Re: [ldapext] Fwd: I-D ACTION:draft-zeilenga-ldap-managedit-00.txt
At 07:53 AM 3/1/2006, Michael Ströder wrote:
>Excerpt from section 3.6.:
>
> In absence
> of a document detailing that the NO-USER-MODIFICATION constraint on a
> particular operational attribute may be relaxed, implementors SHOULD
> assume relaxation of the constraint is not appropriate for that
> attribute.
>
>This means an LDAP client cannot automatically determine which attributes
>should be displayed as editable except a small known subset.
The specification does not provide any facility for determining
whether any particular NO-USER-MODIFICATION attribute can
be modified through use of this control. As I intend the
control to only be used in limited cases, mainly when purposely
selected by the directory administrator to undertake a task
he/she knows requires it (and is allowed by it), I saw no
need to detail which particular NO-USER-MODIFICATION constraints
can be relaxed.
>Is that really necessary?
Even without this statement, I note that implementations are
not to relax the NO-USER-MODIFICATION in cases where doing
so would be problematic. For instance, a server should
prevent modification of modifyTimestamp if doing so would
hose directory services, such as replication or client
synchronization services. This implies not only a need for
server implementation-specific constraints upon use of
this control, but local policy constraints.
>I can understand your intention why you won't allow modification of
>'structuralObjectClass' etc. But how about the server simply ignoring
>them when sent in a modify request?
Because then the client has no clue what modification, if
any, took place.
Of course, a client could possibly provide a "permissive
modify" control as well...
>Ciao, Michael.
>
>_______________________________________________
>Ldapext mailing list
>Ldapext@ietf.org
>https://www1.ietf.org/mailman/listinfo/ldapext