Re: [ldapext] LDAP work at IETF...

Mark R Bannister <dbis@proseconsulting.co.uk> Sun, 01 February 2015 22:50 UTC

Return-Path: <dbis@proseconsulting.co.uk>
X-Original-To: ldapext@ietfa.amsl.com
Delivered-To: ldapext@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5EF681A1B82 for <ldapext@ietfa.amsl.com>; Sun, 1 Feb 2015 14:50:39 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.1
X-Spam-Level: *
X-Spam-Status: No, score=1.1 tagged_above=-999 required=5 tests=[BAYES_50=0.8, MIME_8BIT_HEADER=0.3] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IHpJk5V79CL6 for <ldapext@ietfa.amsl.com>; Sun, 1 Feb 2015 14:50:38 -0800 (PST)
Received: from mailex.mailcore.me (mailex.mailcore.me [94.136.40.64]) by ietfa.amsl.com (Postfix) with ESMTP id 3BEFC1A1B77 for <ldapext@ietf.org>; Sun, 1 Feb 2015 14:50:38 -0800 (PST)
Received: from host86-178-119-20.range86-178.btcentralplus.com ([86.178.119.20] helo=[192.168.1.67]) by mail5.atlas.pipex.net with esmtpa (Exim 4.71) (envelope-from <dbis@proseconsulting.co.uk>) id 1YI3Lh-00034f-4N; Sun, 01 Feb 2015 22:50:37 +0000
Message-ID: <54CEADBC.5070902@proseconsulting.co.uk>
Date: Sun, 01 Feb 2015 22:50:36 +0000
From: Mark R Bannister <dbis@proseconsulting.co.uk>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.4.0
MIME-Version: 1.0
To: =?UTF-8?B?TWljaGFlbCBTdHLDtmRlcg==?= <michael@stroeder.com>, ldapext@ietf.org
References: <etPan.54c553b0.19e21bb2.1f2@lpm.local> <54C77E7A.6010506@proseconsulting.co.uk> <54C7B32A.7050709@stroeder.com> <54C7FA23.7000101@proseconsulting.co.uk> <54C80DB9.10901@stroeder.com> <54C81EBD.3020804@proseconsulting.co.uk> <54C921AB.1090309@stroeder.com>
In-Reply-To: <54C921AB.1090309@stroeder.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit
X-Mailcore-Auth: 12040446
X-Mailcore-Domain: 1286164
Archived-At: <http://mailarchive.ietf.org/arch/msg/ldapext/4fSfCSuq8dOCLgSGF-jro56pDzI>
Subject: Re: [ldapext] LDAP work at IETF...
X-BeenThere: ldapext@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: LDAP Extension Working Group <ldapext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ldapext>, <mailto:ldapext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ldapext/>
List-Post: <mailto:ldapext@ietf.org>
List-Help: <mailto:ldapext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ldapext>, <mailto:ldapext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 01 Feb 2015 22:50:39 -0000

On 28/01/2015 17:51, Michael Ströder wrote:
> Mark R Bannister wrote:
>> On 27/01/2015 22:14, Michael Ströder wrote:
>>>> I think if people
>>>> started looking deeper into the DBIS internet drafts,
>>> I've looked into your drafts. But it differs very much from what I'm after. We
>>> had this discussion before: IMO netgroups must die, die, die...
>> This contradicts your earlier assertion that clients are hard-coded.  In the
>> same vein, clients are hard-coded to use netgroups, ergo netgroups cannot
>> "die, die, die".
> No contradiction, since IMO one can easily avoid using netgroups completely.

And use what instead?  When one needs to group together users and hosts 
in logical units,
what other pervasive choices are there?

> With my approach the ACLs on the LDAP server sort out what clients can
> actually see. Therefore you get the flexible access control without the client
> having to enforce e.g. login access control locally based on netgroups.

Ah, I see, so you're talking specifically of access control.  Yes, if 
all netgroups are there to do
is access control, then you can offload that as ACLs on the LDAP 
server.  But what about the
netgroups that are there to define application roles?

>
>> Rather than attempting to kill off something that is used extensively, and has
>> actually proved to be very useful in large UNIX/Linux estates (if a bit
>> clunky), I've embraced them, rationalised them, defined them in a neater and
>> queryable format, and complemented them with netservices.
> I'd avoid them and convert access control rules based on netgroups into
> another schema and let the LDAP server's ACL work through the data.

Agreed, great for access control.  But I don't see how that will work 
for the other netgroup
use-cases.

>> Apart from netgroups, which you are not a fan of, how else does DBIS differ
>> from what you're after?
> My main objective is that not the client system evaluates all the stuff. The
> client system should not see data not usable on the system. The client system
> acts as a dumb RFC2307(bis) and sudo-ldap client. Of course the client system
> still enforces file access permissions etc. locally.
>

I agree with you on that point.  Perhaps I could take a similar approach 
with DBIS.  I'm interested,
today the NSS library on Linux hosts does not have the identity of the 
requester.  It is quite normal
for there to be a service account used in the LDAP bind, or perhaps even 
an anonymous bind.
The LDAP server can then only usefully filter with ACLs data that is 
restricted to specific hosts,
but not to specific users.  So you are only solving half the problem, right?

Best regards,
Mark.