Re: ITS#8286 pending questions

2018-05-30 Thread Quanah Gibson-Mount
--On Wednesday, May 30, 2018 11:40 AM +0200 Michael Ströder wrote:



> Some more comments on a sub-set of the attributes.


Thanks!

On the attributes related to filesystem paths (logfile, etc), I was going 
with case ignore match since olcConfigFile and olcArgsFile are already 
caseIgnoreMatch.  I.e., the precedent for file paths is already set to be 
non-case specific.  So it seems to me that olcLogFile, olcPidFile, and 
olcModulePath, etc should all be caseIgnoreMatch for consistency.




> Any EQUALITY matching rule needed at all?
> If yes, use EQUALITY octetStringMatch as with userPassword.


Lack of matching rules is causing problems with cn=config replication, 
which isn't really highlighted in ITS#8286 (That problem arose later).  So 
the goal is to ensure all attributes used by cn=config have matching rules 
defined.



>> olcTCPBuffer -- case ignore match?


> Also might contain listener URL. So maybe the same as olcReferral even
> though an LDAPI URI does not make sense with TCP buffers?


Sounds right.


>> olcTLSCipherSuite -- case ignore match?


> I don't have a strong opinion on that because I don't have an oversight
> how the supported crypto libs treat these strings.


Yeah, I'm not entirely sure on this one either.


>> olcTLSSECName -- case ignore match?


> ??? Cannot find this in 2.4 schema. Is that new in 2.5?


Yes, new in 2.5.


>> --- dds.c
>> olcDDSmaxTtl -- case ignore match?
>> olcDDSminTtl -- case ignore match?
>> olcDDSdefaultTtl -- case ignore match?
>> olcDDSinterval -- case ignore match?
>> olcDDStolerance -- case ignore match?


> Why are the TTL attributes strings at all? I see no reason why they are
> not defined as Integer syntax.


That's a very valid question, since the man page only allows numeric 
values.  But the schema defines them as directory strings instead of 
integers.  Looking at RFC 2589, the "entryTTL" that gets added to a dynamic 
object is specified as being an integer, so it seems to me that these 
attributes which control that value should also be required to be an 
integer.  Howard, your thoughts?  Is this a bug in the design of slapo-dds? 
If they are kept as strings, perhaps "numericStringMatch"?




>> --- memberof.c
>> olcMemberOfDangling -- case ignore match?


> This serves as a good example for an enum type. I'd argue that it should
> be limited to this particular set of lower-cased values.


Per the code, it already is limited to "ignore" or "drop" or "error".  The 
question here is what matching rule is necessary.  As far as I can tell 
it'd consider "igNore", "DroP", etc, all valid since it's just a directory 
string.



>> olcMemberOfGroupOC -- case ignore match?
>> olcMemberOfMemberAD -- case ignore match?
>> olcMemberOfMemberOfAD -- case ignore match?


> AFAICS these always reference a single object class or attribute type.
> So why not declare them with syntax OID?
> Same suggestion for similar attributes of other overlays.


I'm concerned about changing SYNTAX for already released code.



>> olcMemberOfDanglingError -- case ignore match?


> Is this just the LDAP error code?
> If yes, define it as Integer.


It does seem it would make more sense as an integer.  However, I'm not sure 
that'd work well as a change for 2.4, perhaps 2.5 only.


--Quanah

--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
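The thread turns on what each EQUALITY rule actually makes equal: a path under caseIgnoreMatch, a keyword such as "igNore" for olcMemberOfDangling, a TTL kept as a Directory String rather than an INTEGER, a password under octetStringMatch. The following is an added example, not code from the thread or from slapd, that models those rules (string preparation roughly as in RFC 4518, INTEGER syntax as in RFC 4517) so the differences can be exercised on constructed values. The keyword list for olcMemberOfDangling is taken from the thread; the helper names and sample values are the example's own.

```python
"""Model of the LDAP EQUALITY rules discussed for the olc* attributes.

Added example: not code from the ITS#8286 thread or from slapd. It shows why
the choice between caseExactMatch, caseIgnoreMatch, octetStringMatch and
integerMatch matters for paths, enum-like keywords, TTLs and passwords.
"""
import re
from typing import Optional, Tuple

# RFC 4518-style insignificant-space handling used by the string rules:
# collapse internal runs of whitespace to one space, strip the ends.
def _prepare(value: str) -> str:
    return re.sub(r"\s+", " ", value).strip()

def case_exact_match(a: str, b: str) -> bool:
    """caseExactMatch: equal after preparation, case is significant."""
    return _prepare(a) == _prepare(b)

def case_ignore_match(a: str, b: str) -> bool:
    """caseIgnoreMatch: as caseExactMatch, but case-insensitive."""
    return _prepare(a).casefold() == _prepare(b).casefold()

def octet_string_match(a: bytes, b: bytes) -> bool:
    """octetStringMatch (the rule userPassword uses): byte-for-byte equality."""
    return a == b

# RFC 4517 INTEGER: optional minus sign, no leading zeros, no whitespace.
_INTEGER_RE = re.compile(r"^-?(0|[1-9][0-9]*)$")

def parse_integer(value: str) -> int:
    """Strictly parse an INTEGER syntax value; reject anything else."""
    if not _INTEGER_RE.match(value):
        raise ValueError(f"not a valid INTEGER value: {value!r}")
    return int(value)

def integer_match(a: str, b: str) -> bool:
    """integerMatch: numerically equal after strict parsing."""
    return parse_integer(a) == parse_integer(b)

# Keywords the thread says slapo-memberof accepts for olcMemberOfDangling.
DANGLING_KEYWORDS = ("ignore", "drop", "error")

def is_valid_dangling(value: str) -> bool:
    """Accept only the exact lower-case keywords, as the overlay code does.
    'igNore' is rejected here even though caseIgnoreMatch on the Directory
    String value would treat it as equal to 'ignore'."""
    return value in DANGLING_KEYWORDS

def path_values_collide(a: str, b: str) -> bool:
    """On a case-sensitive (POSIX) filesystem two paths that differ only in
    case name different files. Report whether caseIgnoreMatch would still
    treat them as one and the same attribute value."""
    return a != b and case_ignore_match(a, b)

def ttl_values_equal(a: str, b: str) -> Tuple[bool, Optional[bool]]:
    """Compare a TTL under the Directory String rule the schema uses today
    and under integerMatch as proposed in the thread. The second element is
    None when a value is not a valid INTEGER at all, which is the validation
    the string syntax silently skips."""
    as_string = case_ignore_match(a, b)
    try:
        as_integer: Optional[bool] = integer_match(a, b)
    except ValueError:
        as_integer = None
    return as_string, as_integer

if __name__ == "__main__":
    # Constructed sample values, not taken from any real configuration.
    print(path_values_collide("/var/run/slapd.pid", "/var/run/SLAPD.pid"))
    print(ttl_values_equal("3600", "03600"))
    print(is_valid_dangling("DroP"), case_ignore_match("DroP", "drop"))
    print(octet_string_match(b"Secret", b"secret"))
```

Running it shows the three situations the thread argues about: the two pid-file paths compare equal under caseIgnoreMatch although they are different files, "03600" is equal to nothing under integerMatch because it is not a well-formed INTEGER while the string rule happily stores it, and "DroP" is rejected by the keyword check even though the Directory String matching rule would consider it the same value as "drop".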





Re: ITS#8286 pending questions

2018-05-30 Thread Michael Ströder
Howard Chu wrote:
> Michael Ströder wrote:
>> Quanah Gibson-Mount wrote:
>>>  servers/slapd/bconfig.c ---
>>> olcInclude -- case ignore match?
>>
>> Is already defined with caseExactMatch via "SUP labeledURI".
>> IMO deriving from labeledURI does not make sense though.
> 
> olcInclude takes URIs. Typically file:// URIs. It could also take
> ldap:// URIs.

Ok. Anyway nothing to change because file and ldap URIs must be treated
case-sensitive.

Ciao, Michael.





Re: ITS#8286 pending questions

2018-05-30 Thread Michael Ströder
Some more comments on a sub-set of the attributes.

Quanah Gibson-Mount wrote:
> olcReferral -- case ignore match?

It's already declared SUP labeledURI and therefore has caseExactMatch.
This makes sense because it could specify an LDAPI URL with
case-sensitive socket path name.

> olcRootPw -- case exact match?

Any EQUALITY matching rule needed at all?
If yes, use EQUALITY octetStringMatch as with userPassword.

> olcTCPBuffer -- case ignore match?

Also might contain listener URL. So maybe the same as olcReferral even
though an LDAPI URI does not make sense with TCP buffers?

> olcTLSCipherSuite -- case ignore match?

I don't have a strong opinion on that because I don't have an oversight
how the supported crypto libs treat these strings.

> olcTLSSECName -- case ignore match?

??? Cannot find this in 2.4 schema. Is that new in 2.5?

> olcTLSProtocolMin -- case ignore match?
> 
>  BACKENDS ---
> --- back-asyncmeta
> olcDbURI -- case ignore match?

Same as olcReferral.

> olcDbURI -- case ignore match?

Same as olcReferral for back-ldap and back-meta.

> --- back-sql
> olcDbHost -- case ignore match?

This could also contain a Unix domain socket?
If yes, caseExactMatch.

> olcDbName -- case ignore match?

Hmm, I'm not sure. Also not sure about all the attrs containing SQL
statements.

> --- dds.c
> olcDDSmaxTtl -- case ignore match?
> olcDDSminTtl -- case ignore match?
> olcDDSdefaultTtl -- case ignore match?
> olcDDSinterval -- case ignore match?
> olcDDStolerance -- case ignore match?

Why are the TTL attributes strings at all? I see no reason why they are
not defined as Integer syntax.

> --- memberof.c
> olcMemberOfDangling -- case ignore match?

This serves as a good example for an enum type. I'd argue that it should
be limited to this particular set of lower-cased values.

> olcMemberOfGroupOC -- case ignore match?
> olcMemberOfMemberAD -- case ignore match?
> olcMemberOfMemberOfAD -- case ignore match?

AFAICS these always reference a single object class or attribute type.
So why not declare them with syntax OID?
Same suggestion for similar attributes of other overlays.

> olcMemberOfDanglingError -- case ignore match?

Is this just the LDAP error code?
If yes, define it as Integer.

Ciao, Michael.





Re: ITS#8286 pending questions

2018-05-30 Thread Howard Chu

Michael Ströder wrote:
> Quanah Gibson-Mount wrote:
>> I've done a first pass through the source tree adding missing matching
>> rules to the olc* attributes to address ITS#8286
>> ().  However,
>> many of the attributes are string types, and can either be case
>> exact/ignore match.  The following is a list of those attributes, and my
>> best guess at which they should be.
> 
> It really depends on the default use-case and whether an attribute could
> be used in a RDN or not.
> 
> Since POSIX file systems are case-sensitive I'd say that all attributes
> containing file-system path names must be defined with caseExactMatch.
> 
>>   Once I have a definitive answer on
>> these, I'll commit them:
>> 
>>  servers/slapd/bconfig.c ---
>> olcInclude -- case ignore match?
> 
> Is already defined with caseExactMatch via "SUP labeledURI".
> IMO deriving from labeledURI does not make sense though.
> 
> Ciao, Michael.


olcInclude takes URIs. Typically file:// URIs. It could also take ldap:// URIs.

--
  -- Howard Chu
  CTO, Symas Corp.   http://www.symas.com
  Director, Highland Sun http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/



Re: ITS#8286 pending questions

2018-05-30 Thread Michael Ströder
Quanah Gibson-Mount wrote:
> I've done a first pass through the source tree adding missing matching
> rules to the olc* attributes to address ITS#8286
> ().  However,
> many of the attributes are string types, and can either be case
> exact/ignore match.  The following is a list of those attributes, and my
> best guess at which they should be.

It really depends on the default use-case and whether an attribute could
be used in a RDN or not.

Since POSIX file systems are case-sensitive I'd say that all attributes
containing file-system path names must be defined with caseExactMatch.

>  Once I have a definitive answer on
> these, I'll commit them:
> 
>  servers/slapd/bconfig.c ---
> olcInclude -- case ignore match?

Is already defined with caseExactMatch via "SUP labeledURI".
IMO deriving from labeledURI does not make sense though.

Ciao, Michael.





ITS#8286 pending questions

2018-05-29 Thread Quanah Gibson-Mount
I've done a first pass through the source tree adding missing matching 
rules to the olc* attributes to address ITS#8286 
().  However, many 
of the attributes are string types, and can either be case exact/ignore 
match.  The following is a list of those attributes, and my best guess at 
which they should be.  Once I have a definitive answer on these, I'll 
commit them:


 servers/slapd/bconfig.c ---
olcInclude -- case ignore match?
olcLogFile -- case ignore match?
olcModulePath -- case ignore match?
olcOverlay -- case ignore match?
olcPasswordCryptSaltFormat -- case ignore match?
olcPidFile -- case ignore match?
olcPluginLogFile -- case ignore match?
olcReferral -- case ignore match?
olcRootPw -- case exact match?
olcSaslAuxprops -- case ignore match?
olcSaslHost -- case exact match?
olcSaslRealm -- case exact match?
olcSaslSecProps -- case exact match?
olcSizeLimit -- case ignore match?
olcSubordinate -- case ignore match?
olcTCPBuffer -- case ignore match?
olcTimeLimit -- case ignore match?
olcTLSCACertificateFile -- case ignore match?
olcTLSCACertificatePath -- case ignore match?
olcTLSCertificateFile -- case ignore match?
olcTLSCertificatePath -- case ignore match?
olcTLSCertificateKey -- ??? (Private OID)
olcTLSCertificateKeyFile -- case ignore match?
olcTLSCipherSuite -- case ignore match?
olcTLSCRLCheck -- case ignore match?
olcTLSCRLFile -- case ignore match?
olcTLSRandFile -- case ignore match?
olcTLSVerifyClient -- case ignore match?
olcTLSDHParamFile -- case ignore match?
olcTLSSECName -- case ignore match?
olcTLSProtocolMin -- case ignore match?

 BACKENDS ---
--- back-asyncmeta
olcDbURI -- case ignore match?
olcDbStartTLS -- case ignore match? (also, seems to be misnamed and missing 
the "ldaps" option)

olcDbACLPasswd -- case exact match?
olcDbIDAssertBind -- case ignore match?
olcDbTFSupport -- case ignore match?
olcDbTimeout -- case ignore match?
olcDbIdleTimeout -- case ignore match?
olcDbCancel -- case ignore match?
olcDbQuarantine -- case ignore match?
olcDbDefaultTarget -- case ignore match?
olcDbDnCacheTtl -- case ignore match?
olcDbBindTimeout -- case ignore match?
olcDbOnErr -- case ignore match?
olcDbNretries -- case ignore match?
olcDbClientPr -- case ignore match?
olcDbKeepalive -- case ignore match?

--- back-bdb/hdb
olcDbCheckpoint -- case ignore match?
olcDbCryptFile -- case ignore match?
olcDbCryptKey -- case ignore match?
olcDbConfig -- IA5 case ignore match?
olcDbLockDetect -- case ignore match?
olcDbMode -- case ignore match?

--- back-ldap
olcDbURI -- case ignore match?
olcDbStartTLS -- case ignore match? (also, seems to be misnamed? old config 
parameter was just "tls")

olcDbACLPasswd -- case exact match?
olcDbACLBind -- case ignore match?
olcDbIDAssertPasswd -- case exact match?
olcDbIDAssertBind -- case ignore match?
olcDbIDAssertMode -- case ignore match?
olcDbTFSupport -- case ignore match?
olcDbTimeout -- case ignore match?
olcDbIdleTimeout -- case ignore match?
olcDbConnTtl -- case ignore match?
olcDbNetworkTimeout -- case ignore match?
olcDbCancel -- case ignore match?
olcDbQuarantine -- case ignore match?
olcDbOnErr -- case ignore match?
olcDbKeepalive -- case ignore match?

--- back-mdb
olcDbCheckpoint -- case ignore match?
olcDbMode -- case ignore match?

--- back-meta
olcDbURI -- case ignore match?
olcDbStartTLS -- case ignore match? (also, seems to be misnamed? old config 
parameter was just "tls")

olcDbACLPasswd -- case exact match?
olcDbIDAssertBind -- case ignore match?
olcDbTFSupport -- case ignore match?
olcDbTimeout -- case ignore match?
olcDbIdleTimeout -- case ignore match?
olcDbConnTtl -- case ignore match?
olcDbNetworkTimeout -- case ignore match?
olcDbCancel -- case ignore match?
olcDbQuarantine -- case ignore match?
olcDbDefaultTarget -- case ignore match?
olcDbDnCacheTtl -- case ignore match?
olcDbBindTimeout -- case ignore match?
olcDbOnErr -- case ignore match?
olcDbNretries -- case ignore match?
olcDbClientPr -- case ignore match?
olcDbKeepalive -- case ignore match?

--- back-sql
olcDbHost -- case ignore match?
olcDbName -- case ignore match?
olcDbUser -- case ignore match?
olcDbPass -- case exact match?
olcSqlConcatPattern -- case ignore match?
olcSqlSubtreeCond -- case ignore match?
olcSqlChildrenCond -- case ignore match?
olcSqlDnMatchCond-- case ignore match?
olcSqlOcQuery -- case ignore match?
olcSqlAtQuery -- case ignore match?
olcSqlInsEntryStmt -- case ignore match?
olcSqlUpperFunc -- case ignore match?
olcSqlStrcastFunc -- case ignore match?
olcSqlDelEntryStmt -- case ignore match?
olcSqlRenEntryStmt -- case ignore match?
olcSqlDelObjclassesStmt -- case ignore match?
olcSqlBaseObject -- case ignore match?
olcSqlLayer -- case ignore match?
olcSqlFetchAttrs -- case ignore match?
olcSqlAliasingKeyword -- case ignore match?
olcSqlAliasingQuote -- case ignore match?
olcSqlIdQuery -- case ignore match?

--