directory-api mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Emmanuel Lecharny <>
Subject Re: Handling M$ specification violations
Date Fri, 26 Feb 2010 09:18:41 GMT
On 2/23/10 10:06 PM, Matthew Swift wrote:
> I think so - I realize that our OpenDS SDK needs to cope with this as 
> well :-(
> It makes me wonder what else could be violated? Should we permit 
> non-DNs for all operations? 
IMO, no.

> E.g. modifying the entry ""?  It seems a bit 
> inconsistent to be lax in only one part of the protocol but not 
> others. ;-)
There is a difference with the Bind operation DN : for M$, it makes 
sense to enforce their own rule, as they can't ask people to type a DN 
to login (even if they could have used SASL instead of a Simple 
BindRequest). But AFAIK, I don't think you need to 'fix' some other 
request to accept something else than a DN.
> My preference is to encourage conformance where possible. What other 
> known violations are there other than the bind DN?
You can rad this very interesting paper from Symas :

One of the major violation, beside the use of a non-DN in a SimpleBind 
operation is the fact that anonymous authent is not allowed on AD/ADAM 
by default, but this should not be a problem from the API pov, and 
another one is the retrieval of MV attributes that may need a special 
treatment when here are more than 1500 values (and I guess we have to 
deal with this problem...).

Emmanuel L├ęcharny

View raw message