11:49 a.m.
HI!
I'm using slapo-lastbind with 2.4.24 found under contrib/ which writes the
operational attribute authTimestamp to an entry. Now I have a use-case where a
LDAP client (connector continously pumping data from another non-OpenLDAP
directory server) should write this attribute to the OpenLDAP server. But even
when using the relax rules control this does not seem to be allowed.
Section 3.6. of draft-zeilenga-ldap-relax-03 says:
The subsections of this section discuss modification of various
operational attributes where their NO-USER-MODIFICATION constraint may
be relaxed. Future documents may specify where NO-USER-MODIFICATION
constraints on other operational attribute may be relaxed. In absence
of a document detailing that the NO-USER-MODIFICATION constraint on a
particular operational attribute may be relaxed, implementors SHOULD
assume relaxation of the constraint is not appropriate for that
attribute.
Hmm, since there's no formal spec for authTimestamp I'm lost here?
Ciao, Michael.
12:59 p.m.
On Mar 17, 2011, at 11:49 AM, Michael Ströder wrote:
HI!
I'm using slapo-lastbind with 2.4.24 found under contrib/ which writes the
operational attribute authTimestamp to an entry. Now I have a use-case where a
LDAP client (connector continously pumping data from another non-OpenLDAP
directory server) should write this attribute to the OpenLDAP server. But even
when using the relax rules control this does not seem to be allowed.
Section 3.6. of draft-zeilenga-ldap-relax-03 says:
The subsections of this section discuss modification of various
operational attributes where their NO-USER-MODIFICATION constraint may
be relaxed. Future documents may specify where NO-USER-MODIFICATION
constraints on other operational attribute may be relaxed. In absence
of a document detailing that the NO-USER-MODIFICATION constraint on a
particular operational attribute may be relaxed, implementors SHOULD
assume relaxation of the constraint is not appropriate for that
attribute.
Hmm, since there's no formal spec for authTimestamp I'm lost here?
The SHOULD here simply means "think before relax".
-- Kurt
3:05 a.m.
Kurt Zeilenga wrote:
On Mar 17, 2011, at 11:49 AM, Michael Ströder wrote:
> I'm using slapo-lastbind with 2.4.24 found under contrib/ which writes the
> operational attribute authTimestamp to an entry. Now I have a use-case where a
> LDAP client (connector continously pumping data from another non-OpenLDAP
> directory server) should write this attribute to the OpenLDAP server. But even
> when using the relax rules control this does not seem to be allowed.
>
> Section 3.6. of draft-zeilenga-ldap-relax-03 says:
>
> The subsections of this section discuss modification of various
> operational attributes where their NO-USER-MODIFICATION constraint may
> be relaxed. Future documents may specify where NO-USER-MODIFICATION
> constraints on other operational attribute may be relaxed. In absence
> of a document detailing that the NO-USER-MODIFICATION constraint on a
> particular operational attribute may be relaxed, implementors SHOULD
> assume relaxation of the constraint is not appropriate for that
> attribute.
>
> Hmm, since there's no formal spec for authTimestamp I'm lost here?
The SHOULD here simply means "think before relax".
So after thinking I'd vote for allowing authTimestamp to be set by a client
when relax rules control is in effect => ITS#6873
Ciaio, Michael.
4580
days inactive
4582
days old
2 comments
2 participants
participants (2)
-
Kurt Zeilenga -
Michael Ströder