Re: Syntax Issues in <draft-ietf-ldapext-acl-model-06.txt>
>>> "Steven Legg" <steven.legg@adacel.com.au> 7/28/00 1:24:34 AM >>>
<snip>
>
>The ldapACI SYNTAX and the binary representation of values are not
>compatible. Values of any attribute declared to be of DirectoryString
>syntax would be expected to have a BER encoding of a CHOICE of string
>types rather than a SEQUENCE. Also, the caseIgnoreMatch matching rule
>is meaningless if applied to a SEQUENCE type.
>
>Either define a new syntax OID and find/define a compatible matching
>rule, or lose the binary representation. I'd prefer the former to the
>latter.
That's my fault. I see your point, I'm also in favor of defining a new OID and matching rule (or rules). I'm told of a WG meeting some time back (Chicago maybe?) where there was an overwhelming consensus NOT to define new syntax OIDs. If this is still the case, a lesser evil might be to use Octet String syntax, and just force exact matching (eck).
>The SYNTAX field should also be an OID rather than a type name.
true
>> 4.1.2 ACI Binary Representation
>>
>> The following ASN.1 data type is used to represent this
>> syntax when transferred in binary form:
>>
>> ldapACI ::= SEQUENCE {
>
>ASN.1 type names must start with an uppercase letter so ldapACI
>should be LDAPACI or LdapACI.
ok.
>> subject CHOICE {
>> dn [0] DN,
>> user [1] utf8String
>
>The type name "utf8String" can't be right. I would guess that it should
>be UTF8String but I haven't got the relevant standard handy to confirm this.
Right, and if UTF8String is not defined, we could change it to UTF8String and add:
UTF8String ::= OCTET STRING -- one or more ISO 10646 characters.
>> 11.1.1 Request Control
>
>> getEffectiveRightsRequest ::= SEQUENCE {
>
>Should read:
>
> GetEffectiveRightsRequest ::= SEQUENCE {
>
>> effectiveRightsRequest SEQUENCE OF SEQUENCE {
>> whichObject ENUMERATED {
>> LDAP_ENTRY (1),
>> LDAP_SUBTREE (2)
>
>Identifiers in ENUMERATED lists must start with lowercase letters
>and cannot contain underscores.
>
>Try,
>
> ldap-entry (1),
> ldap-subtree (2)
>
>or just,
>
> entry (1),
> subtree (2)
>
>like in the BNF.
>
>> },
>> subject <see <subject > in BNF> | "*"
>
>This is meaningless as an ASN.1 type definition. I assume it is
>intended to be a UTF8String whose contents are the string encoding
>of a subject according to the BNF, or "*". Otherwise, expose the
>subject CHOICE as a named ASN.1 type and use that.
>
>
>> 11.1.2 Response Control
>
>> getEffectiveRightsResponse ::= {
>
>Should read:
>
> GetEffectiveRightsResponse ::= SEQUENCE {
>
<snip>
>... has the same problems as previously mentioned.
I think we hadn't scrubbed the controls and extensions yet. Thanks for these.
>> 12.1 LDAP Get Effective Rights Operation
>>
>> ldapGetEffectiveRightsRequest ::= [APPLICATION 23] SEQUENCE
>> {
>> requestName [0] <OID to be assigned>,
>> requestValue [1] OCTET STRING OPTIONAL }
>
>I suggest describing the extended operation the way
>draft-ietf-ldup-framing-00.txt does it. I've paraphrased below.
>
> An LDAPv3 Extended Request is defined in [LDAPv3] as follows:
>
> ExtendedRequest ::= [APPLICATION 23] SEQUENCE {
> requestName [0] LDAPOID,
> requestValue [1] OCTET STRING OPTIONAL
> }
>
> The requestName portion of the GetEffectiveRightsRequest must be the
> OID <OID to be assigned>.
>
> The requestValue of the GetEffectiveRightsRequest must be set to the
> BER-encoding of the following:
>
>> requestValue ::= SEQUENCE {
>
> GetEffectiveRightsRequestValue ::= SEQUENCE {
This makes more sense.
>>
>> }
>
>Ditto the usual problems.
yes
>> The server will respond to this with an LDAPMessage
>> containing the ExtendedResponse which is a rights list.
<snip>
>I suggest ...
>
> An LDAPv3 Extended Response is defined in [LDAPv3] as follows:
>
> ExtendedResponse ::= [APPLICATION 24] SEQUENCE {
> COMPONENTS OF LDAPResult,
> responseName [10] LDAPOID OPTIONAL,
> response [11] OCTET STRING OPTIONAL
> }
>
> The responseName of the GetEffectiveRightsResponse must be the OID
> <OID to be assigned>.
>
> The response of the GetEffectiveRightsResponse is set to the BER-
> encoding of:
>
>> effectiveRights ::= SEQUENCE OF SEQUENCE {
<snip>
Same response.
Thanks. Jim
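As an added example, not part of the draft or of either poster's message: a minimal BER encoder for the LDAPv3 ExtendedRequest wrapper and the GetEffectiveRightsRequest value discussed in the thread, together with the tag check that shows why a SEQUENCE-encoded ldapACI value cannot pass as a DirectoryString. It assumes LDAP's IMPLICIT tagging, a UTF8String subject as Steven proposes, and a placeholder requestName OID under the 2.999 example arc (the draft's OID is still "to be assigned").

```python
# Added example, not from the draft or from either poster: a minimal BER encoder for the
# LDAPv3 ExtendedRequest wrapper and the GetEffectiveRightsRequest value discussed above,
# plus the tag check that shows why a SEQUENCE-encoded ldapACI cannot be a DirectoryString.
# Assumptions: LDAP's IMPLICIT tagging, the subject is a UTF8String as Steven proposes,
# and the requestName OID is a placeholder under the 2.999 example arc.

UNIVERSAL_SEQUENCE = 0x30
UNIVERSAL_ENUMERATED = 0x0A
UNIVERSAL_UTF8STRING = 0x0C
# The string tags a DirectoryString CHOICE may carry: Teletex, Printable, Universal, UTF8, BMP.
DIRECTORY_STRING_TAGS = {0x14, 0x13, 0x1C, 0x0C, 0x1E}

def ber_len(n):
    """Definite-form BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, content):
    """One tag-length-value triple for a single-octet identifier."""
    return bytes([tag]) + ber_len(len(content)) + content

def encode_get_effective_rights_request(items):
    """items: [(which_object, subject)] -> BER of
    GetEffectiveRightsRequest ::= SEQUENCE { effectiveRightsRequest SEQUENCE OF SEQUENCE {
        whichObject ENUMERATED { entry(1), subtree(2) }, subject UTF8String } }"""
    elements = b""
    for which, subject in items:
        if which not in (1, 2):
            raise ValueError("whichObject must be entry(1) or subtree(2)")
        elements += tlv(UNIVERSAL_SEQUENCE,
                        tlv(UNIVERSAL_ENUMERATED, bytes([which]))
                        + tlv(UNIVERSAL_UTF8STRING, subject.encode("utf-8")))
    return tlv(UNIVERSAL_SEQUENCE, tlv(UNIVERSAL_SEQUENCE, elements))

def encode_extended_request(oid, value=None):
    """ExtendedRequest ::= [APPLICATION 23] SEQUENCE { requestName [0] LDAPOID,
    requestValue [1] OCTET STRING OPTIONAL }; implicit tags give 0x77, 0x80 and 0x81."""
    body = tlv(0x80, oid.encode("ascii"))       # LDAPOID is the dotted-decimal text
    if value is not None:
        body += tlv(0x81, value)                # BER of the request value, carried as OCTET STRING
    return tlv(0x60 | 23, body)

def is_directory_string(encoded):
    """A DirectoryString value must begin with one of the CHOICE's string tags; a SEQUENCE
    (0x30), which is what the draft's ldapACI produces, is rejected."""
    return len(encoded) > 0 and encoded[0] in DIRECTORY_STRING_TAGS
```

Running `is_directory_string` over the SEQUENCE produced by `encode_get_effective_rights_request` returns False, which is the mismatch Steven describes for an ldapACI value declared with DirectoryString syntax.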