Kurt Zeilenga wrote:
On Dec 27, 2008, at 2:46 AM, ando@sys-net.it wrote:
empty or "*" ; all user, except attrs that need to be explicitly req.
"+" ; all operational
<all including attrs that need to be explicitly requested> <...>
I note that the specification of '+' does allow a server not to provide all operational attributes. That is, a server is allowed to only return some operational attributes when requested by name.
... based on how expensive their computation is. In fact, we do not exploit this too much in slapd(8), where '+' usually triggers evaluation of all operational attributes. Probably, we should add the possibility to configure whether the most expensive ones are computed or not when not explicitly requested.
This is not so with '*' (or empty list).
Well, according to RFC 4511, Section 4.5.1.8:
Client implementors should note that even if all user attributes are requested, some attributes and/or attribute values of the entry may not be included in Search results due to access controls or other restrictions.
The restrictions we're discussing may well fit into this.
However, that said, I see no particular issue with a server choosing to return a particular user applications attribute only when requested by name. I see this simply as an administrative restriction... and those are always allowed.
Exactly.
(I also note that use of '*' (or empty list) and '+' should generally be limited to requests formed by a human. It is bad (but all too common) practice for application-specific directory clients to ask for everything. They should really only ask for what they are prepared to make use of.)
p.
Ing. Pierangelo Masarati OpenLDAP Core Team
SysNet s.r.l. via Dossi, 8 - 27100 Pavia - ITALIA http://www.sys-net.it ----------------------------------- Office: +39 02 23998309 Mobile: +39 333 4963172 Fax: +39 0382 476497 Email: ando@sys-net.it -----------------------------------
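The selector rules the thread is arguing about, as an added worked example; this is not code from the thread or from OpenLDAP, but a small model of what a server that follows RFC 4511, Section 4.5.1.8 and also reserves some operational attributes for by-name requests would return. The split of attributes into user and operational, the single entry, and the choice of `hasSubordinates` as the "expensive, explicit-only" attribute are all constructed for the illustration.

```python
"""Model of the attribute-selection rules discussed above (RFC 4511, 4.5.1.8).

Added illustration only; this is not slapd(8) code. The schema split, the
entry and the "explicit-only" marking below are constructed for the example.
"""

# Constructed schema. EXPLICIT_ONLY marks attributes the hypothetical server
# returns only when named in the request (the "expensive" case from the thread).
USER_ATTRS = {"cn", "sn", "mail"}
OPERATIONAL_ATTRS = {"entryUUID", "modifyTimestamp", "hasSubordinates", "entryDN"}
EXPLICIT_ONLY = {"hasSubordinates"}

# LDAP attribute descriptions are case-insensitive; map lower-case to canonical.
_CANON = {a.lower(): a for a in USER_ATTRS | OPERATIONAL_ATTRS}

# Constructed entry (values are illustrative).
ENTRY = {
    "cn": ["Jane Doe"],
    "sn": ["Doe"],
    "mail": ["jane@example.com"],
    "entryUUID": ["0b7c1d2e-0000-0000-0000-000000000001"],
    "modifyTimestamp": ["20081227014600Z"],
    "hasSubordinates": ["FALSE"],
    "entryDN": ["cn=Jane Doe,dc=example,dc=com"],
}


def select_attributes(entry, requested):
    """Return {attribute: values} as a server following the rules above would.

    requested is the SearchRequest attribute list:
      []      same as ["*"]
      "*"     all user attributes the server returns without being asked
      "+"     operational attributes, minus those the server only returns by name
      "1.1"   no attributes (treated here as ignored when other selectors exist)
      name    that attribute, user or operational, even if it is explicit-only
    Unknown attribute names are ignored, as the RFC permits.
    """
    selectors = list(requested) or ["*"]
    if selectors == ["1.1"]:
        return {}
    wanted = set()
    for sel in selectors:
        if sel == "*":
            wanted |= USER_ATTRS - EXPLICIT_ONLY
        elif sel == "+":
            wanted |= OPERATIONAL_ATTRS - EXPLICIT_ONLY
        elif sel == "1.1":
            continue
        else:
            name = _CANON.get(sel.lower())
            if name is not None:
                wanted.add(name)
    # Sorted only to make the output stable and easy to read.
    return {a: entry[a] for a in sorted(wanted) if a in entry}


def returned_names(entry, requested):
    """Just the attribute names the search result entry would carry."""
    return sorted(select_attributes(entry, requested))


if __name__ == "__main__":
    for req in ([], ["*"], ["+"], ["*", "+"], ["hasSubordinates"],
                ["+", "hasSubordinates"], ["MAIL", "entryDN"], ["1.1"]):
        print(f"{req!r:28} -> {returned_names(ENTRY, req)}")
```

Running it shows the two points made above side by side: `["+"]` and even `["*", "+"]` never yield `hasSubordinates`, while naming it (alone or next to `+`) does, and a client that lists only what it needs (`["MAIL", "entryDN"]`) gets exactly that and nothing else.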