[glue-wg] LDAP Rendering

Paul Millar paul.millar at desy.de
Wed Apr 15 04:32:20 CDT 2009 

Hi Stephen,

Sorry, this one was delayed whilst I was away (helping run a training 
workshop, then Easter).

On Tuesday 31 March 2009 17:46:47 Burke, S (Stephen) wrote:
> [extensible filters instead of GlueChunkKey]
> For one thing you can't do wildcard queries with the extensible query
> format, 

I spent a little bit of time investigating this.  It's actually a complex, 
somewhat interesting and layered issue.

Having read (only the relevant bits of ;-) RFC-4511 I couldn't find anything 
to suggests that one cannot use substring match rules in an extensible 
filter.

However, from my reading of the RFC, it seems that the people writing LDAPv3 
spec. didn't really consider substring-like extensible filters since the ABNF 
in RFC-4515 removes the ability to specify an ASTERISK character in 
extensible filters.  In contrast, the ABNF in RFC-4511 (sec. 4.5.1) does not 
contain this restriction.  See:

	http://tools.ietf.org/html/rfc4515#section-3

The restriction in RFC-4515 contradicts RFC-4511 (sec. 4.5.1.7.7).  When 
describing extensible filters, it says:

	http://tools.ietf.org/html/rfc4511#section-4.5.1.7.7

	The matchingRule used for evaluation determines the
	syntax for the assertion value. [...]

So, using a substring-like matching rule should allow substring-like assertion 
values, in contradiction with the ABNF in RFC-4515.

In summary, one should be able to conduct substring query by explicitly 
specifying the matchingRule in an extensible filter.

However, all of this is doesn't matter since OpenLDAP currently doesn't 
support substring-like extensible filters.  Scanning through the src-code of 
the latest version, it seems to make a tacit assumption that the assertion 
value is formatted for exact-match-like filters and ASTERISK characters are 
forbidden.

However, even this is immaterial since clients MUST NOT (as in RFC 2119)  
conduct wildcard searches against the DN.  On page 5 of GLUE v2.0 spec:

	[...]. The ID MUST NOT be interpreted by the user or the
	system as having any meaning other than an identifier. [...]

Currently, we use the object's ID attribute in the RDNs to build the DNs.  
I believe filtering using a substring-like filter would imply that the ID 
attributes have some searchable structure, which contradicts the "[not] 
having any meaning" bit above.  So,  I interpret this to mean clients MUST 
NOT use wildcard searches in the DN.


> and for another it's often useful to query *for* the chunkey so you can
> extract the relevant ID, which is a lot easier than extracting it from
> the DN. 

This is certainly true:  LDAP provides a very limited ability to search across 
links (effectively dereferencing a link).  As an aside: there was a proposal 
to add support for cross-querying by adding a new matchingRule; however, the 
proposal seems to have been shot down due to interop. concerns.

With the scheme David is proposing, we could include the upward pointing 
links.  Omitting the objectClass declarations, this could be:

dn: GlueStorageShareID=someShare,GlueStorageServiceID=someSE,
  AdminDomain=aGridSite,o=grid
GlueStorageShareID: someShare
GlueStorageShareName: example storage share
GlueStorageShareStorageService: someSE

Cheers,

Paul.

More information about the glue-wg mailing list