Requirement 3.2.8. [was: Re: [Ietf-not43] issues and questions on FIRS]
Peter Gietz
Peter.Gietz at daasi.de
Mon Aug 18 20:10:57 EDT 2003
Andrew Newton wrote:
> Peter Gietz wrote:
>
>>
>>>
>>> As I understand it, LDAP error codes are returned per response, not
>>> per result or per attribute. If I'm wrong, then this changes things
>>> and please forgive me.
>>>
>>> Let's say I submit a query and get back the following:
>>>
>>> START RESPONSE
>>>
>>> Contact: bob-192
>>> Name: Bob Smurd
>>> Email: bob at example.com
>>> Phone: 555-1212
>>>
>>> Contact: lisa-543
>>> Name: Lisa Smith
>>> Phone: 121-5555
>>>
>>> Contact: charles-777
>>> Name: Charles Taylor
>>> Email: president at nic.lr
>>> Status: deposed
>>>
>>> Error: unwillingToPerform
>>>
>>> END RESPONSE
>>>
>>> What happened here?
>>>
>>> 1 - What bit of information did I not get because of a policy
>>> decision? Was that the phone number for charles-777 or the email
>>> address for lisa-543?
>>>
>>> 2 - What was the server unwillingToPerform? It gave me back 3
>>> entries! It certainly was willing to do something.
>>>
>>> (Sorry for the last example entry... too much coffee this morning!)
>>
>>
>>
>> There are two LDAP errors that indicate that only a partial list has
>> been given back: timeLimitExceeded and sizeLimitExceeded.
>>
>> unwillingToPerform should not be used for partial lists. Now that we
>> do define FIRS specific error codes, I would vote for adding two more
>> for this. What about:
>>
>> authorizationLimitExceeded and privacyConstraintsLimitExceeded
>
>
> When you define them, is it possible that they are accompanied by a list
> of dn's + attribute names so that the client can correlate which
> attributes in which entries are being redacted? (see the first question.)
>
> Or am I making a false assumption? Can an error code be returned per
> entry or attribute?
No, you can give back a result set and one error code for the whole request.
>
> One other possible solution is to have the server return a special entry
> (perhaps last) being a list of dn+attribute name / reason pairs. Again,
> just theorizing here.
This could be done, but would be very FIRS specific and we would have
to define schema for that. I don't think we really want to go this
direction.
Wouldn't it be enough to tell that more entries would have been returned
if authentication were different? That would be indicated by the error
code authorizationLimitExceeded.
Peter
>
> -andy
>
>
--
_______________________________________________________________________
Peter Gietz (CEO)
DAASI International GmbH phone: +49 7071 2970336
Wilhelmstr. 106 Fax: +49 7071 295114
D-72074 Tübingen email: peter.gietz at daasi.de
Germany Web: www.daasi.de
Directory Applications for Advanced Security and Information Management
_______________________________________________________________________
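The point made in the reply above, that an LDAP search hands back a set of entries and one result code for the whole operation, so the client cannot tell which entry or attribute was redacted, modelled as an added Python example. This is not code from the thread or from FIRS. The standard codes (success, timeLimitExceeded, sizeLimitExceeded, unwillingToPerform) carry their RFC 4511 values; the two codes proposed in the thread, authorizationLimitExceeded and privacyConstraintsLimitExceeded, were never assigned numbers, so the values used here are placeholders. The directory and its per-attribute read policy are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Standard LDAP result codes (RFC 4511) referred to in the thread.
SUCCESS = 0
TIME_LIMIT_EXCEEDED = 3
SIZE_LIMIT_EXCEEDED = 4
UNWILLING_TO_PERFORM = 53
# Codes proposed in the thread; these numeric values are placeholders (assumption).
AUTHORIZATION_LIMIT_EXCEEDED = 9001
PRIVACY_CONSTRAINTS_LIMIT_EXCEEDED = 9002

# Constructed directory: dn -> attribute -> (value, read policy).
# "public": anyone may read; "auth": authenticated clients only;
# "privacy": never disclosed to this class of client.
DIRECTORY = {
    "contact=bob-192": {
        "name": ("Bob Smurd", "public"),
        "email": ("bob at example.com", "public"),
        "phone": ("555-1212", "public"),
    },
    "contact=lisa-543": {
        "name": ("Lisa Smith", "public"),
        "email": ("lisa at example.com", "auth"),  # constructed value
        "phone": ("121-5555", "public"),
    },
    "contact=charles-777": {
        "name": ("Charles Taylor", "public"),
        "email": ("president at nic.lr", "public"),
        "phone": ("000-0000", "privacy"),  # constructed value
        "status": ("deposed", "public"),
    },
}


@dataclass
class SearchResult:
    entries: List[Tuple[str, Dict[str, str]]]  # the SearchResultEntry messages
    result_code: int  # the single SearchResultDone code for the whole operation


def search(directory, authenticated: bool, size_limit: int = 0) -> SearchResult:
    """Server side: apply the per-attribute policy, then collapse everything the
    server knows about redactions into ONE result code (size_limit 0 = unlimited)."""
    entries = []
    auth_redactions = 0     # attributes withheld because the client is not authenticated
    privacy_redactions = 0  # attributes withheld by privacy policy regardless of auth
    for dn, attrs in directory.items():
        if size_limit and len(entries) >= size_limit:
            # Partial list: the standard code says "truncated", nothing more.
            return SearchResult(entries, SIZE_LIMIT_EXCEEDED)
        visible = {}
        for name, (value, policy) in attrs.items():
            if policy == "public" or (policy == "auth" and authenticated):
                visible[name] = value
            elif policy == "auth":
                auth_redactions += 1
            else:
                privacy_redactions += 1
        entries.append((dn, visible))
    # The per-dn/per-attribute detail counted above does not fit in the result.
    if auth_redactions:
        code = AUTHORIZATION_LIMIT_EXCEEDED
    elif privacy_redactions:
        code = PRIVACY_CONSTRAINTS_LIMIT_EXCEEDED
    else:
        code = SUCCESS
    return SearchResult(entries, code)


def interpret(result: SearchResult) -> str:
    """Client side: the only signal about completeness is the one result code."""
    code = result.result_code
    if code == SUCCESS:
        return "complete"
    if code in (SIZE_LIMIT_EXCEEDED, TIME_LIMIT_EXCEEDED):
        return "partial: narrow the search or page it"
    if code == AUTHORIZATION_LIMIT_EXCEEDED:
        return "partial: more would be returned under different authentication"
    if code == PRIVACY_CONSTRAINTS_LIMIT_EXCEEDED:
        return "partial: withheld by privacy policy; retrying will not help"
    return f"error {code}"


if __name__ == "__main__":
    for label, result in (
        ("anonymous", search(DIRECTORY, authenticated=False)),
        ("authenticated", search(DIRECTORY, authenticated=True)),
        ("authenticated, sizeLimit=2", search(DIRECTORY, authenticated=True, size_limit=2)),
    ):
        print(label, len(result.entries), "entries ->", interpret(result))
```

Running the anonymous case reproduces the situation in the thread: three entries come back with some attributes missing, and the client learns from the single code only that authentication would have yielded more, not that it was lisa-543's email and charles-777's phone that were withheld.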