[Ldap-dir] Concerns about draft-ietf-nfsv4-federated-fs-protocol
Nicolas Williams <Nicolas.Williams@sun.com> Wed, 09 September 2009 16:20 UTC
Return-Path: <Nicolas.Williams@sun.com>
X-Original-To: ldap-dir@core3.amsl.com
Delivered-To: ldap-dir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id B62843A6999 for <ldap-dir@core3.amsl.com>; Wed, 9 Sep 2009 09:20:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.23
X-Spam-Level:
X-Spam-Status: No, score=-5.23 tagged_above=-999 required=5 tests=[AWL=-0.384, BAYES_00=-2.599, HELO_MISMATCH_COM=0.553, J_CHICKENPOX_15=0.6, J_CHICKENPOX_53=0.6, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xDe32ngEbHWf for <ldap-dir@core3.amsl.com>; Wed, 9 Sep 2009 09:20:42 -0700 (PDT)
Received: from sca-ea-mail-2.sun.com (sca-ea-mail-2.Sun.COM [192.18.43.25]) by core3.amsl.com (Postfix) with ESMTP id 7E2AF3A6870 for <ldap-dir@ietf.org>; Wed, 9 Sep 2009 09:20:24 -0700 (PDT)
Received: from dm-central-01.central.sun.com ([129.147.62.4]) by sca-ea-mail-2.sun.com (8.13.7+Sun/8.12.9) with ESMTP id n89GKqpW029502 for <ldap-dir@ietf.org>; Wed, 9 Sep 2009 16:20:52 GMT
Received: from binky.Central.Sun.COM (binky.Central.Sun.COM [129.153.128.104]) by dm-central-01.central.sun.com (8.13.8+Sun/8.13.8/ENSMAIL, v2.2) with ESMTP id n89GKq7Y014377 for <ldap-dir@ietf.org>; Wed, 9 Sep 2009 10:20:52 -0600 (MDT)
Received: from binky.Central.Sun.COM (localhost [127.0.0.1]) by binky.Central.Sun.COM (8.14.3+Sun/8.14.3) with ESMTP id n89G9rr5013161; Wed, 9 Sep 2009 11:09:53 -0500 (CDT)
Received: (from nw141292@localhost) by binky.Central.Sun.COM (8.14.3+Sun/8.14.3/Submit) id n89G9qRm013160; Wed, 9 Sep 2009 11:09:52 -0500 (CDT)
X-Authentication-Warning: binky.Central.Sun.COM: nw141292 set sender to Nicolas.Williams@sun.com using -f
Date: Wed, 09 Sep 2009 11:09:52 -0500
From: Nicolas Williams <Nicolas.Williams@sun.com>
To: ldap-dir@ietf.org, Alexey Melnikov <alexey.melnikov@isode.com>
Message-ID: <20090909160952.GV1048@Sun.COM>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
User-Agent: Mutt/1.5.7i
X-Mailman-Approved-At: Thu, 10 Sep 2009 08:05:09 -0700
Subject: [Ldap-dir] Concerns about draft-ietf-nfsv4-federated-fs-protocol
X-BeenThere: ldap-dir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: LDAP Directorate <ldap-dir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ldap-dir>, <mailto:ldap-dir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ldap-dir>
List-Post: <mailto:ldap-dir@ietf.org>
List-Help: <mailto:ldap-dir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ldap-dir>, <mailto:ldap-dir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Sep 2009 16:20:43 -0000
Dear LDAP directorate,
I have several issues with draft-ietf-nfsv4-federated-fs-protocol-03, of
which at least two remain outstanding, and which the authors do not wish
to address. My concerns:
1) It requires that searches have scope=one and base-DN="o=fedfs":
"
The base name (or suffix) of the NSDB directory information tree
(DIT) is "o=fedfs".
"
and
"
The scope value of "one" restricts the
search to the entry's children (rather than the entire subtree below
the entry) and the filter ensures that only FSL entries are returned.
"
I believe this unnecessarily constrains deployment and will cause many
problems. I also believe that this is probably an artifact of one or
more of the authors needing to furnish a base DN to typical LDAP APIs,
and the simplest (but wrong) thing to do was to hardcode it.
The document also says the following, which, incidentally, is
practically a corollary of the o=fedfs requirement:
"
Given the above configuration guidelines, an NSDB SHOULD be
constructed using a dedicated LDAP directory. Separate LDAP
directories may be used for other purposes, such as storing user
account information. By using an LDAP directory dedicated to storing
NSDB records, there is no need to disturb the configuration of any
other LDAP directories that store information unrelated to an NSDB.
"
I don't think an RFC should make such a recommendation (really, a
requirement). But more than anything I don't think an RFC should
mandate the names of a DIT's namingContexts.
(The example searches don't filter on objectClass, which may be another
reason why the authors chose to segregate the NSDB from the rest of the
DIT.)
2) The use of UUIDs for object naming to guarantee object DN uniqueness,
while not necessarily a problem, seems unnecessary: the directory should
ensure object DN uniqueness, thus there is no need to enforce uniqueness
at the application layer!
Specifically the I-D says:
"
Since LDAP requires a DN to be unique, this ensures that each FSN
entry has a unique UUID value within the LDAP directory.
"
In particular it seems that the use of UUIDs derives from the fact that
an NFSv4 federation is expected to consist of per-domain "NSDBs", where
each NSDB is an LDAP DS or more, all with a flat NSDB object naming
scheme (see issue (1)), but which is still expected to have federation-
wide unique NSDB object names. That's where UUIDs as object names come
in. Of course, there's no way in this scheme to know where an NSDB
resides just from its name -- which begs the question of why a flat
global NSDB object namespace is needed in the first place.
I believe this document represents a gross misuse of LDAP. But I cannot
convince the authors that that is the case. Hopefully the App Area will
have a chance to review this document and review my concerns.
Nico
--
- [Ldap-dir] Concerns about draft-ietf-nfsv4-federa… Nicolas Williams
- Re: [Ldap-dir] Concerns about draft-ietf-nfsv4-fe… Leif Johansson
- Re: [Ldap-dir] Concerns about draft-ietf-nfsv4-fe… Nicolas Williams
- Re: [Ldap-dir] Concerns about draft-ietf-nfsv4-fe… Leif Johansson
- Re: [Ldap-dir] Concerns about draft-ietf-nfsv4-fe… Nicolas Williams