[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: FW: Active Directory question
Marty,
I've adjusted the cc/bcc lists to move this discussion
towards the LDAPEXT mailing list. That's the usual
forum for discussing the Internet engineering of LDAP
extensions.
This is an example of, amongst other things, a horribly
designed LDAP extension. It's most serious flaw is that
the extension is truly non-optional. If the server
elects to implement this extension, so must its clients
(if they want to get all available values).
Kurt
At 10:50 AM 4/15/2004, Schleiff, Marty wrote:
>Gentlemen,
>
>Can you please let me know your impressions about the MS Active
>Directory response with ranges of multi-valued attribute values?
>Also, using tools lke ldapsearch, how could I retrieve subsequent
>ranges?
>
>Thx,
>
>Marty.Schleiff@boeing.com; CISSP
>Associate Technical Fellow - Cyber Identity Specialist
>IT Access & Security Services
>(425) 957-5667
>-----Original Message-----
>From: Chris Harding [mailto:c.harding@opengroup.org]
>Sent: Wednesday, April 14, 2004 11:20 AM
>To: Schleiff, Marty
>Subject: RE: Active Directory question
>
>Hi, Marty -
>
>Thanks - sounds like this is definitely one for the IETF experts!
>
>At 18:52 14/04/2004, you wrote:
>Hi Dr. harding,
>
>Thanks for your response. I'd like to point out that this issue is
>not about a server limiting the number of entries to return; instead
>it's about the number of values within a single multi-valued
>attribute to return. The entry gets returned, but not all its
>attribute values.
>
>Marty.Schleiff@boeing.com; CISSP
>Associate Technical Fellow - Cyber Identity Specialist
>IT Access & Security Services
>(425) 957-5667
>-----Original Message-----
>From: Chris Harding [mailto:c.harding@opengroup.org]
>Sent: Wednesday, April 14, 2004 9:32 AM
>To: Schleiff, Marty
>Subject: Re: Active Directory question
>
>Hi, Marty -
>
>Our Product Standard is based on the IETF RFCs, so I think this
>would be legal behavior for an LDAP Certified server only if it
>is legal according to RFC 2251. Now the RFC says that "Servers may
>enforce a maximum number of entries to return" (section 4.5.1 under
>"sizelimit") so it looks to me as though the behavior may be legal.
>However, I have got my fingers burnt before trying to interpret
>this RFC, and I suggest you send mail to the ldapbis list
>(ietf-ldapbis@OpenLDAP.org) if you want to find out what the IETF
>experts think.
>
>At 22:57 13/04/2004, you wrote:
>Hi Dr. Harding,
>
>Microsoft Active Directory responds to queries on groups having
>more than 1024 members with the first 1000 members, with the
>'member' attribute changed to 'member;range=0-999'. See:
>http://www.hut.fi/cc/docs/kerberos/nss_ldap.html In TOG's efforts
>to brand "ldap-compliant" servers and applications, is this practice
>condoned? So far I've not been able to figure out how to get the
>next batch of members; I'm not sure it's possible via LDAP.
>
>Marty.Schleiff@boeing.com; CISSP
>Associate Technical Fellow - Cyber Identity Specialist
>IT Access & Security Services
>(425) 957-5667
>
>
>
>Regards,
>
>Chris
>+++++
>
>===========================================================================
> Dr. Christopher J. Harding
> T H E Executive Director for the Directory Interoperability Forum
> O P E N Apex Plaza, Forbury Road, Reading RG1 1AX, UK
>G R O U P Mailto:c.harding@opengroup.org Phone: +44 118 902 3018
> WWW: http://www.opengroup.org Mobile: +44 774 063 1520
>===========================================================================
>Boundaryless Information Flow: Managing the Flow
>Brussels Hilton Hotel, Brussels, Belgium. April 19-23, 2004
>http://www.opengroup.org/brussels2004/
>===========================================================================
>
>
>
>Regards,
>
>Chris
>+++++
>
>===========================================================================
> Dr. Christopher J. Harding
> T H E Executive Director for the Directory Interoperability Forum
> O P E N Apex Plaza, Forbury Road, Reading RG1 1AX, UK
>G R O U P Mailto:c.harding@opengroup.org Phone: +44 118 902 3018
> WWW: http://www.opengroup.org Mobile: +44 774 063 1520
>======================= ====================================================
>Boundaryless Information Flow: Managing the Flow
>Brussels Hilton Hotel, Brussels, Belgium. April 19-23, 2004
>http://www.opengroup.org/brussels2004/
>===========================================================================