directory-api mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Emmanuel Lecharny <elecha...@gmail.com>
Subject Re: Handling M$ specification violations
Date Fri, 26 Feb 2010 09:18:41 GMT
On 2/23/10 10:06 PM, Matthew Swift wrote:
> I think so - I realize that our OpenDS SDK needs to cope with this as 
> well :-(
>
> It makes me wonder what else could be violated? Should we permit 
> non-DNs for all operations? 
IMO, no.

> E.g. modifying the entry "joe.bloggs@example.com"?  It seems a bit 
> inconsistent to be lax in only one part of the protocol but not 
> others. ;-)
There is a difference with the Bind operation DN : for M$, it makes 
sense to enforce their own rule, as they can't ask people to type a DN 
to login (even if they could have used SASL instead of a Simple 
BindRequest). But AFAIK, I don't think you need to 'fix' some other 
request to accept something else than a DN.
>
> My preference is to encourage conformance where possible. What other 
> known violations are there other than the bind DN?
You can rad this very interesting paper from Symas : 
http://www.symas.com/documents/Adam-Eval1-0.pdf

One of the major violation, beside the use of a non-DN in a SimpleBind 
operation is the fact that anonymous authent is not allowed on AD/ADAM 
by default, but this should not be a problem from the API pov, and 
another one is the retrieval of MV attributes that may need a special 
treatment when here are more than 1500 values (and I guess we have to 
deal with this problem...).
-- 

Regards,
Cordialement,
Emmanuel L├ęcharny
www.nextury.com



Mime
View raw message