[Ldap-dir] Concerns about draft-ietf-nfsv4-federated-fs-protocol
Nicolas Williams <Nicolas.Williams@sun.com> Wed, 09 September 2009 16:20 UTC
Return-Path: <Nicolas.Williams@sun.com>
X-Original-To: ldap-dir@core3.amsl.com
Delivered-To: ldap-dir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id B62843A6999 for <ldap-dir@core3.amsl.com>; Wed, 9 Sep 2009 09:20:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.23
X-Spam-Level:
X-Spam-Status: No, score=-5.23 tagged_above=-999 required=5 tests=[AWL=-0.384, BAYES_00=-2.599, HELO_MISMATCH_COM=0.553, J_CHICKENPOX_15=0.6, J_CHICKENPOX_53=0.6, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xDe32ngEbHWf for <ldap-dir@core3.amsl.com>; Wed, 9 Sep 2009 09:20:42 -0700 (PDT)
Received: from sca-ea-mail-2.sun.com (sca-ea-mail-2.Sun.COM [192.18.43.25]) by core3.amsl.com (Postfix) with ESMTP id 7E2AF3A6870 for <ldap-dir@ietf.org>; Wed, 9 Sep 2009 09:20:24 -0700 (PDT)
Received: from dm-central-01.central.sun.com ([129.147.62.4]) by sca-ea-mail-2.sun.com (8.13.7+Sun/8.12.9) with ESMTP id n89GKqpW029502 for <ldap-dir@ietf.org>; Wed, 9 Sep 2009 16:20:52 GMT
Received: from binky.Central.Sun.COM (binky.Central.Sun.COM [129.153.128.104]) by dm-central-01.central.sun.com (8.13.8+Sun/8.13.8/ENSMAIL, v2.2) with ESMTP id n89GKq7Y014377 for <ldap-dir@ietf.org>; Wed, 9 Sep 2009 10:20:52 -0600 (MDT)
Received: from binky.Central.Sun.COM (localhost [127.0.0.1]) by binky.Central.Sun.COM (8.14.3+Sun/8.14.3) with ESMTP id n89G9rr5013161; Wed, 9 Sep 2009 11:09:53 -0500 (CDT)
Received: (from nw141292@localhost) by binky.Central.Sun.COM (8.14.3+Sun/8.14.3/Submit) id n89G9qRm013160; Wed, 9 Sep 2009 11:09:52 -0500 (CDT)
X-Authentication-Warning: binky.Central.Sun.COM: nw141292 set sender to Nicolas.Williams@sun.com using -f
Date: Wed, 09 Sep 2009 11:09:52 -0500
From: Nicolas Williams <Nicolas.Williams@sun.com>
To: ldap-dir@ietf.org, Alexey Melnikov <alexey.melnikov@isode.com>
Message-ID: <20090909160952.GV1048@Sun.COM>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
User-Agent: Mutt/1.5.7i
X-Mailman-Approved-At: Thu, 10 Sep 2009 08:05:09 -0700
Subject: [Ldap-dir] Concerns about draft-ietf-nfsv4-federated-fs-protocol
X-BeenThere: ldap-dir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: LDAP Directorate <ldap-dir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ldap-dir>, <mailto:ldap-dir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ldap-dir>
List-Post: <mailto:ldap-dir@ietf.org>
List-Help: <mailto:ldap-dir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ldap-dir>, <mailto:ldap-dir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Sep 2009 16:20:43 -0000
Dear LDAP directorate, I have several issues with draft-ietf-nfsv4-federated-fs-protocol-03, of which at least two remain outstanding, and which the authors do not wish to address. My concerns: 1) It requires that searches have scope=one and base-DN="o=fedfs": " The base name (or suffix) of the NSDB directory information tree (DIT) is "o=fedfs". " and " The scope value of "one" restricts the search to the entry's children (rather than the entire subtree below the entry) and the filter ensures that only FSL entries are returned. " I believe this unnecessarily constrains deployment and will cause many problems. I also believe that this is probably an artifact of one or more of the authors needing to furnish a base DN to typical LDAP APIs, and the simplest (but wrong) thing to do was to hardcode it. The document also says the following, which, incidentally, is practically a corollary of the o=fedfs requirement: " Given the above configuration guidelines, an NSDB SHOULD be constructed using a dedicated LDAP directory. Separate LDAP directories may be used for other purposes, such as storing user account information. By using an LDAP directory dedicated to storing NSDB records, there is no need to disturb the configuration of any other LDAP directories that store information unrelated to an NSDB. " I don't think an RFC should make such a recommendation (really, a requirement). But more than anything I don't think an RFC should mandate the names of a DIT's namingContexts. (The example searches don't filter on objectClass, which may be another reason why the authors chose to segregate the NSDB from the rest of the DIT.) 2) The use of UUIDs for object naming to guarantee object DN uniqueness, while not necessarily a problem, seems unnecessary: the directory should ensure object DN uniqueness, thus there is no need to enforce uniqueness at the application layer! Specifically the I-D says: " Since LDAP requires a DN to be unique, this ensures that each FSN entry has a unique UUID value within the LDAP directory. " In particular it seems that the use of UUIDs derives from the fact that an NFSv4 federation is expected to consist of per-domain "NSDBs", where each NSDB is an LDAP DS or more, all with a flat NSDB object naming scheme (see issue (1)), but which is still expected to have federation- wide unique NSDB object names. That's where UUIDs as object names come in. Of course, there's no way in this scheme to know where an NSDB resides just from its name -- which begs the question of why a flat global NSDB object namespace is needed in the first place. I believe this document represents a gross misuse of LDAP. But I cannot convince the authors that that is the case. Hopefully the App Area will have a chance to review this document and review my concerns. Nico --
- [Ldap-dir] Concerns about draft-ietf-nfsv4-federa… Nicolas Williams
- Re: [Ldap-dir] Concerns about draft-ietf-nfsv4-fe… Leif Johansson
- Re: [Ldap-dir] Concerns about draft-ietf-nfsv4-fe… Nicolas Williams
- Re: [Ldap-dir] Concerns about draft-ietf-nfsv4-fe… Leif Johansson
- Re: [Ldap-dir] Concerns about draft-ietf-nfsv4-fe… Nicolas Williams