IETF Logo Mail Archive

Re: [Ldap-dir] Concerns about draft-ietf-nfsv4-federated-fs-protocol

Leif Johansson <leifj@it.su.se> Thu, 10 September 2009 15:57 UTC

Return-Path: <leifj@it.su.se>
X-Original-To: ldap-dir@core3.amsl.com
Delivered-To: ldap-dir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 5BB0C3A67F0 for <ldap-dir@core3.amsl.com>; Thu, 10 Sep 2009 08:57:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.049
X-Spam-Level:
X-Spam-Status: No, score=-5.049 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_EQ_SE=0.35, J_CHICKENPOX_15=0.6, J_CHICKENPOX_53=0.6, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Czx8wOhmpxvZ for <ldap-dir@core3.amsl.com>; Thu, 10 Sep 2009 08:57:40 -0700 (PDT)
Received: from smtp.su.se (smtp3.su.se [130.237.93.228]) by core3.amsl.com (Postfix) with ESMTP id 0A7CB3A6975 for <ldap-dir@ietf.org>; Thu, 10 Sep 2009 08:57:39 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by smtp.su.se (Postfix) with ESMTP id 403893BF3D; Thu, 10 Sep 2009 17:58:12 +0200 (CEST)
Received: from smtp.su.se ([127.0.0.1]) by localhost (smtp3.su.se [127.0.0.1]) (amavisd-new, port 10024) with LMTP id 05274-01-90; Thu, 10 Sep 2009 17:58:11 +0200 (CEST)
Received: from klapautius.localnet (unknown [80.122.97.74]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp.su.se (Postfix) with ESMTP id 07A1B3C674; Thu, 10 Sep 2009 17:58:10 +0200 (CEST)
From: Leif Johansson <leifj@it.su.se>
Organization: Stockholm university
To: ldap-dir@ietf.org
Date: Thu, 10 Sep 2009 17:58:05 +0200
User-Agent: KMail/1.11.2 (Linux/2.6.28-15-generic; KDE/4.2.2; i686; ; )
References: <20090909160952.GV1048@Sun.COM>
In-Reply-To: <20090909160952.GV1048@Sun.COM>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="nextPart2490202.V2fDJGhXmW"; protocol="application/pgp-signature"; micalg="pgp-sha1"
Content-Transfer-Encoding: 7bit
Message-Id: <200909101758.10049.leifj@it.su.se>
X-Virus-Scanned: by amavisd-new at smtp.su.se
Cc: Nicolas Williams <Nicolas.Williams@sun.com>
Subject: Re: [Ldap-dir] Concerns about draft-ietf-nfsv4-federated-fs-protocol
X-BeenThere: ldap-dir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: LDAP Directorate <ldap-dir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ldap-dir>, <mailto:ldap-dir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ldap-dir>
List-Post: <mailto:ldap-dir@ietf.org>
List-Help: <mailto:ldap-dir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ldap-dir>, <mailto:ldap-dir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 10 Sep 2009 15:57:41 -0000

On Wednesday 09 September 2009 18.09.52 Nicolas Williams wrote:
> Dear LDAP directorate,
>
> I have several issues with draft-ietf-nfsv4-federated-fs-protocol-03, of
> which at least two remain outstanding, and which the authors do not wish
> to address.  My concerns:
>

I had a conversation with them at the last IETF and voiced similar concerns. 
While I mostly agree with you (comments on details in line) I'm not sure how 
serious they are for practical deployment of this stuff.

> 1) It requires that searches have scope=one and base-DN="o=fedfs":
>
> "
>    The base name (or suffix) of the NSDB directory information tree
>    (DIT) is "o=fedfs".
> "
>
> and
>
> "
>                             The scope value of "one" restricts the
>    search to the entry's children (rather than the entire subtree below
>    the entry) and the filter ensures that only FSL entries are returned.
> "
>
> I believe this unnecessarily constrains deployment and will cause many
> problems.  I also believe that this is probably an artifact of one or
> more of the authors needing to furnish a base DN to typical LDAP APIs,
> and the simplest (but wrong) thing to do was to hardcode it.
>
> The document also says the following, which, incidentally, is
> practically a corollary of the o=fedfs requirement:
>
> "
>    Given the above configuration guidelines, an NSDB SHOULD be
>    constructed using a dedicated LDAP directory.  Separate LDAP
>    directories may be used for other purposes, such as storing user
>    account information.  By using an LDAP directory dedicated to storing
>    NSDB records, there is no need to disturb the configuration of any
>    other LDAP directories that store information unrelated to an NSDB.
> "
>
> I don't think an RFC should make such a recommendation (really, a
> requirement).  But more than anything I don't think an RFC should
> mandate the names of a DIT's namingContexts.
>
> (The example searches don't filter on objectClass, which may be another
> reason why the authors chose to segregate the NSDB from the rest of the
> DIT.)
>

It is quite possible (and I explained how in Stockholm) to redesign the 
searches to remove all of these requirements.

However I'm not sure anyone will ever deploy NSDB along with any other
directory information anyway because NSDB requires read access to all
data in the subtree. I've found that most directory admins can't manage
access rights and asking them to stick a large dataset in their systems 
with public access is like asking a DNS admin to add a RR for which there is 
no GUI in the admin tool. The result is consternation at best.

I believe that practically speaking NSDB will run on dedicated directory 
servers administrated separately from other directory servers in the
enterprise no matter how hard you try and I don't see how that is 
such a big problem...

Having said that I do agree with the technical points you make.

> 2) The use of UUIDs for object naming to guarantee object DN uniqueness,
> while not necessarily a problem, seems unnecessary: the directory should
> ensure object DN uniqueness, thus there is no need to enforce uniqueness
> at the application layer!
>

Well yes but since you can't "lock" a name you can't first figure out which
name to give your new entry and then go away and create it - unless you
depend on extensions for transaction-like grouping of operations in LDAP.

Personally I think its fine to say MUST be unique and suggest (in an 
implementation note) how you can achieve uniqueness using UUIDs.

> Specifically the I-D says:
>
> "
>    Since LDAP requires a DN to be unique, this ensures that each FSN
>    entry has a unique UUID value within the LDAP directory.
> "
>
> In particular it seems that the use of UUIDs derives from the fact that
> an NFSv4 federation is expected to consist of per-domain "NSDBs", where
> each NSDB is an LDAP DS or more, all with a flat NSDB object naming
> scheme (see issue (1)), but which is still expected to have federation-
> wide unique NSDB object names.  That's where UUIDs as object names come
> in.  Of course, there's no way in this scheme to know where an NSDB
> resides just from its name -- which begs the question of why a flat
> global NSDB object namespace is needed in the first place.
>
> I believe this document represents a gross misuse of LDAP.  But I cannot
> convince the authors that that is the case.  Hopefully the App Area will
> have a chance to review this document and review my concerns.

I think gross misuse is an overstatement. Do they use LDAP the way a
normal identity-oriented directory does? Nope. Will that be the end of
the world as we know it? Probably not.

Let me emphasise that I mostly agree with your points and that I've 
explained how to avoid some of these issues to the authors. My 
impression is that if there are good reasons to redesign the spec then
the authors would do that. They don't strike me as unreasonable.

The problem is that I can't really see how a redesign will have a 
significant impact on the real-world deployment of this or (conversely) 
how this spec fundamentally hurts LDAP. I would love to be wrong about
this though!

	Cheers Leif

v2.23.0 | Report a Bug | By Email