Return-Path: Delivered-To: apmail-directory-api-archive@minotaur.apache.org Received: (qmail 69481 invoked from network); 26 Feb 2010 09:19:19 -0000 Received: from hermes.apache.org (HELO mail.apache.org) (140.211.11.3) by minotaur.apache.org with SMTP; 26 Feb 2010 09:19:19 -0000 Received: (qmail 85775 invoked by uid 500); 26 Feb 2010 09:19:19 -0000 Delivered-To: apmail-directory-api-archive@directory.apache.org Received: (qmail 85751 invoked by uid 500); 26 Feb 2010 09:19:19 -0000 Mailing-List: contact api-help@directory.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: api@directory.apache.org Delivered-To: mailing list api@directory.apache.org Received: (qmail 85743 invoked by uid 99); 26 Feb 2010 09:19:19 -0000 Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136) by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 26 Feb 2010 09:19:19 +0000 X-ASF-Spam-Status: No, hits=-0.0 required=10.0 tests=SPF_PASS X-Spam-Check-By: apache.org Received-SPF: pass (athena.apache.org: domain of elecharny@gmail.com designates 209.85.212.50 as permitted sender) Received: from [209.85.212.50] (HELO mail-vw0-f50.google.com) (209.85.212.50) by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 26 Feb 2010 09:19:10 +0000 Received: by vws6 with SMTP id 6so181154vws.37 for ; Fri, 26 Feb 2010 01:18:49 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from:reply-to :user-agent:mime-version:to:subject:references:in-reply-to :content-type:content-transfer-encoding; bh=S4xOQ5vlP7y7Q5rRB+KXjVUiePTxYnYwkJUAoQBAu20=; b=j/FylPXmCyPp55sY5T4do+QCJEhsFy+EULRk/Y1NvXAkWcJyqp38BtDYUj5yCDSMyv aDRKrH0fzX08I4wOi+8Mxci54PdMtzFTN2eUidtsocYqUiKxxqzWcm31WIBC9vywFoG7 zUEZtreklJDFHZalSNcnOGcILLJ9h64JHo7NY= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:reply-to:user-agent:mime-version:to:subject :references:in-reply-to:content-type:content-transfer-encoding; b=kxapXtLEw4Gqy/wVNq+uFhz/m9GSn4UZDZnlMNpsjP5VL/CqqBDR9hbD+mRtLL/B2s gkspcux0mRaWIYp/oTdXwj3IjNgdu4tfpADXOPDYCB+/noBI1GkuUrCubjX2+Fn9Yl6j h0KUt+Iq6hFfRefxgLbbsjyxhM1L58DSMlvxg= Received: by 10.220.89.205 with SMTP id f13mr38904vcm.137.1267175929326; Fri, 26 Feb 2010 01:18:49 -0800 (PST) Received: from emmanuel-lecharnys-MacBook-Pro.local (vol75-3-82-66-216-176.fbx.proxad.net [82.66.216.176]) by mx.google.com with ESMTPS id 42sm68963466vws.8.2010.02.26.01.18.46 (version=TLSv1/SSLv3 cipher=RC4-MD5); Fri, 26 Feb 2010 01:18:47 -0800 (PST) Message-ID: <4B8791F1.5030803@gmail.com> Date: Fri, 26 Feb 2010 10:18:41 +0100 From: Emmanuel Lecharny Reply-To: elecharny@apache.org User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.1.8) Gecko/20100216 Thunderbird/3.0.2 MIME-Version: 1.0 To: api@directory.apache.org Subject: Re: Handling M$ specification violations References: <4B840349.5020902@gmail.com> <4B84433B.2000504@sun.com> In-Reply-To: <4B84433B.2000504@sun.com> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 8bit On 2/23/10 10:06 PM, Matthew Swift wrote: > I think so - I realize that our OpenDS SDK needs to cope with this as > well :-( > > It makes me wonder what else could be violated? Should we permit > non-DNs for all operations? IMO, no. > E.g. modifying the entry "joe.bloggs@example.com"? It seems a bit > inconsistent to be lax in only one part of the protocol but not > others. ;-) There is a difference with the Bind operation DN : for M$, it makes sense to enforce their own rule, as they can't ask people to type a DN to login (even if they could have used SASL instead of a Simple BindRequest). But AFAIK, I don't think you need to 'fix' some other request to accept something else than a DN. > > My preference is to encourage conformance where possible. What other > known violations are there other than the bind DN? You can rad this very interesting paper from Symas : http://www.symas.com/documents/Adam-Eval1-0.pdf One of the major violation, beside the use of a non-DN in a SimpleBind operation is the fact that anonymous authent is not allowed on AD/ADAM by default, but this should not be a problem from the API pov, and another one is the retrieval of MV attributes that may need a special treatment when here are more than 1500 values (and I guess we have to deal with this problem...). -- Regards, Cordialement, Emmanuel L�charny www.nextury.com