
Re: LDAP URI extensions for SASL/StartTLS



At 10:21 AM 12/2/99 +0100, Leif Johansson wrote:
>> Note also that URI are often provided by users (such as to a
>> Web browser with ldap: support).  The user needs a mechanism
>> to describe how to do the search in situations where the client
>> may not be able to discover how to do the search through feature
>> discovery.
>
>When exactly is the client not able to discover the capabilities
>of the server?

We only provide a mechanism for advertising features, we provide
no mechanism that states when a particular feature may or may
not be used.  In many cases, the only way to discover which
features may be used in a specific context requires the client to
have some a priori knowledge or to do a bit of trial and error.
However, the number of possible feature combinations makes trial
and error infeasible.  Though one could attempt to define a
mechanism to represent all the allowed feature combinations
in some general context (such as which controls can be combined),
discovery of which features are applicable within the context
of an operation or set of operations is a whole other ball game.

Specifically to authentication, the server may support dozens
of SASL mechanisms, however only a few mechanisms may be
appropriate for this particular user.  For example, the server
may advertise that it supports DIGEST-MD5, S/Key, and
Kerberos mechanisms.  The client has no method it can use to
determine which is appropriate for the particular user
without attempting each.  Clearly the user may desire to
offer suggestions on which mechanism to try (or require).

I believe the ldap: URI scheme should be extended to be able
to fully describe the set of operations associated with the
LDAP search.  This should include describing allowed/required
bind operations, allowed/required StartTLS, allowed/required
search controls.

>The answer is: when the server does not support 
>at least read only access to the parts of the DIT (usually the 
>root DSE) where capabilities and/or policy is kept.

We only provide a mechanism that allows servers to advertise
the existence of features.  We do not provide a mechanism to
describe how, when, and by whom they may be used.

Kurt


----
Kurt D. Zeilenga		<kurt@boolean.net>
Net Boolean Incorporated	<http://www.boolean.net/>
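The gap Kurt describes above, as an added example that is not part of this thread and not code from any LDAP implementation: a client parses an RFC 2255 ldap: URL, reads the server's advertised capabilities from a constructed root DSE, and decides whether to StartTLS and which SASL mechanism to bind with before running the search. The `bindname` extension and the `!` critical marker are real RFC 2255 syntax; the `x-starttls` and `x-sasl` extension names are hypothetical stand-ins for the kind of extension being proposed, and the root DSE values are constructed sample data. Without such hints the client only learns the mechanism list and has to try each; with them it picks the first advertised mechanism the URL allows, and refuses outright when a critical hint cannot be satisfied rather than falling back to something weaker.

```python
"""Pick a bind plan from an ldap: URL plus the server's advertised
capabilities (root DSE).  Added example; the x-starttls and x-sasl
extension names are hypothetical, not from any RFC or from this thread.
bindname and the '!' critical marker are real RFC 2255 syntax."""
from urllib.parse import unquote

# Real OID of the StartTLS extended operation (RFC 2830).
STARTTLS_OID = "1.3.6.1.4.1.1466.20037"

# Constructed root DSE as a client would see it after an anonymous
# base-scope search of "" -- sample values, not from a real server.
SAMPLE_ROOT_DSE = {
    "supportedSASLMechanisms": ["DIGEST-MD5", "GSSAPI", "OTP"],
    "supportedExtension": [STARTTLS_OID],
}


class UnsupportedExtension(Exception):
    """A critical ('!') extension the client cannot honour; RFC 2255 says
    the client must then abort rather than silently proceed."""


def parse_ldap_url(url):
    """Split ldap://host[:port]/dn?attrs?scope?filter?extensions (RFC 2255)."""
    scheme, sep, rest = url.partition("://")
    if not sep or scheme.lower() not in ("ldap", "ldaps"):
        raise ValueError("not an ldap URL: %r" % url)
    hostport, _, rest = rest.partition("/")
    fields = rest.split("?") if rest else []
    fields += [""] * (5 - len(fields))
    dn, attrs, scope, filt, exts = fields[:5]
    extensions = []
    for ext in filter(None, exts.split(",")):
        critical = ext.startswith("!")
        name, _, value = ext.lstrip("!").partition("=")
        # exvalue is percent-encoded, so embedded commas arrive as %2C
        extensions.append((name.lower(), unquote(value), critical))
    return {
        "host": hostport,
        "dn": unquote(dn),
        "attrs": [a for a in attrs.split(",") if a],
        "scope": scope or "base",
        "filter": unquote(filt) or "(objectClass=*)",
        "extensions": extensions,
    }


def plan_bind(url, root_dse):
    """Decide StartTLS and SASL mechanism before the search.

    Without hints the client only knows the server's mechanism list and
    must try each; with hints it picks the first advertised mechanism the
    URL allows, and refuses if a critical hint cannot be satisfied."""
    parsed = parse_ldap_url(url)
    advertised = set(root_dse.get("supportedSASLMechanisms", []))
    plan = {"starttls": False, "mechanism": None, "bindname": None,
            "search": parsed}
    for name, value, critical in parsed["extensions"]:
        if name == "bindname":                 # real RFC 2255 extension
            plan["bindname"] = value
        elif name == "x-starttls":             # hypothetical extension
            supported = STARTTLS_OID in root_dse.get("supportedExtension", [])
            if critical and not supported:
                raise UnsupportedExtension("server does not offer StartTLS")
            plan["starttls"] = supported
        elif name == "x-sasl":                 # hypothetical: preference list
            wanted = [m.strip().upper() for m in value.split(",") if m.strip()]
            usable = [m for m in wanted if m in advertised]
            if critical and not usable:
                raise UnsupportedExtension(
                    "none of %s advertised by server" % wanted)
            plan["mechanism"] = usable[0] if usable else None
        elif critical:
            # unknown critical extension: RFC 2255 requires aborting
            raise UnsupportedExtension(name)
        # unknown non-critical extensions are ignored
    return plan


if __name__ == "__main__":
    url = ("ldap://ldap.example.com/dc=example,dc=com?cn?sub?(uid=kurt)"
           "?!x-starttls,x-sasl=OTP%2CDIGEST-MD5,"
           "bindname=cn=kurt%2Cdc=example%2Cdc=com")
    print(plan_bind(url, SAMPLE_ROOT_DSE))
```

The plan is computed before any connection is made, so the client can open the connection, issue StartTLS first (when the plan calls for it) and only then send credentials; a critical `!x-sasl` that names no advertised mechanism fails closed instead of quietly degrading to whatever the server lists first.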