180]) by netscape.com (8.8.5/8.8.5) with ESMTP id GAA02235; Mon, 7 Feb 2000 06:14:24 -0800 (PST) Received: (from list@localhost) by aka.mcom.com (8.8.5/8.7.3) id GAA24278; Mon, 7 Feb 2000 06:16:05 -0800 (PST) Resent-Date: Mon, 7 Feb 2000 06:16:05 -0800 (PST) From: FRANK@XGLOBE.COM To: Date: Wed, 9 Feb 2000 01:20:09 Message-Id: <548.893204.468935@mail.mindspring.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Resent-Message-ID: <"yRE7R.A.E7F.kOtn4"@glacier> Resent-From: ietf-ldapext@netscape.com Subject: Unidentified subject! X-Mailing-List: X-Loop: ietf-ldapext@netscape.com Precedence: list Resent-Sender: ietf-ldapext-request@netscape.com Content-Transfer-Encoding: 7bit web sites offered for only 12.95 per month with a 40.00 set up. service includes hosting your own domain with your own "yourname@yourname.com" email address. all sites are prepaid annually in advance with a 90 day money back guarantee. all sites start at 5 megs. dial 1 888 248 0765 for more information. "." From list@netscape.com Mon Feb 7 12:41:16 2000 Received: from netscape.com (h-205-217-237-47.netscape.com [205.217.237.47]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id MAA16559 for ; Mon, 7 Feb 2000 12:41:15 -0500 (EST) Received: from aka.mcom.com (aka.mcom.com [205.217.237.180]) by netscape.com (8.8.5/8.8.5) with ESMTP id JAA25170; Mon, 7 Feb 2000 09:38:28 -0800 (PST) Received: (from list@localhost) by aka.mcom.com (8.8.5/8.7.3) id JAA19625; Mon, 7 Feb 2000 09:40:10 -0800 (PST) Resent-Date: Mon, 7 Feb 2000 09:40:10 -0800 (PST) Message-Id: <3.0.5.32.20000207094004.009392d0@infidel.boolean.net> X-Sender: guru@infidel.boolean.net X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.5 (32) Date: Mon, 07 Feb 2000 09:40:04 -0800 To: ietf-ldapext@netscape.com From: "Kurt D. Zeilenga" Subject: RFC2251: RootDSE subschemasubentry issue Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Resent-Message-ID: <"80IvXB.A.XyE.5Nwn4"@glacier> Resent-From: ietf-ldapext@netscape.com X-Mailing-List: X-Loop: ietf-ldapext@netscape.com Precedence: list Resent-Sender: ietf-ldapext-request@netscape.com As previously noted <8525679B.003DD02B.00@D51MTA04.pok.ibm.com>, RFC 2251 states subschemaSubentry attribute type within the Root DSE may contain multiple values though the attribute type is single valued. I do not believe it necessary to provide a mechanism to allow clients to obtain a complete list of subschema entries (or subentries) known to this server. This list could be quite large and, IMO, rather useless. Applications need to known which subschema controls which entries. I suggest that applications obtain the DN of the subschema entry (subentry) from either the entry(ies) they intend to access or from the entry at the root of the naming context. To resolve this issue, I suggest: RFC 2251, 3.4 "--subsubschemaSubentry" subsection be removed and that a note be added to the end of the section: Note: the subsubschemaSubentry attribute type, if present, contains the Distinguished Name of the subschema entry (or subentry) which controls the schema for the Root DSE. Comments? Kurt From list@netscape.com Mon Feb 7 13:16:44 2000 Received: from netscape.com (h-205-217-237-47.netscape.com [205.217.237.47]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id NAA18015 for ; Mon, 7 Feb 2000 13:16:42 -0500 (EST) Received: from aka.mcom.com (aka.mcom.com [205.217.237.180]) by netscape.com (8.8.5/8.8.5) with ESMTP id KAA03359; Mon, 7 Feb 2000 10:13:52 -0800 (PST) Received: (from list@localhost) by aka.mcom.com (8.8.5/8.7.3) id KAA09618; Mon, 7 Feb 2000 10:15:34 -0800 (PST) Resent-Date: Mon, 7 Feb 2000 10:15:34 -0800 (PST) Message-ID: From: "Salter, Thomas A" To: ietf-ldapext@netscape.com Subject: RE: attributeTypes for AttributeDescriptions Date: Mon, 7 Feb 2000 13:16:28 -0500 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: text/plain; charset="iso-8859-1" Resent-Message-ID: <"f61lnB.A.AWC.Fvwn4"@glacier> Resent-From: ietf-ldapext@netscape.com X-Mailing-List: X-Loop: ietf-ldapext@netscape.com Precedence: list Resent-Sender: ietf-ldapext-request@netscape.com RFC2252 allows this, but it's not consistent with the definition of ;binary. Both RFC 2251 and 2252 say that the binary option applies to the way the attribute value is transfered in protocol, not the way it is stored. That being the case, it wouldn't make sense to define two different OIDs for the same attribute. Your example also changes the syntax of the derived attribute. In X.500 that is illegal. X.501, 12.4.2 says "If the attribute syntax is indicated and the attribute has a direct supertype, the indicated syntax must be compatible with the supertype's syntax, i.e. every possible value satisfying the attribute's syntax must also satisfy the supertype's syntax." This is just expressing the usual notions of inheritance. There is also a statement about matching rules of the supertype applying to the subtype. I think these restrictions are all here to allow searching for the supertype to work as expected. > -----Original Message----- > From: Kurt D. Zeilenga [mailto:Kurt@OpenLDAP.org] > Sent: Sunday, February 06, 2000 4:32 PM > To: ietf-ldapext@netscape.com > Subject: attributeTypes for AttributeDescriptions > > > RFC2252 appears to allow attributeTypes values such as: > ( 1.2.3 NAME 'userCertificate;binary' SUP userCertificate > SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 ) > > Is this an intended use? What are intended uses of attributeTypes > values which name attribute descriptions? I assume that OID > should be unique to the attributeTypes value and not that of > the associated attribute type. > > Kurt > From list@netscape.com Mon Feb 7 13:41:07 2000 Received: from netscape.com (h-205-217-237-47.netscape.com [205.217.237.47]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id NAA18576 for ; Mon, 7 Feb 2000 13:41:06 -0500 (EST) Received: from aka.mcom.com (aka.mcom.com [205.217.237.180]) by netscape.com (8.8.5/8.8.5) with ESMTP id KAA08616; Mon, 7 Feb 2000 10:37:45 -0800 (PST) Received: (from list@localhost) by aka.mcom.com (8.8.5/8.7.3) id KAA22052; Mon, 7 Feb 2000 10:39:27 -0800 (PST) Resent-Date: Mon, 7 Feb 2000 10:39:27 -0800 (PST) Message-Id: <3.0.5.32.20000207103909.00986c80@infidel.boolean.net> X-Sender: guru@infidel.boolean.net X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.5 (32) Date: Mon, 07 Feb 2000 10:39:09 -0800 To: "Salter, Thomas A" From: "Kurt D. Zeilenga" Subject: RE: attributeTypes for AttributeDescriptions Cc: ietf-ldapext@netscape.com In-Reply-To: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Resent-Message-ID: <"d9kqlD.A.SYF.fFxn4"@glacier> Resent-From: ietf-ldapext@netscape.com X-Mailing-List: X-Loop: ietf-ldapext@netscape.com Precedence: list Resent-Sender: ietf-ldapext-request@netscape.com So, I ask: > > What are intended uses of attributeTypes values which > > name attribute descriptions? From list@netscape.com Mon Feb 7 15:07:42 2000 Received: from netscape.com (h-205-217-237-46.netscape.com [205.217.237.46]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id PAA20523 for ; Mon, 7 Feb 2000 15:07:40 -0500 (EST) Received: from aka.mcom.com (aka.mcom.com [205.217.237.180]) by netscape.com (8.8.5/8.8.5) with ESMTP id MAA12231; Mon, 7 Feb 2000 12:03:07 -0800 (PST) Received: (from list@localhost) by aka.mcom.com (8.8.5/8.7.3) id MAA15827; Mon, 7 Feb 2000 12:06:29 -0800 (PST) Resent-Date: Mon, 7 Feb 2000 12:06:29 -0800 (PST) Message-ID: From: "Salter, Thomas A" To: ietf-ldapext@netscape.com Subject: RE: attributeTypes for AttributeDescriptions Date: Mon, 7 Feb 2000 15:07:14 -0500 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: text/plain; charset="iso-8859-1" Resent-Message-ID: <"EC08C.A.n2D.DXyn4"@glacier> Resent-From: ietf-ldapext@netscape.com X-Mailing-List: X-Loop: ietf-ldapext@netscape.com Precedence: list Resent-Sender: ietf-ldapext-request@netscape.com maybe its different with language codes ? > -----Original Message----- > From: Kurt D. Zeilenga [mailto:Kurt@OpenLDAP.org] > Sent: Monday, February 07, 2000 1:39 PM > To: Salter, Thomas A > Cc: ietf-ldapext@netscape.com > Subject: RE: attributeTypes for AttributeDescriptions > > > So, I ask: > > > What are intended uses of attributeTypes values which > > > name attribute descriptions? > > From list@netscape.com Mon Feb 7 15:38:00 2000 Received: from netscape.com (h-205-217-237-47.netscape.com [205.217.237.47]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id PAA21139 for ; Mon, 7 Feb 2000 15:37:58 -0500 (EST) Received: from aka.mcom.com (aka.mcom.com [205.217.237.180]) by netscape.com (8.8.5/8.8.5) with ESMTP id MAA01203; Mon, 7 Feb 2000 12:35:07 -0800 (PST) Received: (from list@localhost) by aka.mcom.com (8.8.5/8.7.3) id MAA00829; Mon, 7 Feb 2000 12:36:50 -0800 (PST) Resent-Date: Mon, 7 Feb 2000 12:36:50 -0800 (PST) From: smd@iris.com Subject: Search reference question To: ietf-ldapext@netscape.com X-Mailer: Lotus Notes Build V60_01192000 January 19, 2000 Message-ID: Date: Mon, 7 Feb 2000 15:36:14 -0500 X-MIMETrack: Serialize by Router on Arista/Iris(Release 5.0.2b |December 16, 1999) at 02/07/2000 03:37:20 PM MIME-Version: 1.0 Content-type: text/plain; charset=us-ascii Resent-Message-ID: <"sgGSuD.A.tM.hzyn4"@glacier> Resent-From: ietf-ldapext@netscape.com X-Mailing-List: X-Loop: ietf-ldapext@netscape.com Precedence: list Resent-Sender: ietf-ldapext-request@netscape.com Section 4.5.3. of RFC 2251 states: In order to complete the search, the client MUST issue a new search operation for each SearchResultReference that is returned. Can someone help me with the interpretation. Does this mean that if a client receives a SearchResultReference it MUST issue a new search operation to the referenced server? Or rather, if the client wishes to complete the search it MUST (really should) issue a new search operation? Thanks, Scott M Davidson Iris Associates smd@iris.com (978) 392-5436 Five Technology Park Drive Westford, MA 01886 From list@netscape.com Mon Feb 7 15:46:33 2000 Received: from netscape.com (h-205-217-237-46.netscape.com [205.217.237.46]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id PAA21306 for ; Mon, 7 Feb 2000 15:46:31 -0500 (EST) Received: from aka.mcom.com (aka.mcom.com [205.217.237.180]) by netscape.com (8.8.5/8.8.5) with ESMTP id MAA18513; Mon, 7 Feb 2000 12:41:57 -0800 (PST) Received: (from list@localhost) by aka.mcom.com (8.8.5/8.7.3) id MAA05961; Mon, 7 Feb 2000 12:45:15 -0800 (PST) Resent-Date: Mon, 7 Feb 2000 12:45:15 -0800 (PST) Message-Id: X-Mailer: Novell GroupWise Internet Agent 5.5.2.1 Date: Mon, 07 Feb 2000 13:44:53 -0700 From: "Roger Harrison" To: , Subject: Re: Search reference question Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Disposition: inline Resent-Message-ID: <"WFZXpD.A.3cB.b7yn4"@glacier> Resent-From: ietf-ldapext@netscape.com X-Mailing-List: X-Loop: ietf-ldapext@netscape.com Precedence: list Resent-Sender: ietf-ldapext-request@netscape.com Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by ietf.org id PAA21306 Your second interpretation is correct. I think the sticking point here is what it meant by "complete." I believe that the authors are using the term complete to mean the entire set of entries for the given search (as opposed to the completion of a given search request). The fact that a SearchResultReference was sent by the server means that one or more entries will be missing from the set unless the client issues a new search operation for the SearchResultReference. Thus, the search will not be complete unless a new search operation is issued for the SearchResultReference. The client is not required to issue the new search request for each SearchResultReference, but the expected set of entries won't be complete until it does. Roger Harrison roger_harrison@novell.com Novell, Inc. >>> 02/07/00 01:37PM >>> Section 4.5.3. of RFC 2251 states: In order to complete the search, the client MUST issue a new search operation for each SearchResultReference that is returned. Can someone help me with the interpretation. Does this mean that if a client receives a SearchResultReference it MUST issue a new search operation to the referenced server? Or rather, if the client wishes to complete the search it MUST (really should) issue a new search operation? Thanks, Scott M Davidson Iris Associates smd@iris.com (978) 392-5436 Five Technology Park Drive Westford, MA 01886 From list@netscape.com Mon Feb 7 16:14:17 2000 Received: from netscape.com (h-205-217-237-46.netscape.com [205.217.237.46]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id QAA21921 for ; Mon, 7 Feb 2000 16:14:12 -0500 (EST) Received: from aka.mcom.com (aka.mcom.com [205.217.237.180]) by netscape.com (8.8.5/8.8.5) with ESMTP id NAA23256; Mon, 7 Feb 2000 13:09:25 -0800 (PST) Received: (from list@localhost) by aka.mcom.com (8.8.5/8.7.3) id NAA21244; Mon, 7 Feb 2000 13:12:51 -0800 (PST) Resent-Date: Mon, 7 Feb 2000 13:12:51 -0800 (PST) Message-Id: <3.0.5.32.20000207131242.00987aa0@infidel.boolean.net> X-Sender: guru@infidel.boolean.net X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.5 (32) Date: Mon, 07 Feb 2000 13:12:42 -0800 To: smd@iris.com From: "Kurt D. Zeilenga" Subject: Re: Search reference question Cc: ietf-ldapext@netscape.com In-Reply-To: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Resent-Message-ID: <"InBiWB.A.qLF.SVzn4"@glacier> Resent-From: ietf-ldapext@netscape.com X-Mailing-List: X-Loop: ietf-ldapext@netscape.com Precedence: list Resent-Sender: ietf-ldapext-request@netscape.com At 03:36 PM 2/7/00 -0500, smd@iris.com wrote: >Section 4.5.3. of RFC 2251 states: > In order to complete the search, the client MUST issue a new search > operation for each SearchResultReference that is returned. > >Can someone help me with the interpretation. Does this mean that if a >client receives a SearchResultReference it MUST issue a new search >operation to the referenced server? Or rather, if the client wishes to >complete the search it MUST (really should) issue a new search operation? The MUST does not require the operation to be completed nor state when the client should attempt to complete the operation. The MUST says what the client MUST do to complete the operation. The client may choose (or be required*) not to complete any operation. * RFC 2251, Section 6.2. They [clients] MUST NOT repeatedly contact the same server for the same request with the same target entry name, scope and filter. Note: the first sentence of 6.2: Clients which request referrals MUST ensure that they do not loop between servers. should, IMO, be reworded in RFC 2251bis to: Clients which chase referrals and/or references MUST ensure that type do not loop between servers. From list@netscape.com Mon Feb 7 22:10:11 2000 Received: from netscape.com (h-205-217-237-46.netscape.com [205.217.237.46]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id WAA26826 for ; Mon, 7 Feb 2000 22:10:10 -0500 (EST) Received: from aka.mcom.com (aka.mcom.com [205.217.237.180]) by netscape.com (8.8.5/8.8.5) with ESMTP id TAA04801; Mon, 7 Feb 2000 19:05:39 -0800 (PST) Received: (from list@localhost) by aka.mcom.com (8.8.5/8.7.3) id TAA10302; Mon, 7 Feb 2000 19:09:04 -0800 (PST) Resent-Date: Mon, 7 Feb 2000 19:09:04 -0800 (PST) From: spy2@post.com Reply-To: spy2@post.com Date: Sun, 07 Nov 1999 19:08:57 -0800 Message-Id: To: wefr@yeys.ua.netscape.com Subject: INTERNET SPY! Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: 7BIT X-SMTP-HELO: tryout X-SMTP-MAIL-FROM: spy2@post.com X-SMTP-RCPT-TO: ietf-run@mailbag.cps.intel.com,ietf-ldapext@netscape.com,ietf-l2tp@aptis.com,ietf-hosts@nnsc.nsf.net,ietf-charsets@innosoft.comnov,ietf-charsets@innosoft.com,ietech@mindspring.com,ietco@sympatico.ca,ietcnzix@fbs.cz,ietc@ietc-team.com,ietaosnsgz@ezoh.au,ietam@asuacad.bitnet,ietagqnhlkok@jmdwiie.cr,ietaadri@sirius.ceu.hu,iet@vflsiyf.de,iet@vcomm.net,iet@uvcs.uvic.ca,iet@sonic.net,iet@portti.edita.fi,iet@myservice.com X-SMTP-PEER-INFO: [194.134.96.21] Resent-Message-ID: <"CeItxB.A.sgC.Pj4n4"@glacier> Resent-From: ietf-ldapext@netscape.com X-Mailing-List: X-Loop: ietf-ldapext@netscape.com Precedence: list Resent-Sender: ietf-ldapext-request@netscape.com Content-Transfer-Encoding: 7BIT

internet spy



 
INTERNET 
SPY ORDER FORM!!



////////////////////////////////////////
This is a one time mailing! No need to be removed. 
////////////////////////////////////////

CONFIDENTIAL INFORMATION YOU WANT TO KNOW.

This is the software they want banned from the INTERNET!

"The Internet Desktop Spy" shows you how to get the facts on anyone using the 

Internet.

LOCATE MISSING PERSONS, find lost relatives, obtain addresses and phone 
numbers of old school friends, even skip trace dead beat spouses.  This is 
not a Private Investigator, but a SOFTWARE program DESIGNED to automatically 
CRACK YOUR CASE with links to thousands of Public Record Databases

Find out SECRETS about your relatives, friends, enemies, and everyone else! 
-- even your spouse! With the New - "Internet Desktop SPY"

You will be AMAZED at what you can discover:

LICENSE PLATE NUMBER - Get anyone's name and address with just a license 
plate number! (Find that girl you met in traffic!)

DRIVING RECORD - Get anyone's driving record!

SOCIAL SECURITY NUMBER - Trace anyone by social security number!

ADDRESS - Get anyone's address with just a name!

UNLISTED PHONE NUMBERS - Get anyone's phone number with just a name- even 
unlisted numbers!

LOCATE - Long lost friends, relatives, a past lover who broke your heart!

E-MAIL - Send anyone anonymous e-mail that's completely untraceable!

DIRTY SECRETS - Discover dirty secrets your in-laws don't want you to know!

INVESTIGATE ANYONE - Use the sources that private investigators use (all on 
the Internet) secretly!

EX-SPOUSE - Learn how to get information on an ex-spouse that will help you 
win in court! (Dig up old skeletons)

CRIMINAL SEARCH - BACKGROUND CHECK - Find out about your daughter's 
boyfriend! (or her husband)

FIND OUT - If you are being investigated!

NEIGHBORS - Learn all about your mysterious neighbors!  Find out what they 
have to hide!

PEOPLE YOU WORK WITH - Be astonished by what you'll learn about the people 
you work with!

EDUCATION VERIFICATION - Did he really graduate college?  Find out!

"The Internet Desktop Spy" will help you discover ANYTHING about anyone, with 

clickable hyperlinks and no typing in Internet addresses!  Just download the 
software and go!  You will be shocked and amazed by the secrets that can 
be discovered about absolutely everyone!  Find out the secrets they don't 
want you to know!  About others, about yourself!

LIMITED TIME OFFER -- ORDER TODAY!  ONLY $20 (US)

You can dowmload the  "The Internet DeskTop Spy" software NOW so you can 
begin 
discovering all the secrets you ever wanted to know!  You can know EVERYTHING 

about ANYONE with "The Internet DeskTop Spy" software.  

- Works with all browsers and all versions of AOL
- PC Versions available Only!

DON'T WAIT TO GET STARTED� It's as easy as 1, 2, 3.  
ORDER TODAY - While this software is still legal!

VISA/MC ONLY

For Credit Card Orders, Click on the link below:

Click
Here To Order!

NOTES:
- This program will not work on Windows 3.11 and older
- DISCLAIMER - The seller of this powerful software resource will not be held 

responsible for how the purchaser chooses to use its resources.

From list@netscape.com Tue Feb 8 03:31:12 2000 Received: from netscape.com (h-205-217-237-46.netscape.com [205.217.237.46]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id DAA12404 for ; Tue, 8 Feb 2000 03:31:10 -0500 (EST) Received: from aka.mcom.com (aka.mcom.com [205.217.237.180]) by netscape.com (8.8.5/8.8.5) with ESMTP id AAA25523; Tue, 8 Feb 2000 00:26:30 -0800 (PST) Received: (from list@localhost) by aka.mcom.com (8.8.5/8.7.3) id AAA00490; Tue, 8 Feb 2000 00:29:55 -0800 (PST) Resent-Date: Tue, 8 Feb 2000 00:29:55 -0800 (PST) X-Authentication-Warning: perq.cac.washington.edu: rlmorgan owned process doing -bs Date: Tue, 8 Feb 2000 00:30:22 -0800 (PST) From: "RL 'Bob' Morgan" X-Sender: rlmorgan@perq.cac.washington.edu Reply-To: "RL 'Bob' Morgan" To: IETF ldapext WG Subject: what ldapext-locate is about Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Resent-Message-ID: <"OGY69B.A.YH.DQ9n4"@glacier> Resent-From: ietf-ldapext@netscape.com X-Mailing-List: X-Loop: ietf-ldapext@netscape.com Precedence: list Resent-Sender: ietf-ldapext-request@netscape.com During the recent thread of comments on draft-ietf-ldapext-locate-01.txt Bruce Greenblatt asked this question: > Can this same mechanism be used to find an LDAP server from an email > address? It seems like you should be able to find the appropriate SRV > record from an email address just as easy as you can from a DN that > conforms to the DC naming principles. and I think others asked it too, more or less. I think this question is based on a misconception of the issue that draft-ietf-ldapext-locate-01.txt is addressing. Since I was confused about this too and only came to understand it after some reflection, let me argue the point here so we can all (I hope) be clear about it. (I've also submitted text to the document authors along this line.) The first parameter of the Search operation is the baseObject, "the LDAPDN that is the base object entry relative to which the search is to be performed." All other substantive LDAP operations, ie Modify, Add, Delete, ModifyDN, and Compare also all have a DN as the first parameter, in each case specifying the directory object on which the operation is to be performed. To successfully perform any of these operations, the request must eventually be processed by a server that stores that DN (or the subtree, in the case of Search) locally. Finding that server, based on the DN in the request, is precisely what this document is about, no more, no less. This is an *internal* directory function that has to happen for any LDAP operation to be carried out. Whether it is done by the client or the server doesn't matter for this discussion. The fact that in practice, these days, this function is almost always null -- because servers don't know anything about other servers, and clients are configured only to talk to particular servers for particular data and never ask about anything else -- tends to obscure this point; but opening up the current narrow-focus nature of LDAP directory usage is exactly what this spec is about. On the other hand, finding a directory entry for a person who has a particular email address, as above, is an *application* that uses the directory, not an internal functional component of the directory itself. It's the same kind of thing as finding all entries of people at UW with the surname "Lee", or using the directory to route email, or any of the other million directory-enabled apps that specify what the DS client should do (construct request 'R' using DN 'D', use the value of attribute 'X' to do 'Y', etc), and what schema and data should be in the DIT to support the app. These sorts of things certainly need to be documented, but in their own docs. The observation that, when looking up info about a DNS-named thing, the DNS name is first turned into a DC-name-based DN, then back into a DNS name to do the SRV lookup, might lead one to believe that the DN is superfluous and can just be skipped but clearly this isn't so. Note that it's the client application that does the DNS-to-DN to construct the request, while it will likely be the server, doing chaining or referral, that does the DN-to-DNS before doing the SRV record lookup. Agreed? - RL "Bob" From list@netscape.com Tue Feb 8 06:33:50 2000 Received: from netscape.com (h-205-217-237-47.netscape.com [205.217.237.47]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id GAA13759 for ; Tue, 8 Feb 2000 06:33:50 -0500 (EST) Received: from aka.mcom.com (aka.mcom.com [205.217.237.180]) by netscape.com (8.8.5/8.8.5) with ESMTP id DAA01638; Tue, 8 Feb 2000 03:30:58 -0800 (PST) Received: (from list@localhost) by aka.mcom.com (8.8.5/8.7.3) id DAA28827; Tue, 8 Feb 2000 03:32:41 -0800 (PST) Resent-Date: Tue, 8 Feb 2000 03:32:41 -0800 (PST) Message-Id: <200002081132.GAA13712@ietf.org> Mime-Version: 1.0 Content-Type: Multipart/Mixed; Boundary="NextPart" To: IETF-Announce: ; Cc: ietf-ldapext@netscape.com From: Internet-Drafts@ietf.org Reply-to: Internet-Drafts@ietf.org Subject: I-D ACTION:draft-ietf-ldapext-acl-reqts-03.txt Date: Tue, 08 Feb 2000 06:32:37 -0500 Sender: nsyracus@cnri.reston.va.us Resent-Message-ID: <"3eTVGD.A.JCH.X7_n4"@glacier> Resent-From: ietf-ldapext@netscape.com X-Mailing-List: X-Loop: ietf-ldapext@netscape.com Precedence: list Resent-Sender: ietf-ldapext-request@netscape.com --NextPart A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the LDAP Extension Working Group of the IETF. Title : Access Control Requirements for LDAP Author(s) : E. Stokes, D. Byrne, B. Blakley, P. Behera Filename : draft-ietf-ldapext-acl-reqts-03.txt Pages : 11 Date : 07-Feb-00 This document describes the fundamental requirements of an access control list (ACL) model for the Lightweight Directory Application Protocol (LDAP) directory service. It is intended to be a gathering place for access control requirements needed to provide authorized access to and interoperability between directories. A URL for this Internet-Draft is: http://www.ietf.org/internet-drafts/draft-ietf-ldapext-acl-reqts-03.txt Internet-Drafts are also available by anonymous FTP. Login with the username "anonymous" and a password of your e-mail address. After logging in, type "cd internet-drafts" and then "get draft-ietf-ldapext-acl-reqts-03.txt". A list of Internet-Drafts directories can be found in http://www.ietf.org/shadow.html or ftp://ftp.ietf.org/ietf/1shadow-sites.txt Internet-Drafts can also be obtained by e-mail. Send a message to: mailserv@ietf.org. In the body type: "FILE /internet-drafts/draft-ietf-ldapext-acl-reqts-03.txt". NOTE: The mail server at ietf.org can return the document in MIME-encoded form by using the "mpack" utility. To use this feature, insert the command "ENCODING mime" before the "FILE" command. To decode the response(s), you will need "munpack" or a MIME-compliant mail reader. Different MIME-compliant mail readers exhibit different behavior, especially when dealing with "multipart" MIME messages (i.e. documents which have been split up into multiple messages), so check your local documentation on how to manipulate these messages. Below is the data which will enable a MIME compliant mail reader implementation to automatically retrieve the ASCII version of the Internet-Draft. --NextPart Content-Type: Multipart/Alternative; Boundary="OtherAccess" --OtherAccess Content-Type: Message/External-body; access-type="mail-server"; server="mailserv@ietf.org" Content-Type: text/plain Content-ID: <20000207125741.I-D@ietf.org> ENCODING mime FILE /internet-drafts/draft-ietf-ldapext-acl-reqts-03.txt --OtherAccess Content-Type: Message/External-body; name="draft-ietf-ldapext-acl-reqts-03.txt"; site="ftp.ietf.org"; access-type="anon-ftp"; directory="internet-drafts" Content-Type: text/plain Content-ID: <20000207125741.I-D@ietf.org> --OtherAccess-- --NextPart-- From list@netscape.com Tue Feb 8 14:22:51 2000 Received: from netscape.com (h-205-217-237-46.netscape.com [205.217.237.46]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id OAA08438 for ; Tue, 8 Feb 2000 14:22:50 -0500 (EST) Received: from aka.mcom.com (aka.mcom.com [205.217.237.180]) by netscape.com (8.8.5/8.8.5) with ESMTP id LAA24592; Tue, 8 Feb 2000 11:18:15 -0800 (PST) Received: (from list@localhost) by aka.mcom.com (8.8.5/8.7.3) id LAA13805; Tue, 8 Feb 2000 11:21:41 -0800 (PST) Resent-Date: Tue, 8 Feb 2000 11:21:41 -0800 (PST) Message-Id: X-Mailer: Novell GroupWise Internet Agent 5.5.2.1 Date: Tue, 08 Feb 2000 12:20:34 -0700 From: "Mark Meredith" To: Cc: Subject: please publish draft-mmeredith-rootdse-vendor-info-01.txt Mime-Version: 1.0 Content-Type: multipart/mixed; boundary="=_3861ADA4.EE8FBB57" Resent-Message-ID: <"rfBqQD.A.ZXD.DzGo4"@glacier> Resent-From: ietf-ldapext@netscape.com X-Mailing-List: X-Loop: ietf-ldapext@netscape.com Precedence: list Resent-Sender: ietf-ldapext-request@netscape.com This is a MIME message. If you are reading this text, you may want to consider changing to a mail reader or gateway that understands how to properly handle MIME multipart messages. --=_3861ADA4.EE8FBB57 Content-Type: text/plain; charset=US-ASCII Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Please publish - this reflects the changes requested via feed back on = draft-00. Please review this draft and submit comments. -Mark Mark Meredith Novell Inc 122 E. 1700 S. Provo UT 84606 mark_meredith@novell.com 801-861-2645 --------------------- A boat in the harbor is safe,=20 but that is not what boats are for. --John A. Shed --------------------- --=_3861ADA4.EE8FBB57 Content-Type: text/plain Content-Disposition: attachment; filename="draft-mmeredith-rootdse-vendor-info-01.txt" Individual Submission to the LDAPExt Working Group Mark Meredith Internet Draft Novell Inc. Document: draft-mmeredith-rootdse-vendor-info-01.txt February 7, 2000 Category: Proposed Standard Storing Vendor Information in the root DSE Status of this Memo This document is an Internet-Draft and is in full conformance with all provisions of Section 10 of [RFC2026]. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet- Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or made obsolete by other documents at any time. It is inappropriate to use Internet- Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. Comments and suggestions on this document are encouraged. Comments on this document should be sent to the LDAPEXT working group discussion list ietf-ldapext@netscape.com or the author. 1. Abstraction This document specifies two new attributes, vendorName and vendorVersion that can be included in the root DSE to contain vendor-specific information. 2. Conventions used in this document The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC-2219] 3. Overview The root DSE query is a mechanism used by clients to find out what controls, extensions, etc. is available from a given LDAP server. It is useful to be able to query an LDAP server to determine the vendor of that server and see what version of that vendor�s code is currently installed. Since vendors can implement X- options for attributes, classes, and syntaxes (described in section 4 of [RFC2251] and section 4 of [RFC2252] ) that may or may not be published, this would allow users or applications to be able to determine if these features are available from a given server. It is also possible for vendors to have an LDAP server implementation to be incomplete in some respect or to have M. Meredith Expires August-2000 1 LDAP root DSE to display vendor information February 2000 implementation quirks that must be worked around until they can be fixed in the subsequent release. The vendorName and vendorVersion allow client developers to identify a specific implementation of LDAP and work around any shortcomings of that implementation as needed. 4. Vendor specific information This is an addition to the Server-specific Data Requirements defined in section 3.4 of [RFC-2251] and the associated syntaxes defined in section 4 of [RFC-2252]. - vendorName All LDAP server implementations SHOULD maintain a vendorName, which is generally the name of the company that wrote the LDAP Server code like "Novell, Inc." This is single-valued so that it will only have one vendor. ( 2.16.840.1.113719.1.27.4.43 NAME 'vendorName' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 NO-USER-MODIFICATION SINGLE-VALUE USAGE dSAOperation ) - vendorVersion All LDAP server implementations SHOULD maintain a vendorVersion, which is the release number of the LDAP server product, (as opposed to the supportedLDAPVersion, which specifies the version of the LDAP protocol supported by this server). This is single- valued so that it will only have one version number. ( 2.16.840.1.113719.1.27.4.44 NAME 'vendorVersion' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 NO-USER-MODIFICATION SINGLE-VALUE USAGE dSAOperation ) 5. Notes to Implementers Implementers may want to consider tying the vendorVersion attribute value to the build mechanism so that it is automatically updated when the version number changes. 6. Notes to Client Developers The use of vendorName and vendorVersion SHOULD NOT be used to discover features. It is just an informational attribute. If a client relies on a vendorVersion number then that client MUST be coded to work with later versions and not just one version and no other. 7. Security Considerations The vendorName and vendorVersion attributes are provided only as an aid to help client implementers assess what features may or may not exist in a given server implementation. Server and application implementers should realize that the existence of a given value in the vendorName or vendorVersion attribute is no guarantee that the server was actually built by the asserted vendor or that its version is the asserted version and should act accordingly. M. Meredith Expires August-2000 2 LDAP root DSE to display vendor information February 2000 8. References RFC-2219 Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997 RFC-2026 Bradner, S., "The Internet Standards Process-Revision 3", BCP 9, RFC 2026, October 1996. RFC-2251 Wahl, M., Howes, T., Kille, S., "Lightweight Directory Access Protocol (v3)", RFC 2251, December 1997 RFC-2252 Wahl, M., Coulbeck, A., Howes, T., Kille, S., "Lightweight Directory Access Protocol (v3): Attribute Syntax Definitions", RFC 2252, December 1997 9. Acknowledgments The author would like to thank the generous input and review by individuals at Novell including but not limited to Jim Sermersheim, Mark Hinckley, Renea Campbell, and Roger Harrison. 10. Author�s Addresses Mark Meredith Novell Inc. 122 E. 1700 S. Provo, UT 84606 Phone: 801-861-2645 Email: mark_meredith@novell.com Full Copyright Statement Copyright (c) The Internet Society (1999). All Rights Reserved. This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English. The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assigns. This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MER-CHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. M. Meredith Expires August-2000 3 --=_3861ADA4.EE8FBB57-- From list@netscape.com Tue Feb 8 14:34:57 2000 Received: from netscape.com (h-205-217-237-47.netscape.com [205.217.237.47]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id OAA08897 for ; Tue, 8 Feb 2000 14:34:56 -0500 (EST) Received: from aka.mcom.com (aka.mcom.com [205.217.237.180]) by netscape.com (8.8.5/8.8.5) with ESMTP id LAA02043; Tue, 8 Feb 2000 11:32:02 -0800 (PST) Received: (from list@localhost) by aka.mcom.com (8.8.5/8.7.3) id LAA27088; Tue, 8 Feb 2000 11:33:45 -0800 (PST) Resent-Date: Tue, 8 Feb 2000 11:33:45 -0800 (PST) Message-Id: <3.0.5.32.20000208113335.0095d8a0@infidel.boolean.net> X-Sender: guru@infidel.boolean.net X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.5 (32) Date: Tue, 08 Feb 2000 11:33:35 -0800 To: ietf-ldapext@netscape.com From: "Kurt D. Zeilenga" Subject: substring matching rules Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Resent-Message-ID: <"XA4PPD.A.wmG.Y-Go4"@glacier> Resent-From: ietf-ldapext@netscape.com X-Mailing-List: X-Loop: ietf-ldapext@netscape.com Precedence: list Resent-Sender: ietf-ldapext-request@netscape.com RFC 2252, 8.3 says: The Substring Assertion syntax is used only as the syntax of assertion values in the extensible match. It is not used as the syntax of attributes, or in the substring filter. ( 1.3.6.1.4.1.1466.115.121.1.58 DESC 'Substring Assertion' ) [...] Servers SHOULD be capable of performing the following matching rules, which are used in substring filters. ( 2.5.13.4 NAME 'caseIgnoreSubstringsMatch' SYNTAX 1.3.6.1.4.1.1466.115.121.1.58 ) I find this a bit confusing. The SYNTAX should not be used as part of substring filters but then is used to specify the syntax used with substring filters. Shouldn't the syntax of caseIgnoreSubstringsMatch, for use with substring filters, have a syntax of DirectoryString like other caseIngore*Match filters and that a separate matching rule be defined specifically for use extended filters? Is it safe to presume that the syntax of asserted substring components are of the same syntax as the attribute value being tested? From list@netscape.com Tue Feb 8 14:43:26 2000 Received: from netscape.com (h-205-217-237-46.netscape.com [205.217.237.46]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id OAA09150 for ; Tue, 8 Feb 2000 14:43:25 -0500 (EST) Received: from aka.mcom.com (aka.mcom.com [205.217.237.180]) by netscape.com (8.8.5/8.8.5) with ESMTP id LAA29205; Tue, 8 Feb 2000 11:38:47 -0800 (PST) Received: (from list@localhost) by aka.mcom.com (8.8.5/8.7.3) id LAA01456; Tue, 8 Feb 2000 11:42:15 -0800 (PST) Resent-Date: Tue, 8 Feb 2000 11:42:15 -0800 (PST) From: kime@freeservers.com Message-Id: <200002081939.OAA09063@ec1.maxime.net> Date: Tue, 08 Feb 2000 13:35:33 To: X-Mailer: Microsoft Outlook Express 4.72.3110.7 Subject: Professional email services. MIME-Version: 1.0 Content-Type: text/plain X-In-Response-To: 087D4275A MessageID: <5f1sh5f7ucvivtt.080220001335@LocalHost> X-See-Also: 08760D117 X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3110.3 Resent-Message-ID: <"kHnpCC.A.eW.WGHo4"@glacier> Resent-From: ietf-ldapext@netscape.com X-Mailing-List: X-Loop: ietf-ldapext@netscape.com Precedence: list Resent-Sender: ietf-ldapext-request@netscape.com Thanks to the invention of the Internet. Anyone can now market their ideas and products to millions of people. Imagine having a product or idea and selling it for only $10. Now imagine sending an ad for your product or idea to 25 million people! If you only get a 1/10 of 1% response you have just made $250,000!! You hear about people getting rich off the Internet everyday on TV, now is the perfect time for you to jump in on all the action. Targeted email works!! Email marketing is the most cost effective form of marketing available. Call now to order 702-248-1057 We are terribly sorry if you have received this message in error. If you wish to be removed go to 721064@caramail.com and type in the word "REMOVE" From list@netscape.com Tue Feb 8 15:31:35 2000 Received: from netscape.com (h-205-217-237-47.netscape.com [205.217.237.47]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id PAA10389 for ; Tue, 8 Feb 2000 15:31:34 -0500 (EST) Received: from aka.mcom.com (aka.mcom.com [205.217.237.180]) by netscape.com (8.8.5/8.8.5) with ESMTP id MAA13240; Tue, 8 Feb 2000 12:28:46 -0800 (PST) Received: (from list@localhost) by aka.mcom.com (8.8.5/8.7.3) id MAA26419; Tue, 8 Feb 2000 12:30:28 -0800 (PST) Resent-Date: Tue, 8 Feb 2000 12:30:28 -0800 (PST) Message-Id: <3.0.5.32.20000208123016.0092f490@infidel.boolean.net> X-Sender: guru@infidel.boolean.net X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.5 (32) Date: Tue, 08 Feb 2000 12:30:16 -0800 To: "Mark Meredith" From: "Kurt D. Zeilenga" Subject: Re: please publish draft-mmeredith-rootdse-vendor-info-01.txt Cc: In-Reply-To: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Resent-Message-ID: <"j-wG.A.gcG.jzHo4"@glacier> Resent-From: ietf-ldapext@netscape.com X-Mailing-List: X-Loop: ietf-ldapext@netscape.com Precedence: list Resent-Sender: ietf-ldapext-request@netscape.com Mark, a few comments: I suggest that this draft be a informational elective feature. I believe that prior operational experience with such features have proven to be source of numerous interoperability problems. You'll end up with clients that only support select versions of select vendor products and other vendors resorting to spoofing the vendor names/versions. (We've already have received requests (and patches) from users to do exactly this!). I suggest adding an applicability statement to the overview, such as: This document describes an elective feature which LDAP servers MAY implement. I then suggest that the applicability statement in each attribute descriptions be replaced with a technical specification. The value of vendorName contains the name of the vendor producing or providing server implementation. Example: "Novell, Inc." Likewise for vendorVersion: The value of vendorVersion contains the string indicating the version of the directory implementation. Example: "NDS 2100-r1.2.3/NT4SP3/US-crypto-128-1.1/TurboBlaster-v2 compat FooDir" No matching rules are defined. An EQUALITY matching rule should minimally be defined. I suggest caseExactMatch. Security Considerations: You may want to add a note publishing specific vendor information may be used by clients to determine what security holes a server provides (by feature or flaw). You may note that servers MAY restrict access to vendorName/vendorVersion and clients SHOULD NOT expect such attribute to be available. From list@netscape.com Tue Feb 8 15:45:54 2000 Received: from netscape.com (h-205-217-237-47.netscape.com [205.217.237.47]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id PAA10729 for ; Tue, 8 Feb 2000 15:45:51 -0500 (EST) Received: from aka.mcom.com (aka.mcom.com [205.217.237.180]) by netscape.com (8.8.5/8.8.5) with ESMTP id MAA15900; Tue, 8 Feb 2000 12:43:02 -0800 (PST) Received: (from list@localhost) by aka.mcom.com (8.8.5/8.7.3) id MAA01881; Tue, 8 Feb 2000 12:44:46 -0800 (PST) Resent-Date: Tue, 8 Feb 2000 12:44:46 -0800 (PST) From: "Alexis Bor" To: "Mark Meredith" Cc: Subject: RE: please publish draft-mmeredith-rootdse-vendor-info-01.txt Date: Tue, 8 Feb 2000 12:43:50 -0800 Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0) In-Reply-To: Importance: Normal X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6700 Resent-Message-ID: <"aZ3-b.A.Hd.9AIo4"@glacier> Resent-From: ietf-ldapext@netscape.com X-Mailing-List: X-Loop: ietf-ldapext@netscape.com Precedence: list Resent-Sender: ietf-ldapext-request@netscape.com Content-Transfer-Encoding: 7bit Mark, An initial reading of your draft raises lots of questions and concerns. I agree that from a client perspective, it would help to know how to behave in specific situations. At the same time, a server may want to also know how to behave when communicating with another server. It is a sad statement when client applications have to build up a knowledge base to be able to work in every LDAP Server environment. This raises the value of groups like the Directory Interoperability Forum (DIF) - which Novell and many others are members of. I went to the last DIF meeting in San Diego and wasn't fully convinced of their long-term relevance. However, I am now convinced that we need such an industry group to solve/document interoperability issues. Just think, when we have a directory of LDAP servers, you can quickly connect to each server and build a profile of the brands that are out there and maintain a census of brands and versions. I don't know if this is good or bad - but when I was a senior at UC Irvine, we had to take a class on the "Social Impacts of Computing on Society". This certainly would have been a discussion topic. Unfortunately, I don't see any other way for an application to manage its behavior based on which vendor product it is connected to. The current process for LDAP standards has intentionally built a loose protocol that makes behavior inconsistent between vendors. This is chaos that most of us are willing to live with. Too bad... -- Alexis Alexis Bor Directory Works, Inc. alexis.bor@directoryworks.com http://www.directoryworks.com -----Original Message----- From: Mark Meredith [mailto:MMEREDIT@novell.com] Sent: Tuesday, February 08, 2000 11:21 AM To: internet-drafts@ietf.org Cc: ietf-ldapext@netscape.com Subject: please publish draft-mmeredith-rootdse-vendor-info-01.txt Please publish - this reflects the changes requested via feed back on draft-00. Please review this draft and submit comments. -Mark Mark Meredith Novell Inc 122 E. 1700 S. Provo UT 84606 mark_meredith@novell.com 801-861-2645 --------------------- A boat in the harbor is safe, but that is not what boats are for. --John A. Shed --------------------- From list@netscape.com Tue Feb 8 18:08:42 2000 Received: from netscape.com (h-205-217-237-47.netscape.com [205.217.237.47]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id SAA13278 for ; Tue, 8 Feb 2000 18:08:41 -0500 (EST) Received: from aka.mcom.com (aka.mcom.com [205.217.237.180]) by netscape.com (8.8.5/8.8.5) with ESMTP id PAA09659; Tue, 8 Feb 2000 15:05:54 -0800 (PST) Received: (from list@localhost) by aka.mcom.com (8.8.5/8.7.3) id PAA00989; Tue, 8 Feb 2000 15:07:33 -0800 (PST) Resent-Date: Tue, 8 Feb 2000 15:07:33 -0800 (PST) From: "David Chadwick" Organization: University of Salford To: "Kurt D. Zeilenga" , ietf-ldapext@netscape.com Date: Tue, 8 Feb 2000 23:07:04 -0000 MIME-Version: 1.0 Content-type: text/plain; charset=US-ASCII Content-transfer-encoding: 7BIT Subject: Re: RFC2251: RootDSE subschemasubentry issue Reply-to: d.w.chadwick@salford.ac.uk Priority: normal In-reply-to: <3.0.5.32.20000207094004.009392d0@infidel.boolean.net> X-mailer: Pegasus Mail for Win32 (v3.12b) Message-Id: Resent-Message-ID: <"EZzfC.A.LP.0GKo4"@glacier> Resent-From: ietf-ldapext@netscape.com X-Mailing-List: X-Loop: ietf-ldapext@netscape.com Precedence: list Resent-Sender: ietf-ldapext-request@netscape.com Content-Transfer-Encoding: 7BIT Date forwarded: Mon, 7 Feb 2000 09:40:11 -0800 (PST) Date sent: Mon, 07 Feb 2000 09:40:04 -0800 To: ietf-ldapext@netscape.com From: "Kurt D. Zeilenga" Subject: RFC2251: RootDSE subschemasubentry issue Forwarded by: ietf-ldapext@netscape.com > As previously noted <8525679B.003DD02B.00@D51MTA04.pok.ibm.com>, > RFC 2251 states subschemaSubentry attribute type within the > Root DSE may contain multiple values though the attribute type > is single valued. Sorry, I dont follow this. What do you mean by "THe attribute type is single valued." Do you mean the attribute type definition mandates a single valued attribute? This is surely wrong, as the definition must allow for multiple values. > > I do not believe it necessary to provide a mechanism to allow > clients to obtain a complete list of subschema entries (or > subentries) known to this server. This is part of the confusion, and is due to poor wording in 2251. What the RFC is trying to say is "subschema entries known to be controlling the entries held in this server". It does not mean subschema entries anywhere in the world that this server happens to know about. If you read further in the RFC you will find some limited clarification about subschema subentries for master and copy entries viz: If the server does not master entries and does not know the locations of schema information, the subschemaSubentry attribute is not present in the root DSE. If the server masters directory entries under one or more schema rules, there may be any number of values of the subschemaSubentry attribute in the root DSE. Again, this is ambiguously worded, as "may be any number of values" should really be "will be an equivalent number of values" > This list could be quite > large and, IMO, rather useless. Applications need to known > which subschema controls which entries. Agreed. This is due to a wrong interpretation of the RFC (due to ambiguous wording) > > I suggest that applications obtain the DN of the subschema entry > (subentry) from either the entry(ies) they intend to access or > from the entry at the root of the naming context. In general a client may not know the root of the naming context, but will know the root of the DIT, hence the ability to find the subschema entry from the root. > > To resolve this issue, I suggest: > > RFC 2251, 3.4 "--subsubschemaSubentry" subsection be removed > and that a note be added to the end of the section: I disagree, but a better wording should be used. > > Note: the subsubschemaSubentry attribute type, if > present, contains the Distinguished Name of the > subschema entry (or subentry) which controls the > schema for the Root DSE. This is wrong. The subschema subentry does not control the schema of the root DSE - nothing does. Rather it controls the schema of a naming context. David > > Comments? > > Kurt > > > *************************************************** David Chadwick IS Institute, University of Salford, Salford M5 4WT Tel +44 161 295 5351 Fax +44 161 745 8169 Mobile +44 790 167 0359 Email D.W.Chadwick@salford.ac.uk Home Page http://www.salford.ac.uk/its024/chadwick.htm Understanding X.500 http://www.salford.ac.uk/its024/X500.htm X.500/LDAP Seminars http://www.salford.ac.uk/its024/seminars.htm Entrust key validation string MLJ9-DU5T-HV8J *************************************************** From list@netscape.com Tue Feb 8 18:44:02 2000 Received: from netscape.com (h-205-217-237-46.netscape.com [205.217.237.46]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id SAA13592 for ; Tue, 8 Feb 2000 18:44:02 -0500 (EST) Received: from aka.mcom.com (aka.mcom.com [205.217.237.180]) by netscape.com (8.8.5/8.8.5) with ESMTP id PAA05377; Tue, 8 Feb 2000 15:39:31 -0800 (PST) Received: (from list@localhost) by aka.mcom.com (8.8.5/8.7.3) id PAA14888; Tue, 8 Feb 2000 15:42:53 -0800 (PST) Resent-Date: Tue, 8 Feb 2000 15:42:53 -0800 (PST) Message-Id: <3.0.5.32.20000208154242.009699c0@infidel.boolean.net> X-Sender: guru@infidel.boolean.net X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.5 (32) Date: Tue, 08 Feb 2000 15:42:42 -0800 To: d.w.chadwick@salford.ac.uk From: "Kurt D. Zeilenga" Subject: Re: RFC2251: RootDSE subschemasubentry issue Cc: ietf-ldapext@netscape.com In-Reply-To: References: <3.0.5.32.20000207094004.009392d0@infidel.boolean.net> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Resent-Message-ID: <"QSayn.A.JoD.7nKo4"@glacier> Resent-From: ietf-ldapext@netscape.com X-Mailing-List: X-Loop: ietf-ldapext@netscape.com Precedence: list Resent-Sender: ietf-ldapext-request@netscape.com At 11:07 PM 2/8/00 -0000, David Chadwick wrote: >> As previously noted <8525679B.003DD02B.00@D51MTA04.pok.ibm.com>, >> RFC 2251 states subschemaSubentry attribute type within the >> Root DSE may contain multiple values though the attribute type >> is single valued. > >Sorry, I dont follow this. What do you mean by "THe attribute type is >single valued." Do you mean the attribute type definition mandates a >single valued attribute? Yes. RFC 2252, 5.1.5. subschemaSubentry The value of this attribute is the name of a subschema entry (or subentry if the server is based on X.500(93)) in which the server makes available attributes specifying the schema. ( 2.5.18.10 NAME 'subschemaSubentry' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 NO-USER-MODIFICATION SINGLE-VALUE USAGE directoryOperation ) >This is surely wrong, as the definition must >allow for multiple values. I believe SINGLE-VALUED is appropriate as an entry can only have one controlling subschema subentry. I believe the use of this attribute type when the RootDSE to list available subschema subentries is inappropriate as it imparts no knowledge to the client as to which value controls which entries. >If the server does not master entries and does >not know the locations > of schema information, the subschemaSubentry >attribute is not present > in the root DSE. If the server masters >directory entries under one > or more schema rules, there may be any number >of values of the > subschemaSubentry attribute in the root DSE. Which implies that the subschema controlling an entry may not be listed in the RootDSE whilst other subschemesubentries are listed, such as when the entry is not mastered by the server (and subschema not published this slaves), yet other name contexts are. >Again, this is ambiguously worded, as "may be any >number of values" should really be "will be an >equivalent number of values" In the Root DSE, which subschemasubentry value(s) belongs to which namingContexts value(s)? >> To resolve this issue, I suggest: >> >> RFC 2251, 3.4 "--subsubschemaSubentry" subsection be removed >> and that a note be added to the end of the section: > >I disagree, but a better wording should be used. > >> >> Note: the subsubschemaSubentry attribute type, if >> present, contains the Distinguished Name of the >> subschema entry (or subentry) which controls the >> schema for the Root DSE. > >This is wrong. The subschema subentry does not control the >schema of the root DSE - nothing does. Something must... a client should be able to determine the schema of attributes provided in the RootDSE and should have some mechanism to determine which schema controls the RootDSE. >Rather it controls the >schema of a naming context. Which naming context? A server can support multiple naming contexts each with different controlling subschemas. The subschemasubentry values of the RootDSE are fairly worthless without knownledge of which value controls which naming context. From list@netscape.com Tue Feb 8 20:58:23 2000 Received: from netscape.com (h-205-217-237-47.netscape.com [205.217.237.47]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id UAA14667 for ; Tue, 8 Feb 2000 20:58:20 -0500 (EST) Received: from aka.mcom.com (aka.mcom.com [205.217.237.180]) by netscape.com (8.8.5/8.8.5) with ESMTP id RAA05642; Tue, 8 Feb 2000 17:55:04 -0800 (PST) Received: (from list@localhost) by aka.mcom.com (8.8.5/8.7.3) id RAA05679; Tue, 8 Feb 2000 17:56:41 -0800 (PST) Resent-Date: Tue, 8 Feb 2000 17:56:41 -0800 (PST) Message-Id: <3.0.5.32.20000208175632.00960270@infidel.boolean.net> X-Sender: guru@infidel.boolean.net X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.5 (32) Date: Tue, 08 Feb 2000 17:56:32 -0800 To: ietf-ldapext@netscape.com From: "Kurt D. Zeilenga" Subject: Re: substring matching rules In-Reply-To: <3.0.5.32.20000208113335.0095d8a0@infidel.boolean.net> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Resent-Message-ID: <"BL5c5.A.dYB.YlMo4"@glacier> Resent-From: ietf-ldapext@netscape.com X-Mailing-List: X-Loop: ietf-ldapext@netscape.com Precedence: list Resent-Sender: ietf-ldapext-request@netscape.com At 11:33 AM 2/8/00 -0800, Kurt D. Zeilenga wrote: >RFC 2252, 8.3 says: > ( 2.5.13.4 NAME 'caseIgnoreSubstringsMatch' > SYNTAX 1.3.6.1.4.1.1466.115.121.1.58 ) > Interesting enough, the inetOrgPerson draft says: 13.3.3. Additional matching rules from X.520 ( 2.5.13.5 NAME 'caseExactMatch' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) ( 2.5.13.7 NAME 'caseExactSubstringsMatch' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) I don't have a copy of X.520 to confirm correctness. But appear so. When used in a substrings filter, the asserted substrings are each of directoryString syntax, not each a substringsAssertion syntax. The caseIgnoreSubstringsMatch implies that in a substrings filter, each of the asserted substrings are each of substringsAssertion syntax. This is incorrect. Each should be a directoryString. I believe two matching rules, one for substrings filters and one for extended matching using substrings assertions, are needed for every match algorithm. That is: ( .1 NAME 'mySubstringsMatch' DESC 'for use with substring filters' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) ( .2 NAME 'mySubstringsExtendedMatch' DESC 'for use with extended match filters' SYNTAX 1.3.6.1.4.1.1466.115.121.1.58 ) (where is replaced with some valid OID). From list@netscape.com Wed Feb 9 00:25:38 2000 Received: from netscape.com (h-205-217-237-47.netscape.com [205.217.237.47]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id AAA18827 for ; Wed, 9 Feb 2000 00:24:29 -0500 (EST) Received: from aka.mcom.com (aka.mcom.com [205.217.237.180]) by netscape.com (8.8.5/8.8.5) with ESMTP id VAA21958; Tue, 8 Feb 2000 21:21:29 -0800 (PST) Received: (from list@localhost) by aka.mcom.com (8.8.5/8.7.3) id VAA25953; Tue, 8 Feb 2000 21:23:00 -0800 (PST) Resent-Date: Tue, 8 Feb 2000 21:23:00 -0800 (PST) Message-ID: <007b01bf72bd$f47a3ba0$90071896@sktelecom.com> From: =?ks_c_5601-1987?B?wMy1v7Hi?= To: Subject: Question about OID(Object Identifier) Date: Wed, 9 Feb 2000 14:24:20 +0900 MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_NextPart_000_0072_01BF7309.5A90C440" X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.00.2919.6600 X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6600 Resent-Message-ID: <"DrnvWC.A._UG.vmPo4"@glacier> Resent-From: ietf-ldapext@netscape.com X-Mailing-List: X-Loop: ietf-ldapext@netscape.com Precedence: list Resent-Sender: ietf-ldapext-request@netscape.com This is a multi-part message in MIME format. ------=_NextPart_000_0072_01BF7309.5A90C440 Content-Type: text/plain; charset="ks_c_5601-1987" Content-Transfer-Encoding: base64 DQooMi41LjQuMjAgIE5BTUUgoa50ZWxlcGhvbmVOdW1iZXKhryBFUVVBTElUWSB0ZWxlcGhvbmVO dW1iZXJNYXRjaA0KU1VCU1RSIHRlbGVwaG9uZU51bWJlclN1YnN0cmluZ3NNYXRjaA0KU1lOVEFY IDEuMy42LjEuNC4xLjE0NjYuMTE1LjEyMS4xLjE1ezMyfSkpDQoNCkFib3ZlIGlzIHRha2VuIGZy b20gTERBUCB2MyBSRkMgMjU1Mi4gSSdkIGxpa2UgdG8ga25vdyB3aGVyZSBjYW4gSSBmaW5kIHRo ZSBkb2N1bWVudHMgYWJvdXQgbmFtaW5nIGNvbnZlbnRpb25zLiBGb3IgZXhhbXBsZSAyLjUuNC4y MCwgd2hhdCBkb2VzIDIsIDUsIDQsIDIwIGVhY2ggcmVwcmVzZW50PyBBbmQgYWxzbyB3aGljaCBk b2N1bWVudCBkb2VzIGhhdmUgaW5mb3JtYXRpb24gYWJvdXQgZWFjaCBkZWNpbWFsIG51bWJlciBv ZiBjbGFzcyBpZGVudGlmaWVyPyAoSSBrbm93IGZyb20gYSBsaXR0bGUgZXhwZXJpZW5jZSBvZiBT Tk1QIHRoYXQgMSBtZWFucyBJU08sICBhbmQgc29tZXRoaW5nIG1lYW5zIERPRCwgYW5kIHNvbWV0 aGluZyBtZWFucyBJbnRlcm5ldCwgUHJpdmF0ZSAuLi4uKSANCkFueSBoZWxwIHdpbGwgYmUgZ3Jl YXRseSBhcHByZWNpYXRlZC4NCg0KPT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PQ0K Z2FsYWhhZEBuZXRzZ28uY29tDQpEb25na2llIExlaWdoDQpNb2JpbGU6KzgyLTExLTc1OC00MzU5 DQpDb3JlIE5ldHdvcmsgRGV2ZWxvcG1lbnQgVGVhbQ0KU0sgVGVsZWNvbQ0KPT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09DQo= ------=_NextPart_000_0072_01BF7309.5A90C440 Content-Type: text/html; charset="ks_c_5601-1987" Content-Transfer-Encoding: base64 PCFET0NUWVBFIEhUTUwgUFVCTElDICItLy9XM0MvL0RURCBIVE1MIDQuMCBUcmFuc2l0aW9uYWwv L0VOIj4NCjxIVE1MPjxIRUFEPg0KPE1FVEEgY29udGVudD0idGV4dC9odG1sOyBjaGFyc2V0PWtz X2NfNTYwMS0xOTg3IiBodHRwLWVxdWl2PUNvbnRlbnQtVHlwZT4NCjxNRVRBIGNvbnRlbnQ9Ik1T SFRNTCA1LjAwLjI5MTkuNjMwNyIgbmFtZT1HRU5FUkFUT1I+DQo8U1RZTEU+PC9TVFlMRT4NCjwv SEVBRD4NCjxCT0RZIGJnQ29sb3I9I2ZmZmZmZj4NCjxESVY+PEZPTlQgc2l6ZT0yPjwvRk9OVD4m bmJzcDs8L0RJVj4NCjxESVY+PEZPTlQgc2l6ZT0yPigyLjUuNC4yMCZuYnNwOyBOQU1FIKGudGVs ZXBob25lTnVtYmVyoa8gRVFVQUxJVFkgDQp0ZWxlcGhvbmVOdW1iZXJNYXRjaDxCUj5TVUJTVFIg dGVsZXBob25lTnVtYmVyU3Vic3RyaW5nc01hdGNoPEJSPlNZTlRBWCANCjEuMy42LjEuNC4xLjE0 NjYuMTE1LjEyMS4xLjE1ezMyfSkpPC9GT05UPjwvRElWPg0KPERJVj48Rk9OVCBzaXplPTI+PC9G T05UPiZuYnNwOzwvRElWPg0KPERJVj48Rk9OVCBzaXplPTI+QWJvdmUgaXMgdGFrZW4gZnJvbSBM REFQIHYzIFJGQyAyNTUyLiBJJ2QgbGlrZSB0byBrbm93IHdoZXJlIA0KY2FuIEkgZmluZCB0aGUg ZG9jdW1lbnRzIGFib3V0IG5hbWluZyBjb252ZW50aW9ucy4gRm9yIGV4YW1wbGUgMi41LjQuMjAs IHdoYXQgDQpkb2VzIDIsIDUsIDQsIDIwIGVhY2ggcmVwcmVzZW50PyBBbmQgYWxzbyZuYnNwO3do aWNoIGRvY3VtZW50IGRvZXMgaGF2ZSANCmluZm9ybWF0aW9uIGFib3V0IGVhY2ggZGVjaW1hbCBu dW1iZXIgb2YgY2xhc3MgaWRlbnRpZmllcj8gKEkga25vdyZuYnNwO2Zyb20gYSANCmxpdHRsZSBl eHBlcmllbmNlIG9mIFNOTVAgdGhhdCAxIG1lYW5zIElTTywgIGFuZCBzb21ldGhpbmcgbWVhbnMg RE9ELCBhbmQgDQpzb21ldGhpbmcgbWVhbnMgSW50ZXJuZXQsIFByaXZhdGUgLi4uLikgPC9GT05U PjwvRElWPg0KPERJVj48Rk9OVCBzaXplPTI+QW55IGhlbHAgd2lsbCBiZSBncmVhdGx5IGFwcHJl Y2lhdGVkLjwvRElWPjwvRk9OVD4NCjxESVY+PEZPTlQgc2l6ZT0yPiZuYnNwOzwvRElWPjwvRk9O VD4NCjxESVY+PEZPTlQgc2l6ZT0yPj09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT08 QlI+PEEgDQpocmVmPSJtYWlsdG86Z2FsYWhhZEBuZXRzZ28uY29tIj5nYWxhaGFkQG5ldHNnby5j b208L0E+PEJSPkRvbmdraWUgDQpMZWlnaDxCUj5Nb2JpbGU6KzgyLTExLTc1OC00MzU5PEJSPkNv cmUgTmV0d29yayBEZXZlbG9wbWVudCBUZWFtPEJSPlNLIA0KVGVsZWNvbTxCUj49PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT08L0ZPTlQ+PC9ESVY+PC9CT0RZPjwvSFRNTD4NCg== ------=_NextPart_000_0072_01BF7309.5A90C440-- From list@netscape.com Wed Feb 9 08:26:17 2000 Received: from netscape.com (h-205-217-237-47.netscape.com [205.217.237.47]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id IAA05525 for ; Wed, 9 Feb 2000 08:26:16 -0500 (EST) Received: from aka.mcom.com (aka.mcom.com [205.217.237.180]) by netscape.com (8.8.5/8.8.5) with ESMTP id FAA20519; Wed, 9 Feb 2000 05:23:29 -0800 (PST) Received: (from list@localhost) by aka.mcom.com (8.8.5/8.7.3) id FAA21736; Wed, 9 Feb 2000 05:25:11 -0800 (PST) Resent-Date: Wed, 9 Feb 2000 05:25:11 -0800 (PST) Date: Wed, 09 Feb 2000 07:24:05 -0600 From: Mark Wahl Subject: Re: RFC2251: RootDSE subschemasubentry issue In-reply-to: "Your message of Mon, 07 Feb 2000 09:40:04 PST." <3.0.5.32.20000207094004.009392d0@infidel.boolean.net> Sender: Mark.Wahl@INNOSOFT.COM To: "Kurt D. Zeilenga" Cc: ietf-ldapext@netscape.com Message-id: <7078.950102645@threadgill.austin.innosoft.com> Resent-Message-ID: <"2Yx4-C.A.WTF.2qWo4"@glacier> Resent-From: ietf-ldapext@netscape.com X-Mailing-List: X-Loop: ietf-ldapext@netscape.com Precedence: list Resent-Sender: ietf-ldapext-request@netscape.com The role of the subschemaSubentry attribute of the root DSE was discussed on the IETF-ASID mailing list during the design of LDAPv3. It provides an important adminstrative function to allow management clients to determine the capabilities of an LDAP server and the data it contains. Mark Wahl, Directory Product Architect Innosoft International, Inc. From list@netscape.com Wed Feb 9 08:29:05 2000 Received: from netscape.com (h-205-217-237-46.netscape.com [205.217.237.46]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id IAA05561 for ; Wed, 9 Feb 2000 08:29:05 -0500 (EST) Received: from aka.mcom.com (aka.mcom.com [205.217.237.180]) by netscape.com (8.8.5/8.8.5) with ESMTP id FAA03711; Wed, 9 Feb 2000 05:24:33 -0800 (PST) Received: (from list@localhost) by aka.mcom.com (8.8.5/8.7.3) id FAA22633; Wed, 9 Feb 2000 05:27:56 -0800 (PST) Resent-Date: Wed, 9 Feb 2000 05:27:56 -0800 (PST) Date: Wed, 09 Feb 2000 07:26:51 -0600 From: Mark Wahl Subject: Re: substring matching rules In-reply-to: "Your message of Tue, 08 Feb 2000 17:56:32 PST." <3.0.5.32.20000208175632.00960270@infidel.boolean.net> Sender: Mark.Wahl@INNOSOFT.COM To: "Kurt D. Zeilenga" Cc: ietf-ldapext@netscape.com Message-id: <7416.950102811@threadgill.austin.innosoft.com> Resent-Message-ID: <"S3Yw6D.A.XhF.btWo4"@glacier> Resent-From: ietf-ldapext@netscape.com X-Mailing-List: X-Loop: ietf-ldapext@netscape.com Precedence: list Resent-Sender: ietf-ldapext-request@netscape.com Thanks for pointing out this discrepancy in inetorgperson section 13.3.3. I'll check with X.501/X.520 and suggest a change to Mark Smith. Mark Wahl, Directory Product Architect Innosoft International, Inc. From list@netscape.com Wed Feb 9 10:06:00 2000 Received: from netscape.com (h-205-217-237-46.netscape.com [205.217.237.46]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id KAA07646 for ; Wed, 9 Feb 2000 10:05:59 -0500 (EST) Received: from aka.mcom.com (aka.mcom.com [205.217.237.180]) by netscape.com (8.8.5/8.8.5) with ESMTP id HAA10464; Wed, 9 Feb 2000 07:01:48 -0800 (PST) Received: (from list@localhost) by aka.mcom.com (8.8.5/8.7.3) id HAA14695; Wed, 9 Feb 2000 07:05:17 -0800 (PST) Resent-Date: Wed, 9 Feb 2000 07:05:17 -0800 (PST) Message-ID: <38A181E4.C683919C@netscape.com> Date: Wed, 09 Feb 2000 10:04:04 -0500 From: mcs@netscape.com (Mark C Smith) Organization: iPlanet E-Commerce Solutions X-Mailer: Mozilla 4.7 [en] (WinNT; U) X-Accept-Language: en MIME-Version: 1.0 To: Mark Wahl CC: "Kurt D. Zeilenga" , ietf-ldapext@netscape.com Subject: Re: substring matching rules References: <7416.950102811@threadgill.austin.innosoft.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Resent-Message-ID: <"JA1JBC.A.VlD.sIYo4"@glacier> Resent-From: ietf-ldapext@netscape.com X-Mailing-List: X-Loop: ietf-ldapext@netscape.com Precedence: list Resent-Sender: ietf-ldapext-request@netscape.com Content-Transfer-Encoding: 7bit Mark Wahl wrote: > > Thanks for pointing out this discrepancy in inetorgperson section 13.3.3. > I'll check with X.501/X.520 and suggest a change to Mark Smith. Yes, this looks like a bug in the inetOrgPerson document... to match X.520, the definition of caseExactSubstringsMatch should be: ( 2.5.13.7 NAME 'caseExactSubstringsMatch' SYNTAX 1.3.6.1.4.1.1466.115.121.1.58 ) I replaced the DirectoryString syntax OID with the OID for SubstringAssertion. Correct? According to X.520, the values that make up a Substring Assertion are each of syntax DirectoryString: 6.1.3 Case Ignore Substrings Match The Case Ignore Substrings Match rule determines whether a presented value is a substring of an attribute value of type DirectoryString, without regard to the case (upper or lower) of the strings. caseIgnoreSubstringsMatch MATCHING-RULE ::= { SYNTAX SubstringAssertion ID id-mr-caseIgnoreSubstringsMatch } SubstringAssertion ::= SEQUENCE OF CHOICE { initial [0] DirectoryString {ub-match}, any [1] DirectoryString {ub-match}, final [2] DirectoryString {ub-match} } -- at most one initial and one final component Kurt, I think the syntaxes associated with matching rules refer to the syntax of a presented value, e.g., a value that is in a search filter. That's how I think about it anyway.... -- Mark Smith Directory Product Development / iPlanet E-Commerce Solutions My words are my own, not my employer's. Got LDAP? From list@netscape.com Wed Feb 9 10:08:34 2000 Received: from netscape.com (h-205-217-237-46.netscape.com [205.217.237.46]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id KAA07675 for ; Wed, 9 Feb 2000 10:08:33 -0500 (EST) Received: from aka.mcom.com (aka.mcom.com [205.217.237.180]) by netscape.com (8.8.5/8.8.5) with ESMTP id HAA10966; Wed, 9 Feb 2000 07:04:02 -0800 (PST) Received: (from list@localhost) by aka.mcom.com (8.8.5/8.7.3) id HAA15550; Wed, 9 Feb 2000 07:07:31 -0800 (PST) Resent-Date: Wed, 9 Feb 2000 07:07:31 -0800 (PST) From: "Peter Strong" To: "Kurt D. Zeilenga" , Mark Meredith Cc: ietf-ldapext Subject: RE: please publish draft-mmeredith-rootdse-vendor-info-01.txt Date: Wed, 9 Feb 2000 10:10:06 -0500 Message-ID: <002401bf730f$bf525190$3750fb8d@net-pstrong.corpnorth.baynetworks.com> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook 8.5, Build 4.71.2173.0 Importance: Normal X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3110.3 In-Reply-To: <3.0.5.32.20000208123016.0092f490@infidel.boolean.net> Resent-Message-ID: <"ySUQRB.A.syD.zKYo4"@glacier> Resent-From: ietf-ldapext@netscape.com X-Mailing-List: X-Loop: ietf-ldapext@netscape.com Precedence: list Resent-Sender: ietf-ldapext-request@netscape.com Content-Transfer-Encoding: 7bit Kurt/Mark > From: Kurt D. Zeilenga [mailto:Kurt@OpenLDAP.org] > Sent: Tuesday, February 08, 2000 3:30 PM > To: Mark Meredith > Cc: ietf-ldapext > Subject: Re: please publish draft-mmeredith-rootdse-vendor-info-01.txt > > Mark, a few comments: > > I suggest that this draft be a informational elective feature. As a designer of products that have to support multiple directory implementations, I have to disagree. Vendor identification information should be mandatory in all directory implementations until such time as vendors get together, solve their differences and make their directory implementations truely interoperable. (I'm not holding my breath for this momentous event!) > I believe that prior operational experience with such features > have proven to be source of numerous interoperability problems. I don't think that providing useful information is the source of interoperability problems. The source of interoperability problems is the basic fact that vendors will always implement part or all of a standard in order to say that they comply and will then add other features/bells/whistles to differentiate their product from their competitor's. This may cause some clients difficulties, but it's the way the world works and the way that new technologies are introduced and (eventually) standardized. As we progress with directory technology, more and more of the basic standards are implemented by vendors, but this implementation takes place at different rates for different vendors. Knowing the vendor and the version via a "standard" mechanism simply makes it easier to determine what implementation you're talking to and what "implementation quirks" might exist. I think Mark makes it clear that clients shouldn't depend on this information too heavily: The use of vendorName and vendorVersion SHOULD NOT be used to discover features. It is just an informational attribute. If a client relies on a vendorVersion number then that client MUST be coded to work with later versions and not just one version and no other. > You'll end up with clients that only support select versions > of select vendor products and other vendors resorting to > spoofing the vendor names/versions. (We've already have > received requests (and patches) from users to do exactly > this!). This is like saying that indicator lights on cars are dangerous because a driver may signal one way and turn the other; therefore, we shouldn't have signal lights on cars! If you're stupid enough to develop a client with hard-coded limits based on this information, you get what you deserve! If you have vendors spoofing this information, they'll get what they deserve - in the marketplace! All debate aside, this "feature" is simple, straightforward and useful to those of us who must attempt to integrate our products with multiple directory implementations. We're currently faced with delivering product that must interwork with Netscape, Novell, Active Directory and an in-house directory, with others on the way. As one example of what we have to deal with, each of these directories has a subtly different way of altering the schema definitions (even though there is a standard for this behaviour). We currently have to perform some really disgusting, poking and prodding to determine what type of directory we're talking to in order to perform the schema changes properly. We'd rather just query some attributes at a well-known location and perform the appropriate schema update based on that information. Directory implementations will always have differences. It's that simple. If we're arguing about such a simple addition on the basis that it may disrupt the ivory tower of interoperability, I fail to see how far more complex aspects of directory usage will ever be standardized or agreed to. > I suggest adding an applicability statement to the overview, > such as: > This document describes an elective feature which LDAP > servers MAY implement. > > I then suggest that the applicability statement in each > attribute descriptions be replaced with a technical > specification. > The value of vendorName contains the name of the vendor > producing or providing server implementation. > Example: "Novell, Inc." > > Likewise for vendorVersion: > The value of vendorVersion contains the string indicating > the version of the directory implementation. > Example: "NDS > 2100-r1.2.3/NT4SP3/US-crypto-128-1.1/TurboBlaster-v2 compat FooDir" > > No matching rules are defined. An EQUALITY > matching rule should minimally be defined. I suggest > caseExactMatch. > > Security Considerations: > > You may want to add a note publishing specific vendor > information may be used by clients to determine what > security holes a server provides (by feature or flaw). > > You may note that servers MAY restrict access to > vendorName/vendorVersion and clients SHOULD NOT > expect such attribute to be available. > > > Regards, Peter ------------------------------------------------------------------------ Peter Strong Software Architect Nortel Networks - Optivity Policy Services (OPS) and NetID pestrong@nortelnetworks.com (613) 831-6615 From list@netscape.com Wed Feb 9 10:48:31 2000 Received: from netscape.com (h-205-217-237-47.netscape.com [205.217.237.47]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id KAA08399 for ; Wed, 9 Feb 2000 10:48:30 -0500 (EST) Received: from aka.mcom.com (aka.mcom.com [205.217.237.180]) by netscape.com (8.8.5/8.8.5) with ESMTP id HAA03029; Wed, 9 Feb 2000 07:45:36 -0800 (PST) Received: (from list@localhost) by aka.mcom.com (8.8.5/8.7.3) id HAA25999; Wed, 9 Feb 2000 07:47:19 -0800 (PST) Resent-Date: Wed, 9 Feb 2000 07:47:19 -0800 (PST) Message-ID: From: "Salter, Thomas A" To: ietf-ldapext@netscape.com Subject: RE: substring matching rules Date: Wed, 9 Feb 2000 10:48:18 -0500 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: text/plain; charset="iso-8859-1" Resent-Message-ID: <"wLEzoB.A.7VG.FwYo4"@glacier> Resent-From: ietf-ldapext@netscape.com X-Mailing-List: X-Loop: ietf-ldapext@netscape.com Precedence: list Resent-Sender: ietf-ldapext-request@netscape.com Here's the X.511 definition of Filter. The need for two matching rules arises from the definition of substrings as three different value components each having the syntax of the substrings matching rule. The extensibleMatch component has only a single value component which, for a substring match, must be the same SEQUENCE defined in the strings component of the substrings filter item. Filter ::= CHOICE { item [0] FilterItem, and [1] SET OF Filter, or [2] SET OF Filter, not [3] Filter } FilterItem ::= CHOICE { equality [0] AttributeValueAssertion, substrings [1] SEQUENCE { type ATTRIBUTE.&id({SupportedAttributes}), strings SEQUENCE OF CHOICE { initial [0] ATTRIBUTE.&Type ({SupportedAttributes}{@substrings.type}), any [1] ATTRIBUTE.&Type ({SupportedAttributes}{@substrings.type}), final [2] ATTRIBUTE.&Type ({SupportedAttributes}{@substrings.type})}}, greaterOrEqual [2] AttributeValueAssertion, lessOrEqual [3] AttributeValueAssertion, present [4] AttributeType, approximateMatch [5] AttributeValueAssertion, extensibleMatch [6] MatchingRuleAssertion } MatchingRuleAssertion ::= SEQUENCE { matchingRule [1] SET SIZE (1..MAX) OF MATCHING-RULE.&id, type [2] AttributeType OPTIONAL, matchValue [3] MATCHING-RULE.&AssertionType ( CONSTRAINED BY { - matchValue must be a value of type specified by the &AssertionType field of -- one of the MATCHING-RULE information objects identified by matchingRule -- } ), dnAttributes [4] BOOLEAN DEFAULT FALSE } > -----Original Message----- > From: Kurt D. Zeilenga [mailto:Kurt@OpenLDAP.org] > Sent: Tuesday, February 08, 2000 8:57 PM > To: ietf-ldapext@netscape.com > Subject: Re: substring matching rules > > > At 11:33 AM 2/8/00 -0800, Kurt D. Zeilenga wrote: > >RFC 2252, 8.3 says: > > ( 2.5.13.4 NAME 'caseIgnoreSubstringsMatch' > > SYNTAX 1.3.6.1.4.1.1466.115.121.1.58 ) > > > > Interesting enough, the inetOrgPerson draft says: > > 13.3.3. Additional matching rules from X.520 > > ( 2.5.13.5 NAME 'caseExactMatch' > SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) > > ( 2.5.13.7 NAME 'caseExactSubstringsMatch' > SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) > > I don't have a copy of X.520 to confirm correctness. But > appear so. When used in a substrings filter, the asserted > substrings are each of directoryString syntax, not each a > substringsAssertion syntax. > > The caseIgnoreSubstringsMatch implies that in a substrings > filter, each of the asserted substrings are each of > substringsAssertion syntax. This is incorrect. Each should > be a directoryString. > > I believe two matching rules, one for substrings filters > and one for extended matching using substrings assertions, > are needed for every match algorithm. That is: > > ( .1 NAME 'mySubstringsMatch' > DESC 'for use with substring filters' > SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) > ( .2 NAME 'mySubstringsExtendedMatch' > DESC 'for use with extended match filters' > SYNTAX 1.3.6.1.4.1.1466.115.121.1.58 ) > > (where is replaced with some valid OID). > > From list@netscape.com Wed Feb 9 10:52:39 2000 Received: from netscape.com (h-205-217-237-46.netscape.com [205.217.237.46]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id KAA08555 for ; Wed, 9 Feb 2000 10:52:38 -0500 (EST) Received: from aka.mcom.com (aka.mcom.com [205.217.237.180]) by netscape.com (8.8.5/8.8.5) with ESMTP id HAA16057; Wed, 9 Feb 2000 07:48:02 -0800 (PST) Received: (from list@localhost) by aka.mcom.com (8.8.5/8.7.3) id HAA27530; Wed, 9 Feb 2000 07:51:29 -0800 (PST) Resent-Date: Wed, 9 Feb 2000 07:51:29 -0800 (PST) Date: Wed, 09 Feb 2000 09:50:14 -0600 From: Mark Wahl Subject: Re: please publish draft-mmeredith-rootdse-vendor-info-01.txt In-reply-to: "Your message of Tue, 08 Feb 2000 12:20:34 MST." Sender: Mark.Wahl@INNOSOFT.COM To: Mark Meredith Cc: ietf-ldapext@netscape.com Message-id: <24386.950111414@threadgill.austin.innosoft.com> Resent-Message-ID: <"YmyTMB.A.ztG.A0Yo4"@glacier> Resent-From: ietf-ldapext@netscape.com X-Mailing-List: X-Loop: ietf-ldapext@netscape.com Precedence: list Resent-Sender: ietf-ldapext-request@netscape.com Again, I believe this is the wrong approach to specifying server behavior and will not lead to interoperable clients. If there is a element of service X which two or more vendors implement differently, then there should be a proposal for a new attribute or similar for the server to advertise how it implements X. For example, allowsMultipleSubschemas: TRUE or accessControlScheme: 1.2.3.4 A standards-track proposal would be best for each, because during the course of discussion on the mailing list, we may find that the root DSE it not the best place for it, or there are more than an anticipated number of approaches and so what was a BOOLEAN option flag might be better described some other way. E.g. if a server uses chaining to automatically forward operations in a naming context to other servers which is a different implementation, then the capabilities that the chaining initiating server might advertise would potentially be more than if the server was not chaining. Another example. A server implementation allows the subschema subentry to be modified to introduce new object classes, for compatibility with Netscape-oriented clients. It also allows subsubentries to be created below the subschema subentry to introduce new object classes, for compatibility with Active Directory-oriented clients. That server would advertise: allowsSubschemaEntryModification: TRUE implementsSubschemaLikeActiveDirectory: TRUE > If a client relies on a vendorVersion number then that client MUST > be coded to work with later versions and not just one version and > no other. I don't see how this would work at all. If the first version of the server ships on 1-JAN-2000, the client ships on 1-JAN-2001 and the next version of the server makes an incompatible change to something and ships on 1-JAN-2002, that would mean that the client would need to know a year in advance what non-backwards compatible changes would be made. Mark Wahl, Directory Product Architect Innosoft International, Inc. From list@netscape.com Wed Feb 9 10:58:51 2000 Received: from netscape.com (h-205-217-237-47.netscape.com [205.217.237.47]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id KAA08652 for ; Wed, 9 Feb 2000 10:58:50 -0500 (EST) Received: from aka.mcom.com (aka.mcom.com [205.217.237.180]) by netscape.com (8.8.5/8.8.5) with ESMTP id HAA05134; Wed, 9 Feb 2000 07:56:04 -0800 (PST) Received: (from list@localhost) by aka.mcom.com (8.8.5/8.7.3) id HAA29277; Wed, 9 Feb 2000 07:57:48 -0800 (PST) Resent-Date: Wed, 9 Feb 2000 07:57:48 -0800 (PST) Message-Id: X-Mailer: Novell GroupWise Internet Agent 5.5.2.1 Date: Wed, 09 Feb 2000 08:57:38 -0700 From: "Roger Harrison" To: , "Mark Meredith" Cc: Subject: Re: please publish draft-mmeredith-rootdse-vendor-info-01.txt Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Disposition: inline Resent-Message-ID: <"Dg2Hk.A.EJH.75Yo4"@glacier> Resent-From: ietf-ldapext@netscape.com X-Mailing-List: X-Loop: ietf-ldapext@netscape.com Precedence: list Resent-Sender: ietf-ldapext-request@netscape.com Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by ietf.org id KAA08652 I agree wholeheartedly with your thoughts. For documented server features, the best way to specify server behavior is by some standard mechanism. There could even be some sort of grading provided to allow servers to specify which portions of a feature are implemented. However, every server implementation has "quirks" (also sometimes known as bugs), which may not be known in advance of shipping the server. A client that wants to interoperate with a server that doesn't do something quite right can be greatly aided if it knows the server's vendor and version. Often there's a way to work around quirky behavior if that information is available. Roger Harrison Novell, Inc. >>> Mark Wahl 02/09/00 08:51AM >>> Again, I believe this is the wrong approach to specifying server behavior and will not lead to interoperable clients. If there is a element of service X which two or more vendors implement differently, then there should be a proposal for a new attribute or similar for the server to advertise how it implements X. For example, allowsMultipleSubschemas: TRUE or accessControlScheme: 1.2.3.4 A standards-track proposal would be best for each, because during the course of discussion on the mailing list, we may find that the root DSE it not the best place for it, or there are more than an anticipated number of approaches and so what was a BOOLEAN option flag might be better described some other way. E.g. if a server uses chaining to automatically forward operations in a naming context to other servers which is a different implementation, then the capabilities that the chaining initiating server might advertise would potentially be more than if the server was not chaining. Another example. A server implementation allows the subschema subentry to be modified to introduce new object classes, for compatibility with Netscape-oriented clients. It also allows subsubentries to be created below the subschema subentry to introduce new object classes, for compatibility with Active Directory-oriented clients. That server would advertise: allowsSubschemaEntryModification: TRUE implementsSubschemaLikeActiveDirectory: TRUE > If a client relies on a vendorVersion number then that client MUST > be coded to work with later versions and not just one version and > no other. I don't see how this would work at all. If the first version of the server ships on 1-JAN-2000, the client ships on 1-JAN-2001 and the next version of the server makes an incompatible change to something and ships on 1-JAN-2002, that would mean that the client would need to know a year in advance what non-backwards compatible changes would be made. Mark Wahl, Directory Product Architect Innosoft International, Inc. From list@netscape.com Wed Feb 9 11:47:58 2000 Received: from netscape.com (h-205-217-237-46.netscape.com [205.217.237.46]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id LAA10186 for ; Wed, 9 Feb 2000 11:47:57 -0500 (EST) Received: from aka.mcom.com (aka.mcom.com [205.217.237.180]) by netscape.com (8.8.5/8.8.5) with ESMTP id IAA23609; Wed, 9 Feb 2000 08:43:24 -0800 (PST) Received: (from list@localhost) by aka.mcom.com (8.8.5/8.7.3) id IAA22675; Wed, 9 Feb 2000 08:46:53 -0800 (PST) Resent-Date: Wed, 9 Feb 2000 08:46:53 -0800 (PST) Date: Wed, 09 Feb 2000 10:45:43 -0600 From: Mark Wahl Subject: Re: please publish draft-mmeredith-rootdse-vendor-info-01.txt In-reply-to: "Your message of Wed, 09 Feb 2000 08:57:38 MST." Sender: Mark.Wahl@INNOSOFT.COM To: Roger Harrison Cc: Mark Meredith , ietf-ldapext@netscape.com Message-id: <1014.950114743@threadgill.austin.innosoft.com> Resent-Message-ID: <"sl9WpB.A.-hF.8nZo4"@glacier> Resent-From: ietf-ldapext@netscape.com X-Mailing-List: X-Loop: ietf-ldapext@netscape.com Precedence: list Resent-Sender: ietf-ldapext-request@netscape.com > However, every server implementation has "quirks" (also sometimes known as > bugs), which may not be known in advance of shipping the server. Correct. My concern is primarily that the draft is proposing also doing feature selection with this. I don't have a problem in general with using version names and numbers for bug detection though, so long as the client behavior is specified along the lines of If the client does not recognize the specific vendor/version as one it has its 'bug workaround needed' table, then the client must assume that the server it is talking to is complete and correct. Mark Wahl, Directory Product Architect Innosoft International, Inc. From list@netscape.com Wed Feb 9 11:51:16 2000 Received: from netscape.com (h-205-217-237-46.netscape.com [205.217.237.46]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id LAA10292 for ; Wed, 9 Feb 2000 11:51:10 -0500 (EST) Received: from aka.mcom.com (aka.mcom.com [205.217.237.180]) by netscape.com (8.8.5/8.8.5) with ESMTP id IAA24696; Wed, 9 Feb 2000 08:46:35 -0800 (PST) Received: (from list@localhost) by aka.mcom.com (8.8.5/8.7.3) id IAA25864; Wed, 9 Feb 2000 08:50:03 -0800 (PST) Resent-Date: Wed, 9 Feb 2000 08:50:03 -0800 (PST) Message-Id: <3.0.5.32.20000209084941.00939140@infidel.boolean.net> X-Sender: guru@infidel.boolean.net X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.5 (32) Date: Wed, 09 Feb 2000 08:49:41 -0800 To: Mark Wahl From: "Kurt D. Zeilenga" Subject: Re: RFC2251: RootDSE subschemasubentry issue Cc: ietf-ldapext@netscape.com In-Reply-To: <7078.950102645@threadgill.austin.innosoft.com> References: <"Your message of Mon, 07 Feb 2000 09:40:04 PST." <3.0.5.32.20000207094004.009392d0@infidel.boolean.net> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Resent-Message-ID: <"AxShc.A.ISG.4qZo4"@glacier> Resent-From: ietf-ldapext@netscape.com X-Mailing-List: X-Loop: ietf-ldapext@netscape.com Precedence: list Resent-Sender: ietf-ldapext-request@netscape.com At 07:24 AM 2/9/00 -0600, Mark Wahl wrote: >The role of the subschemaSubentry attribute of the root DSE was discussed on >the IETF-ASID mailing list during the design of LDAPv3. Are the archives to the IETF-ASID mailing list still available? >It provides an important adminstrative function to allow management >clients to determine the capabilities of an LDAP server and the data >it contains. A couple of questions: How does a client determine which subschema subentry controls the RootDSE? David said that this wasn't needed. I disagre. The RootDSE may contain additional attributes to which the client may desire to access and hence may desire to discover schema for. It's possible that attribute type "foo" be listed differently in two different subschemas (because each was being separately maintained). Which defines "foo" as used in the Root DSE? But how can an attribute type restricted to SINGLE-VALUE (RFC 2252) take on multiple values as prescribed (RFC 2251)? Seems that one of the two documents must be in error. Kurt From list@netscape.com Wed Feb 9 12:09:25 2000 Received: from netscape.com (h-205-217-237-46.netscape.com [205.217.237.46]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id MAA10935 for ; Wed, 9 Feb 2000 12:09:22 -0500 (EST) Received: from aka.mcom.com (aka.mcom.com [205.217.237.180]) by netscape.com (8.8.5/8.8.5) with ESMTP id JAA28047; Wed, 9 Feb 2000 09:04:41 -0800 (PST) Received: (from list@localhost) by aka.mcom.com (8.8.5/8.7.3) id JAA04276; Wed, 9 Feb 2000 09:08:10 -0800 (PST) Resent-Date: Wed, 9 Feb 2000 09:08:10 -0800 (PST) Message-Id: <3.0.5.32.20000209090759.0097bc80@infidel.boolean.net> X-Sender: guru@infidel.boolean.net X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.5 (32) Date: Wed, 09 Feb 2000 09:07:59 -0800 To: mcs@netscape.com (Mark C Smith) From: "Kurt D. Zeilenga" Subject: Re: substring matching rules Cc: Mark Wahl , ietf-ldapext@netscape.com In-Reply-To: <38A181E4.C683919C@netscape.com> References: <7416.950102811@threadgill.austin.innosoft.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Resent-Message-ID: <"lDsJO.A.iCB.57Zo4"@glacier> Resent-From: ietf-ldapext@netscape.com X-Mailing-List: X-Loop: ietf-ldapext@netscape.com Precedence: list Resent-Sender: ietf-ldapext-request@netscape.com So, if I want to define a bitString substring matching rule where each asserted component is a bitString, I should define a bitStringSubstrings (assertion) syntax and than use this as the syntax of asserted values of bitStringSubstringsMatch? Okay, so why? ( 2.5.13.10 NAME 'numericStringSubstringsMatch' SYNTAX 1.3.6.1.4.1.1466.115.121.1.58 ) This says that each asserted substring component is of directoryString syntax. I would think each asserted substring component should be of numericString syntax. From list@netscape.com Wed Feb 9 12:48:30 2000 Received: from netscape.com (h-205-217-237-46.netscape.com [205.217.237.46]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id MAA12668 for ; Wed, 9 Feb 2000 12:48:30 -0500 (EST) Received: from aka.mcom.com (aka.mcom.com [205.217.237.180]) by netscape.com (8.8.5/8.8.5) with ESMTP id JAA04419; Wed, 9 Feb 2000 09:43:43 -0800 (PST) Received: (from list@localhost) by aka.mcom.com (8.8.5/8.7.3) id JAA23447; Wed, 9 Feb 2000 09:47:12 -0800 (PST) Resent-Date: Wed, 9 Feb 2000 09:47:12 -0800 (PST) Message-Id: X-Mailer: Novell GroupWise Internet Agent 5.5.2.1 Date: Wed, 09 Feb 2000 10:46:56 -0700 From: "Mark Meredith" To: , "Roger Harrison" Cc: Subject: Re: please publish draft-mmeredith-rootdse-vendor-info-01.txt Mime-Version: 1.0 Content-Type: multipart/alternative; boundary="=_5108C508.ED8CB993" Resent-Message-ID: <"w22QmC.A.tsF.cgao4"@glacier> Resent-From: ietf-ldapext@netscape.com X-Mailing-List: X-Loop: ietf-ldapext@netscape.com Precedence: list Resent-Sender: ietf-ldapext-request@netscape.com This is a MIME message. If you are reading this text, you may want to consider changing to a mail reader or gateway that understands how to properly handle MIME multipart messages. --=_5108C508.ED8CB993 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: quoted-printable I will add your suggestion to section 6 Notes to Client Developers. To = read something like this. 6. Notes to Client Developers The use of vendorName and vendorVersion SHOULD NOT be used to discover features. It is just an informational attribute. If a client relies on a vendorVersion number then that client MUST be coded to work with later versions and not just one version and no other. If the client does not recognize the specific vendorName/vendorVersion= as=20 one it has for its 'bug workaround needed' table, then the client = MUST=20 assume that the server it is talking to is complete and correct.=20 Does this look ok? -Mark Mark Meredith Novell Inc 122 E. 1700 S. Provo UT 84606 mark_meredith@novell.com 801-861-2645 --------------------- A boat in the harbor is safe,=20 but that is not what boats are for. --John A. Shed --------------------- >>> Mark Wahl 02/09/00 09:45AM >>> > However, every server implementation has "quirks" (also sometimes known = as=20 > bugs), which may not be known in advance of shipping the server.=20 Correct. My concern is primarily that the draft is proposing also = doing=20 feature selection with this. I don't have a problem in general with = using=20 version names and numbers for bug detection though, so long as the = client=20 behavior is specified along the lines of If the client does not recognize the specific vendor/version as one it has its 'bug workaround needed' table, then the client must assume that the=20 server it is talking to is complete and correct.=20 Mark Wahl, Directory Product Architect Innosoft International, Inc. --=_5108C508.ED8CB993 Content-Type: text/html; charset=US-ASCII Content-Transfer-Encoding: quoted-printable

I will add your suggestion to section 6 Notes to Client Developers. To read something like this.

6. Notes to Client Developers

     The use of vendorName and vendorVersion SHOULD NOT be used to
     discover features. It is just an informational attribute. If a
     client relies on a vendorVersion number then that client MUST
     be coded to work with later versions and not just one version and
     no other.

If the client does not recognize the specific vendorName/vendorVersion as

one it has for its 'bug workaround needed' table, then the client MUST

assume that the server it is talking to is complete and correct.

Does this look ok?

-Mark

Mark Meredith
Novell Inc
122 E. 1700 S. Provo UT 84606
mark_meredith@novell.com
801-861-2645
---------------------
A boat in the harbor is safe,
but that is not what boats are for.
--John A. Shed
---------------------

>>> Mark Wahl <M.Wahl@INNOSOFT.COM> 02/09/00 09:45AM >>>

> However, every server implementation has "quirks" (also sometimes known as
> bugs), which may not be known in advance of shipping the server.

Correct. My concern is primarily that the draft is proposing also doing
feature selection with this. I don't have a problem in general with using
version names and numbers for bug detection though, so long as the client
behavior is specified along the lines of

If the client does not recognize the specific vendor/version as one it has
its 'bug workaround needed' table, then the client must assume that the
server it is talking to is complete and correct.

Mark Wahl, Directory Product Architect
Innosoft International, Inc.

--=_5108C508.ED8CB993-- From list@netscape.com Wed Feb 9 13:09:50 2000 Received: from netscape.com (h-205-217-237-46.netscape.com [205.217.237.46]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id NAA13947 for ; Wed, 9 Feb 2000 13:09:47 -0500 (EST) Received: from aka.mcom.com (aka.mcom.com [205.217.237.180]) by netscape.com (8.8.5/8.8.5) with ESMTP id KAA09325; Wed, 9 Feb 2000 10:05:06 -0800 (PST) Received: (from list@localhost) by aka.mcom.com (8.8.5/8.7.3) id KAA06439; Wed, 9 Feb 2000 10:08:34 -0800 (PST) Resent-Date: Wed, 9 Feb 2000 10:08:34 -0800 (PST) Message-Id: <3.0.5.32.20000209100822.00976100@infidel.boolean.net> X-Sender: guru@infidel.boolean.net X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.5 (32) Date: Wed, 09 Feb 2000 10:08:22 -0800 To: ietf-ldapext@netscape.com From: "Kurt D. Zeilenga" Subject: unsolicited controls (Was: I-D ACTION:draft-weltman-ldapv3-auth-response-01.txt) In-Reply-To: <200002091641.LAA09935@ietf.org> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Resent-Message-ID: <"LJvB9.A.8jB.g0ao4"@glacier> Resent-From: ietf-ldapext@netscape.com X-Mailing-List: X-Loop: ietf-ldapext@netscape.com Precedence: list Resent-Sender: ietf-ldapext-request@netscape.com I like to voice a general concern about unsolicited response controls. That is, controls provided by servers without the client implicit or explicit solicitating the control. I believe we should discourage unsolicited controls in responses. As the number of such controls increase, which is inevidable, clients and networks will be overloaded with unneeded information. It would prudent, IMO, to provide and encourage use of client solicatation of desired information. That is, our general protocol model is one of client request/server response. I see no overriding reason why this particular control should not be sent without solicitation. I suggest that this response control be explicitly solicited by the client via a request control. Kurt From list@netscape.com Wed Feb 9 13:11:26 2000 Received: from netscape.com (h-205-217-237-47.netscape.com [205.217.237.47]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id NAA14077 for ; Wed, 9 Feb 2000 13:11:24 -0500 (EST) Received: from aka.mcom.com (aka.mcom.com [205.217.237.180]) by netscape.com (8.8.5/8.8.5) with ESMTP id KAA23835; Wed, 9 Feb 2000 10:08:14 -0800 (PST) Received: (from list@localhost) by aka.mcom.com (8.8.5/8.7.3) id KAA07629; Wed, 9 Feb 2000 10:09:58 -0800 (PST) Resent-Date: Wed, 9 Feb 2000 10:09:58 -0800 (PST) Message-ID: <38A1ADB6.6AA56D34@netscape.com> Date: Wed, 09 Feb 2000 10:11:02 -0800 From: dboreham@netscape.com (David Boreham) X-Mailer: Mozilla 4.7 [en] (WinNT; U) X-Accept-Language: en MIME-Version: 1.0 To: "Kurt D. Zeilenga" CC: ietf-ldapext@netscape.com Subject: Re: unsolicited controls (Was: I-DACTION:draft-weltman-ldapv3-auth-response-01.txt) References: <3.0.5.32.20000209100822.00976100@infidel.boolean.net> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Resent-Message-ID: <"BdjbNB.A.72B.21ao4"@glacier> Resent-From: ietf-ldapext@netscape.com X-Mailing-List: X-Loop: ietf-ldapext@netscape.com Precedence: list Resent-Sender: ietf-ldapext-request@netscape.com Content-Transfer-Encoding: 7bit Examples ? "Kurt D. Zeilenga" wrote: > I like to voice a general concern about unsolicited response > controls. That is, controls provided by servers without the > client implicit or explicit solicitating the control. > > I believe we should discourage unsolicited controls in responses. > > As the number of such controls increase, which is inevidable, > clients and networks will be overloaded with unneeded information. > It would prudent, IMO, to provide and encourage use of client > solicatation of desired information. That is, our general > protocol model is one of client request/server response. I > see no overriding reason why this particular control should > not be sent without solicitation. > > I suggest that this response control be explicitly solicited > by the client via a request control. > > Kurt From list@netscape.com Wed Feb 9 13:54:18 2000 Received: from netscape.com (h-205-217-237-46.netscape.com [205.217.237.46]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id NAA16856 for ; Wed, 9 Feb 2000 13:54:16 -0500 (EST) Received: from aka.mcom.com (aka.mcom.com [205.217.237.180]) by netscape.com (8.8.5/8.8.5) with ESMTP id KAA17886; Wed, 9 Feb 2000 10:49:54 -0800 (PST) Received: (from list@localhost) by aka.mcom.com (8.8.5/8.7.3) id KAA13553; Wed, 9 Feb 2000 10:53:23 -0800 (PST) Resent-Date: Wed, 9 Feb 2000 10:53:23 -0800 (PST) Message-Id: <3.0.5.32.20000209105319.009804f0@infidel.boolean.net> X-Sender: guru@infidel.boolean.net X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.5 (32) Date: Wed, 09 Feb 2000 10:53:19 -0800 To: dboreham@netscape.com (David Boreham) From: "Kurt D. Zeilenga" Subject: Re: unsolicited controls (Was: I-DACTION:draft-weltman-ldapv3-auth-response-01.txt) Cc: ietf-ldapext@netscape.com In-Reply-To: <38A1ADB6.6AA56D34@netscape.com> References: <3.0.5.32.20000209100822.00976100@infidel.boolean.net> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Resent-Message-ID: <"_-1YhB.A.dTD.iebo4"@glacier> Resent-From: ietf-ldapext@netscape.com X-Mailing-List: X-Loop: ietf-ldapext@netscape.com Precedence: list Resent-Sender: ietf-ldapext-request@netscape.com At 10:11 AM 2/9/00 -0800, David Boreham wrote: > >Examples ? draft-weltman-ldapv3-auth-response-01.txt draft-behera-ldap-password-policy-00.txt I feel the client should be required to take some explicit action before the returns any response not described by the core specifications. This act may be an explicit request control, a control upon bind enabling the behavior for the "session", an extended operation enabling the behavior, or some other form of solicitation. I feel a server should not respond with controls and/or extended responses not detailed by the core specifications without such solicitation. That is, the client should 1) discover what protocol extensions are supported by the server 2) enable desired extensions A server should: 1) published supported extensions 2) disable all extensions until enabled by the client From list@netscape.com Wed Feb 9 14:07:12 2000 Received: from netscape.com (h-205-217-237-46.netscape.com [205.217.237.46]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id OAA17650 for ; Wed, 9 Feb 2000 14:07:11 -0500 (EST) Received: from aka.mcom.com (aka.mcom.com [205.217.237.180]) by netscape.com (8.8.5/8.8.5) with ESMTP id LAA21062; Wed, 9 Feb 2000 11:02:31 -0800 (PST) Received: (from list@localhost) by aka.mcom.com (8.8.5/8.7.3) id KAA20921; Wed, 9 Feb 2000 10:58:55 -0800 (PST) Resent-Date: Wed, 9 Feb 2000 10:58:55 -0800 (PST) Message-Id: <3.0.5.32.20000209105851.00973570@infidel.boolean.net> X-Sender: guru@infidel.boolean.net X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.5 (32) Date: Wed, 09 Feb 2000 10:58:51 -0800 To: ietf-ldapext@netscape.com From: "Kurt D. Zeilenga" Subject: Security Considerations in draft-weltman-ldapv3-auth-response-01.txt In-Reply-To: <200002091641.LAA09935@ietf.org> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Resent-Message-ID: <"H80p_D.A.6FF.tjbo4"@glacier> Resent-From: ietf-ldapext@netscape.com X-Mailing-List: X-Loop: ietf-ldapext@netscape.com Precedence: list Resent-Sender: ietf-ldapext-request@netscape.com I suggest noting explicitly in Security Considerations that the control is not protected by the SASL privacy or integrity protection negotiated by the BIND process returning this control. A client requiring such protection must rely on independent services, such as TLS or IPSEC, or use some operation after negotiating SASL protection services. Because of this consideration, I can see the need for an extended operation to obtain authorization information post BIND. BTW, what's the intended track of this document? I suggest adding a note to the draft indicating your intent. From list@netscape.com Wed Feb 9 14:13:10 2000 Received: from netscape.com (h-205-217-237-46.netscape.com [205.217.237.46]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id OAA17873 for ; Wed, 9 Feb 2000 14:13:09 -0500 (EST) Received: from aka.mcom.com (aka.mcom.com [205.217.237.180]) by netscape.com (8.8.5/8.8.5) with ESMTP id LAA22419; Wed, 9 Feb 2000 11:09:08 -0800 (PST) Received: (from list@localhost) by aka.mcom.com (8.8.5/8.7.3) id LAA29686; Wed, 9 Feb 2000 11:12:38 -0800 (PST) Resent-Date: Wed, 9 Feb 2000 11:12:38 -0800 (PST) Message-ID: <38A1BBFB.A0F93C05@netscape.com> Date: Wed, 09 Feb 2000 11:11:55 -0800 From: rweltman@netscape.com (Rob Weltman) X-Mailer: Mozilla 4.7 [en] (WinNT; U) X-Accept-Language: en-US,sv,ja MIME-Version: 1.0 To: "Kurt D. Zeilenga" CC: ietf-ldapext@netscape.com Subject: Re: Security Considerations indraft-weltman-ldapv3-auth-response-01.txt References: <3.0.5.32.20000209105851.00973570@infidel.boolean.net> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Resent-Message-ID: <"Ra91r.A.kPH.lwbo4"@glacier> Resent-From: ietf-ldapext@netscape.com X-Mailing-List: X-Loop: ietf-ldapext@netscape.com Precedence: list Resent-Sender: ietf-ldapext-request@netscape.com Content-Transfer-Encoding: 7bit Per previous messages: I originally proposed something more along the lines of what you have suggested - a control or extended operation which could be issued at any time to query the authentication identity of a connection. Mark Wahl had a strong argument at the time (a year ago) for why it would be better to have an unsolicited control returned on bind. I don't remember what that strong argument was... Maybe Mark can add to this discussion. "Kurt D. Zeilenga" wrote: > I suggest noting explicitly in Security Considerations that the > control is not protected by the SASL privacy or integrity > protection negotiated by the BIND process returning this control. > A client requiring such protection must rely on independent > services, such as TLS or IPSEC, or use some operation after > negotiating SASL protection services. That could be added, but note that the information being returned in the control is not a password, but just the identity (DN) of the authenticated connection. > > > Because of this consideration, I can see the need for an extended > operation to obtain authorization information post BIND. > > BTW, what's the intended track of this document? I suggest > adding a note to the draft indicating your intent. It depends a little on the interest among participants on this list. Thanks, Rob From list@netscape.com Wed Feb 9 14:27:38 2000 Received: from netscape.com (h-205-217-237-46.netscape.com [205.217.237.46]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id OAA18819 for ; Wed, 9 Feb 2000 14:27:32 -0500 (EST) Received: from aka.mcom.com (aka.mcom.com [205.217.237.180]) by netscape.com (8.8.5/8.8.5) with ESMTP id LAA25054; Wed, 9 Feb 2000 11:22:30 -0800 (PST) Received: (from list@localhost) by aka.mcom.com (8.8.5/8.7.3) id LAA07521; Wed, 9 Feb 2000 11:26:00 -0800 (PST) Resent-Date: Wed, 9 Feb 2000 11:26:00 -0800 (PST) Message-Id: <3.0.5.32.20000209112555.00968970@infidel.boolean.net> X-Sender: guru@infidel.boolean.net X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.5 (32) Date: Wed, 09 Feb 2000 11:25:55 -0800 To: rweltman@netscape.com (Rob Weltman) From: "Kurt D. Zeilenga" Subject: Re: Security Considerations indraft-weltman-ldapv3-auth-response-01.txt Cc: ietf-ldapext@netscape.com In-Reply-To: <38A1BBFB.A0F93C05@netscape.com> References: <3.0.5.32.20000209105851.00973570@infidel.boolean.net> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Resent-Message-ID: <"9w-aYB.A.I1B.H9bo4"@glacier> Resent-From: ietf-ldapext@netscape.com X-Mailing-List: X-Loop: ietf-ldapext@netscape.com Precedence: list Resent-Sender: ietf-ldapext-request@netscape.com At 11:11 AM 2/9/00 -0800, Rob Weltman wrote: >"Kurt D. Zeilenga" wrote: >> I suggest noting explicitly in Security Considerations that the >> control is not protected by the SASL privacy or integrity >> protection negotiated by the BIND process returning this control. >> A client requiring such protection must rely on independent >> services, such as TLS or IPSEC, or use some operation after >> negotiating SASL protection services. > That could be added, but note that the information being returned in the control is not a password, but just the identity (DN) of the authenticated connection. I am specifically concerned that the DN returned may be modified in transit or by man in the middle and the client may assume incorrectly that the information is protected by services negotiated during the bind operation. I believe any specification of a control passed in a Bind Request or Response should have a explicit security consideration statement that control is not protected by services which the Bind may or may not negotiate. From list@netscape.com Wed Feb 9 14:27:53 2000 Received: from netscape.com (h-205-217-237-46.netscape.com [205.217.237.46]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id OAA18839 for ; Wed, 9 Feb 2000 14:27:50 -0500 (EST) Received: from aka.mcom.com (aka.mcom.com [205.217.237.180]) by netscape.com (8.8.5/8.8.5) with ESMTP id LAA25595; Wed, 9 Feb 2000 11:23:14 -0800 (PST) Received: (from list@localhost) by aka.mcom.com (8.8.5/8.7.3) id LAA08267; Wed, 9 Feb 2000 11:26:44 -0800 (PST) Resent-Date: Wed, 9 Feb 2000 11:26:44 -0800 (PST) Message-ID: <38A1BF2C.AFDD7A32@netscape.com> Date: Wed, 09 Feb 2000 14:25:32 -0500 From: mcs@netscape.com (Mark C Smith) Organization: iPlanet E-Commerce Solutions X-Mailer: Mozilla 4.7 [en] (WinNT; U) X-Accept-Language: en MIME-Version: 1.0 To: "Kurt D. Zeilenga" CC: ietf-ldapext@netscape.com Subject: Re: Security Considerations indraft-weltman-ldapv3-auth-response-01.txt References: <3.0.5.32.20000209105851.00973570@infidel.boolean.net> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Resent-Message-ID: <"QmT7G.A.2AC.z9bo4"@glacier> Resent-From: ietf-ldapext@netscape.com X-Mailing-List: X-Loop: ietf-ldapext@netscape.com Precedence: list Resent-Sender: ietf-ldapext-request@netscape.com Content-Transfer-Encoding: 7bit "Kurt D. Zeilenga" wrote: > > BTW, what's the intended track of this document? I suggest > adding a note to the draft indicating your intent. Good point. You raised this before but we neglected to address it. I think this should be a standards track document, i.e., if a server is going to return authentication information this is how it should do it (subject to revision and debate about issues such as whether the client must request the information, etc. of course). My point is that we should have one way of returning this information so that if a server or client needs this feature they can count on it being implemented in just one way from a protocol perspective. -- Mark Smith Directory Product Development / iPlanet E-Commerce Solutions My words are my own, not my employer's. Got LDAP? From list@netscape.com Wed Feb 9 14:30:37 2000 Received: from netscape.com (h-205-217-237-47.netscape.com [205.217.237.47]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id OAA18997 for ; Wed, 9 Feb 2000 14:30:34 -0500 (EST) Received: from aka.mcom.com (aka.mcom.com [205.217.237.180]) by netscape.com (8.8.5/8.8.5) with ESMTP id LAA10745; Wed, 9 Feb 2000 11:27:33 -0800 (PST) Received: (from list@localhost) by aka.mcom.com (8.8.5/8.7.3) id LAA10821; Wed, 9 Feb 2000 11:29:17 -0800 (PST) Resent-Date: Wed, 9 Feb 2000 11:29:17 -0800 (PST) From: "David Chadwick" Organization: University of Salford To: "Kurt D. Zeilenga" , ietf-ldapext@netscape.com, Mark Wahl Date: Wed, 9 Feb 2000 19:26:37 -0000 MIME-Version: 1.0 Content-type: text/plain; charset=US-ASCII Content-transfer-encoding: 7BIT Subject: Re: RFC2251: RootDSE subschemasubentry issue Reply-to: d.w.chadwick@salford.ac.uk Priority: normal In-reply-to: <3.0.5.32.20000209084941.00939140@infidel.boolean.net> References: <7078.950102645@threadgill.austin.innosoft.com> X-mailer: Pegasus Mail for Win32 (v3.12b) Message-Id: Resent-Message-ID: <"xTD8EC.A.zoC.MAco4"@glacier> Resent-From: ietf-ldapext@netscape.com X-Mailing-List: X-Loop: ietf-ldapext@netscape.com Precedence: list Resent-Sender: ietf-ldapext-request@netscape.com Content-Transfer-Encoding: 7BIT Mark, Kurt I think I have an answer to the problem(s) being posed by Kurt. The model as it stands is OK if a server only masters one naming context. Everything works fine. All the entries in the NC and the rootDSE can contain the subschemaSubentry attribute which points to the single subschema subentry. The problem arises once we have multiple NCs in a server. The subschemaSubentry attribute can still be single valued and exist in each entry in each NC and point to the correct subschema subentry. However, the attribute in the root DSE no longer works, for two reasons. Firstly it is supposed to be single valued (as Kurt pointed out) and now it needs to have multiple values. Secondly, (again as Kurt pointed out) there is no way for the user to know from the multivalued attribute in the rootDSE which value points to which subschema subentry for which NC. THis of course is not a problem for the entries within the NC, as they only still need a single pointer to their one and only subschema subentry. Thus I conclude that the model is broken for multiple naming contexts, and that the subschemaSubentry attribute in the rootDSE needs to be replaced by a multivalued attribute, having two components - the context prefix of an NC (an LDAP DN), and the pointer to the subschemaSubentry. Do you agree with this analysis? David *************************************************** David Chadwick IS Institute, University of Salford, Salford M5 4WT Tel +44 161 295 5351 Fax +44 161 745 8169 Mobile +44 790 167 0359 Email D.W.Chadwick@salford.ac.uk Home Page http://www.salford.ac.uk/its024/chadwick.htm Understanding X.500 http://www.salford.ac.uk/its024/X500.htm X.500/LDAP Seminars http://www.salford.ac.uk/its024/seminars.htm Entrust key validation string MLJ9-DU5T-HV8J *************************************************** From list@netscape.com Wed Feb 9 14:31:46 2000 Received: from netscape.com (h-205-217-237-47.netscape.com [205.217.237.47]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id OAA19120 for ; Wed, 9 Feb 2000 14:31:42 -0500 (EST) Received: from aka.mcom.com (aka.mcom.com [205.217.237.180]) by netscape.com (8.8.5/8.8.5) with ESMTP id LAA11472; Wed, 9 Feb 2000 11:29:24 -0800 (PST) Received: (from list@localhost) by aka.mcom.com (8.8.5/8.7.3) id LAA13011; Wed, 9 Feb 2000 11:31:09 -0800 (PST) Resent-Date: Wed, 9 Feb 2000 11:31:09 -0800 (PST) Message-ID: <38A1C055.C82ABF09@netscape.com> Date: Wed, 09 Feb 2000 11:30:29 -0800 From: rweltman@netscape.com (Rob Weltman) X-Mailer: Mozilla 4.7 [en] (WinNT; U) X-Accept-Language: en-US,sv,ja MIME-Version: 1.0 To: "Kurt D. Zeilenga" CC: ietf-ldapext@netscape.com Subject: Re: Security Considerationsindraft-weltman-ldapv3-auth-response-01.txt References: <3.0.5.32.20000209105851.00973570@infidel.boolean.net> <3.0.5.32.20000209112555.00968970@infidel.boolean.net> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Resent-Message-ID: <"VfI_DB.A.xKD.7Bco4"@glacier> Resent-From: ietf-ldapext@netscape.com X-Mailing-List: X-Loop: ietf-ldapext@netscape.com Precedence: list Resent-Sender: ietf-ldapext-request@netscape.com Content-Transfer-Encoding: 7bit "Kurt D. Zeilenga" wrote: > At 11:11 AM 2/9/00 -0800, Rob Weltman wrote: > >"Kurt D. Zeilenga" wrote: > >> I suggest noting explicitly in Security Considerations that the > >> control is not protected by the SASL privacy or integrity > >> protection negotiated by the BIND process returning this control. > >> A client requiring such protection must rely on independent > >> services, such as TLS or IPSEC, or use some operation after > >> negotiating SASL protection services. > > That could be added, but note that the information being returned in the control is not a password, but just the identity (DN) of the authenticated connection. > > I am specifically concerned that the DN returned may be modified > in transit or by man in the middle and the client may assume > incorrectly that the information is protected by services > negotiated during the bind operation. > > I believe any specification of a control passed in a Bind > Request or Response should have a explicit security consideration > statement that control is not protected by services which the > Bind may or may not negotiate. I see. Thanks for pointing that out. The response is returned before any session protection takes effect, so it is more exposed than any other data-carrying LDAP response. Rob From list@netscape.com Wed Feb 9 14:53:03 2000 Received: from netscape.com (h-205-217-237-47.netscape.com [205.217.237.47]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id OAA20123 for ; Wed, 9 Feb 2000 14:53:00 -0500 (EST) Received: from aka.mcom.com (aka.mcom.com [205.217.237.180]) by netscape.com (8.8.5/8.8.5) with ESMTP id LAA16780; Wed, 9 Feb 2000 11:50:28 -0800 (PST) Received: (from list@localhost) by aka.mcom.com (8.8.5/8.7.3) id LAA21972; Wed, 9 Feb 2000 11:42:14 -0800 (PST) Resent-Date: Wed, 9 Feb 2000 11:42:14 -0800 (PST) Message-ID: <38A1C2CD.ED72039D@netscape.com> Date: Wed, 09 Feb 2000 14:41:01 -0500 From: mcs@netscape.com (Mark C Smith) Organization: iPlanet E-Commerce Solutions X-Mailer: Mozilla 4.7 [en] (WinNT; U) X-Accept-Language: en MIME-Version: 1.0 To: "Kurt D. Zeilenga" CC: Mark Wahl , ietf-ldapext@netscape.com Subject: Re: substring matching rules References: <7416.950102811@threadgill.austin.innosoft.com> <3.0.5.32.20000209090759.0097bc80@infidel.boolean.net> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Resent-Message-ID: <"b8GCvD.A.FXF.UMco4"@glacier> Resent-From: ietf-ldapext@netscape.com X-Mailing-List: X-Loop: ietf-ldapext@netscape.com Precedence: list Resent-Sender: ietf-ldapext-request@netscape.com Content-Transfer-Encoding: 7bit I don't have access to all of the right standard documents here, but I suspect that the NumericString syntax is compatible with DirectoryString. Not true for bitString or octetString... in fact, X.521 includes this definition: octetStringSubstringsMatch MATCHING-RULE ::= { SYNTAX OctetSubstringAssertion ID id-mr-octetStringSubstringsMatch } OctetSubstringAssertion ::= SEQUENCE OF CHOICE { initial [0] OCTET STRING, any [1] OCTET STRING, final [2] OCTET STRING } -- at most one initial and one final component which is very similar in concept to your bitStringSubstringsMatch example. It would be nice to add some text about all of this to RFC2252-bis when it is created. -- Mark Smith Directory Product Development / iPlanet E-Commerce Solutions My words are my own, not my employer's. Got LDAP? "Kurt D. Zeilenga" wrote: > > So, if I want to define a bitString substring matching rule > where each asserted component is a bitString, I should define > a bitStringSubstrings (assertion) syntax and than use this as > the syntax of asserted values of bitStringSubstringsMatch? > > Okay, so why? > > ( 2.5.13.10 NAME 'numericStringSubstringsMatch' > SYNTAX 1.3.6.1.4.1.1466.115.121.1.58 ) > > This says that each asserted substring component is of > directoryString syntax. I would think each asserted substring > component should be of numericString syntax. From list@netscape.com Wed Feb 9 14:59:35 2000 Received: from netscape.com (h-205-217-237-47.netscape.com [205.217.237.47]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id OAA20451 for ; Wed, 9 Feb 2000 14:59:35 -0500 (EST) Received: from aka.mcom.com (aka.mcom.com [205.217.237.180]) by netscape.com (8.8.5/8.8.5) with ESMTP id LAA17596; Wed, 9 Feb 2000 11:56:35 -0800 (PST) Received: (from list@localhost) by aka.mcom.com (8.8.5/8.7.3) id LAA00556; Wed, 9 Feb 2000 11:58:20 -0800 (PST) Resent-Date: Wed, 9 Feb 2000 11:58:20 -0800 (PST) Message-Id: <3.0.5.32.20000209115809.00970b70@infidel.boolean.net> X-Sender: guru@infidel.boolean.net X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.5 (32) Date: Wed, 09 Feb 2000 11:58:09 -0800 To: d.w.chadwick@salford.ac.uk From: "Kurt D. Zeilenga" Subject: Re: RFC2251: RootDSE subschemasubentry issue Cc: ietf-ldapext@netscape.com, Mark Wahl In-Reply-To: References: <3.0.5.32.20000209084941.00939140@infidel.boolean.net> <7078.950102645@threadgill.austin.innosoft.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Resent-Message-ID: <"n5RuIC.A.aI.abco4"@glacier> Resent-From: ietf-ldapext@netscape.com X-Mailing-List: X-Loop: ietf-ldapext@netscape.com Precedence: list Resent-Sender: ietf-ldapext-request@netscape.com At 07:26 PM 2/9/00 -0000, David Chadwick wrote: >Do you agree with this analysis? Yes. The next questions are: What other attributes published in RootDSE are naming context specific? I've seen a lot of proposals (including my own) which suggest attributes for publishing capabilities. It's likely that some of these are not server specific, but are naming context specific. From the design perpective, I see different ways of providing naming context specific information: 1) add new attributes which provide the context and the capability as combined value. (Ie: 1A) dn: (root dse) subschemasubentries: dc=openldap,dc=org $ ( cn=subschema $ cn=openldap-subschema ) subschemasubentries: dc=example,dc=com $ cn=subschema ... or: 1B) dn: (root dse) subschemasubentries: dc=openldap,dc=org $ cn=subschema subschemasubentries: dc=openldap,dc=org $ cn=opendlap-subschema subschemasubentries: dc=example,dc=com $ cn=subschema 2) provide an attribute which lists naming contexts AND a provides a DN of an entry (or subentry) which contains attributes describing the naming context specific capabilities. dn: (root dse) namingContextCapabilities: dc=openldap,dc=org $ cn=openldap namingContextCapabilities: dc=example,dc=com $ cn=example dn: cn=openldap subschemasubentries: cn=subschema subschemasubentries: cn=openldap-subschema dn: cn=example subschemasubentires: cn=subschema Comments? From list@netscape.com Wed Feb 9 16:37:01 2000 Received: from netscape.com (h-205-217-237-46.netscape.com [205.217.237.46]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id QAA24510 for ; Wed, 9 Feb 2000 16:36:59 -0500 (EST) Received: from aka.mcom.com (aka.mcom.com [205.217.237.180]) by netscape.com (8.8.5/8.8.5) with ESMTP id NAA16111; Wed, 9 Feb 2000 13:32:12 -0800 (PST) Received: (from list@localhost) by aka.mcom.com (8.8.5/8.7.3) id NAA12279; Wed, 9 Feb 2000 13:35:41 -0800 (PST) Resent-Date: Wed, 9 Feb 2000 13:35:41 -0800 (PST) Message-Id: X-Mailer: Novell GroupWise Internet Agent 5.5.2.1 Date: Wed, 09 Feb 2000 14:34:46 -0700 From: "Steven Merrill" To: "<" Subject: java-api-asynch-ext-04, Sec 4.1.8 search Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Disposition: inline Resent-Message-ID: <"THJwRB.A.K_C.s2do4"@glacier> Resent-From: ietf-ldapext@netscape.com X-Mailing-List: X-Loop: ietf-ldapext@netscape.com Precedence: list Resent-Sender: ietf-ldapext-request@netscape.com Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by ietf.org id QAA24510 For the second search method definition shouldn't an LDAPSearchConstraints object be specified instead of LDAPConstraints? Downcasting the LDAPConstraints to an LDAPSearchContraints object would be dangerous. Steve Merrill Novell, Inc. From list@netscape.com Wed Feb 9 17:27:43 2000 Received: from netscape.com (h-205-217-237-47.netscape.com [205.217.237.47]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id RAA25851 for ; Wed, 9 Feb 2000 17:27:38 -0500 (EST) Received: from aka.mcom.com (aka.mcom.com [205.217.237.180]) by netscape.com (8.8.5/8.8.5) with ESMTP id OAA09321; Wed, 9 Feb 2000 14:25:14 -0800 (PST) Received: (from list@localhost) by aka.mcom.com (8.8.5/8.7.3) id OAA04092; Wed, 9 Feb 2000 14:26:57 -0800 (PST) Resent-Date: Wed, 9 Feb 2000 14:26:57 -0800 (PST) Message-Id: X-Mailer: Novell GroupWise Internet Agent 5.5.2.1 Date: Wed, 09 Feb 2000 15:26:38 -0700 From: "Jim Sermersheim" To: , Cc: , Subject: Re: substring matching rules Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Disposition: inline Resent-Message-ID: <"WHNv-D.A.o_.wmeo4"@glacier> Resent-From: ietf-ldapext@netscape.com X-Mailing-List: X-Loop: ietf-ldapext@netscape.com Precedence: list Resent-Sender: ietf-ldapext-request@netscape.com Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by ietf.org id RAA25851 We still need two separate substrings matching rules (Ech). Either that, or the MatchingRuleDescription needs to allow for two syntaxes, one being the syntax used for the matchValue of an extensibleMatch, and the other used for the substrings value of a normal (not extensible) filter. Jim >>> Mark C Smith 2/9/00 12:42:46 PM >>> I don't have access to all of the right standard documents here, but I suspect that the NumericString syntax is compatible with DirectoryString. Not true for bitString or octetString... in fact, X.521 includes this definition: octetStringSubstringsMatch MATCHING-RULE ::= { SYNTAX OctetSubstringAssertion ID id-mr-octetStringSubstringsMatch } OctetSubstringAssertion ::= SEQUENCE OF CHOICE { initial [0] OCTET STRING, any [1] OCTET STRING, final [2] OCTET STRING } -- at most one initial and one final component which is very similar in concept to your bitStringSubstringsMatch example. It would be nice to add some text about all of this to RFC2252-bis when it is created. -- Mark Smith Directory Product Development / iPlanet E-Commerce Solutions My words are my own, not my employer's. Got LDAP? "Kurt D. Zeilenga" wrote: > > So, if I want to define a bitString substring matching rule > where each asserted component is a bitString, I should define > a bitStringSubstrings (assertion) syntax and than use this as > the syntax of asserted values of bitStringSubstringsMatch? > > Okay, so why? > > ( 2.5.13.10 NAME 'numericStringSubstringsMatch' > SYNTAX 1.3.6.1.4.1.1466.115.121.1.58 ) > > This says that each asserted substring component is of > directoryString syntax. I would think each asserted substring > component should be of numericString syntax. From list@netscape.com Wed Feb 9 18:16:07 2000 Received: from netscape.com (h-205-217-237-47.netscape.com [205.217.237.47]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id SAA26674 for ; Wed, 9 Feb 2000 18:16:07 -0500 (EST) Received: from aka.mcom.com (aka.mcom.com [205.217.237.180]) by netscape.com (8.8.5/8.8.5) with ESMTP id PAA16924; Wed, 9 Feb 2000 15:13:10 -0800 (PST) Received: (from list@localhost) by aka.mcom.com (8.8.5/8.7.3) id PAA03499; Wed, 9 Feb 2000 15:14:53 -0800 (PST) Resent-Date: Wed, 9 Feb 2000 15:14:53 -0800 (PST) Message-Id: <3.0.5.32.20000209151440.0096f350@infidel.boolean.net> X-Sender: guru@infidel.boolean.net X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.5 (32) Date: Wed, 09 Feb 2000 15:14:40 -0800 To: ietf-ldapext@netscape.com From: "Kurt D. Zeilenga" Subject: Re: unsolicited controls (Was: I-DACTION:draft-weltman-ldapv3-auth-response-01.txt) In-Reply-To: <3.0.5.32.20000209105319.009804f0@infidel.boolean.net> References: <38A1ADB6.6AA56D34@netscape.com> <3.0.5.32.20000209100822.00976100@infidel.boolean.net> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Resent-Message-ID: <"aliCFB.A.O1.qTfo4"@glacier> Resent-From: ietf-ldapext@netscape.com X-Mailing-List: X-Loop: ietf-ldapext@netscape.com Precedence: list Resent-Sender: ietf-ldapext-request@netscape.com RFC 2251, 4.4 (unsolicited notifications) says: It [an unsolicited notification] is used to signal an extraordinary condition in the server or in the connection between the client and the server I believe the same should apply to unsolicited controls: An unsolicited response control is used to signal an extraordinary condition with the operation. That is, the fact that an identity is authorized is by a operation bind is quite ordinary and hence a client shouldn't be notified of the identity unless explicitly requested. Kurt At 10:53 AM 2/9/00 -0800, Kurt D. Zeilenga wrote: >At 10:11 AM 2/9/00 -0800, David Boreham wrote: >> >>Examples ? > >draft-weltman-ldapv3-auth-response-01.txt >draft-behera-ldap-password-policy-00.txt > >I feel the client should be required to take some explicit >action before the returns any response not described by >the core specifications. This act may be an explicit >request control, a control upon bind enabling the behavior >for the "session", an extended operation enabling the behavior, >or some other form of solicitation. > >I feel a server should not respond with controls and/or >extended responses not detailed by the core specifications >without such solicitation. > >That is, the client should > 1) discover what protocol extensions are supported by the server > 2) enable desired extensions > >A server should: > 1) published supported extensions > 2) disable all extensions until enabled by the client > > > From list@netscape.com Wed Feb 9 21:04:55 2000 Received: from netscape.com (h-205-217-237-47.netscape.com [205.217.237.47]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id VAA29667 for ; Wed, 9 Feb 2000 21:04:50 -0500 (EST) Received: from aka.mcom.com (aka.mcom.com [205.217.237.180]) by netscape.com (8.8.5/8.8.5) with ESMTP id SAA11396; Wed, 9 Feb 2000 18:02:24 -0800 (PST) Received: (from list@localhost) by aka.mcom.com (8.8.5/8.7.3) id SAA16483; Wed, 9 Feb 2000 18:04:07 -0800 (PST) Resent-Date: Wed, 9 Feb 2000 18:04:07 -0800 (PST) Message-Id: X-Mailer: Novell GroupWise Internet Agent 5.5.2.1 Date: Wed, 09 Feb 2000 19:03:44 -0700 From: "Jim Sermersheim" To: , Subject: Re: unsolicited controls (Was: I-DACTION:draft-weltman-ldapv3-auth-response-01.txt) Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Disposition: inline Resent-Message-ID: <"gTS0n.A.RBE.Wyho4"@glacier> Resent-From: ietf-ldapext@netscape.com X-Mailing-List: X-Loop: ietf-ldapext@netscape.com Precedence: list Resent-Sender: ietf-ldapext-request@netscape.com Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by ietf.org id VAA29667 Given this definition, what constitutes extraordinary? Is an expired password an extraordinary condition? Unless we can define the meaning of extraordinary, I'd rather just decide to allow unsolicited response controls or not. >>> "Kurt D. Zeilenga" 2/9/00 4:15:26 PM >>> RFC 2251, 4.4 (unsolicited notifications) says: It [an unsolicited notification] is used to signal an extraordinary condition in the server or in the connection between the client and the server I believe the same should apply to unsolicited controls: An unsolicited response control is used to signal an extraordinary condition with the operation. That is, the fact that an identity is authorized is by a operation bind is quite ordinary and hence a client shouldn't be notified of the identity unless explicitly requested. Kurt At 10:53 AM 2/9/00 -0800, Kurt D. Zeilenga wrote: >At 10:11 AM 2/9/00 -0800, David Boreham wrote: >> >>Examples ? > >draft-weltman-ldapv3-auth-response-01.txt >draft-behera-ldap-password-policy-00.txt > >I feel the client should be required to take some explicit >action before the returns any response not described by >the core specifications. This act may be an explicit >request control, a control upon bind enabling the behavior >for the "session", an extended operation enabling the behavior, >or some other form of solicitation. > >I feel a server should not respond with controls and/or >extended responses not detailed by the core specifications >without such solicitation. > >That is, the client should > 1) discover what protocol extensions are supported by the server > 2) enable desired extensions > >A server should: > 1) published supported extensions > 2) disable all extensions until enabled by the client > > > From list@netscape.com Wed Feb 9 22:43:14 2000 Received: from netscape.com (h-205-217-237-46.netscape.com [205.217.237.46]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id WAA02518 for ; Wed, 9 Feb 2000 22:43:13 -0500 (EST) Received: from aka.mcom.com (aka.mcom.com [205.217.237.180]) by netscape.com (8.8.5/8.8.5) with ESMTP id TAA04727; Wed, 9 Feb 2000 19:38:21 -0800 (PST) Received: (from list@localhost) by aka.mcom.com (8.8.5/8.7.3) id TAA11959; Wed, 9 Feb 2000 19:41:51 -0800 (PST) Resent-Date: Wed, 9 Feb 2000 19:41:51 -0800 (PST) Message-Id: <3.0.5.32.20000209194141.00977940@infidel.boolean.net> X-Sender: guru@infidel.boolean.net X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.5 (32) Date: Wed, 09 Feb 2000 19:41:41 -0800 To: "Jim Sermersheim" From: "Kurt D. Zeilenga" Subject: Re: unsolicited controls (Was: I-DACTION:draft-weltman-ldapv3-auth-response-01.txt) Cc: In-Reply-To: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Resent-Message-ID: <"Omsc8B.A.l6C.-Njo4"@glacier> Resent-From: ietf-ldapext@netscape.com X-Mailing-List: X-Loop: ietf-ldapext@netscape.com Precedence: list Resent-Sender: ietf-ldapext-request@netscape.com Is their a compelling reason to not negotiate these elective features? I believe it is unwise not to negotiate elective features. At 07:03 PM 2/9/00 -0700, Jim Sermersheim wrote: >Given this definition, what constitutes extraordinary? Good question. Ask? Is the importance of the notification such that most applications would be modified to recognize it and do something reasonable because of it? If the answer is no, than it's not extraordinary. > Is an expired password an extraordinary condition? Per my above definition, no. In the case of password policy, I'd suggest a bind control that the client could use to tell the server, "I recognize password policy controls/responses". This is a form of solicitation. > Unless we can define the meaning of extraordinary, > I'd rather just decide to allow unsolicited response controls or not. Even though I am hard pressed at the moment to find a control extraordinary enough that application developers would be compelled to update their codes to recognize it, I would hate to disallow unsolicited response controls completely as I believe that the recommended use of unsolicited controls should be comparable to unsolicited responses. Kurt From list@netscape.com Thu Feb 10 08:12:23 2000 Received: from netscape.com (h-205-217-237-47.netscape.com [205.217.237.47]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id IAA21880 for ; Thu, 10 Feb 2000 08:12:22 -0500 (EST) Received: from aka.mcom.com (aka.mcom.com [205.217.237.180]) by netscape.com (8.8.5/8.8.5) with ESMTP id FAA23535; Thu, 10 Feb 2000 05:09:31 -0800 (PST) Received: (from list@localhost) by aka.mcom.com (8.8.5/8.7.3) id FAA16784; Thu, 10 Feb 2000 05:11:09 -0800 (PST) Resent-Date: Thu, 10 Feb 2000 05:11:09 -0800 (PST) From: hahnt@us.ibm.com Importance: Normal Subject: Re: RFC2251: RootDSE subschemasubentry issue To: ietf-ldapext@netscape.com X-Mailer: Lotus Notes Release 5.0.1 July 16, 1999 Message-ID: Date: Thu, 10 Feb 2000 08:08:42 -0500 X-MIMETrack: Serialize by Router on D01MLC96/01/M/IBM(Release 5.0.2b (Intl)|7 January 2000) at 10/02/2000 08:11:04 MIME-Version: 1.0 Content-type: text/plain; charset=us-ascii Resent-Message-ID: <"9Des1.A.-FE.rjro4"@glacier> Resent-From: ietf-ldapext@netscape.com X-Mailing-List: X-Loop: ietf-ldapext@netscape.com Precedence: list Resent-Sender: ietf-ldapext-request@netscape.com Greetings, I believe that this was discussed on the mailing list about 6 months ago. At that time, the general direction seemed to be that the rootDSE entry would contain an additional attribute: subschemasubentries which would be defined to have distinguishedName syntax. And while this does not provide the detailed mapping (offered in Kurt's response), of associating namingContext values with subschemasubentries values, it also does not introduce another attribute value format that needs to be parsed. The X.500 specifications give some guidance on the placement of subschemasubentry values, namely they are to be placed "just below" the namingContext and should have object class: top, subentry, subschemasubentry. So, I would add a fourth option for the rootDSE: namingContexts: ou=Sales, o=Widgets namingContexts: ou=Development, o=Widgets subschemasubentries: cn=schema, ou=Sales, o=Widgets subschemasubentries: cn=schema, ou=Development, o=Widgets Regards, Tim Hahn Internet: hahnt@us.ibm.com Internal: Timothy Hahn/Endicott/IBM@IBMUS or IBMUSM00(HAHNT) phone: 607.752.6388 tie-line: 8/852.6388 fax: 607.752.3681 From list@netscape.com Thu Feb 10 09:09:00 2000 Received: from netscape.com (h-205-217-237-47.netscape.com [205.217.237.47]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id JAA25395 for ; Thu, 10 Feb 2000 09:08:59 -0500 (EST) Received: from aka.mcom.com (aka.mcom.com [205.217.237.180]) by netscape.com (8.8.5/8.8.5) with ESMTP id GAA27608; Thu, 10 Feb 2000 06:06:08 -0800 (PST) Received: (from list@localhost) by aka.mcom.com (8.8.5/8.7.3) id GAA26717; Thu, 10 Feb 2000 06:07:50 -0800 (PST) Resent-Date: Thu, 10 Feb 2000 06:07:50 -0800 (PST) Message-ID: From: "Salter, Thomas A" To: ietf-ldapext@netscape.com Subject: RE: RFC2251: RootDSE subschemasubentry issue Date: Thu, 10 Feb 2000 09:08:50 -0500 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: text/plain; charset="iso-8859-1" Resent-Message-ID: <"Pie4JD.A.JhG.1Yso4"@glacier> Resent-From: ietf-ldapext@netscape.com X-Mailing-List: X-Loop: ietf-ldapext@netscape.com Precedence: list Resent-Sender: ietf-ldapext-request@netscape.com Instead of inventing new attributes or syntaxes, why not just say that the subschema for a naming context can be discovered by reading the subschemaSubentry attribute in the naming context? From list@netscape.com Thu Feb 10 09:25:09 2000 Received: from netscape.com (h-205-217-237-47.netscape.com [205.217.237.47]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id JAA26521 for ; Thu, 10 Feb 2000 09:25:09 -0500 (EST) Received: from aka.mcom.com (aka.mcom.com [205.217.237.180]) by netscape.com (8.8.5/8.8.5) with ESMTP id GAA28788; Thu, 10 Feb 2000 06:22:07 -0800 (PST) Received: (from list@localhost) by aka.mcom.com (8.8.5/8.7.3) id GAA29705; Thu, 10 Feb 2000 06:23:53 -0800 (PST) Resent-Date: Thu, 10 Feb 2000 06:23:53 -0800 (PST) From: "David Chadwick" Organization: University of Salford To: "Kurt D. Zeilenga" , ietf-ldapext@netscape.com, Mark Wahl Date: Thu, 10 Feb 2000 14:22:17 -0000 MIME-Version: 1.0 Content-type: text/plain; charset=US-ASCII Content-transfer-encoding: 7BIT Subject: Re: RFC2251: RootDSE subschemasubentry issue Reply-to: d.w.chadwick@salford.ac.uk Priority: normal In-reply-to: <3.0.5.32.20000209115809.00970b70@infidel.boolean.net> References: X-mailer: Pegasus Mail for Win32 (v3.12b) Message-Id: Resent-Message-ID: <"4DAPcC.A.3PH.4nso4"@glacier> Resent-From: ietf-ldapext@netscape.com X-Mailing-List: X-Loop: ietf-ldapext@netscape.com Precedence: list Resent-Sender: ietf-ldapext-request@netscape.com Content-Transfer-Encoding: 7BIT > At 07:26 PM 2/9/00 -0000, David Chadwick wrote: > >Do you agree with this analysis? > > Yes. Good, we are making progress towards resolution. > > The next questions are: > > What other attributes published in RootDSE are naming > context specific? The question should actually be wider than this I believe. i.e. What attributes are NC specific and what attributes are server specific and what attributes are Management Domain specific, since i) a Man Domain can comprise many servers ii) a server can hold many NCs iii) a server can hold many Man Domains. So we really need placeholders for all of these. It seems to me like the rootDSE should hold server specific attributes, a subentry under the NC context prefix should hold NC specific attributes (this is in line with the LDUP group I believe), and a subentry under an Admin Point should hold Man Domain specific attributes (this is in line with X.500(93)). What do you think? > > I've seen a lot of proposals (including my own) which > suggest attributes for publishing capabilities. It's > likely that some of these are not server specific, > but are naming context specific. agreed > > From the design perpective, I see different ways of > providing naming context specific information: > > 1) add new attributes which provide the context > and the capability as combined value. (Ie: > 1A) dn: (root dse) > subschemasubentries: dc=openldap,dc=org $ > ( cn=subschema $ cn=openldap-subschema ) > subschemasubentries: dc=example,dc=com $ cn=subschema > ... > > or: > 1B) dn: (root dse) > subschemasubentries: dc=openldap,dc=org $ cn=subschema > subschemasubentries: dc=openldap,dc=org $ cn=opendlap-subschema > subschemasubentries: dc=example,dc=com $ cn=subschema > > 2) provide an attribute which lists naming contexts > AND a provides a DN of an entry (or subentry) which > contains attributes describing the naming context > specific capabilities. Or, an attribute which lists NCs and have subentries under the NCs, so that no pointer is needed in the rootDSE. > > dn: (root dse) > namingContextCapabilities: dc=openldap,dc=org $ cn=openldap > namingContextCapabilities: dc=example,dc=com $ cn=example > > dn: cn=openldap > subschemasubentries: cn=subschema > subschemasubentries: cn=openldap-subschema Why would you have 2 subschemasubentries for 1 NC? I think only one is needed (this is mandatory at the moment I believe) David > > dn: cn=example > subschemasubentires: cn=subschema > > > Comments? > > *************************************************** David Chadwick IS Institute, University of Salford, Salford M5 4WT Tel +44 161 295 5351 Fax +44 161 745 8169 Mobile +44 790 167 0359 Email D.W.Chadwick@salford.ac.uk Home Page http://www.salford.ac.uk/its024/chadwick.htm Understanding X.500 http://www.salford.ac.uk/its024/X500.htm X.500/LDAP Seminars http://www.salford.ac.uk/its024/seminars.htm Entrust key validation string MLJ9-DU5T-HV8J *************************************************** From list@netscape.com Thu Feb 10 10:04:25 2000 Received: from netscape.com (h-205-217-237-46.netscape.com [205.217.237.46]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id KAA29164 for ; Thu, 10 Feb 2000 10:04:24 -0500 (EST) Received: from aka.mcom.com (aka.mcom.com [205.217.237.180]) by netscape.com (8.8.5/8.8.5) with ESMTP id GAA12703; Thu, 10 Feb 2000 06:59:26 -0800 (PST) Received: (from list@localhost) by aka.mcom.com (8.8.5/8.7.3) id HAA09490; Thu, 10 Feb 2000 07:02:58 -0800 (PST) Resent-Date: Thu, 10 Feb 2000 07:02:58 -0800 (PST) Message-ID: From: "Mcauliffe, Kristin" To: ietf-ldapext@netscape.com Subject: Question on Extensible Match Filter Date: Thu, 10 Feb 2000 10:02:34 -0500 Importance: low X-Priority: 5 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.10) Content-Type: text/plain; charset="iso-8859-1" Resent-Message-ID: <"Tbx8VB.A.AUC.hMto4"@glacier> Resent-From: ietf-ldapext@netscape.com X-Mailing-List: X-Loop: ietf-ldapext@netscape.com Precedence: list Resent-Sender: ietf-ldapext-request@netscape.com I am working on LDAP v3 Search filters and cannot seem to get a return from the DS servers (Netscape, Novell NDS and MS AD) that I am testing using the Extensible Match string. I am following the definition identified in RFC2254 and those identified in Chapter 3 of "Understanding and Deploying LDAP DS" (and the examples). I have used both the assertion syntax and the value syntax. The results received are: Bind operation successful. ldap_search_s: Protocol error ldap_search_s: additional info: Bad search filter Any guidance would be appreciated. ===================================== Kristin McAuliffe Center for Information Technology Standards DISA mcaulifk@ftm.disa.mil ===================================== From list@netscape.com Thu Feb 10 12:06:21 2000 Received: from netscape.com (h-205-217-237-46.netscape.com [205.217.237.46]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id MAA04283 for ; Thu, 10 Feb 2000 12:06:19 -0500 (EST) Received: from aka.mcom.com (aka.mcom.com [205.217.237.180]) by netscape.com (8.8.5/8.8.5) with ESMTP id JAA25474; Thu, 10 Feb 2000 09:02:13 -0800 (PST) Received: (from list@localhost) by aka.mcom.com (8.8.5/8.7.3) id JAA17784; Thu, 10 Feb 2000 09:05:43 -0800 (PST) Resent-Date: Thu, 10 Feb 2000 09:05:43 -0800 (PST) Date: Thu, 10 Feb 2000 17:27:44 +0100 From: =?ISO-8859-1?Q?Patrik_F=E4ltstr=F6m?= To: ietf-ldapext@netscape.com cc: Jeff.Hodges@stanford.edu, RLBob Morgan , Mark Wahl Subject: Re: Please publish this I-D: draft-ietf-ldapext-ldapv3-tls-06.txt Message-ID: <2734229.3159192464@[192.168.111.25]> In-Reply-To: <200002101627.IAA01306@breakaway.Stanford.EDU> X-Mailer: Mulberry/2.0.0b9 (MacOS) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Content-Disposition: inline Resent-Message-ID: <"7IVVPD.A.WVE.m_uo4"@glacier> Resent-From: ietf-ldapext@netscape.com X-Mailing-List: X-Loop: ietf-ldapext@netscape.com Precedence: list Resent-Sender: ietf-ldapext-request@netscape.com Content-Transfer-Encoding: 7bit --On 2000-02-10 08.27 -0800, Jeff.Hodges@stanford.edu wrote: > We'd appreciate it if you could carry the below version of the doc > forward into the RFC process. Thanks, Send it to internet-drafts@ietf.org, and let me know when the I-D is announced on the IETF-announce list. Patrik From list@netscape.com Thu Feb 10 12:18:12 2000 Received: from netscape.com (h-205-217-237-46.netscape.com [205.217.237.46]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id MAA04615 for ; Thu, 10 Feb 2000 12:18:08 -0500 (EST) Received: from aka.mcom.com (aka.mcom.com [205.217.237.180]) by netscape.com (8.8.5/8.8.5) with ESMTP id JAA27754; Thu, 10 Feb 2000 09:14:03 -0800 (PST) Received: (from list@localhost) by aka.mcom.com (8.8.5/8.7.3) id JAA24629; Thu, 10 Feb 2000 09:17:34 -0800 (PST) Resent-Date: Thu, 10 Feb 2000 09:17:34 -0800 (PST) Message-ID: <017E033801420200@mailgate.netconnect.co.uk> In-Reply-To: <2734229%.3159192464@mailgate.netconnect.co.uk> Date: Thu, 10 Feb 2000 17:16:00 +0000 From: John Storry Sender: John Storry Organization: NetConnect Ltd To: ietf-ldapext@netscape.com Subject: Please remove from mailing list Importance: High X-SMF-Hop-Count: 2 MIME-Version: 1.0 Content-type: text/plain; charset="US-ASCII" Content-transfer-encoding: 7bit X-Mailer: Connect2-SMTP 4.32 MHS/SMF to SMTP Gateway Resent-Message-ID: <"93XNdC.A.SAG.sKvo4"@glacier> Resent-From: ietf-ldapext@netscape.com X-Mailing-List: X-Loop: ietf-ldapext@netscape.com Precedence: list Resent-Sender: ietf-ldapext-request@netscape.com Content-Transfer-Encoding: 7bit Could you please remove the following: dnesbitt@netconnect.co.uk from your mailing list ASAP as this user is no longer employed by this company. Many thanks ===== Original Message from ietf-ldapext @ netscape.com at 10/02/00 16:27 >--On 2000-02-10 08.27 -0800, Jeff.Hodges@stanford.edu wrote: > >> We'd appreciate it if you could carry the below version of the doc >> forward into the RFC process. Thanks, > >Send it to internet-drafts@ietf.org, and let me know when the I-D is >announced on the IETF-announce list. > > Patrik John Storry Internal Systems Engineer NetConnect Ltd Integration Training for Messaging, Security Directory Systems Phone:+44 (0) 1223 423 523 Fax:+44 (0) 1223 420 655 http://www.netconnect.co.uk/ CONFIDENTIALITY NOTICE: This e-mail contains confidential information which is intended only for use by the recipient (s) named above. If you have received this communication in error, please notify the sender immediately via e-mail and return the entire message. Thank you for your assistance. From list@netscape.com Thu Feb 10 12:18:29 2000 Received: from netscape.com (h-205-217-237-47.netscape.com [205.217.237.47]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id MAA04630 for ; Thu, 10 Feb 2000 12:18:23 -0500 (EST) Received: from aka.mcom.com (aka.mcom.com [205.217.237.180]) by netscape.com (8.8.5/8.8.5) with ESMTP id JAA20154; Thu, 10 Feb 2000 09:16:02 -0800 (PST) Received: (from list@localhost) by aka.mcom.com (8.8.5/8.7.3) id JAA25016; Thu, 10 Feb 2000 09:17:47 -0800 (PST) Resent-Date: Thu, 10 Feb 2000 09:17:47 -0800 (PST) Message-Id: <200002101717.JAA01460@breakaway.Stanford.EDU> X-Mailer: exmh version 2.0.2 2/24/98 Subject: Please publish this I-D: draft-ietf-ldapext-ldapv3-tls-06.txt To: internet-drafts@ietf.org cc: jhodges@oblix.com, RLBob Morgan , Mark Wahl , LDAP extensions From: jhodges@oblix.com Reply-to: ietf-ldapext@netscape.com Mime-Version: 1.0 Content-Type: multipart/mixed ; boundary="==_Exmh_5686075430" Date: Thu, 10 Feb 2000 09:17:11 -0800 Sender: hodges@Wind.Stanford.EDU Resent-Message-ID: <"cwB78C.A.sFG.4Kvo4"@glacier> Resent-From: ietf-ldapext@netscape.com X-Mailing-List: X-Loop: ietf-ldapext@netscape.com Precedence: list Resent-Sender: ietf-ldapext-request@netscape.com This is a multipart MIME message. --==_Exmh_5686075430 Content-Type: text/plain; charset=us-ascii This revision of draft-ietf-ldapext-ldapv3-tls has only minor editorial changes, plus a clarification at the end of section 4.6 as a result of Security Area review. The extraneous section 6 fragment was removed (we'd moved that entire section to draft-ietf-ldapext-authmeth-04), and remaining sections renumbered. JeffH --==_Exmh_5686075430 Content-Type: text/plain ; name="draft-ietf-ldapext-ldapv3-tls-06.txt"; charset=us-ascii Content-Description: draft-ietf-ldapext-ldapv3-tls-06.txt Content-Disposition: attachment; filename="draft-ietf-ldapext-ldapv3-tls-06.txt" LDAPEXT Working Group Jeff Hodges, Oblix Inc. INTERNET-DRAFT RL "Bob" Morgan, Univ of Washington Intended Category: Mark Wahl, Innosoft International, Inc. Standards Track February, 2000 Lightweight Directory Access Protocol (v3): Extension for Transport Layer Security Status of this Document This document is an Internet-Draft and is in full conformance with all provisions of Section 10 of RFC2026. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet- Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. Comments and suggestions on this document are encouraged. Comments on this document should be sent to the LDAPEXT working group discussion list: ietf-ldapext@netscape.com This document expires in July 2000. 1. Abstract This document defines the "Start Transport Layer Security (TLS) Opera- tion" for LDAP [LDAPv3, TLS]. This operation provides for TLS establish- ment in an LDAP association and is defined in terms of an LDAP extended request. Hodges, Morgan, Wahl [Page 1] I-D LDAPv3: Extension for Transport Layer Security February 2000 2. Conventions Used in this Document The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [ReqsKeywords]. 3. The Start TLS Request This section describes the Start TLS extended request and extended response themselves: how to form the request, the form of the response, and enumerates the various result codes the client MUST be prepared to handle. The section following this one then describes how to sequence an overall Start TLS Operation. 3.1. Requesting TLS Establishment A client may perform a Start TLS operation by transmitting an LDAP PDU containing an ExtendedRequest [LDAPv3] specifying the OID for the Start TLS operation: 1.3.6.1.4.1.1466.20037 An LDAP ExtendedRequest is defined as follows: ExtendedRequest ::= [APPLICATION 23] SEQUENCE { requestName [0] LDAPOID, requestValue [1] OCTET STRING OPTIONAL } A Start TLS extended request is formed by setting the requestName field to the OID string given above. The requestValue field is absent. The client MUST NOT send any PDUs on this connection following this request until it receives a Start TLS extended response. When a Start TLS extended request is made, the server MUST return an LDAP PDU containing a Start TLS extended response. An LDAP Exten- dedResponse is defined as follows: ExtendedResponse ::= [APPLICATION 24] SEQUENCE { COMPONENTS OF LDAPResult, responseName [10] LDAPOID OPTIONAL, response [11] OCTET STRING OPTIONAL } A Start TLS extended response MUST contain a responseName field which MUST be set to the same string as that in the responseName field present in the Start TLS extended request. The response field is absent. The server MUST set the resultCode field to either success or one of the Hodges, Morgan, Wahl [Page 2] I-D LDAPv3: Extension for Transport Layer Security February 2000 other values outlined in section 3.3. 3.2. "Success" Response If the ExtendedResponse contains a resultCode of success, this indicates that the server is willing and able to negotiate TLS. Refer to section 4, below, for details. 3.3. Response other than "success" If the ExtendedResponse contains a resultCode other than success, this indicates that the server is unwilling or unable to negotiate TLS. If the Start TLS extended request was not successful, the resultCode will be one of: operationsError (operations sequencing incorrect; e.g. TLS already established) protocolError (TLS not supported or incorrect PDU structure) referral (this server doesn't do TLS, try this one) unavailable (e.g. some major problem with TLS, or server is shutting down) The server MUST return operationsError if the client violates any of the Start TLS extended operation sequencing requirements described in sec- tion 4, below. If the server does not support TLS (whether by design or by current con- figuration), it MUST set the resultCode to protocolError (see section 4.1.1 of [LDAPv3]), or to referral. The server MUST include an actual referral value in the LDAP Result if it returns a resultCode of refer- ral. The client's current session is unaffected if the server does not support TLS. The client MAY proceed with any LDAP operation, or it MAY close the connection. The server MUST return unavailable if it supports TLS but cannot estab- lish a TLS connection for some reason, e.g. the certificate server not responding, it cannot contact its TLS implementation, or if the server is in process of shutting down. The client MAY retry the StartTLS opera- tion, or it MAY proceed with any other LDAP operation, or it MAY close the connection. 4. Sequencing of the Start TLS Operation This section describes the overall procedures clients and servers MUST Hodges, Morgan, Wahl [Page 3] I-D LDAPv3: Extension for Transport Layer Security February 2000 follow for TLS establishment. These procedures take into consideration various aspects of the overall security of the LDAP association includ- ing discovery of resultant security level and assertion of the client's authorization identity. Note that the precise effects, on a client's authorzation identity, of establishing TLS on an LDAP association are described in detail in sec- tion 7. 4.1. Requesting to Start TLS on an LDAP Association The client MAY send the Start TLS extended request at any time after establishing an LDAP association, except that in the following cases the client MUST NOT send a Start TLS extended request: - if TLS is currently established on the connection, or - during a multi-stage SASL negotiation, or - if there are any LDAP operations outstanding on the connection. The result of violating any of these requirements is a resultCode of operationsError, as described above in section 3.3. The client MAY have already perfomed a Bind operation when it sends a Start TLS request, or the client might have not yet bound. If the client did not establish a TLS connection before sending any other requests, and the server requires the client to establish a TLS connection before performing a particular request, the server MUST reject that request with a confidentialityRequired or strongAuthRequired result. The client MAY send a Start TLS extended request, or it MAY choose to close the connection. 4.2. Starting TLS The server will return an extended response with the resultCode of suc- cess if it is willing and able to negotiate TLS. It will return other resultCodes, documented above, if it is unable. In the successful case, the client, which has ceased to transfer LDAP requests on the connection, MUST either begin a TLS negotiation or close the connection. The client will send PDUs in the TLS Record Protocol directly over the underlying transport connection to the server to ini- tiate TLS negotiation [TLS]. 4.3. TLS Version Negotiation Negotiating the version of TLS or SSL to be used is a part of the TLS Handshake Protocol, as documented in [TLS]. Please refer to that Hodges, Morgan, Wahl [Page 4] I-D LDAPv3: Extension for Transport Layer Security February 2000 document for details. 4.4. Discovery of Resultant Security Level After a TLS connection is established on an LDAP association, both par- ties MUST individually decide whether or not to continue based on the privacy level achieved. Ascertaining the TLS connection's privacy level is implementation dependent, and accomplished by communicating with one's respective local TLS implementation. If the client or server decides that the level of authentication or privacy is not high enough for it to continue, it SHOULD gracefully close the TLS connection immediately after the TLS negotiation has com- pleted (see sections 5 and 7.2, below). The client MAY attempt to Start TLS again, or MAY send an unbind request, or send any other LDAP request. 4.5. Assertion of Client's Authorization Identity The client MAY, upon receipt of a Start TLS extended response indicating success, assert that a specific authorization identity be utilized in determining the client's authorization status. The client accomplishes this via an LDAP Bind request specifying a SASL mechanism of "EXTERNAL" [SASL]. See section 7, below. 4.6. Server Identity Check The client MUST check its understanding of the server's hostname against the server's identity as presented in the server's Certificate message, in order to prevent man-in-the-middle attacks. If a subjectAltName extension of type dNSName is present, it SHOULD be used as the source of the server's identity. Matching is performed according to these rules: - The client MUST use the server hostname it used to open the LDAP connection as the value to compare against the server name as expressed in the server's certificate. The client MUST NOT use the server's canonical DNS name or any other derived form of name. - If a subjectAltName extension of type dNSName is present in the certificate, it SHOULD be used as the source of the server's identity. - Matching is case-insensitive. Hodges, Morgan, Wahl [Page 5] I-D LDAPv3: Extension for Transport Layer Security February 2000 - The "*" wildcard character is allowed. - If present, it applies only to the left-most name component. E.g. *.bar.com would match a.bar.com, b.bar.com, etc. but not bar.com. If more than one identity of a given type is present in the certificate (e.g. more than one dNSName name), a match in any one of the set is con- sidered acceptable. If the hostname does not match the dNSName-based identity in the certi- ficate per the above check, user-oriented clients SHOULD either notify the user (clients MAY give the user the opportunity to continue with the connection in any case) or terminate the connection and indicate that the server's identity is suspect. Automated clients SHOULD close the connection, returning and/or logging an error indicating hat the server's identity is suspect. Beyond the server identity checks described in this section, clients SHOULD be prepared to do further checking to ensure that the server is authorized to provide the service it is observed to provide. The client MAY need to make use of local policy information. 4.7. Refresh of Server Capabilities Information The client MUST refresh any cached server capabilities information (e.g. from the server's root DSE; see section 3.4 of [LDAPv3]) upon TLS ses- sion establishment. This is necessary to protect against active- intermediary attacks which may have altered any server capabilities information retrieved prior to TLS establishment. The server MAY adver- tise different capabilities after TLS establishment. 5. Closing a TLS Connection 5.1. Graceful Closure Either the client or server MAY terminate the TLS connection on an LDAP association by sending a TLS closure alert. This will leave the LDAP association intact. Before closing a TLS connection, the client MUST either wait for any outstanding LDAP operations to complete, or explicitly abandon them [LDAPv3]. After the initiator of a close has sent a closure alert, it MUST discard any TLS messages until it has received an alert from the other party. It will cease to send TLS Record Protocol PDUs, and following the reciept of the alert, MAY send and receive LDAP PDUs. The other party, if it receives a closure alert, MUST immediately Hodges, Morgan, Wahl [Page 6] I-D LDAPv3: Extension for Transport Layer Security February 2000 transmit a TLS closure alert. It will subequently cease to send TLS Record Protocol PDUs, and MAY send and receive LDAP PDUs. 5.2. Abrupt Closure Either the client or server MAY abruptly close the entire LDAP associa- tion and any TLS connection established on it by dropping the underlying TCP connection. A server MAY beforehand send the client a Notice of Disconnection [LDAPv3] in this case. 6. Effects of TLS on a Client's Authorization Identity This section describes the effects on a client's authorization identity brought about by establishing TLS on an LDAP association. The default effects are described first, and next the facilities for client asser- tion of authorization identity are discussed including error conditions. Lastly, the effects of closing the TLS connection are described. Authorization identities and related concepts are defined in [AuthMeth]. 6.1. TLS Connection Establishment Effects 6.1.1. Default Effects Upon establishment of the TLS connection onto the LDAP association, any previously established authentication and authorization identities MUST remain in force, including anonymous state. This holds even in the case where the server requests client authentication via TLS -- e.g. requests the client to supply its certificate during TLS negotiation (see [TLS]). 6.1.2. Client Assertion of Authorization Identity A client MAY either implicitly request that its LDAP authorization iden- tity be derived from its authenticated TLS credentials or it MAY expli- citly provide an authorization identity and assert that it be used in combination with its authenticated TLS credentials. The former is known as an implicit assertion, and the latter as an explicit assertion. 6.1.2.1. Implicit Assertion An implicit authorization identity assertion is accomplished after TLS establishment by invoking a Bind request of the SASL form using the "EXTERNAL" mechanism name [SASL, LDAPv3] that SHALL NOT include the optional credentials octet string (found within the SaslCredentials sequence in the Bind Request). The server will derive the client's authorization identity from the authentication identity supplied in the client's TLS credentials (typically a public key certificate) according to local policy. The underlying mechanics of how this is accomplished Hodges, Morgan, Wahl [Page 7] I-D LDAPv3: Extension for Transport Layer Security February 2000 are implementation specific. 6.1.2.2. Explicit Assertion An explicit authorization identity assertion is accomplished after TLS establishment by invoking a Bind request of the SASL form using the "EXTERNAL" mechanism name [SASL, LDAPv3] that SHALL include the creden- tials octet string. This string MUST be constructed as documented in section 11 of [AuthMeth]. 6.1.2.3. Error Conditions For either form of assertion, the server MUST verify that the client's authentication identity as supplied in its TLS credentials is permitted to be mapped to the asserted authorization identity. The server MUST reject the Bind operation with an invalidCredentials resultCode in the Bind response if the client is not so authorized. The LDAP association's authentication identity and authorization identity (if any) which were in effect after TLS establishment but prior to making the Bind request, MUST remain in force. Additionally, with either form of assertion, if a TLS session has not been established between the client and server prior to making the SASL EXTERNAL Bind request and there is no other external source of authenti- cation credentials (e.g. IP-level security RFC 1825), or if, during the process of establishing the TLS session, the server did not request the client's authentication credentials, the SASL EXTERNAL bind MUST fail with a result code of inappropriateAuthentication. Any authentication identity and authorization identity, as well as TLS connection, which were in effect prior to making the Bind request, MUST remain in force. 6.2. TLS Connection Closure Effects Closure of the TLS connection MUST cause the LDAP association to move to an anonymous authentication and authorization state regardless of the state established over TLS and regardless of the authentication and authorization state prior to TLS connection establishment. 7. Security Considerations The goals of using the TLS protocol with LDAP are to ensure connection confidentiality and integrity, and to optionally provide for authentica- tion. TLS expressly provides these capabilities, as described in [TLS]. All security gained via use of the Start TLS operation is gained by the use of TLS itself. The Start TLS operation, on its own, does not provide any additional security. Hodges, Morgan, Wahl [Page 8] I-D LDAPv3: Extension for Transport Layer Security February 2000 The use of TLS does not provide or ensure for confidentiality and/or non-repudiation of the data housed by an LDAP-based directory server. Nor does it secure the data from inspection by the server administra- tors. Once established, TLS only provides for and ensures confidential- ity and integrity of the operations and data in transit over the LDAP association, and only if the implementations on the client and server support and negotiate it. The level of security provided though the use of TLS depends directly on both the quality of the TLS implementation used and the style of usage of that implementation. Additionally, an active-intermediary attacker can remove the Start TLS extended operation from the supportedExtension attribute of the root DSE. Therefore, both parties SHOULD independently ascertain and consent to the security level achieved once TLS is esta- blished and before begining use of the TLS connection. For example, the security level of the TLS connection might have been negotiated down to plaintext. Clients SHOULD either warn the user when the security level achieved does not provide confidentiality and/or integrity protection, or be con- figurable to refuse to proceed without an acceptable level of security. Client and server implementors SHOULD take measures to ensure proper protection of credentials and other confidential data where such meas- ures are not otherwise provided by the TLS implementation. Server implementors SHOULD allow for server administrators to elect whether and when connection confidentiality and/or integrity is required, as well as elect whether and when client authentication via TLS is required. 8. Acknowledgements The authors thank Tim Howes, Paul Hoffman, John Kristian, Shirish Rai, Jonathan Trostle, Harald Alvestrand, and Marcus Leech for their contri- butions to this document. 9. References [AuthMeth] M. Wahl, H. Alvestrand, J. Hodges, R. Morgan. "Authenti- cation Methods for LDAP". INTERNET-DRAFT, Work In Pro- gress. draft-ietf-ldapext-authmeth-04.txt [LDAPv3] M. Wahl, S. Kille and T. Howes. "Lightweight Directory Access Protocol (v3)". RFC 2251. [ReqsKeywords] Scott Bradner. "Key Words for use in RFCs to Indicate Requirement Levels". RFC 2119. Hodges, Morgan, Wahl [Page 9] I-D LDAPv3: Extension for Transport Layer Security February 2000 [SASL] J. Myers. "Simple Authentication and Security Layer (SASL)". RFC 2222. [TLS] Tim Dierks, C. Allen. "The TLS Protocol Version 1.0". RFC 2246. 10. Authors' Addresses Jeff Hodges Oblix, Inc. 18922 Forge Drive Cupertino, CA 95014 USA Phone: +1-408-861-6656 EMail: JHodges@oblix.com RL "Bob" Morgan Computing and Communications University of Washington Seattle, WA USA Phone: +1-206-221-3307 EMail: rlmorgan@washington.edu Mark Wahl Innosoft International, Inc. 8911 Capital of Texas Hwy, Suite 4140 Austin, TX 78759 USA Phone: +1 626 919 3600 EMail: Mark.Wahl@innosoft.com ----------------------------------- 11. Intellectual Property Rights Notices The IETF takes no position regarding the validity or scope of any intel- lectual property or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; neither does it represent that it has made any effort to identify any such rights. Information on the IETF's procedures with Hodges, Morgan, Wahl [Page 10] I-D LDAPv3: Extension for Transport Layer Security February 2000 respect to rights in standards-track and standards-related documentation can be found in BCP-11. Copies of claims of rights made available for publication and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementors or users of this specification can be obtained from the IETF Secretariat. The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights which may cover technology that may be required to practice this stan- dard. Please address the information to the IETF Executive Director. 12. Copyright Notice and Disclaimer Copyright (C) The Internet Society (1998). All Rights Reserved. This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of develop- ing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English. The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assigns. This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MER- CHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Hodges, Morgan, Wahl [Page 11] --==_Exmh_5686075430-- From list@netscape.com Thu Feb 10 12:32:22 2000 Received: from netscape.com (h-205-217-237-47.netscape.com [205.217.237.47]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id MAA05157 for ; Thu, 10 Feb 2000 12:32:22 -0500 (EST) Received: from aka.mcom.com (aka.mcom.com [205.217.237.180]) by netscape.com (8.8.5/8.8.5) with ESMTP id JAA22703; Thu, 10 Feb 2000 09:29:50 -0800 (PST) Received: (from list@localhost) by aka.mcom.com (8.8.5/8.7.3) id JAA01012; Thu, 10 Feb 2000 09:31:35 -0800 (PST) Resent-Date: Thu, 10 Feb 2000 09:31:35 -0800 (PST) Message-Id: <3.0.5.32.20000210093128.00984100@infidel.boolean.net> X-Sender: guru@infidel.boolean.net X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.5 (32) Date: Thu, 10 Feb 2000 09:31:28 -0800 To: "Mcauliffe, Kristin" From: "Kurt D. Zeilenga" Subject: Re: Question on Extensible Match Filter Cc: ietf-ldapext@netscape.com In-Reply-To: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Resent-Message-ID: <"VOZJKD.A.iP.2Xvo4"@glacier> Resent-From: ietf-ldapext@netscape.com X-Mailing-List: X-Loop: ietf-ldapext@netscape.com Precedence: list Resent-Sender: ietf-ldapext-request@netscape.com At 10:02 AM 2/10/00 -0500, Mcauliffe, Kristin wrote: >I am working on LDAP v3 Search filters and cannot seem to get a return from >the DS servers (Netscape, Novell NDS and MS AD) that I am testing using the >Extensible Match string. I suggest you request help on a forum specific to the implementation of LDAPv3 you are using. >I am following the definition identified in >RFC2254 and those identified in Chapter 3 of "Understanding and Deploying >LDAP DS" (and the examples). I have used both the assertion syntax and the >value syntax. > >The results received are: > >Bind operation successful. >ldap_search_s: Protocol error >ldap_search_s: additional info: Bad search filter Looks like you sent the filter to an LDAPv2 server. An LDAPv3 should not have returned a protocol error just because it doesn't recognize extended search filter or other filter details. RFC 2251: A filter item evaluates to Undefined when the server would not be able to determine whether the assertion value matches an entry. If an attribute description in an equalityMatch, substrings, greaterOrEqual, lessOrEqual, approxMatch or extensibleMatch filter is not recognized by the server, a matching rule id in the extensibleMatch is not recognized by the server, the assertion value cannot be parsed, or the type of filtering requested is not implemented, then the filter is Undefined. I suggest contacting your server vendor. Be sure to provide the exact search filter specified and other detail likely to assist the vendor in helping you. Kurt From list@netscape.com Thu Feb 10 12:44:32 2000 Received: from netscape.com (h-205-217-237-46.netscape.com [205.217.237.46]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id MAA05459 for ; Thu, 10 Feb 2000 12:44:29 -0500 (EST) Received: from aka.mcom.com (aka.mcom.com [205.217.237.180]) by netscape.com (8.8.5/8.8.5) with ESMTP id JAA02283; Thu, 10 Feb 2000 09:39:47 -0800 (PST) Received: (from list@localhost) by aka.mcom.com (8.8.5/8.7.3) id JAA07790; Thu, 10 Feb 2000 09:43:18 -0800 (PST) Resent-Date: Thu, 10 Feb 2000 09:43:18 -0800 (PST) X-Authentication-Warning: perq.cac.washington.edu: rlmorgan owned process doing -bs Date: Thu, 10 Feb 2000 09:43:42 -0800 (PST) From: "RL 'Bob' Morgan" X-Sender: rlmorgan@perq.cac.washington.edu Reply-To: "RL 'Bob' Morgan" To: IETF ldapext WG Subject: LDAP subtree search with zero-length DN for baseObject? Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Resent-Message-ID: <"5F18tD.A.Q5B.0ivo4"@glacier> Resent-From: ietf-ldapext@netscape.com X-Mailing-List: X-Loop: ietf-ldapext@netscape.com Precedence: list Resent-Sender: ietf-ldapext-request@netscape.com RFC 2251 says, in section 3.4: An LDAP server MUST provide information about itself and other information that is specific to each server. This is represented as a group of attributes located in the root DSE (DSA-Specific Entry), which is named with the zero-length LDAPDN. These attributes are retrievable if a client performs a base object search of the root with filter "(objectClass=*)", however they are subject to access control restrictions. The root DSE MUST NOT be included if the client performs a subtree search starting from the root. It isn't clear to me, though, what the expected result should be from a subtree search where the baseObject is the zero-length DN. It mustn't include the root DSE info, but what should it include? Should this mean "the subtree rooted at root of the global DIT"? Presumably, if so, in existing cases this would typically fail since the DSA doesn't know how to contact a DSA for "the root". Or can a DSA interpret it as "search all the naming contexts you have locally?" By experiment I find that servers I've tried this on report "no such object". Thanks, - RL "Bob" From list@netscape.com Thu Feb 10 12:49:53 2000 Received: from netscape.com (h-205-217-237-47.netscape.com [205.217.237.47]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id MAA05579 for ; Thu, 10 Feb 2000 12:49:52 -0500 (EST) Received: from aka.mcom.com (aka.mcom.com [205.217.237.180]) by netscape.com (8.8.5/8.8.5) with ESMTP id JAA26615; Thu, 10 Feb 2000 09:46:42 -0800 (PST) Received: (from list@localhost) by aka.mcom.com (8.8.5/8.7.3) id JAA12347; Thu, 10 Feb 2000 09:48:23 -0800 (PST) Resent-Date: Thu, 10 Feb 2000 09:48:23 -0800 (PST) Message-ID: <90B308416283D311978B0090272BF7F503C1DA@mail.availnetworks.com> From: Ron Carter To: IETF ldapext WG Subject: RE: Notification: Inbound Mail Failure Date: Thu, 10 Feb 2000 12:47:41 -0500 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.10) Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01BF73EE.F141B810" Resent-Message-ID: <"rj6pd.A.RAD.mnvo4"@glacier> Resent-From: ietf-ldapext@netscape.com X-Mailing-List: X-Loop: ietf-ldapext@netscape.com Precedence: list Resent-Sender: ietf-ldapext-request@netscape.com This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. ------_=_NextPart_001_01BF73EE.F141B810 Content-Type: text/plain; charset="iso-8859-1" This user is no longer with our company. Please remove him from your list. Ron Carter Network Administrator Avail Networks 305 E. Eisenhower pkwy. Ann Arbor, MI 48108 (734) 332-5578 rcarter@availnetworks.com -----Original Message----- From: Ron Carter Sent: Thursday, February 10, 2000 12:43 PM To: Ron Carter Subject: Notification: Inbound Mail Failure The following recipients did not receive the attached mail. Reasons are listed with each recipient: rich@nei.com MSEXCH:IMS:avail:site-1:AVAIL-EXC 0 (000C05A6) Unknown Recipient The message that caused this notification was: ------_=_NextPart_001_01BF73EE.F141B810 Content-Type: text/html; charset="iso-8859-1" RE: Notification: Inbound Mail Failure

This user is no longer with our company. Please remove him from your list.

Ron Carter
Network Administrator
Avail Networks
305 E. Eisenhower pkwy.
Ann Arbor, MI 48108
(734) 332-5578
rcarter@availnetworks.com

-----Original Message-----
From: Ron Carter
Sent: Thursday, February 10, 2000 12:43 PM
To: Ron Carter
Subject: Notification: Inbound Mail Failure

The following recipients did not receive the attached mail. Reasons are listed with each recipient:

<rich@nei.com> rich@nei.com
MSEXCH:IMS:avail:site-1:AVAIL-EXC 0 (000C05A6) Unknown Recipient

The message that caused this notification was:

------_=_NextPart_001_01BF73EE.F141B810-- From list@netscape.com Thu Feb 10 12:56:04 2000 Received: from netscape.com (h-205-217-237-47.netscape.com [205.217.237.47]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id MAA05769 for ; Thu, 10 Feb 2000 12:56:01 -0500 (EST) Received: from aka.mcom.com (aka.mcom.com [205.217.237.180]) by netscape.com (8.8.5/8.8.5) with ESMTP id JAA28232; Thu, 10 Feb 2000 09:53:27 -0800 (PST) Received: (from list@localhost) by aka.mcom.com (8.8.5/8.7.3) id JAA17168; Thu, 10 Feb 2000 09:55:12 -0800 (PST) Resent-Date: Thu, 10 Feb 2000 09:55:12 -0800 (PST) Message-Id: X-Mailer: Novell GroupWise Internet Agent 5.5.2.1 Date: Thu, 10 Feb 2000 10:54:57 -0700 From: "Jim Sermersheim" To: , Subject: Re: LDAP subtree search with zero-length DN for baseObject? Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Disposition: inline Resent-Message-ID: <"HxA5_B.A.-LE.Auvo4"@glacier> Resent-From: ietf-ldapext@netscape.com X-Mailing-List: X-Loop: ietf-ldapext@netscape.com Precedence: list Resent-Sender: ietf-ldapext-request@netscape.com Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by ietf.org id MAA05769 Our server follows the "search all the naming contexts you have locally" model which I think is reasonable. Jim >>> "RL 'Bob' Morgan" 2/10/00 10:43:42 AM >>> RFC 2251 says, in section 3.4: An LDAP server MUST provide information about itself and other information that is specific to each server. This is represented as a group of attributes located in the root DSE (DSA-Specific Entry), which is named with the zero-length LDAPDN. These attributes are retrievable if a client performs a base object search of the root with filter "(objectClass=*)", however they are subject to access control restrictions. The root DSE MUST NOT be included if the client performs a subtree search starting from the root. It isn't clear to me, though, what the expected result should be from a subtree search where the baseObject is the zero-length DN. It mustn't include the root DSE info, but what should it include? Should this mean "the subtree rooted at root of the global DIT"? Presumably, if so, in existing cases this would typically fail since the DSA doesn't know how to contact a DSA for "the root". Or can a DSA interpret it as "search all the naming contexts you have locally?" By experiment I find that servers I've tried this on report "no such object". Thanks, - RL "Bob" From list@netscape.com Thu Feb 10 13:08:56 2000 Received: from netscape.com (h-205-217-237-46.netscape.com [205.217.237.46]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id NAA06188 for ; Thu, 10 Feb 2000 13:08:49 -0500 (EST) Received: from aka.mcom.com (aka.mcom.com [205.217.237.180]) by netscape.com (8.8.5/8.8.5) with ESMTP id KAA08082; Thu, 10 Feb 2000 10:04:04 -0800 (PST) Received: (from list@localhost) by aka.mcom.com (8.8.5/8.7.3) id KAA23636; Thu, 10 Feb 2000 10:07:35 -0800 (PST) Resent-Date: Thu, 10 Feb 2000 10:07:35 -0800 (PST) Message-Id: X-Mailer: Novell GroupWise Internet Agent 5.5.2.1 Date: Thu, 10 Feb 2000 11:07:14 -0700 From: "Jim Sermersheim" To: , , , Subject: Re: RFC2251: RootDSE subschemasubentry issue Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Disposition: inline Resent-Message-ID: <"zpo8mB.A.7wF.m5vo4"@glacier> Resent-From: ietf-ldapext@netscape.com X-Mailing-List: X-Loop: ietf-ldapext@netscape.com Precedence: list Resent-Sender: ietf-ldapext-request@netscape.com Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by ietf.org id NAA06188 >>> "David Chadwick" 2/10/00 7:24:12 AM >>> >So we really need placeholders for all of these. >It seems to me like the rootDSE should hold server specific >attributes, a subentry under the NC context prefix should hold NC >specific attributes (this is in line with the LDUP group I believe), and >a subentry under an Admin Point should hold Man Domain specific >attributes (this is in line with X.500(93)). > >What do you think? >Or, an attribute which lists NCs and have subentries under the NCs, >so that no pointer is needed in the rootDSE. This makes sense to me. The current model of listing the DN's of all known subschema subentries is confusing because of the "decoupled from NCs" problems already discussed. As long as a client can discover the NCs, it can discover the entire set of subschema subentries. Jim From list@netscape.com Thu Feb 10 13:13:20 2000 Received: from netscape.com (h-205-217-237-46.netscape.com [205.217.237.46]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id NAA06313 for ; Thu, 10 Feb 2000 13:13:17 -0500 (EST) Received: from aka.mcom.com (aka.mcom.com [205.217.237.180]) by netscape.com (8.8.5/8.8.5) with ESMTP id KAA09531; Thu, 10 Feb 2000 10:09:10 -0800 (PST) Received: (from list@localhost) by aka.mcom.com (8.8.5/8.7.3) id KAA27737; Thu, 10 Feb 2000 10:12:42 -0800 (PST) Resent-Date: Thu, 10 Feb 2000 10:12:42 -0800 (PST) Message-Id: <3.0.5.32.20000210101238.009a0100@infidel.boolean.net> X-Sender: guru@infidel.boolean.net X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.5 (32) Date: Thu, 10 Feb 2000 10:12:38 -0800 To: ietf-ldapext@netscape.com From: "Kurt D. Zeilenga" Subject: draft-ietf-ldapext-ldapv3-tls-06.txt Cc: jhodges@oblix.com, RLBob Morgan , Mark Wahl , LDAP extensions In-Reply-To: <200002101717.JAA01460@breakaway.Stanford.EDU> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Resent-Message-ID: <"2hirQC.A.HxG.Z-vo4"@glacier> Resent-From: ietf-ldapext@netscape.com X-Mailing-List: X-Loop: ietf-ldapext@netscape.com Precedence: list Resent-Sender: ietf-ldapext-request@netscape.com Jeff, I have only significant concern. In 6.1.2: [Upon failure of BIND SASL/EXTERNAL...] The LDAP association's authentication identity and authorization identity (if any) which were in effect after TLS establishment but prior to making the Bind request, MUST remain in force. This is inconsistent with RFC 2251 prescribed behavior: Clients MAY send multiple bind requests on a connection to change their credentials. ... Authentication from earlier binds are subsequently ignored, and so if the bind fails, the connection will be treated as anonymous. I can find no compelling reasoning why BIND failure whilst TLS is enabled should have special behavior. I believe this an unnecessary complication. I believe there are many good reasons why this BIND behavior should be consistent without regard to TLS (or IPSEC or whatever). Reasons: simplicity of specification, implementation, and use. The general rule for security is simplicity. Why the complication? From list@netscape.com Thu Feb 10 13:20:38 2000 Received: from netscape.com (h-205-217-237-47.netscape.com [205.217.237.47]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id NAA06591 for ; Thu, 10 Feb 2000 13:20:36 -0500 (EST) Received: from aka.mcom.com (aka.mcom.com [205.217.237.180]) by netscape.com (8.8.5/8.8.5) with ESMTP id KAA03976; Thu, 10 Feb 2000 10:18:14 -0800 (PST) Received: (from list@localhost) by aka.mcom.com (8.8.5/8.7.3) id KAA02411; Thu, 10 Feb 2000 10:19:56 -0800 (PST) Resent-Date: Thu, 10 Feb 2000 10:19:56 -0800 (PST) Date: Thu, 10 Feb 2000 12:18:50 -0600 From: Mark Wahl Subject: Re: LDAP subtree search with zero-length DN for baseObject? In-reply-to: "Your message of Thu, 10 Feb 2000 09:43:42 PST." Sender: Mark.Wahl@INNOSOFT.COM To: "RL 'Bob' Morgan" Cc: IETF ldapext WG Message-id: <3425.950206730@threadgill.austin.innosoft.com> Resent-Message-ID: <"1x8DKC.A.Xl.LFwo4"@glacier> Resent-From: ietf-ldapext@netscape.com X-Mailing-List: X-Loop: ietf-ldapext@netscape.com Precedence: list Resent-Sender: ietf-ldapext-request@netscape.com I can tell you what at least one implementation does in the case of a search that is not baseObject and the base name is zero length: 1) If the server is configured to hold ALL naming contexts immediately subordinate to the root (it is a top level server), then it searches each of these naming contexts that are immediately subordinate to the root, and any subordinate contexts as normal. 2) If the server is configured with a superior reference, then it returns a referral. 3) Otherwise it returns an error such as noSuchObject. Mark Wahl, Directory Product Architect Innosoft International, Inc. From list@netscape.com Thu Feb 10 13:20:43 2000 Received: from netscape.com (h-205-217-237-46.netscape.com [205.217.237.46]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id NAA06601 for ; Thu, 10 Feb 2000 13:20:41 -0500 (EST) Received: from aka.mcom.com (aka.mcom.com [205.217.237.180]) by netscape.com (8.8.5/8.8.5) with ESMTP id KAA10903; Thu, 10 Feb 2000 10:16:32 -0800 (PST) Received: (from list@localhost) by aka.mcom.com (8.8.5/8.7.3) id KAA02521; Thu, 10 Feb 2000 10:20:02 -0800 (PST) Resent-Date: Thu, 10 Feb 2000 10:20:02 -0800 (PST) Message-Id: <3.0.5.32.20000210101955.00990950@infidel.boolean.net> X-Sender: guru@infidel.boolean.net X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.5 (32) Date: Thu, 10 Feb 2000 10:19:55 -0800 To: "Jim Sermersheim" From: "Kurt D. Zeilenga" Subject: Re: LDAP subtree search with zero-length DN for baseObject? Cc: , In-Reply-To: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Resent-Message-ID: <"VevoP.A.0m.RFwo4"@glacier> Resent-From: ietf-ldapext@netscape.com X-Mailing-List: X-Loop: ietf-ldapext@netscape.com Precedence: list Resent-Sender: ietf-ldapext-request@netscape.com At 10:54 AM 2/10/00 -0700, Jim Sermersheim wrote: >Our server follows the "search all the naming contexts you have locally" model which I think is reasonable. Our server returns noSuchObject (or superior referral) unless the server is configured to be a global root server (experimental only). From list@netscape.com Thu Feb 10 13:22:49 2000 Received: from netscape.com (h-205-217-237-46.netscape.com [205.217.237.46]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id NAA06654 for ; Thu, 10 Feb 2000 13:22:45 -0500 (EST) Received: from aka.mcom.com (aka.mcom.com [205.217.237.180]) by netscape.com (8.8.5/8.8.5) with ESMTP id KAA11764; Thu, 10 Feb 2000 10:18:24 -0800 (PST) Received: (from list@localhost) by aka.mcom.com (8.8.5/8.7.3) id KAA05274; Thu, 10 Feb 2000 10:21:53 -0800 (PST) Resent-Date: Thu, 10 Feb 2000 10:21:53 -0800 (PST) Date: Thu, 10 Feb 2000 12:20:45 -0600 From: Mark Wahl Subject: Re: RFC2251: RootDSE subschemasubentry issue In-reply-to: "Your message of Thu, 10 Feb 2000 11:07:14 MST." Sender: Mark.Wahl@INNOSOFT.COM To: Jim Sermersheim Cc: ietf-ldapext@netscape.com, Kurt@OpenLDAP.org, d.w.chadwick@salford.ac.uk Message-id: <3678.950206845@threadgill.austin.innosoft.com> Resent-Message-ID: <"W4ygPD.A.ISB.AHwo4"@glacier> Resent-From: ietf-ldapext@netscape.com X-Mailing-List: X-Loop: ietf-ldapext@netscape.com Precedence: list Resent-Sender: ietf-ldapext-request@netscape.com > As long as a client can discover the NCs, it can discover the entire > set of subschema subentries. This doesn't work where there are subschema administrative areas inside of naming contexts. You put the subschema subentry below the subschema admin point, not below the naming context prefix. Mark Wahl, Directory Product Architect Innosoft International, Inc. From list@netscape.com Thu Feb 10 13:35:12 2000 Received: from netscape.com (h-205-217-237-46.netscape.com [205.217.237.46]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id NAA07034 for ; Thu, 10 Feb 2000 13:35:08 -0500 (EST) Received: from aka.mcom.com (aka.mcom.com [205.217.237.180]) by netscape.com (8.8.5/8.8.5) with ESMTP id KAA14018; Thu, 10 Feb 2000 10:29:57 -0800 (PST) Received: (from list@localhost) by aka.mcom.com (8.8.5/8.7.3) id KAA12379; Thu, 10 Feb 2000 10:33:29 -0800 (PST) Resent-Date: Thu, 10 Feb 2000 10:33:29 -0800 (PST) Date: Thu, 10 Feb 2000 12:33:17 -0600 From: Andy Coulbeck Subject: Re: RFC2251: RootDSE subschemasubentry issue Sender: Andy.Coulbeck@INNOSOFT.COM To: Jim Sermersheim Cc: M.Wahl@INNOSOFT.COM, ietf-ldapext@netscape.com, Kurt@OpenLDAP.org, d.w.chadwick@salford.ac.uk Message-id: <38A3046D.FBC7D91D@innosoft.com> Organization: Innosoft International Inc. MIME-version: 1.0 X-Mailer: Mozilla 4.7 [en] (X11; U; SunOS 5.6 sun4u) Content-type: text/plain; charset=us-ascii Content-transfer-encoding: 7bit X-Accept-Language: fr, en References: Resent-Message-ID: <"UuDmUB.A.vAD.3Rwo4"@glacier> Resent-From: ietf-ldapext@netscape.com X-Mailing-List: X-Loop: ietf-ldapext@netscape.com Precedence: list Resent-Sender: ietf-ldapext-request@netscape.com Content-Transfer-Encoding: 7bit Jim Sermersheim wrote: > > >>> "David Chadwick" 2/10/00 7:24:12 AM >>> > > >So we really need placeholders for all of these. > >It seems to me like the rootDSE should hold server specific > >attributes, a subentry under the NC context prefix should hold NC > >specific attributes (this is in line with the LDUP group I believe), and > >a subentry under an Admin Point should hold Man Domain specific > >attributes (this is in line with X.500(93)). > > > >What do you think? > > > > >Or, an attribute which lists NCs and have subentries under the NCs, > >so that no pointer is needed in the rootDSE. > > This makes sense to me. The current model of listing the DN's of all known subschema subentries is confusing because of the "decoupled from NCs" problems already discussed. As long as a client can discover the NCs, it can discover the entire set of subschema subentries. > > Jim As Thomas Salter has already pointed out, the subschema subentry associated with a given naming context can be found by reading the naming context entry. The root DSE already contains the set of naming contexts. Therefore the current model is not broken. Also, in the current model, a server may have several naming contexts referring to a single subschema subentry. This would not be possible if subschema subentries were assumed to be under the naming context. From list@netscape.com Thu Feb 10 13:38:19 2000 Received: from netscape.com (h-205-217-237-47.netscape.com [205.217.237.47]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id NAA07156 for ; Thu, 10 Feb 2000 13:38:14 -0500 (EST) Received: from aka.mcom.com (aka.mcom.com [205.217.237.180]) by netscape.com (8.8.5/8.8.5) with ESMTP id KAA10030; Thu, 10 Feb 2000 10:35:53 -0800 (PST) Received: (from list@localhost) by aka.mcom.com (8.8.5/8.7.3) id KAA15874; Thu, 10 Feb 2000 10:37:39 -0800 (PST) Resent-Date: Thu, 10 Feb 2000 10:37:39 -0800 (PST) Sender: mcs@netscape.com (Mark C Smith) Message-ID: <38A3056D.64A8167@netscape.com> Date: Thu, 10 Feb 2000 13:37:33 -0500 From: Mark Smith Organization: iPlanet E-Commerce Solutions X-Mailer: Mozilla 4.7 [en] (X11; U; SunOS 5.6 sun4u) X-Accept-Language: en-US,en MIME-Version: 1.0 To: John Storry , John Storry CC: ietf-ldapext@netscape.com Subject: Re: Please remove from mailing list References: <017E033801420200@mailgate.netconnect.co.uk> Content-Type: multipart/mixed; boundary="------------7977908668D4FCB925CFF188" Resent-Message-ID: <"JuSG7D.A.d3D.xVwo4"@glacier> Resent-From: ietf-ldapext@netscape.com X-Mailing-List: X-Loop: ietf-ldapext@netscape.com Precedence: list Resent-Sender: ietf-ldapext-request@netscape.com This is a multi-part message in MIME format. --------------7977908668D4FCB925CFF188 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit John Storry wrote: > > Could you please remove the following: > > dnesbitt@netconnect.co.uk from your mailing list ASAP as this user is no > longer employed by this company. Please, please do not send "unsubscribe" and other administrative requests to the entire LDAPEXT mailing list! See: http://www.ietf.org/html.charters/ldapext-charter.html for list information. Or just try the nearly universal Internet convention of sending administrative requests to -request, i.e., mailto:ietf-ldapext-REQUEST@netscape.com Thanks. I won't repeat this again soon, so I hope everyone is paying attention. -- Mark Smith Directory Product Development / iPlanet E-Commerce Solutions My words are my own, not my employer's. Got LDAP? --------------7977908668D4FCB925CFF188 Content-Type: message/rfc822 Content-Disposition: inline Return-Path: Received: from aka.mcom.com ([205.217.237.180]) by tintin.mcom.com (Netscape Messaging Server 4.1) with ESMTP id FPQ6TK00.S2Q for ; Thu, 10 Feb 2000 09:48:56 -0800 Received: (from list@localhost) by aka.mcom.com (8.8.5/8.7.3) id JAA13086 for mcs; Thu, 10 Feb 2000 09:48:56 -0800 (PST) Resent-Date: Thu, 10 Feb 2000 09:48:56 -0800 (PST) Message-ID: <90B308416283D311978B0090272BF7F503C1DA@mail.availnetworks.com> From: Ron Carter To: IETF ldapext WG Subject: RE: Notification: Inbound Mail Failure Date: Thu, 10 Feb 2000 12:47:41 -0500 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.10) Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01BF73EE.F141B810" Resent-Message-ID: <"rj6pd.A.RAD.mnvo4"@glacier> Resent-From: ietf-ldapext@netscape.com X-Mailing-List: X-Loop: ietf-ldapext@netscape.com Precedence: list Resent-Sender: ietf-ldapext-request@netscape.com This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. ------_=_NextPart_001_01BF73EE.F141B810 Content-Type: text/plain; charset="iso-8859-1" This user is no longer with our company. Please remove him from your list. Ron Carter Network Administrator Avail Networks 305 E. Eisenhower pkwy. Ann Arbor, MI 48108 (734) 332-5578 rcarter@availnetworks.com -----Original Message----- From: Ron Carter Sent: Thursday, February 10, 2000 12:43 PM To: Ron Carter Subject: Notification: Inbound Mail Failure The following recipients did not receive the attached mail. Reasons are listed with each recipient: rich@nei.com MSEXCH:IMS:avail:site-1:AVAIL-EXC 0 (000C05A6) Unknown Recipient The message that caused this notification was: ------_=_NextPart_001_01BF73EE.F141B810 Content-Type: text/html; charset="iso-8859-1" RE: Notification: Inbound Mail Failure

This user is no longer with our company. Please remove him from your list.

Ron Carter
Network Administrator
Avail Networks
305 E. Eisenhower pkwy.
Ann Arbor, MI 48108
(734) 332-5578
rcarter@availnetworks.com

-----Original Message-----
From: Ron Carter
Sent: Thursday, February 10, 2000 12:43 PM
To: Ron Carter
Subject: Notification: Inbound Mail Failure

The following recipients did not receive the attached mail. Reasons are listed with each recipient:

<rich@nei.com> rich@nei.com
MSEXCH:IMS:avail:site-1:AVAIL-EXC 0 (000C05A6) Unknown Recipient

The message that caused this notification was:

------_=_NextPart_001_01BF73EE.F141B810-- --------------7977908668D4FCB925CFF188-- From list@netscape.com Thu Feb 10 14:01:54 2000 Received: from netscape.com (h-205-217-237-47.netscape.com [205.217.237.47]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id OAA07688 for ; Thu, 10 Feb 2000 14:01:52 -0500 (EST) Received: from aka.mcom.com (aka.mcom.com [205.217.237.180]) by netscape.com (8.8.5/8.8.5) with ESMTP id KAA14406; Thu, 10 Feb 2000 10:59:28 -0800 (PST) Received: (from list@localhost) by aka.mcom.com (8.8.5/8.7.3) id LAA29470; Thu, 10 Feb 2000 11:01:14 -0800 (PST) Resent-Date: Thu, 10 Feb 2000 11:01:14 -0800 (PST) Message-Id: <3.0.5.32.20000210110056.00991ad0@infidel.boolean.net> X-Sender: guru@infidel.boolean.net X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.5 (32) Date: Thu, 10 Feb 2000 11:00:56 -0800 To: d.w.chadwick@salford.ac.uk From: "Kurt D. Zeilenga" Subject: Re: RFC2251: RootDSE subschemasubentry issue Cc: ietf-ldapext@netscape.com, Mark Wahl In-Reply-To: References: <3.0.5.32.20000209115809.00970b70@infidel.boolean.net> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Resent-Message-ID: <"6nrhXB.A.KMH.5rwo4"@glacier> Resent-From: ietf-ldapext@netscape.com X-Mailing-List: X-Loop: ietf-ldapext@netscape.com Precedence: list Resent-Sender: ietf-ldapext-request@netscape.com At 02:22 PM 2/10/00 -0000, David Chadwick wrote: > >> At 07:26 PM 2/9/00 -0000, David Chadwick wrote: >> >Do you agree with this analysis? >> >> Yes. > >Good, we are making progress towards resolution. > >> >> The next questions are: >> >> What other attributes published in RootDSE are naming >> context specific? > >The question should actually be wider than this I believe. i.e. What >attributes are NC specific and what attributes are server specific >and what attributes are Management Domain specific, since > >i) a Man Domain can comprise many servers >ii) a server can hold many NCs >iii) a server can hold many Man Domains. Yes... >It seems to me like the rootDSE should hold server specific >attributes, a subentry under the NC context prefix should hold NC >specific attributes (this is in line with the LDUP group I believe), and >a subentry under an Admin Point should hold Man Domain specific >attributes (this is in line with X.500(93)). > >What do you think? Might be workable... [see below] > >> From the design perpective, I see different ways of >> providing naming context specific information: >> >> 1) add new attributes which provide the context >> and the capability as combined value. (Ie: >> 1A) dn: (root dse) >> subschemasubentries: dc=openldap,dc=org $ >> ( cn=subschema $ cn=openldap-subschema ) >> subschemasubentries: dc=example,dc=com $ cn=subschema >> ... >> >> or: >> 1B) dn: (root dse) >> subschemasubentries: dc=openldap,dc=org $ cn=subschema >> subschemasubentries: dc=openldap,dc=org $ cn=opendlap-subschema >> subschemasubentries: dc=example,dc=com $ cn=subschema >> >> 2) provide an attribute which lists naming contexts >> AND a provides a DN of an entry (or subentry) which >> contains attributes describing the naming context >> specific capabilities. > >Or, an attribute which lists NCs and have subentries under the NCs, >so that no pointer is needed in the rootDSE. I would like to have attribute type in the NC who's value named the entry (or subentry) so as to avoid hardcoding the DN of the subentry. So, I'd like a pointer... but the pointer can be in the NC. If in the RootDSE, then it needs to contain both the DN of the namingContext and the DN of the subentry. >Why would you have 2 subschemasubentries for 1 NC? Separate subschema administrative areas within the NC. [See Mark Wahl's comment] From list@netscape.com Thu Feb 10 14:12:44 2000 Received: from netscape.com (h-205-217-237-46.netscape.com [205.217.237.46]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id OAA07992 for ; Thu, 10 Feb 2000 14:12:39 -0500 (EST) Received: from aka.mcom.com (aka.mcom.com [205.217.237.180]) by netscape.com (8.8.5/8.8.5) with ESMTP id LAA22434; Thu, 10 Feb 2000 11:08:17 -0800 (PST) Received: (from list@localhost) by aka.mcom.com (8.8.5/8.7.3) id LAA06447; Thu, 10 Feb 2000 11:11:48 -0800 (PST) Resent-Date: Thu, 10 Feb 2000 11:11:48 -0800 (PST) Sender: kristian@netscape.com (John Kristian) Message-ID: <38A30D72.BEEEC837@netscape.com> Date: Thu, 10 Feb 2000 11:11:46 -0800 From: John Kristian Organization: iPlanet E-Commerce Solutions X-Mailer: Mozilla 4.7 [en] (X11; U; SunOS 5.5.1 sun4u) X-Accept-Language: en-US,en MIME-Version: 1.0 To: "Mcauliffe Kristin" CC: ietf-ldapext@netscape.com Subject: Re: Question on Extensible Match Filter References: Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Resent-Message-ID: <"E5-LXD.A.dkB.z1wo4"@glacier> Resent-From: ietf-ldapext@netscape.com X-Mailing-List: X-Loop: ietf-ldapext@netscape.com Precedence: list Resent-Sender: ietf-ldapext-request@netscape.com Content-Transfer-Encoding: 7bit Your query is somewhat off-topic here. A better forum would be snews://secnews.netscape.com/netscape.server.directory or news://news.mozilla.org/netscape.public.mozilla.directory See also http://help.netscape.com/products/server/directory/index.html "Mcauliffe, Kristin" wrote: > I ... cannot seem to get a return from the DS servers (Netscape, Novell NDS > and MS AD) that I am testing using the Extensible Match string. http://home.netscape.com/eng/server/directory/4.1/admin/find.htm#1041100 might be helpful. From list@netscape.com Thu Feb 10 15:38:39 2000 Received: from netscape.com (h-205-217-237-47.netscape.com [205.217.237.47]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id PAA09999 for ; Thu, 10 Feb 2000 15:38:37 -0500 (EST) Received: from aka.mcom.com (aka.mcom.com [205.217.237.180]) by netscape.com (8.8.5/8.8.5) with ESMTP id MAA00319; Thu, 10 Feb 2000 12:35:31 -0800 (PST) Received: (from list@localhost) by aka.mcom.com (8.8.5/8.7.3) id MAA11588; Thu, 10 Feb 2000 12:37:15 -0800 (PST) Resent-Date: Thu, 10 Feb 2000 12:37:15 -0800 (PST) Sender: mcs@netscape.com (Mark C Smith) Message-ID: <38A32174.6E0ECA06@netscape.com> Date: Thu, 10 Feb 2000 15:37:08 -0500 From: Mark Smith Organization: iPlanet E-Commerce Solutions X-Mailer: Mozilla 4.7 [en] (X11; U; SunOS 5.6 sun4u) X-Accept-Language: en-US,en MIME-Version: 1.0 To: Mark Meredith CC: M.Wahl@INNOSOFT.COM, Roger Harrison , ietf-ldapext@netscape.com Subject: Re: please publish draft-mmeredith-rootdse-vendor-info-01.txt References: Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Resent-Message-ID: <"uDo-iC.A.y0C.6Fyo4"@glacier> Resent-From: ietf-ldapext@netscape.com X-Mailing-List: X-Loop: ietf-ldapext@netscape.com Precedence: list Resent-Sender: ietf-ldapext-request@netscape.com Content-Transfer-Encoding: 7bit Mark Meredith wrote: > I will add your suggestion to section 6 Notes to Client Developers. To read > something like this. > > 6. Notes to Client Developers > > The use of vendorName and vendorVersion SHOULD NOT be used to > discover features. It is just an informational attribute. If a > client relies on a vendorVersion number then that client MUST > be coded to work with later versions and not just one version and > no other. > > If the client does not recognize the specific vendorName/vendorVersion as > one it has for its 'bug workaround needed' table, then the client MUST > assume that the server it is talking to is complete and correct. > > Does this look ok? I think this text is an improvement. But the "Overview" text also implies that these attributes should be used for discovering some features: 3. Overview The root DSE query is a mechanism used by clients to find out what controls, extensions, etc. is available from a given LDAP server. It is useful to be able to query an LDAP server to determine the vendor of that server and see what version of that vendor's code is currently installed. Since vendors can implement X- options for attributes, classes, and syntaxes (described in section 4 of [RFC2251] and section 4 of [RFC2252] ) that may or may not be published, this would allow users or applications to be able to determine if these features are available from a given server. I feel strongly that this document should consistently say that the vendorName and vendorVersion attribute values must only be used to work around bugs and shortcomings of a server and for purely informational (e.g., display) purposes. If others agree, the overview should be revised as well. If there are X- options that are adding real value to subschema values, let's start a discussion about them (and a document if appropriate). I suspect there are, given that several vendors (including iPlanet/Sun/netscape) are using various X- options today in their products. Also, the format for vendorVersion should be more fully specified. It is specified as an integer. But what if I need to publish version 4.11? I suggest making the value "version multiplied times 100" or using a string format. I also wonder if there should be a vendorProductName attribute as well, given that some vendors produce more than one product that processes LDAP requests. I suppose the vendorName field can be overloaded for that purpose, e.g., vendorName: OpenLDAP / slapd vendorName: OpenLDAP / ldapd ... but a separate attribute might be better. A minor formatting comment: the draft includes at least two non-ASCII characters (one in the "Overview" section and one in the "Author's Addresses" section). I think both were intended to be apostrophes ('). -- Mark Smith Directory Product Development / iPlanet E-Commerce Solutions My words are my own, not my employer's. Got LDAP? From list@netscape.com Thu Feb 10 15:54:38 2000 Received: from netscape.com (h-205-217-237-46.netscape.com [205.217.237.46]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id PAA10403 for ; Thu, 10 Feb 2000 15:54:37 -0500 (EST) Received: from aka.mcom.com (aka.mcom.com [205.217.237.180]) by netscape.com (8.8.5/8.8.5) with ESMTP id MAA06249; Thu, 10 Feb 2000 12:47:39 -0800 (PST) Received: (from list@localhost) by aka.mcom.com (8.8.5/8.7.3) id MAA15928; Thu, 10 Feb 2000 12:51:11 -0800 (PST) Resent-Date: Thu, 10 Feb 2000 12:51:11 -0800 (PST) Message-Id: <3.0.5.32.20000210125106.00926100@infidel.boolean.net> X-Sender: guru@infidel.boolean.net X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.5 (32) Date: Thu, 10 Feb 2000 12:51:06 -0800 To: Mark Smith From: "Kurt D. Zeilenga" Subject: Re: please publish draft-mmeredith-rootdse-vendor-info-01.txt Cc: Mark Meredith , M.Wahl@INNOSOFT.COM, Roger Harrison , ietf-ldapext@netscape.com In-Reply-To: <38A32174.6E0ECA06@netscape.com> References: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Resent-Message-ID: <"XkXAs.A.W4D.-Syo4"@glacier> Resent-From: ietf-ldapext@netscape.com X-Mailing-List: X-Loop: ietf-ldapext@netscape.com Precedence: list Resent-Sender: ietf-ldapext-request@netscape.com At 03:37 PM 2/10/00 -0500, Mark Smith wrote: >Also, the format for vendorVersion should be more fully specified. I disagree. Since you state that this should be for display purposes and/or for working around known bugs specific to this version, the only match that makes sense is EQUALITY. I suggest the values of this attribute type have syntax DirectoryString and that an equality rule of CaseExactMatch be provided. No ordering or substrings match, IMO, should be provided these would promote uses beyond that which is intended. (this doesn't disallow some vendor from support such via extended search filters) >I also wonder if there should be a vendorProductName attribute as well, >given that some vendors produce more than one product that processes >LDAP requests. Or some products might be comprised of software from multiple vendors... many server implementations support plugin architectures after all. In many cases, the vendor providing the core implementation is not the primary vendor providing the end "product". This is a rat hole. From list@netscape.com Thu Feb 10 16:40:22 2000 Received: from netscape.com (h-205-217-237-46.netscape.com [205.217.237.46]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id QAA11269 for ; Thu, 10 Feb 2000 16:40:20 -0500 (EST) Received: from aka.mcom.com (aka.mcom.com [205.217.237.180]) by netscape.com (8.8.5/8.8.5) with ESMTP id NAA15096; Thu, 10 Feb 2000 13:35:38 -0800 (PST) Received: (from list@localhost) by aka.mcom.com (8.8.5/8.7.3) id NAA05398; Thu, 10 Feb 2000 13:39:08 -0800 (PST) Resent-Date: Thu, 10 Feb 2000 13:39:08 -0800 (PST) Sender: mcs@netscape.com (Mark C Smith) Message-ID: <38A32FF7.D37AC34B@netscape.com> Date: Thu, 10 Feb 2000 16:39:03 -0500 From: Mark Smith Organization: iPlanet E-Commerce Solutions X-Mailer: Mozilla 4.7 [en] (X11; U; SunOS 5.6 sun4u) X-Accept-Language: en-US,en MIME-Version: 1.0 To: "Kurt D. Zeilenga" CC: Mark Meredith , M.Wahl@INNOSOFT.COM, Roger Harrison , ietf-ldapext@netscape.com Subject: Re: please publish draft-mmeredith-rootdse-vendor-info-01.txt References: <3.0.5.32.20000210125106.00926100@infidel.boolean.net> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Resent-Message-ID: <"6_wG8.A.DUB.7_yo4"@glacier> Resent-From: ietf-ldapext@netscape.com X-Mailing-List: X-Loop: ietf-ldapext@netscape.com Precedence: list Resent-Sender: ietf-ldapext-request@netscape.com Content-Transfer-Encoding: 7bit "Kurt D. Zeilenga" wrote: > > At 03:37 PM 2/10/00 -0500, Mark Smith wrote: > >Also, the format for vendorVersion should be more fully specified. > > I disagree. Since you state that this should be for > display purposes and/or for working around known bugs specific > to this version, the only match that makes sense is EQUALITY. > I suggest the values of this attribute type have syntax DirectoryString > and that an equality rule of CaseExactMatch be provided. No > ordering or substrings match, IMO, should be provided these > would promote uses beyond that which is intended. (this doesn't > disallow some vendor from support such via extended search filters) But your comment seems to be in conflict with this text from the document: > 6. Notes to Client Developers > > The use of vendorName and vendorVersion SHOULD NOT be used to > discover features. It is just an informational attribute. If a > client relies on a vendorVersion number then that client MUST > be coded to work with later versions and not just one version and > no other. I'd be happy to see the last sentence removed. Clients that rely on this attribute do so at their own risk and they should code the behavior that they think is best for them. This draft can't stipulate that an older client will work correctly with a newer server which, for example, includes a bug fix that introduces incompatibilities with older clients. > > >I also wonder if there should be a vendorProductName attribute as well, > >given that some vendors produce more than one product that processes > >LDAP requests. > > Or some products might be comprised of software from multiple vendors... > many server implementations support plugin architectures after all. > In many cases, the vendor providing the core implementation is not > the primary vendor providing the end "product". This is a rat hole. Good point. I agree. So we might as well just stick with one value (vendorName). -- Mark Smith Directory Product Development / iPlanet E-Commerce Solutions My words are my own, not my employer's. Got LDAP? From list@netscape.com Thu Feb 10 18:07:41 2000 Received: from netscape.com (h-205-217-237-47.netscape.com [205.217.237.47]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id SAA12688 for ; Thu, 10 Feb 2000 18:07:39 -0500 (EST) Received: from aka.mcom.com (aka.mcom.com [205.217.237.180]) by netscape.com (8.8.5/8.8.5) with ESMTP id PAA23686; Thu, 10 Feb 2000 15:04:46 -0800 (PST) Received: (from list@localhost) by aka.mcom.com (8.8.5/8.7.3) id PAA14884; Thu, 10 Feb 2000 15:06:31 -0800 (PST) Resent-Date: Thu, 10 Feb 2000 15:06:31 -0800 (PST) From: "David Chadwick" Organization: University of Salford To: Jim Sermersheim , Andy Coulbeck Date: Thu, 10 Feb 2000 23:04:29 -0000 MIME-Version: 1.0 Content-type: text/plain; charset=US-ASCII Content-transfer-encoding: 7BIT Subject: Re: RFC2251: RootDSE subschemasubentry issue Reply-to: d.w.chadwick@salford.ac.uk CC: M.Wahl@INNOSOFT.COM, ietf-ldapext@netscape.com, Kurt@OpenLDAP.org, d.w.chadwick@salford.ac.uk Priority: normal In-reply-to: <38A3046D.FBC7D91D@innosoft.com> X-mailer: Pegasus Mail for Win32 (v3.12b) Message-Id: Resent-Message-ID: <"ojl5jC.A.OoD.1R0o4"@glacier> Resent-From: ietf-ldapext@netscape.com X-Mailing-List: X-Loop: ietf-ldapext@netscape.com Precedence: list Resent-Sender: ietf-ldapext-request@netscape.com Content-Transfer-Encoding: 7BIT > As Thomas Salter has already pointed out, the subschema subentry > associated with a given naming context can be found by reading the > naming context entry. This is true. >The root DSE already contains the set of naming > contexts. Therefore the current model is not broken. . Not broken in that way, but it still is, in that a single valued attribute is required to hold multiple values >Also, in the > current model, a server may have several naming contexts referring to > a single subschema subentry. This would not be possible if subschema > subentries were assumed to be under the naming context. I dealt with this one by saying that in this case the subschema subentry would be below the administrative point for the domain, if they are all in the same management domain (In fact this is the model the NHS are using in the UK). Hope that helps David > *************************************************** David Chadwick IS Institute, University of Salford, Salford M5 4WT Tel +44 161 295 5351 Fax +44 161 745 8169 Mobile +44 790 167 0359 Email D.W.Chadwick@salford.ac.uk Home Page http://www.salford.ac.uk/its024/chadwick.htm Understanding X.500 http://www.salford.ac.uk/its024/X500.htm X.500/LDAP Seminars http://www.salford.ac.uk/its024/seminars.htm Entrust key validation string MLJ9-DU5T-HV8J *************************************************** From list@netscape.com Thu Feb 10 18:08:26 2000 Received: from netscape.com (h-205-217-237-46.netscape.com [205.217.237.46]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id SAA12689 for ; Thu, 10 Feb 2000 18:07:39 -0500 (EST) Received: from aka.mcom.com (aka.mcom.com [205.217.237.180]) by netscape.com (8.8.5/8.8.5) with ESMTP id PAA05750; Thu, 10 Feb 2000 15:03:00 -0800 (PST) Received: (from list@localhost) by aka.mcom.com (8.8.5/8.7.3) id PAA14926; Thu, 10 Feb 2000 15:06:32 -0800 (PST) Resent-Date: Thu, 10 Feb 2000 15:06:32 -0800 (PST) From: "David Chadwick" Organization: University of Salford To: "Kurt D. Zeilenga" , ietf-ldapext@netscape.com, Mark Wahl Date: Thu, 10 Feb 2000 23:04:27 -0000 MIME-Version: 1.0 Content-type: text/plain; charset=US-ASCII Content-transfer-encoding: 7BIT Subject: Re: RFC2251: RootDSE subschemasubentry issue Reply-to: d.w.chadwick@salford.ac.uk Priority: normal In-reply-to: <3.0.5.32.20000210110056.00991ad0@infidel.boolean.net> References: X-mailer: Pegasus Mail for Win32 (v3.12b) Message-Id: Resent-Message-ID: <"8xAQuB.A.roD.3R0o4"@glacier> Resent-From: ietf-ldapext@netscape.com X-Mailing-List: X-Loop: ietf-ldapext@netscape.com Precedence: list Resent-Sender: ietf-ldapext-request@netscape.com Content-Transfer-Encoding: 7BIT > >Why would you have 2 subschemasubentries for 1 NC? > > Separate subschema administrative areas within the NC. > [See Mark Wahl's comment] > I proposed solving this problem by having separate subschema subentries below each administrative point (ala X.500), then we still can retain single valued attributes. This is what I understood Mark was also proposing. Since the NC will probably be (but not necessarily) an administrative point anyway, then it will usually have a subschema subentry below it. For the few (rare?) cases where the NC is not an admin point (e.g. an orgs DIT is distributed across 2 servers and thus 2 NCs, but both are controlled by the same subschema) X.500 proposes having one subentry beneath the upper NC, and this would be replicated into the subordinate server. LDAP servers could choose instead to hold a copy of this subschema subentry beneath the subordinate NC context prefix if you wished to, or you could go with the X.500 model). I dont object to you also holding a pointer in the NC, holding the DN of the subschemasubentry directly beneath it, if you want to, although it only adds minor efficiency gains since the subentry is immediately subordinate to the NC context prefix entry anyway. David > *************************************************** David Chadwick IS Institute, University of Salford, Salford M5 4WT Tel +44 161 295 5351 Fax +44 161 745 8169 Mobile +44 790 167 0359 Email D.W.Chadwick@salford.ac.uk Home Page http://www.salford.ac.uk/its024/chadwick.htm Understanding X.500 http://www.salford.ac.uk/its024/X500.htm X.500/LDAP Seminars http://www.salford.ac.uk/its024/seminars.htm Entrust key validation string MLJ9-DU5T-HV8J *************************************************** From list@netscape.com Thu Feb 10 18:23:33 2000 Received: from netscape.com (h-205-217-237-46.netscape.com [205.217.237.46]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id SAA12849 for ; Thu, 10 Feb 2000 18:23:32 -0500 (EST) Received: from aka.mcom.com (aka.mcom.com [205.217.237.180]) by netscape.com (8.8.5/8.8.5) with ESMTP id PAA08868; Thu, 10 Feb 2000 15:18:45 -0800 (PST) Received: (from list@localhost) by aka.mcom.com (8.8.5/8.7.3) id PAA22063; Thu, 10 Feb 2000 15:22:13 -0800 (PST) Resent-Date: Thu, 10 Feb 2000 15:22:13 -0800 (PST) Message-Id: <3.0.5.32.20000210152203.00986150@infidel.boolean.net> X-Sender: guru@infidel.boolean.net X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.5 (32) Date: Thu, 10 Feb 2000 15:22:03 -0800 To: Mark Smith From: "Kurt D. Zeilenga" Subject: Re: please publish draft-mmeredith-rootdse-vendor-info-01.txt Cc: Mark Meredith , M.Wahl@INNOSOFT.COM, Roger Harrison , ietf-ldapext@netscape.com In-Reply-To: <38A32FF7.D37AC34B@netscape.com> References: <3.0.5.32.20000210125106.00926100@infidel.boolean.net> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Resent-Message-ID: <"rlSd8D.A.aYF.kg0o4"@glacier> Resent-From: ietf-ldapext@netscape.com X-Mailing-List: X-Loop: ietf-ldapext@netscape.com Precedence: list Resent-Sender: ietf-ldapext-request@netscape.com My basic option on this proposal as a whole: I think implementations that needs such specific vendor/version information are fundamentally broken. That is, a client should be liberal enough to workaround any reasonable non-strict behavior of the servers (and vice versa). Clients SHOULD NOT be modified to support servers who's behavior is not reasonable (and vice versa). As such, I can only support such attributes if their use is is restricted to DISPLAY PURPOSES ONLY. At 04:39 PM 2/10/00 -0500, Mark Smith wrote: >But your comment seems to be in conflict with this text from the >document: That might be true. My point is that if the intent is to work around bugs in a specific version, then only an equality test for specific versions (known by the client to have bugs) is needed. All other versions should be considered to properly implement specifications. > >> 6. Notes to Client Developers >> >> The use of vendorName and vendorVersion SHOULD NOT be used to >> discover features. It is just an informational attribute. If a >> client relies on a vendorVersion number then that client MUST >> be coded to work with later versions and not just one version and >> no other. >Clients that rely on this attribute do so at their own risk I concur with this statement. >and they should code the behavior that they think is best for them. >This draft can't stipulate that an >older client will work correctly with a newer server which, for example, >includes a bug fix that introduces incompatibilities with older clients. Right... so next folks will ask that we extend the protocol so that servers will know the vendorName/vendorVersion of CLIENTS so servers can adapt to clients. One-off workarounds lead to future inoperability problems. > > > >> >> >I also wonder if there should be a vendorProductName attribute as well, >> >given that some vendors produce more than one product that processes >> >LDAP requests. >> >> Or some products might be comprised of software from multiple vendors... >> many server implementations support plugin architectures after all. >> In many cases, the vendor providing the core implementation is not >> the primary vendor providing the end "product". This is a rat hole. > >Good point. I agree. So we might as well just stick with one value >(vendorName). Again, who's the vendor? Is the implementor core server the vendor? Is the packager who screwed their build the vendor? Is the implementor of the buggy syntax plugin the vendor? Is the OS vendor who shipped a buggy support library? Is the support contractor the vendor? This is a rat hole. From list@netscape.com Thu Feb 10 18:33:44 2000 Received: from netscape.com (h-205-217-237-47.netscape.com [205.217.237.47]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id SAA12955 for ; Thu, 10 Feb 2000 18:33:43 -0500 (EST) Received: from aka.mcom.com (aka.mcom.com [205.217.237.180]) by netscape.com (8.8.5/8.8.5) with ESMTP id PAA28089; Thu, 10 Feb 2000 15:30:55 -0800 (PST) Received: (from list@localhost) by aka.mcom.com (8.8.5/8.7.3) id PAA28545; Thu, 10 Feb 2000 15:32:41 -0800 (PST) Resent-Date: Thu, 10 Feb 2000 15:32:41 -0800 (PST) X-Authentication-Warning: perq.cac.washington.edu: rlmorgan owned process doing -bs Date: Thu, 10 Feb 2000 16:33:11 -0700 (MST) From: "RL 'Bob' Morgan" X-Sender: rlmorgan@perq.cac.washington.edu Reply-To: "RL 'Bob' Morgan" To: Jim Sermersheim cc: ietf-ldapext@netscape.com Subject: Re: LDAP subtree search with zero-length DN for baseObject? In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Resent-Message-ID: <"s3J3t.A.V9G.Xq0o4"@glacier> Resent-From: ietf-ldapext@netscape.com X-Mailing-List: X-Loop: ietf-ldapext@netscape.com Precedence: list Resent-Sender: ietf-ldapext-request@netscape.com On Thu, 10 Feb 2000, Jim Sermersheim wrote: > Our server follows the "search all the naming contexts you have > locally" model which I think is reasonable. So, in the terms Mark and Kurt use, a Novell directory always acts like a top-level or global-root server? - RL "Bob" From list@netscape.com Thu Feb 10 19:20:41 2000 Received: from netscape.com (h-205-217-237-47.netscape.com [205.217.237.47]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id TAA13282 for ; Thu, 10 Feb 2000 19:20:40 -0500 (EST) Received: from aka.mcom.com (aka.mcom.com [205.217.237.180]) by netscape.com (8.8.5/8.8.5) with ESMTP id QAA04451; Thu, 10 Feb 2000 16:17:36 -0800 (PST) Received: (from list@localhost) by aka.mcom.com (8.8.5/8.7.3) id QAA20390; Thu, 10 Feb 2000 16:19:21 -0800 (PST) Resent-Date: Thu, 10 Feb 2000 16:19:21 -0800 (PST) X-Authentication-Warning: perq.cac.washington.edu: rlmorgan owned process doing -bs Date: Thu, 10 Feb 2000 16:19:53 -0800 (PST) From: "RL 'Bob' Morgan" X-Sender: rlmorgan@perq.cac.washington.edu Reply-To: "RL 'Bob' Morgan" To: IETF ldapext WG Subject: proposed mods to draft-ietf-ldapext-locate-01.txt Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Resent-Message-ID: <"7FImQB.A.U-E.IW1o4"@glacier> Resent-From: ietf-ldapext@netscape.com X-Mailing-List: X-Loop: ietf-ldapext@netscape.com Precedence: list Resent-Sender: ietf-ldapext-request@netscape.com Here are modifications I propose to draft-ietf-ldapext-locate-01.txt, based on my note of 20 Jan 2000, and some other stuff. - RL "Bob" --- [ This section 2 replaces the current section 2. ] 2. Introduction The LDAPv3 protocol [1] is designed to be a lightweight access protocol for directory services supporting X.500 models. As a distributed directory service, the complete set of directory information (known as the Directory Information Base) is spread across many different servers. Hence there is the need to determine, when initiating or processing a request, which servers hold the relevant information. In LDAP, the Search, Modify, Add, Delete, ModifyDN, and Compare operations all specify a Distinguished Name (DN) on which the operation is performed. A client, or a server acting on behalf of a client, must be able to determine the server(s) that hold the naming context containing that DN, since that server (or one of that set of servers) must receive and process the request. This determination process is called "server location". To support dynamic distributed operation, the information needed to support server location must be available via lookups done at request processing time, rather than, for example, as static data configured into each client or server. It is possible to maintain the information needed to support server location in the directory itself, and X.500 directory deployments typically do so. In practice, however, this only permits location of servers within a limited X.500-connected set. LDAP-specific methods of maintaining server location information in the directory have not yet been standardized. This document defines an alternative method of managing server location information using the Domain Name System. This method takes advantage of the global deployment of the DNS, by allowing LDAP server location information for any existing DNS domain to be published by creating the records described below. A full discussion of the benefits and drawbacks of the various directory location and naming methods is beyond the scope of this document. RFC 2247 defines an algorithm for mapping DNS domain names into DNs. This document defines the inverse mapping, from DNs to DNS domain names, based on the RFC 2247 conventions, for use in this server location method. The server location method described in this document is only defined for DNs that can be so mapped, i.e., those DNs that are based on domain names. In practice this is reasonable because many objects of interest are named with domain names, and use of domain-name-based DNs is becoming common. === [ This is a new section. ] N. Mapping Distinguished Names into Domain Names This section defines a method of converting a DN into a DNS domain name for use in the server location method described below. Some DNs cannot be converted into a domain name. The output domain name is initially empty. For each RDN component of the DN, beginning with the first, if the attribute type is "DC", then the attribute value is used as a domain name component (label). The first such value becomes the most significant (i.e., rightmost) domain name component, and successive values occupy less significant positions (i.e., extending leftward), in order. If the attribute type is not "DC", then processing stops. If the first RDN component of the DN is not of type "DC" then the DN cannot be converted to a domain name. [ At first I wrote that the conversion should include converting the RDN attribute value to a string as per RFC 2253, but upon reflection I think it should just use the bits, since of course DNS can in theory handle binary labels just as well as X.500 can. I'm not a charset expert so I don't know if in reality an IA5 RDN value will just drop in and become a nice ASCII DNS name. I think, though, that RFC 2247 is deficient in that it assumes that a DNS name being converted into a DN will always be just ASCII/IA5 strings. ] === Mods to items in the current section 3: The name of this record always has the following format: _._. where is always "ldap", is a protocol that can be either "udp" or "tcp", and is the domain hosted by the LDAP Server. I think this is too loose about the relationship between the info on the LDAP server and the name of the SRV record used to locate it. So change the last bit to: where is always "ldap", and is a protocol that can be either "udp" or "tcp". is the domain name formed by converting the DN of a naming context mastered by the LDAP Server into a domain name using the algorithm in section N. Also: Presence of such records enables clients to find the LDAP servers using standard DNS query [3]. I think it's worthwhile to write down the algorithm in detail, hence follow this with: A client (or server) seeking an LDAP server for a particular DN converts that DN to a domain name using the algorithm of section N, does a SRV record query using the DNS name formed as described above: _ldap._tcp. and interprets the response as described in [6] to determine a host (or hosts) to contact. This continues with: As an example, a client that searches for an LDAP server in the example.net domain that supports TCP protocol But the LDAP client, for purposes of this document, starts with a DN, not a domain name, so make this: As an example, a client that searches for an LDAP server for the DN "dc=example,dc=net" that supports the TCP protocol ... From list@netscape.com Thu Feb 10 21:37:22 2000 Received: from netscape.com (h-205-217-237-46.netscape.com [205.217.237.46]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id VAA14632 for ; Thu, 10 Feb 2000 21:37:18 -0500 (EST) Received: from aka.mcom.com (aka.mcom.com [205.217.237.180]) by netscape.com (8.8.5/8.8.5) with ESMTP id SAA05242; Thu, 10 Feb 2000 18:32:31 -0800 (PST) Received: (from list@localhost) by aka.mcom.com (8.8.5/8.7.3) id SAA09923; Thu, 10 Feb 2000 18:36:02 -0800 (PST) Resent-Date: Thu, 10 Feb 2000 18:36:02 -0800 (PST) Message-ID: From: Gil Kirkpatrick To: "'d.w.chadwick@salford.ac.uk'" , "Kurt D. Zeilenga" , ietf-ldapext@netscape.com, Mark Wahl Subject: RE: RFC2251: RootDSE subschemasubentry issue Date: Thu, 10 Feb 2000 19:33:06 -0700 X-Mailer: Internet Mail Service (5.5.2650.21) Resent-Message-ID: <"FPkKyD.A.paC.QW3o4"@glacier> Resent-From: ietf-ldapext@netscape.com X-Mailing-List: X-Loop: ietf-ldapext@netscape.com Precedence: list Resent-Sender: ietf-ldapext-request@netscape.com David, Why does the rootDSE need to contain subschemaSubentrys for each NC hosted by the server? Why is not sufficient to maintain the subschemaSubentrys in the NCs themselves? -gil Gil Kirkpatrick Director of Engineering Netpro > -----Original Message----- > From: David Chadwick [SMTP:d.w.chadwick@salford.ac.uk] > Sent: Wednesday, February 09, 2000 12:27 PM > To: Kurt D. Zeilenga; ietf-ldapext@netscape.com; Mark Wahl > Subject: Re: RFC2251: RootDSE subschemasubentry issue > > Mark, Kurt > > I think I have an answer to the problem(s) being posed by Kurt. > > The model as it stands is OK if a server only masters one naming > context. Everything works fine. All the entries in the NC and the > rootDSE can contain the subschemaSubentry attribute which points > to the single subschema subentry. > > The problem arises once we have multiple NCs in a server. The > subschemaSubentry attribute can still be single valued and exist in > each entry in each NC and point to the correct subschema > subentry. However, the attribute in the root DSE no longer works, for > two reasons. > > Firstly it is supposed to be single valued (as Kurt pointed out) and > now it needs to have multiple values. > > Secondly, (again as Kurt pointed out) there is no way for the user to > know from the multivalued attribute in the rootDSE which value > points to which subschema subentry for which NC. THis of course is > not a problem for the entries within the NC, as they only still need a > single pointer to their one and only subschema subentry. > > Thus I conclude that the model is broken for multiple naming > contexts, and that the subschemaSubentry attribute in the rootDSE > needs to be replaced by a multivalued attribute, having two > components - the context prefix of an NC (an LDAP DN), and the > pointer to the subschemaSubentry. > > Do you agree with this analysis? > > David > > *************************************************** > > David Chadwick > IS Institute, University of Salford, Salford M5 4WT > Tel +44 161 295 5351 Fax +44 161 745 8169 > Mobile +44 790 167 0359 > Email D.W.Chadwick@salford.ac.uk > Home Page http://www.salford.ac.uk/its024/chadwick.htm > Understanding X.500 http://www.salford.ac.uk/its024/X500.htm > X.500/LDAP Seminars http://www.salford.ac.uk/its024/seminars.htm > Entrust key validation string MLJ9-DU5T-HV8J > > *************************************************** From list@netscape.com Thu Feb 10 23:24:47 2000 Received: from netscape.com (h-205-217-237-47.netscape.com [205.217.237.47]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id XAA17732 for ; Thu, 10 Feb 2000 23:24:44 -0500 (EST) Received: from aka.mcom.com (aka.mcom.com [205.217.237.180]) by netscape.com (8.8.5/8.8.5) with ESMTP id UAA28075; Thu, 10 Feb 2000 20:21:48 -0800 (PST) Received: (from list@localhost) by aka.mcom.com (8.8.5/8.7.3) id UAA04532; Thu, 10 Feb 2000 20:23:34 -0800 (PST) Resent-Date: Thu, 10 Feb 2000 20:23:34 -0800 (PST) From: "Peter Strong" To: "Kurt D. Zeilenga" , Mark Smith Cc: Mark Meredith , "M.Wahl" , Roger Harrison , ietf-ldapext Subject: RE: please publish draft-mmeredith-rootdse-vendor-info-01.txt Date: Thu, 10 Feb 2000 23:25:58 -0500 Message-ID: <001a01bf7448$185f2860$3750fb8d@net-pstrong.corpnorth.baynetworks.com> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook 8.5, Build 4.71.2173.0 In-Reply-To: <3.0.5.32.20000210152203.00986150@infidel.boolean.net> Importance: Normal X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3110.3 Resent-Message-ID: <"Z0RXrB.A.iGB.F74o4"@glacier> Resent-From: ietf-ldapext@netscape.com X-Mailing-List: X-Loop: ietf-ldapext@netscape.com Precedence: list Resent-Sender: ietf-ldapext-request@netscape.com Content-Transfer-Encoding: 7bit Hi, > -----Original Message----- > From: Kurt D. Zeilenga [mailto:Kurt@OpenLDAP.org] > Sent: Thursday, February 10, 2000 6:22 PM > To: Mark Smith > Cc: Mark Meredith; M.Wahl@INNOSOFT.COM; Roger Harrison; > ietf-ldapext@netscape.com > Subject: Re: please publish draft-mmeredith-rootdse-vendor-info-01.txt > > > My basic option on this proposal as a whole: > > I think implementations that needs such specific vendor/version > information are fundamentally broken. My basic opinion is that you are not living in the real world! I challenge you to modify the schema of a Netscape directory server, a Novell directory server and an MS Active Directory server without knowing the type of server to which you are connected. When we install our products against different directory implementations, we need to know the vendor - they all have quirks and irregularities that make such things as schema modification tricky. It would be ideal if this weren't the case, but it is, and probably always will be. > That is, a client should > be liberal enough to workaround any reasonable non-strict behavior > of the servers (and vice versa). Clients SHOULD NOT be modified > to support servers who's behavior is not reasonable (and vice > versa). For most basic operations, clients shouldn't experience difficulties. However, for things like schema modification, access control specification, creation of new naming roots or subtrees, I know that significant differences exist and that these differences won't go away any time soon. > As such, I can only support such attributes if their use is > is restricted to DISPLAY PURPOSES ONLY. Again, I have to disagree - we'll have to use this information to make appropriate choices in how to deal with particular server implementations. If we screw something up while doing this, well, that's our fault. But at least these small scraps of information give us a small chance of overcoming implementation descrepancies. > At 04:39 PM 2/10/00 -0500, Mark Smith wrote: > >But your comment seems to be in conflict with this text from the > >document: > > That might be true. My point is that if the intent is to > work around bugs in a specific version, then only an equality > test for specific versions (known by the client to have bugs) > is needed. All other versions should be considered to properly > implement specifications. Actually, the instances that I mentioned above don't appear to bugs. They appear to be cases where vendors have knowingly strayed from the standards (for whatever reason). More than likely, they haven't made these decisions without reason, and, when confronted about it, will likely indicate that they will "probably fix it in a future release". Yeah, right! In the mean time, I have to get product out the door. > > > >> 6. Notes to Client Developers > >> > >> The use of vendorName and vendorVersion SHOULD NOT be used to > >> discover features. It is just an informational attribute. If a > >> client relies on a vendorVersion number then that client MUST > >> be coded to work with later versions and not just one version and > >> no other. > > >Clients that rely on this attribute do so at their own risk > > I concur with this statement. > As do I. > >and they should code the behavior that they think is best for them. > > >This draft can't stipulate that an > >older client will work correctly with a newer server which, for example, > >includes a bug fix that introduces incompatibilities with older clients. > > Right... so next folks will ask that we extend the protocol > so that servers will know the vendorName/vendorVersion of > CLIENTS so servers can adapt to clients. > > One-off workarounds lead to future inoperability problems. Yes, but lack of any workaround leads to products that don't work AT ALL! We will always have interoperability problems. That's not being pessimistic, that's being realistic. I'm all for promoting as much interoperability and adherence to standards as possible, but I'm under no delusions that we'll ever achieve 100% interoperability for all directory implementations all the time. > > > > > > > >> > >> >I also wonder if there should be a vendorProductName > attribute as well, > >> >given that some vendors produce more than one product that processes > >> >LDAP requests. > >> > >> Or some products might be comprised of software from multiple > vendors... > >> many server implementations support plugin architectures after all. > >> In many cases, the vendor providing the core implementation is not > >> the primary vendor providing the end "product". This is a rat hole. > > > >Good point. I agree. So we might as well just stick with one value > >(vendorName). > Sounds fine. > Again, who's the vendor? Is the implementor core server the vendor? > Is the packager who screwed their build the vendor? Is the > implementor of the buggy syntax plugin the vendor? Is the OS > vendor who shipped a buggy support library? Is the support > contractor the vendor? > > This is a rat hole. > The only rat hole appears to be the argument against having a couple of simple attributes available to the poor bastards who have to actually build products on top of directory technology as it exists today! Regards, Peter ------------------------------------------------------------------------ Peter Strong Software Architect Nortel Networks - Optivity Policy Services (OPS) and NetID pestrong@nortelnetworks.com (613) 831-6615 From list@netscape.com Fri Feb 11 06:33:01 2000 Received: from netscape.com (h-205-217-237-46.netscape.com [205.217.237.46]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id GAA03828 for ; Fri, 11 Feb 2000 06:33:00 -0500 (EST) Received: from aka.mcom.com (aka.mcom.com [205.217.237.180]) by netscape.com (8.8.5/8.8.5) with ESMTP id DAA03987; Fri, 11 Feb 2000 03:28:17 -0800 (PST) Received: (from list@localhost) by aka.mcom.com (8.8.5/8.7.3) id DAA10680; Fri, 11 Feb 2000 03:31:48 -0800 (PST) Resent-Date: Fri, 11 Feb 2000 03:31:48 -0800 (PST) Message-Id: <200002111131.GAA03779@ietf.org> Mime-Version: 1.0 Content-Type: Multipart/Mixed; Boundary="NextPart" To: IETF-Announce: ; Cc: ietf-ldapext@netscape.com From: Internet-Drafts@ietf.org Reply-to: Internet-Drafts@ietf.org Subject: I-D ACTION:draft-ietf-ldapext-ldapv3-tls-06.txt Date: Fri, 11 Feb 2000 06:31:40 -0500 Sender: nsyracus@cnri.reston.va.us Resent-Message-ID: <"d57ARB.A.mmC.jM_o4"@glacier> Resent-From: ietf-ldapext@netscape.com X-Mailing-List: X-Loop: ietf-ldapext@netscape.com Precedence: list Resent-Sender: ietf-ldapext-request@netscape.com --NextPart A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the LDAP Extension Working Group of the IETF. Title : Lightweight Directory Access Protocol (v3): Extension for Transport Layer Security Author(s) : J. Hodges, B. Morgan, M. Wahl Filename : draft-ietf-ldapext-ldapv3-tls-06.txt Pages : 11 Date : 10-Feb-00 This document defines the 'Start Transport Layer Security (TLS) Opera- tion' for LDAP [LDAPv3, TLS]. This operation provides for TLS establish- ment in an LDAP association and is defined in terms of an LDAP extended request. A URL for this Internet-Draft is: http://www.ietf.org/internet-drafts/draft-ietf-ldapext-ldapv3-tls-06.txt Internet-Drafts are also available by anonymous FTP. Login with the username "anonymous" and a password of your e-mail address. After logging in, type "cd internet-drafts" and then "get draft-ietf-ldapext-ldapv3-tls-06.txt". A list of Internet-Drafts directories can be found in http://www.ietf.org/shadow.html or ftp://ftp.ietf.org/ietf/1shadow-sites.txt Internet-Drafts can also be obtained by e-mail. Send a message to: mailserv@ietf.org. In the body type: "FILE /internet-drafts/draft-ietf-ldapext-ldapv3-tls-06.txt". NOTE: The mail server at ietf.org can return the document in MIME-encoded form by using the "mpack" utility. To use this feature, insert the command "ENCODING mime" before the "FILE" command. To decode the response(s), you will need "munpack" or a MIME-compliant mail reader. Different MIME-compliant mail readers exhibit different behavior, especially when dealing with "multipart" MIME messages (i.e. documents which have been split up into multiple messages), so check your local documentation on how to manipulate these messages. Below is the data which will enable a MIME compliant mail reader implementation to automatically retrieve the ASCII version of the Internet-Draft. --NextPart Content-Type: Multipart/Alternative; Boundary="OtherAccess" --OtherAccess Content-Type: Message/External-body; access-type="mail-server"; server="mailserv@ietf.org" Content-Type: text/plain Content-ID: <20000210122219.I-D@ietf.org> ENCODING mime FILE /internet-drafts/draft-ietf-ldapext-ldapv3-tls-06.txt --OtherAccess Content-Type: Message/External-body; name="draft-ietf-ldapext-ldapv3-tls-06.txt"; site="ftp.ietf.org"; access-type="anon-ftp"; directory="internet-drafts" Content-Type: text/plain Content-ID: <20000210122219.I-D@ietf.org> --OtherAccess-- --NextPart-- From list@netscape.com Fri Feb 11 09:37:25 2000 Received: from netscape.com (h-205-217-237-46.netscape.com [205.217.237.46]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id JAA09973 for ; Fri, 11 Feb 2000 09:37:17 -0500 (EST) Received: from aka.mcom.com (aka.mcom.com [205.217.237.180]) by netscape.com (8.8.5/8.8.5) with ESMTP id GAA14696; Fri, 11 Feb 2000 06:32:29 -0800 (PST) Received: (from list@localhost) by aka.mcom.com (8.8.5/8.7.3) id GAA11600; Fri, 11 Feb 2000 06:36:01 -0800 (PST) Resent-Date: Fri, 11 Feb 2000 06:36:01 -0800 (PST) Message-ID: From: "Salter, Thomas A" To: ietf-ldapext Subject: RE: please publish draft-mmeredith-rootdse-vendor-info-01.txt Date: Fri, 11 Feb 2000 09:37:01 -0500 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: text/plain; charset="iso-8859-1" Resent-Message-ID: <"5_-JUD.A.90C.Q5Bp4"@glacier> Resent-From: ietf-ldapext@netscape.com X-Mailing-List: X-Loop: ietf-ldapext@netscape.com Precedence: list Resent-Sender: ietf-ldapext-request@netscape.com I agree that clients need to determine what server they are talking to. It wasn't that long ago that servers didn't even agree on the character set. In V2 you could find servers using UTF8, T.61 and Latin-1. Granted that problem should be solved by now, but there are still many ambiguities in the RFCs and probably a number of "a server MAY ... " clauses that are not otherwise resolvable. These attributes are easy to implement and allow client writers to solve real world problems. From list@netscape.com Fri Feb 11 10:50:29 2000 Received: from netscape.com (h-205-217-237-47.netscape.com [205.217.237.47]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id KAA12151 for ; Fri, 11 Feb 2000 10:50:20 -0500 (EST) Received: from aka.mcom.com (aka.mcom.com [205.217.237.180]) by netscape.com (8.8.5/8.8.5) with ESMTP id HAA08780; Fri, 11 Feb 2000 07:47:11 -0800 (PST) Received: (from list@localhost) by aka.mcom.com (8.8.5/8.7.3) id HAA04917; Fri, 11 Feb 2000 07:48:57 -0800 (PST) Resent-Date: Fri, 11 Feb 2000 07:48:57 -0800 (PST) Message-ID: <38A4158C.102DDB73@netscape.com> Date: Fri, 11 Feb 2000 08:58:36 -0500 From: mcs@netscape.com (Mark C Smith) Organization: Netscape Communications X-Mailer: Mozilla 4.7 [en] (WinNT; U) X-Accept-Language: en MIME-Version: 1.0 To: d.w.chadwick@salford.ac.uk CC: ietf-ldapext@netscape.com Subject: Re: RFC2251: RootDSE subschemasubentry issue References: Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Resent-Message-ID: <"9jNPEB.A.jMB.o9Cp4"@glacier> Resent-From: ietf-ldapext@netscape.com X-Mailing-List: X-Loop: ietf-ldapext@netscape.com Precedence: list Resent-Sender: ietf-ldapext-request@netscape.com Content-Transfer-Encoding: 7bit David Chadwick wrote: > > > As Thomas Salter has already pointed out, the subschema subentry > > associated with a given naming context can be found by reading the > > naming context entry. > > This is true. > > >The root DSE already contains the set of naming > > contexts. Therefore the current model is not broken. > > . Not broken in that way, but it still is, in that a single valued attribute > is required to hold multiple values I'd really prefer we choose the simple solution to this problem: change the subschemasubentry attribute to multivalued, but stipulate that it can only have one value when it appears outside the rootDSE. Does that solve the problem at hand? > > >Also, in the > > current model, a server may have several naming contexts referring to > > a single subschema subentry. This would not be possible if subschema > > subentries were assumed to be under the naming context. > > I dealt with this one by saying that in this case the subschema > subentry would be below the administrative point for the domain, if > they are all in the same management domain (In fact this is the > model the NHS are using in the UK). But as far as I know LDAPv3 doesn't require that servers support administrative domains at all. Some servers do, some do not. Also, what if the naming contexts are disjoint yet all share the same schema? That is a very common situation today. -- Mark Smith iPlanet Directory Architect / Sun-Netscape Alliance My words are my own, not my employer's. Got LDAP? From list@netscape.com Fri Feb 11 12:00:14 2000 Received: from netscape.com (h-205-217-237-47.netscape.com [205.217.237.47]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id MAA14458 for ; Fri, 11 Feb 2000 12:00:07 -0500 (EST) Received: from aka.mcom.com (aka.mcom.com [205.217.237.180]) by netscape.com (8.8.5/8.8.5) with ESMTP id IAA18117; Fri, 11 Feb 2000 08:57:12 -0800 (PST) Received: (from list@localhost) by aka.mcom.com (8.8.5/8.7.3) id IAA28622; Fri, 11 Feb 2000 08:58:59 -0800 (PST) Resent-Date: Fri, 11 Feb 2000 08:58:59 -0800 (PST) Message-Id: <3.0.5.32.20000211085848.009b4dd0@infidel.boolean.net> X-Sender: guru@infidel.boolean.net X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.5 (32) Date: Fri, 11 Feb 2000 08:58:48 -0800 To: mcs@netscape.com (Mark C Smith) From: "Kurt D. Zeilenga"

INTERNET SPY ORDER FORM!!