Re: [Ldap-dir] DLAP Directorate review request for draft-dawkins-ldapext-subnot

[Ludovic Poitou <Ludovic.Poitou@Sun.COM>]

On Oct 15, 2009, at 2:41 AM, Steven Legg wrote:

>
> Hi Spencer,
>
> Kurt Zeilenga wrote:
>> The immediate question I have is "but why?"  That is, I'd like to  
>> understand better what the application requirements are so that I  
>> can analysis whether or not this mechanism mets those  
>> requirements.  I'd also like to understand better why none of the  
>> existing extensions in this area were (presumedly) found to do not  
>> address the application requirements.
>
> Ditto from me on the "but why". One thing the draft doesn't make clear
> is whether a subscription persists beyond the LDAP session that
> establishes it.

Ditto.


> That is, can an LDAP client create a subscription,
> end the session, and come back later with a new session and pick up
> the notifications for events that occurred in the meantime and occur
> subsequently ? If not, then this appears to be just another (though
> perhaps cleaner) way to do persistent search, for which there are
> already implementations.
>
> Have any LDAP server vendors expressed an interest in implementing  
> this
> subscription mechanism ?

We've had discussions with one of our customer who was interested in  
similar subscription / notification model, with the ability to end  
session, come back and retrieve notifications for all events since the  
end of the last session.

If this I-D is along the same line, we may implement such  
functionality in our server. There are definitely things to tidy up  
first.

Regards,

Ludovic.

>
> Regards,
> Steven
>
>> I am curious as to why firewalls and NATs are mentioned in the  
>> applicability of the specification.  Does this extension not have  
>> the same basic issues with firewalls and NATs that simple LDAP  
>> has?  That is, LDAP generally works just fine (*) through firewalls  
>> and NATs so long as they are configured to allow traversal, as most  
>> TCP-based client/server protocols do.  (* expecting issues with  
>> reverse NAT and knowledge references, and the like).
>> I didn't dig into the particulars of the extension protocol yet.  I  
>> defer comments here until I better understand the "why?".  But on  
>> first glance, I suspect it suffers from many of the problems folks  
>> have found in triggered searches and like extensions.
>> On security considerations, I suspect there are many considerations  
>> that this extension, by itself, raises.  Just referencing general  
>> LDAP security considerations seems quite inadequate to me.
>> -- Kurt
>> On Oct 14, 2009, at 1:07 PM, Alexey Melnikov wrote:
>>> Spencer Dawkins wrote:
>>>
>>>> Hi, LDAP Directorate,
>>>
>>> Hi Spencer,
>>>
>>>> Some of you may be aware of a 3GPP CT4 proposal to add a  
>>>> subscribe/notify capability to LDAP.
>>>>
>>>> I've been helping Xun Peng with a draft describing this  
>>>> extension, which I've just posted as http://www.ietf.org/id/draft-dawkins-ldapext-subnot-00.txt 
>>>> .
>>>>
>>>> Alexey told me that the next step was to request a review from  
>>>> the LDAP Directorate, asking for your opinion on AD-sponsoring  
>>>> this work, so I'm requesting your review.
>>>>
>>>> I will be present in Hiroshima for any face-to-face discussions  
>>>> that would be helpful.
>>>
>>> Do you want some time at the Apps Area meeting in Hiroshima  
>>> (Monday 9:00am)?
>>>
>>>> A note on timing - 3GPP CT4 is meeting the same week as IETF 76,  
>>>> and will be making a decision during that meeting on whether to  
>>>> use the approach described in this draft (and processed in the  
>>>> IETF) or to use an XML/SOAP alternative (not processed in the  
>>>> IETF). It would be extremely helpful to have your feedback before  
>>>> November 13 (when both IETF 76 and the CT4 meeting end).
>>>>
>>>> Thanks,
>>>>
>>>> Spencer
>>>
>>>
>>> _______________________________________________
>>> Ldap-dir mailing list
>>> Ldap-dir@ietf.org
>>> https://www.ietf.org/mailman/listinfo/ldap-dir
>> _______________________________________________
>> Ldap-dir mailing list
>> Ldap-dir@ietf.org
>> https://www.ietf.org/mailman/listinfo/ldap-dir
> _______________________________________________
> Ldap-dir mailing list
> Ldap-dir@ietf.org
> https://www.ietf.org/mailman/listinfo/ldap-dir

---
Ludovic Poitou                                    Sun Microsystems Inc.
OpenDS Community Manager            Directory Services
http://blogs.sun.com/Ludo/         Grenoble Engineering Center - France

Join OpenDS, https://opends.dev.java.net/servlets/ProjectMembershipRequest

Sun Microsystems requires the following notice:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
NOTICE:  This email message is for the sole use of the intended
recipient(s) and may contain confidential and privileged information.
Any unauthorized review, use, disclosure or distribution is prohibited.
If you are not the intended recipient, please contact the sender by
reply email and destroy all copies of the original message.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~