Howard Chu wrote:
> > But IMO it's worth thinking about how to deal in slapd with the wording "MAY or MAY NOT include the RDN attribute(s)" found in RFC4511 today.
>
> Ultimately, there's nothing to think about. RFC2251 is now obsolete and RFC4511 is the spec, so we'll have to change to comply. It's just a question of someone who feels strongly enough getting motivated to write the patch.

The more I re-read that sentence, the more I think OpenLDAP's slapd still behaves correctly (or, the spec is ambiguous). In fact, according to RFC 4511, now a request that is missing any naming attributes or distinguished values would be legitimate, from a client's perspective, but the server has to ensure that entries conform to user and system schema. So, unless the meaning of "ensure" requires the server to proactively modify the request to "ensure" it complies, simply analyzing it and returning an error code if it doesn't comply, IMHO, complies with the spec. In other words:

                      CLIENT
                         |
                         |
                         |
                         v
  ADD REQUEST (missing naming attrs/distinguished vals)
   - here the request is still valid
  -----------------------------------------------------
   - here it is no longer valid
                        \|/
                         x
                        /|\
                         v
                      SERVER

So I'd interpret it in the sense that it's not the client's duty to check if the request complies, but a non-compliant request remains invalid.
--- o --- o ---
The issue about OpenLDAP's slapd being able to proactively modify a non-compliant add request in order to make it compliant is a completely different business; this could easily be accomplished by an overlay, much like slapo-addpartial.
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office: +39 02 23998309
Mobile: +39 333 4963172
Email: pierangelo.masarati@sys-net.it
---------------------------------------
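
The two server behaviours contrasted in the message above (reject an add request whose attribute list lacks the RDN values, or complete it first), as an added example that is not slapd code and not part of the original message. The function names, the simplified DN parsing, the case-insensitive value matching and the use of RFC 4511's namingViolation (64) as the rejection code are assumptions made for illustration.

```python
import re

SUCCESS = 0
NAMING_VIOLATION = 64  # namingViolation result code, RFC 4511 Appendix A

def _split(s, sep):
    """Split s on sep, leaving backslash-escaped characters untouched."""
    parts, cur, i = [], [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            cur.append(s[i:i + 2])
            i += 2
        elif s[i] == sep:
            parts.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(s[i])
            i += 1
    parts.append("".join(cur))
    return parts

def rdn_avas(dn):
    """Return [(lowercased type, value)] for the leftmost RDN of dn.
    Simplification: single-character escapes only, no hex pairs or quoting."""
    avas = []
    for ava in _split(_split(dn, ",")[0], "+"):
        attr, _, value = ava.partition("=")
        avas.append((attr.strip().lower(), re.sub(r"\\(.)", r"\1", value.strip())))
    return avas

def missing_rdn_values(dn, attrs):
    """List RDN (type, value) pairs absent from attrs ({type: [values]})."""
    present = {(t.lower(), v.lower()) for t, vals in attrs.items() for v in vals}
    return [(t, v) for t, v in rdn_avas(dn) if (t, v.lower()) not in present]

def check_add(dn, attrs, complete=False):
    """Strict mode rejects the request; complete=True adds the missing RDN
    values before accepting, as a hypothetical overlay might."""
    missing = missing_rdn_values(dn, attrs)
    if not missing:
        return SUCCESS, attrs
    if not complete:
        return NAMING_VIOLATION, attrs
    fixed = {t: list(v) for t, v in attrs.items()}
    for t, v in missing:
        key = next((k for k in fixed if k.lower() == t), t)
        fixed.setdefault(key, []).append(v)
    return SUCCESS, fixed
```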