
Re: [ldapext] Fwd: I-D ACTION:draft-zeilenga-ldap-managedit-00.txt



At 07:53 AM 3/1/2006, Michael Ströder wrote:
>Excerpt from section 3.6.:
>
>  In absence
>  of a document detailing that the NO-USER-MODIFICATION constraint on a
>  particular operational attribute may be relaxed, implementors SHOULD
>  assume relaxation of the constraint is not appropriate for that
>  attribute.
>
>This means an LDAP client cannot automatically determine which attributes
>should be displayed as editable except a small known subset.

The specification does not provide any facility for determining
whether any particular NO-USER-MODIFICATION attribute can
be modified through use of this control.  As I intend the
control to only be used in limited cases, mainly when purposely
selected by the directory administrator to undertake a task
he/she knows requires it (and is allowed by it), I saw no
need to detail which particular NO-USER-MODIFICATION constraints
can be relaxed.

>Is that really necessary?

Even without this statement, I note that implementations are
not to relax the NO-USER-MODIFICATION in cases where doing
so would be problematic.  For instance, a server should
prevent modification of modifyTimestamp if doing so would
hose directory services, such as replication or client
synchronization services.  This implies not only a need for
server implementation-specific constraints upon use of
this control, but local policy constraints.

>I can understand your intention why you won't allow modification of
>'structuralObjectClass' etc. But how about the server simply ignoring
>them when sent in a modify request?

Because then the client has no clue what modification, if
any, took place.

Of course, a client could possibly provide a "permissive
modify" control as well...



>Ciao, Michael.
>
>_______________________________________________
>Ldapext mailing list
>Ldapext@ietf.org
>https://www1.ietf.org/mailman/listinfo/ldapext

