HI!
I'm using slapo-lastbind with 2.4.24 found under contrib/ which writes the operational attribute authTimestamp to an entry. Now I have a use-case where an LDAP client (connector continuously pumping data from another non-OpenLDAP directory server) should write this attribute to the OpenLDAP server. But even when using the relax rules control this does not seem to be allowed.
Section 3.6. of draft-zeilenga-ldap-relax-03 says:
The subsections of this section discuss modification of various operational attributes where their NO-USER-MODIFICATION constraint may be relaxed. Future documents may specify where NO-USER-MODIFICATION constraints on other operational attribute may be relaxed. In absence of a document detailing that the NO-USER-MODIFICATION constraint on a particular operational attribute may be relaxed, implementors SHOULD assume relaxation of the constraint is not appropriate for that attribute.
Hmm, since there's no formal spec for authTimestamp I'm lost here?
Ciao, Michael.
On Mar 17, 2011, at 11:49 AM, Michael Ströder wrote:
> HI!
> I'm using slapo-lastbind with 2.4.24 found under contrib/ which writes the operational attribute authTimestamp to an entry. Now I have a use-case where an LDAP client (connector continuously pumping data from another non-OpenLDAP directory server) should write this attribute to the OpenLDAP server. But even when using the relax rules control this does not seem to be allowed.
> Section 3.6. of draft-zeilenga-ldap-relax-03 says:
> The subsections of this section discuss modification of various operational attributes where their NO-USER-MODIFICATION constraint may be relaxed. Future documents may specify where NO-USER-MODIFICATION constraints on other operational attribute may be relaxed. In absence of a document detailing that the NO-USER-MODIFICATION constraint on a particular operational attribute may be relaxed, implementors SHOULD assume relaxation of the constraint is not appropriate for that attribute.
> Hmm, since there's no formal spec for authTimestamp I'm lost here?
The SHOULD here simply means "think before relax".
-- Kurt
Kurt Zeilenga wrote:
> On Mar 17, 2011, at 11:49 AM, Michael Ströder wrote:
>> I'm using slapo-lastbind with 2.4.24 found under contrib/ which writes the operational attribute authTimestamp to an entry. Now I have a use-case where an LDAP client (connector continuously pumping data from another non-OpenLDAP directory server) should write this attribute to the OpenLDAP server. But even when using the relax rules control this does not seem to be allowed.
>> Section 3.6. of draft-zeilenga-ldap-relax-03 says:
>> The subsections of this section discuss modification of various operational attributes where their NO-USER-MODIFICATION constraint may be relaxed. Future documents may specify where NO-USER-MODIFICATION constraints on other operational attribute may be relaxed. In absence of a document detailing that the NO-USER-MODIFICATION constraint on a particular operational attribute may be relaxed, implementors SHOULD assume relaxation of the constraint is not appropriate for that attribute.
>> Hmm, since there's no formal spec for authTimestamp I'm lost here?
> The SHOULD here simply means "think before relax".
So after thinking I'd vote for allowing authTimestamp to be set by a client when relax rules control is in effect => ITS#6873
Ciao, Michael.