From: Quanah Gibson-Mount Date: Thu, 5 Feb 2009 21:05:29 +0000 (+0000) Subject: Update to -09, last available revision X-Git-Tag: OPENLDAP_REL_ENG_2_4_14~28 X-Git-Url: https://git.sur5r.net/?a=commitdiff_plain;h=3e5bdf6df8a559428e4ee4ca283c48511f2454ef;p=openldap Update to -09, last available revision --- diff --git a/doc/drafts/draft-ietf-ldapext-ldapv3-vlv-xx.txt b/doc/drafts/draft-ietf-ldapext-ldapv3-vlv-xx.txt index 34ae435306..cb02ed640a 100644 --- a/doc/drafts/draft-ietf-ldapext-ldapv3-vlv-xx.txt +++ b/doc/drafts/draft-ietf-ldapext-ldapv3-vlv-xx.txt @@ -2,8 +2,8 @@ Internet-Draft D. Boreham, Bozeman Pass LDAPext Working Group J. Sermersheim, Novell Intended Category: Standards Track A. Kashi, Microsoft - -Expires: Nov 2002 May 2002 + +Expires: Jun 2003 Nov 2002 LDAP Extensions for Scrolling View Browsing of Search Results 
@@ -37,30 +37,49 @@ Expires: Nov 2002 May 2002 2. Abstract - This document describes a Virtual List View control extension for the + This document describes a Virtual List View extension for the Lightweight Directory Access Protocol (LDAP) Search operation. This - control is designed to allow the "virtual list box" feature, common + extension is designed to allow the "virtual list box" feature, common in existing commercial e-mail address book applications, to be supported efficiently by LDAP servers. LDAP servers' inability to support this client feature is a significant impediment to LDAP replacing proprietary protocols in commercial e-mail systems. - The control allows a client to specify that the server return, for a - given LDAP search with associated sort keys, a contiguous subset of + The extension allows a client to specify that the server return, for + a given LDAP search with associated sort keys, a contiguous subset of the search result set. This subset is specified in terms of offsets into the ordered list, or in terms of a greater than or equal comparison value. - Boreham et al Internet-Draft 1 - - LDAP Extensions for Scrolling View May 2002 + Boreham et al Internet-Draft 1 + + LDAP Extensions for Scrolling View Nov 2002 Browsing of Search Results 3. Conventions used in this document - The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", - "SHOULD", "SHOULD NOT", "RECOMMENDED", and "MAY" in this document are - to be interpreted as described in RFC 2119 [Bradner97]. + The key words "MUST", "SHALL", "SHOULD", "SHOULD NOT", and "MAY" in + this document are to be interpreted as described in RFC 2119 + [Bradner97]. + + Protocol elements are described using ASN.1 [X.680]. The term "BER- + encoded" means the element is to be encoded using the Basic Encoding + Rules [X.690] under the restrictions detailed in Section 5.1 of + [LDAPPROT]. 
+ + The phrase "subsequent virtual list request" is used in this document + to describe a search request accompanied by a VirtualListViewRequest + control, where the search base, scope, and filter are the same as a + previous search request also accompanied by a VirtualListViewRequest + control, and where the contextID of the subsequent + VirtualListViewRequest control, is set to that of the contextID in + the VirtualListViewResponse control that accompanied the previous + search response. + + The phrase "contiguous virtual list request" is used to describe a + subsequent virtual list request which is requesting search results + adjoining or overlapping the result returned from the prior virtual + list request. 4. Background @@ -80,14 +99,21 @@ Expires: Nov 2002 May 2002 only that information which is required to display the part of the list currently in view is fetched. The subject of this document is the interaction between client and server required to implement this - functionality in the context of the results from a sorted LDAP search - request. + functionality in the context of the results from an ordered [SSS] + Lightweight Directory Access Protocol (LDAP) search operation + [LDAPPROT]. For example, suppose an e-mail address book application displays a list view onto the list containing the names of all the holders of e- - mail accounts at a large university. The list is sorted + mail accounts at a large university. The list is ordered alphabetically. While there may be tens of thousands of entries in this list, the address book list view displays only 20 such accounts + + Boreham et al Internet-Draft 2 + + LDAP Extensions for Scrolling View Nov 2002 + Browsing of Search Results + at any one time. The list has an accompanying scroll bar and text input window for type-down. When first displayed, the list view shows the first 20 entries in the list, and the scroll bar slider is 
@@ -109,12 +135,6 @@ Expires: Nov 2002 May 2002 "B". When this happens, the scroll bar slider should also be updated to reflect the new relative location within the list. - Boreham et al Internet-Draft 2 - - LDAP Extensions for Scrolling View May 2002 - Browsing of Search Results - - This document defines a request control which extends the LDAP search operation. Always used in conjunction with the server side sorting control [SSS], this allows a client to retrieve selected portions of 
@@ -125,21 +145,32 @@ Expires: Nov 2002 May 2002 5. Client-Server Interaction The Virtual List View control extends a regular LDAP Search operation - which must also include a server-side sorting control [SSS]. Rather + which MUST also include a server-side sorting control [SSS]. Rather than returning the complete set of appropriate SearchResultEntry messages, the server is instructed to return a contiguous subset of - those entries, taken from the sorted result set, centered around a + those entries, taken from the ordered result set, centered around a particular target entry. Henceforth, in the interests of brevity, the - sorted search result set will be referred to as "the list". + ordered search result set will be referred to as "the list". - The sort control MAY contain any sort specification valid for the + The sort control may contain any sort specification valid for the server. The attributeType field in the first SortKeyList sequence - element has special significance for "typedown". + element has special significance for "typedown". The Virtual List + View control acts upon a set of ordered entries and this order must + be repeatable for all subsequent virtual list requests. The server- + side sorting control is intended to aid in this ordering, but other + mechanisms may need to be employed to produce a repeatable order-- + especially for entries that don't have a value of the sort key. The desired target entry and the number of entries to be returned, both before and after that target entry in the list, are determined by the client's VirtualListViewRequest control. + + Boreham et al Internet-Draft 3 + + LDAP Extensions for Scrolling View Nov 2002 + Browsing of Search Results + When the server returns the set of entries to the client, it attaches a VirtualListViewResponse control to the SearchResultDone message. The server returns in this control: its current estimate for the list 
@@ -165,12 +196,6 @@ Expires: Nov 2002 May 2002 entries in the list, and to take account of cases where the list size is changing during the time the user browses the list, and because the client needs a way to indicate specific list targets "beginning" - - Boreham et al Internet-Draft 3 - - LDAP Extensions for Scrolling View May 2002 - Browsing of Search Results - and "end", offsets within the list are transmitted between client and server as ratios---offset to content count. The server sends its latest estimate as to the number of entries in the list (content @@ -197,11 +222,17 @@ Expires: Nov 2002 May 2002 offset and content count: - an offset of one and a content count of non-one (Ci = 1, Cc != 1) indicates that the target is the first entry in the list. + + Boreham et al Internet-Draft 4 + + LDAP Extensions for Scrolling View Nov 2002 + Browsing of Search Results + - equivalent values (Ci = Cc) indicate that the target is the last entry in the list. - - a content count of zero, and a non-zero offset (Cc = 0, Ci != 0) - means the client has no idea what the content count is, the server - MUST use its own content count estimate in place of the client's. + - a content count of zero (Cc = 0, Ci != 0) means the client has no + idea what the content count is, the server MUST use its own + content count estimate in place of the client's. Because the server always returns contentCount and targetPosition, the client can always determine which of the returned entries is the 
@@ -209,7 +240,7 @@ Expires: Nov 2002 May 2002 number requested, the client is able to identify the target by simple arithmetic. Where the number of entries returned is not the same as the number requested (because the requested range crosses the - beginning or end of the list, or both), the client must use the + beginning or end of the list, or both), the client MUST use the target position and content count values returned by the server to identify the target entry. For example, suppose that 10 entries before and 10 after the target were requested, but the server returns @@ -218,18 +249,11 @@ Expires: Nov 2002 May 2002 the list, therefore the 13 entries returned are the first 13 entries in the list, and the target is the third one. - A server-generated context identifier MAY be returned to clients. A - client receiving a context identifier SHOULD return it unchanged in a - subsequent request which relates to the same list. The purpose of - - - Boreham et al Internet-Draft 4 - - LDAP Extensions for Scrolling View May 2002 - Browsing of Search Results - - this interaction is to enhance the performance and effectiveness of - servers which employ approximate positioning. + A server-generated contextID MAY be returned to clients. A client + receiving a contextID MUST return it unchanged or not return it at + all, in a subsequent request which relates to the same list. The + purpose of this interaction is to maintain state information between + the client and server. 6. The Controls 
@@ -242,56 +266,89 @@ Expires: Nov 2002 May 2002 This control is included in the SearchRequest message as part of the controls field of the LDAPMessage, as defined in Section 4.1.12 of - [LDAPv3]. The controlType is set to "2.16.840.1.113730.3.4.9". The - criticality SHOULD be set to TRUE. If this control is included in a - SearchRequest message, a Server Side Sorting request control [SSS] - MUST also be present in the message. The controlValue is an OCTET - STRING whose value is the BER-encoding of the following SEQUENCE: + [LDAPPROT]. The controlType is set to "2.16.840.1.113730.3.4.9". If + this control is included in a SearchRequest message, a Server Side + Sorting request control [SSS] MUST also be present in the message. + The controlValue, an OCTET STRING, is the BER-encoding of the + following SEQUENCE: VirtualListViewRequest ::= SEQUENCE { beforeCount INTEGER (0..maxInt), afterCount INTEGER (0..maxInt), - CHOICE { - byoffset [0] SEQUENCE { - offset INTEGER (0 .. maxInt), - contentCount INTEGER (0 .. maxInt) }, - greaterThanOrEqual [1] AssertionValue }, + target CHOICE { + byOffset [0] SEQUENCE { + offset INTEGER (1 .. maxInt), + contentCount INTEGER (0 .. maxInt) }, + + Boreham et al Internet-Draft 5 + + LDAP Extensions for Scrolling View Nov 2002 + Browsing of Search Results + + greaterThanOrEqual [1] AssertionValue }, contextID OCTET STRING OPTIONAL } beforeCount indicates how many entries before the target entry the - client wants the server to send. afterCount indicates the number of - entries after the target entry the client wants the server to send. + client wants the server to send. + + afterCount indicates the number of entries after the target entry the + client wants the server to send. + offset and contentCount identify the target entry as detailed in - section 4. greaterThanOrEqual is an attribute assertion value defined - in [LDAPv3]. 
If present, the value supplied in greaterThanOrEqual is - used to determine the target entry by comparison with the values of - the attribute specified as the primary sort key. The first list entry + section 5. + + greaterThanOrEqual is a matching rule assertion value defined in + [LDAPPROT]. The assertion value is encoded according to the ORDERING + matching rule for the attributeDescription in the sort control [SSS]. + If present, the value supplied in greaterThanOrEqual is used to + determine the target entry by comparison with the values of the + attribute specified as the primary sort key. The first list entry who's value is no less than (less than or equal to when the sort - order is reversed) the supplied value is the target entry. If - present, the contextID field contains the value of the most recently - received contextID field from a VirtualListViewResponse control. The - type AssertionValue and value maxInt are defined in [LDAPv3]. - contextID values have no validity outwith the connection on which - they were received. That is, a client should not submit a contextID - which it received from another connection, a connection now closed, - or a different server. + order is reversed) the supplied value is the target entry. + + If present, the contextID field contains the value of the most + recently received contextID field from a VirtualListViewResponse + control for the same list view. If the contextID is not known because + no contextID has been sent by the server in a VirtualListViewResponse + control, it SHALL be omitted. If the server receives a contextID that + is invalid, it SHALL fail the search operation and indicate the + failure with a protocolError (3) value in the virtualListViewResult + field of the VirtualListViewResponse. The contextID provides state + information between the client and server. This state information is + used by the server to ensure continuity contiguous virtual list + requests. 
When a server receives a VirtualListViewRequest control + that includes a contextID, it SHALL determine whether the client has + sent a contiguous virtual list request and SHALL provide contiguous + entries if possible. If a valid contextID is sent, and the server is + unable to determine whether contiguous data is requested, or is + unable to provide requested contiguous data, it SHALL fail the search + operation and indicate the failure with an unwillingToPerform (53) + value in the virtualListViewResult field of the + VirtualListViewResponse. contextID values have no validity outside + the connection and query with which they were received. A client MUST + NOT submit a contextID which it received from a different connection, + a different query, or a different server. + + The type AssertionValue and value maxInt are defined in [LDAPPROT]. 6.2. Response Control + + - Boreham et al Internet-Draft 5 - - LDAP Extensions for Scrolling View May 2002 + Boreham et al Internet-Draft 6 + + LDAP Extensions for Scrolling View Nov 2002 Browsing of Search Results - This control is included in the SearchResultDone message as part of - the controls field of the LDAPMessage, as defined in Section 4.1.12 - of [LDAPv3]. + If the request control is serviced, this response control is included + in the SearchResultDone message as part of the controls field of the + LDAPMessage, as defined in Section 4.1.12 of [LDAPPROT]. - The controlType is set to "2.16.840.1.113730.3.4.10". The criticality - is FALSE (MAY be absent). The controlValue is an OCTET STRING, whose - value is the BER encoding of a value of the following SEQUENCE: + The controlType is set to "2.16.840.1.113730.3.4.10". The + controlValue, an OCTET STRING, is the BER-encoding of the following + SEQUENCE: VirtualListViewResponse ::= SEQUENCE { targetPosition INTEGER (0 .. maxInt), 
@@ -299,128 +356,137 @@ Expires: Nov 2002 May 2002 virtualListViewResult ENUMERATED { success (0), operationsError (1), + protocolError (3), unwillingToPerform (53), insufficientAccessRights (50), - busy (51), timeLimitExceeded (3), adminLimitExceeded (11), + innapropriateMatching (18), sortControlMissing (60), offsetRangeError (61), - other (80) }, + other(80), + ... }, contextID OCTET STRING OPTIONAL } - targetPosition gives the list offset for the target entry. + targetPosition gives the list offset for the target entry. + contentCount gives the server's estimate of the current number of entries in the list. Together these give sufficient information for the client to update a list box slider position to match the newly retrieved entries and identify the target entry. The contentCount value returned SHOULD be used in a subsequent VirtualListViewRequest - control. contextID is a server-defined octet string. If present, the - contents of the contextID field SHOULD be returned to the server by a - client in a subsequent VirtualListViewRequest control. + control. + + contextID is a server-defined octet string. If present, the contents + of the contextID field SHOULD be returned to the server by a client + in a subsequent virtual list request. The presence of a contextID + here indicates that the server is willing to return contiguous data + from a subsequent search request which uses the same search criteria, + accompanied by a VirtualListViewRequest which indicates that the + client wishes to receive an adjoining page of data. The virtualListViewResult codes which are common to the LDAP - searchResponse (adminLimitExceeded, timeLimitExceeded, busy, - operationsError, unwillingToPerform, insufficientAccessRights) have - the same meanings as defined in [LDAPv3], but they pertain - specifically to the VLV operation. For example, the server could - exceed an administration limit processing a SearchRequest with a - VirtualListViewRequest control. 
However, the same administration - limit would not be exceeded should the same SearchRequest be - submitted by the client without the VirtualListViewRequest control. - In this case, the client can determine that an administration limit - has been exceeded in servicing the VLV request, and can if it chooses - resubmit the SearchRequest without the VirtualListViewRequest - control. + searchResultDone (adminLimitExceeded, timeLimitExceeded, + operationsError, unwillingToPerform, insufficientAccessRights, + success, other) have the same meanings as defined in [LDAPPROT], but + they pertain specifically to the VLV operation. For example, the + server could exceed a VLV-specific administrative limit while + processing a SearchRequest with a VirtualListViewRequest control. + Obviously, the same administrative limit would not be exceeded should + + Boreham et al Internet-Draft 7 + + LDAP Extensions for Scrolling View Nov 2002 + Browsing of Search Results + + the same SearchRequest be submitted by the client without the + VirtualListViewRequest control. In this case, the client can + determine that the administrative limit has been exceeded in + servicing the VLV request, and can if it chooses resubmit the + SearchRequest without the VirtualListViewRequest control, or with + different parameters. insufficientAccessRights means that the server denied the client permission to perform the VLV operation. - - Boreham et al Internet-Draft 6 - - LDAP Extensions for Scrolling View May 2002 - Browsing of Search Results - If the server determines that the results of the search presented - exceed the range specified in INTEGER values, it MUST return - offsetRangeError. + exceed the range specified in INTEGER values, or if the client + specifies an invalid offset or contentCount, the server MUST set the + virtualListViewResult value to offsetRangeError. 6.2.1 virtualListViewError A new LDAP error is introduced called virtualListViewError. Its value - is 76. 
- [Note to the IESG/IANA/RFC Editor: the value 76 has been suggested by - experts, had expert review, and is currently being used by some - implementations. The intent is to have this number designated as an - official IANA assigned LDAP Result Code (see draft-ietf-ldapbis-iana- - xx.txt, Section 3.5)] - - If the server returns any code other than success (0) for - virtualListViewResult, then the server SHOULD return - virtualListViewError as the resultCode of the SearchResultDone - message. + is 76. This error indicates that the search operation failed due to + the inclusion of the VirtualListViewRequest control. + If the resultCode in the SearchResultDone message is set to + virtualListViewError (76), then the virtualListViewResult value MUST + NOT be success (as virtualListViewResult indicates the specific error + condition). If resultCode in the SearchResultDone message is not set + to virtualListViewError (76), then the virtualListViewResult value + SHOULD be success (0) and its value MUST be ignored. 7. Protocol Example Here we walk through the client-server interaction for a specific virtual list view example: The task is to display a list of all 78564 - people in the US company "Ace Industry". This will be done by + persons in the US company "Ace Industry". This will be done by creating a graphical user interface object to display the list contents, and by repeatedly sending different versions of the same virtual list view search request to the server. The list view displays 20 entries on the screen at a time. - We form a search with baseDN "o=Ace Industry, c=us"; search scope - subtree; filter "objectClass=inetOrgPerson". We attach a server sort - order control to the search, specifying ascending sort on attribute - "cn". To this base search, we attach a virtual list view request - control with contents determined by the user activity and send the - search to the server. 
We display the results from each search in the - list window and update the slider position. + We form a search with baseObject of "o=Ace Industry,c=us"; scope of + wholeSubtree; and filter of "(objectClass=person)". We attach a + server-side sort control [SSS] to the search request, specifying + ascending sort on attribute "cn". To this search request, we attach a + virtual list view request control with contents determined by the + user activity and send the search request to the server. We display + the results from each search result entry in the list window and + update the slider position. When the list view is first displayed, we want to initialize the contents showing the beginning of the list. Therefore, we set - beforeCount = 0, afterCount = 19, contentCount = 0, offset = 1 and - send the request to the server. The server duly returns the first 20 - entries in the list, plus the content count = 78564 and - targetPosition = 1. We therefore leave the scroll bar slider at its + beforeCount to 0, afterCount to 19, contentCount to 0, offset to 1 + and send the request to the server. The server duly returns the first + + Boreham et al Internet-Draft 8 + + LDAP Extensions for Scrolling View Nov 2002 + Browsing of Search Results + + 20 entries in the list, plus a content count of 78564 and + targetPosition of 1. We therefore leave the scroll bar slider at its current location (the top of its range). Say that next the user drags the scroll bar slider down to the bottom of its range. We now wish to display the last 20 entries in the list, - so we set beforeCount = 19, afterCount = 0, contentCount = 78564, - offset = 78564 and send the request to the server. The server returns - - - Boreham et al Internet-Draft 7 - - LDAP Extensions for Scrolling View May 2002 - Browsing of Search Results - - the last 20 entries in the list, plus the content count = 78564 and - targetPosition = 78564. 
+ so we set beforeCount to 19, afterCount to 0, contentCount to 78564, + offset to 78564 and send the request to the server. The server + returns the last 20 entries in the list, plus a content count of + 78564 and a targetPosition of 78564. Next the user presses a page up key. Our page size is 20, so we set - beforeCount = 0, afterCount = 19, contentCount = 78564, offset = + beforeCount to 0, afterCount to 19, contentCount to 78564, offset to 78564-19-20 and send the request to the server. The server returns - the preceding 20 entries in the list, plus the content count = 78564 - and targetPosition = 78525. + the preceding 20 entries in the list, plus a content count of 78564 + and a targetPosition of 78525. Now the user grabs the scroll bar slider and drags it to 68% of the - way down its travel. 68% of 78564 is 53424 so we set beforeCount = 9, - afterCount = 10, contentCount = 78564, offset = 53424 and send the - request to the server. The server returns the preceding 20 entries in - the list, plus the content count = 78564 and targetPosition = 53424. - - Lastly, the user types the letter "B". We set beforeCount = 9, - afterCount = 10 and greaterThanOrEqual = "B". The server finds the + way down its travel. 68% of 78564 is 53424 so we set beforeCount to + 9, afterCount to 10, contentCount to 78564, offset to 53424 and send + the request to the server. The server returns the preceding 20 + entries in the list, plus a content count of 78564 and a + targetPosition of 53424. + + Lastly, the user types the letter "B". We set beforeCount to 9, + afterCount to 10 and greaterThanOrEqual to "B". The server finds the first entry in the list not less than "B", let's say "Babs Jensen", and returns the nine preceding entries, the target entry, and the - proceeding 10 entries. The server returns content count = 78564 and - targetPosition = 5234 and so the client updates its scroll bar slider - to 6.7% of full scale. + proceeding 10 entries. 
The server returns a content count of 78564 + and a targetPosition of 5234 and so the client updates its scroll bar + slider to 6.7% of full scale. 8. Notes for Implementers 
@@ -440,40 +506,44 @@ Expires: Nov 2002 May 2002 information received from the list view code to match the format of the virtual list view request and response controls. - Client implementers should note that any offset value returned by the - server may be approximate. Do not design clients > which only operate - correctly when offsets are exact. + - Server implementers using indexing technology which features - approximate positioning should consider returning context identifiers - to clients. The use of a context identifier will allow the server to - distinguish between client requests which relate to different - displayed lists on the client. Consequently the server can decide - more intelligently whether to reposition an existing database cursor - - Boreham et al Internet-Draft 8 - - LDAP Extensions for Scrolling View May 2002 + Boreham et al Internet-Draft 9 + + LDAP Extensions for Scrolling View Nov 2002 Browsing of Search Results - accurately to within a short distance of its current position, or to - reposition to an approximate position. Thus the client will see - precise offsets for "short" repositioning (e.g. paging up or down), - but approximate offsets for a "long" reposition (e.g. a slider - movement). + Client implementers MUST be aware that any offset value returned by + the server might be approximate. Do not design clients that only + operate correctly when offsets are exact. However, if contextIDs are + used, and adjoining pages of information are requested, the server + will return contiguous data. - Server implementers are free to return status code unwillingToPerform - should their server be unable to service any particular VLV search. - This might be because the resolution of the search is computationally - infeasible, or because excessive server resources would be required - to service the search. + Server implementers using indexing technology which features + approximate positioning should consider returning contextIDs to + clients. 
The use of a contextID will allow the server to distinguish + between client requests which relate to different displayed lists on + the client. Consequently the server can decide more intelligently + whether to reposition an existing database cursor accurately to + within a short distance of its current position, or to reposition to + an approximate position. Thus the client will see precise offsets for + "short" repositioning (e.g. paging up or down), but approximate + offsets for a "long" reposition (e.g. a slider movement). + + Server implementers are free to return an LDAP result code of + virtualListViewError and a virtualListViewResult of + unwillingToPerform should their server be unable to service any + particular VLV search. This might be because the resolution of the + search is computationally infeasible, or because excessive server + resources would be required to service the search. Client implementers should note that this control is only defined on - a client interaction with a single server. If a server returns - referrals as a part of its response to the search request, the client - is responsible for deciding when and how to apply this control to the - referred-to servers, and how to collate the results from multiple - servers. + a client interaction with a single server. If a search scope spans + multiple naming contexts that are not held locally, search result + references will be returned, and may occur at any point in the search + operation. The client is responsible for deciding when and how to + apply this control to the referred-to servers, and how to collate the + results from multiple servers. 9. Relationship to "Simple Paged Results" 
@@ -494,7 +564,13 @@ Expires: Nov 2002 May 2002 Server implementers may wish to consider whether clients are able to consume excessive server resources in requesting virtual list operations. Access control to the feature itself; configuration - options limiting the featureÆs use to certain predetermined search + + Boreham et al Internet-Draft 10 + + LDAP Extensions for Scrolling View Nov 2002 + Browsing of Search Results + + options limiting the feature's use to certain predetermined search base DNs and filters; throttling mechanisms designed to limit the ability for one client to soak up server resources, may be appropriate. 
@@ -503,43 +579,68 @@ Expires: Nov 2002 May 2002 retrieve the complete contents, or a significant subset of the complete contents of the directory using this feature. This may be undesirable in some circumstances and consequently it may be - necessary to enforce some access control. - - - - - Boreham et al Internet-Draft 9 - - LDAP Extensions for Scrolling View May 2002 - Browsing of Search Results + necessary to enforce some access control or administrative limit. - Clients can, using this control, determine how many entries are - contained within a portion of the DIT. This may constitute a security - hazard. Again, access controls may be appropriate. + Clients can, using this control, determine how many entries match a + particular filter, before the entries are returned to the client. + This may require special processing in servers which perform access + control checks on entries to determine whether the existence of the + entry can be disclosed to the client. - Server implementers SHOULD exercise caution concerning the content of + Server implementers should exercise caution concerning the content of the contextID. Should the contextID contain internal server state, it may be possible for a malicious client to use that information to gain unauthorized access to information. +11. IANA Considerations + +11.1 Request for LDAP Result Code + + In accordance with section 3.6 of [LDAPIANA], it is requested that + IANA register the LDAP result code virtualListViewError (76) upon + Standards Action by the IESG. The value 76 has been suggested by + experts, had expert review, and is currently being used by some + implementations. If 76 is unavailable on not chosen, the value in the + paragraphs in Section 6.2.1 will need to be updated. 
The following + registration template is suggested: + + Subject: LDAP Result Code Registration + Person & email address to contact for further information: Jim + Sermersheim + Result Code Name: virtualListViewError + Specification: RFCXXXX + Author/Change Controller: IESG + Comments: request LDAP result codes be assigned + -11. Acknowledgements + +12. Acknowledgements Chris Weider, Anoop Anantha, and Michael Armijo of Microsoft co- authored previous versions of this document. -12. References + + + Boreham et al Internet-Draft 11 + + LDAP Extensions for Scrolling View Nov 2002 + Browsing of Search Results + +13. Normative References + + + [X.680] ITU-T Rec. X.680, "Abstract Syntax Notation One (ASN.1) - + Specification of Basic Notation", 1994. + [X.690] ITU-T Rec. X.690, "Specification of ASN.1 encoding rules: + Basic, Canonical, and Distinguished Encoding Rules", + 1994. - [LDAPv3] Wahl, M., Kille, S. and T. Howes, "Lightweight Directory + [LDAPPROT] Wahl, M., Kille, S. and T. Howes, "Lightweight Directory Access Protocol (v3)", Internet Standard, RFC 2251, December, 1997. - [SPaged] Weider, C., Herron, A., Anantha, A. and T. Howes, "LDAP - Control Extension for Simple Paged Results Manipulation", - RFC2696, September 1999. - [SSS] Wahl, M., Herron, A. and T. Howes, "LDAP Control Extension for Server Side Sorting of Search Results", RFC 2891, August, 2000. 
@@ -547,30 +648,18 @@ Expires: Nov 2002 May 2002 [Bradner97] Bradner, S., "Key Words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. + [LDAPIANA] Zeilenga, K., "Internet Assigned Numbers Authority (IANA) + Considerations for the Lightweight Directory Access + Protocol (LDAP)", RFC 3383, September 2002. + +14. Informative References + [SPaged] Weider, C., Herron, A., Anantha, A. and T. Howes, "LDAP + Control Extension for Simple Paged Results Manipulation", + RFC2696, September 1999. - - - - - - - - - - - - - - - - - Boreham et al Internet-Draft 10 - - LDAP Extensions for Scrolling View May 2002 - Browsing of Search Results -13. Authors' Addresses +15. Authors' Addresses David Boreham Bozeman Pass, Inc @@ -578,7 +667,7 @@ Expires: Nov 2002 May 2002 david@bozemanpass.com Jim Sermersheim - Novell, Inc + Novell 1800 South Novell Place Provo, Utah 84606, USA jimse@novell.com @@ -589,9 +678,15 @@ Expires: Nov 2002 May 2002 Redmond, WA 98052, USA +1 425 882-8080 asafk@microsoft.com + + Boreham et al Internet-Draft 12 + + LDAP Extensions for Scrolling View Nov 2002 + Browsing of Search Results + -14. Full Copyright Statement +16. Full Copyright Statement Copyright (C) The Internet Society (2002). All Rights Reserved. This document and translations of it may be copied and furnished to @@ -620,6 +715,25 @@ Expires: Nov 2002 May 2002 + + + + + + + + + + + + + + + + + + + - Boreham et al Internet-Draft 11 \ No newline at end of file + Boreham et al Internet-Draft 13
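Review bot: In the Section 3 hunk the RFC 2119 list is trimmed to "MUST", "SHALL", "SHOULD", "SHOULD NOT", and "MAY", but the new Section 6.1 text still relies on "MUST NOT" ("A client MUST NOT submit a contextID which it received from a different connection, a different query, or a different server"), so that requirement is undefined by the document's own conventions. The fix (restore "MUST NOT" to the list) belongs upstream in the draft; it is worth a line in the commit message so the slapd implementer still reads that sentence as normative.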
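Review bot: The Section 5 hunk mixes normative and informal key words: "which MUST also include a server-side sorting control" is upgraded, "The sort control may contain" is downgraded, and the new sentence "this order must be repeatable for all subsequent virtual list requests" uses lowercase "must" although a repeatable order is the precondition that the contextID continuity rules in Section 6.1 depend on. Suggest the upstream text read "MUST be repeatable"; the double hyphen in "repeatable order--especially" is also a stray typewriter dash.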
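Review bot: The Section 6.1 hunk changes byOffset.offset from INTEGER (0 .. maxInt) to INTEGER (1 .. maxInt) and removes "The criticality SHOULD be set to TRUE" without replacing it; neither change is mentioned in the commit message and both affect an implementation (offset 0 must now be rejected, which the Section 6.2 hunk maps to offsetRangeError, and the server can no longer count on the client marking the control critical). Two text defects to forward upstream as well: "used by the server to ensure continuity contiguous virtual list requests" is missing "of" or "between", and the retained context line "The first list entry who's value" should read "whose".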
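Review bot: The virtualListViewResult ENUMERATED in the Section 6.2 hunk ends up with two labels sharing one value: the added "protocolError (3)," and the retained "timeLimitExceeded (3),". ASN.1 requires ENUMERATED values to be distinct, so the type as written is invalid, and in LDAP protocolError is 2 and timeLimitExceeded is 3 (RFC 2251, Section 4.1.10); the Section 6.1 sentence "a protocolError (3) value" carries the same mistake, and "innapropriateMatching (18)" is misspelled (the LDAP result code is inappropriateMatching). A decoder for this control should follow the LDAP result code numbering rather than the literal values in this revision until the upstream text is corrected. The new 6.2.1 rule "the virtualListViewResult value SHOULD be success (0) and its value MUST be ignored" is also self-contradictory: a value that MUST be ignored needs no SHOULD.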
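Review bot: In the Section 8 hunk the new sentence "However, if contextIDs are used, and adjoining pages of information are requested, the server will return contiguous data" promises more than Section 6.1 does; there the server "SHALL provide contiguous entries if possible" and otherwise fails the search with unwillingToPerform (53). Suggest "the server will either return contiguous data or fail the request" so client implementers handle the failure path. "Client implementers MUST be aware" is an odd use of a key word for a statement of fact; "should note", as in the removed text, reads better.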
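Review bot: The Section 10 hunk downgrades "Server implementers SHOULD exercise caution concerning the content of the contextID" to a lowercase "should", weakening the only normative statement in Security Considerations, at the same time as Section 6.1 now requires the server to recognise an invalid contextID and fail with protocolError. Both point the same way: the contextID is best an opaque, unguessable per-connection handle the server looks up, not serialised cursor state, which satisfies the validity check and removes the disclosure risk the paragraph describes. The new contentCount paragraph says access control "may require special processing" without saying what; suggest stating that contentCount and targetPosition be computed over entries the client is permitted to see, or that the estimate may reveal the existence of entries it cannot read. In 11.1, "If 76 is unavailable on not chosen" should read "or not chosen".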