Re: (ITS#6247) - openldap-bugs

2 May 2010

      Kurt Zeilenga schrieb:
...
On May 1, 2010, at 12:31 PM, daniel@pluta.biz wrote:
...
The patch can be downloaded here: 
ftp://ftp.openldap.org/incoming/daniel-pluta-100501.patch
Changes:

removed extensible matching rules strictly associated with

dedicated syntaxes

added two universal matching rules instead:
nowMach (equality matching rule)
nowOrdering (ordering matching rule)
these two rules also support extensible match filters

Your comments imply these rules could be used as attribute type
equality and ordering rules.
In general my intention is neither to violate X.501 nor changing the 
ASN.1 Generalized Time syntax.
Instead the introduction of a compatible/similar/derived attribute value 
syntax (e.g. generalizedTime') which supports matching against 
client-side known time-stamps *and* server-relative time-stamps (like 
NOW or NOW-1Y3M... or X.680 period formats) seems to be fine for me.
In the following generalizedTime' is such a kind of a (very) similar 
syntax to the well-defined generalizedTime.
Regarding the EQ/ORD matching rule applicability:
The attribute type is generalizedTime' and the assertion value is for 
example NOW which server-internally implicitly also represents a (at 
least some kind of possibly not ITU specified?) generalizedTime' conform 
assertion value:
NOW is the at client side unknown current time of the server in 
generalizedTime'. What's your suggestion regarding a possible solution 
on how to support EQ and ORD matching of attribute values compared to 
the server side current time?
...
I don't believe the met the
requirements (see X.501) to be used in that manner.  That is, they
only make sense as extensible matching rules.
I really would like to try to understand your concerns. Could you please 
give me some links to chapters/sections in X.501 where I can find more 
details. Note: I've currently only access to the standard of the year 2006.
The class is generalizedTime' and during EQ/ORD matching two instances 
of generalizedTime' are compared:
  1. Attribute value of an entry (generalizedTime')
  2. Assertion value aka expanded-NOW (generalizedTime')
...
...
To publish a correct server current time time-stamp value within Root-DSE:

apply the bugfix from ITS#6541
and use -DCTM_G_DIFFERENTIAL_SERVERTIME

#ifdef's should, IMO, be generally avoided.
it will be removed as soon as the above mentioned bug is fixed in HEAD
...
...
To extend generalizedTime attribute types to also support "NOW" as 
assertion value:
    - use -DCTM_RFC4517_MR_AV_SYNTAX_VIOLATION
The generalized time syntax is not ours to alter.  Introduction of
such a change would, it seem, lead to interoperability problems.
In my opinion the chosen name for the #ifdef is more than obvious.
Additionally the related comment in the patch's source already say's 
that this "extension" is more a violation than an extension.
That's why the #ifdef currently is and probably stays in action (or will 
be removed) in the future. As a side-effect this #ifdef could possibly 
invoke some disussions... ;-)
It's probably worth to discuss this (violation) in more detail to 
provide a solution in regard to a broader applicability of this matching 
feature in LDAP. Broader/easier usage/readbility is also the background 
I've decided to skip the extensible matching rules and introduce EQ and 
ORD instead.
E.g. Clients that are connecting to a server that announces the 
supportedFeature "current time matching" could make notice of that and 
also support "NOW" as assertion value for createTimestamp and so on... 
(I've not very well thought about that in detail, yet).
You are right, it's just a work in progress and you are very welcome to 
join the discussion on ldapext.