Re: [ldapext] LDAP work at IETF...
Mark R Bannister <dbis@proseconsulting.co.uk> Sun, 01 February 2015 22:50 UTC
Return-Path: <dbis@proseconsulting.co.uk>
X-Original-To: ldapext@ietfa.amsl.com
Delivered-To: ldapext@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5EF681A1B82 for <ldapext@ietfa.amsl.com>; Sun, 1 Feb 2015 14:50:39 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.1
X-Spam-Level: *
X-Spam-Status: No, score=1.1 tagged_above=-999 required=5 tests=[BAYES_50=0.8, MIME_8BIT_HEADER=0.3] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IHpJk5V79CL6 for <ldapext@ietfa.amsl.com>; Sun, 1 Feb 2015 14:50:38 -0800 (PST)
Received: from mailex.mailcore.me (mailex.mailcore.me [94.136.40.64]) by ietfa.amsl.com (Postfix) with ESMTP id 3BEFC1A1B77 for <ldapext@ietf.org>; Sun, 1 Feb 2015 14:50:38 -0800 (PST)
Received: from host86-178-119-20.range86-178.btcentralplus.com ([86.178.119.20] helo=[192.168.1.67]) by mail5.atlas.pipex.net with esmtpa (Exim 4.71) (envelope-from <dbis@proseconsulting.co.uk>) id 1YI3Lh-00034f-4N; Sun, 01 Feb 2015 22:50:37 +0000
Message-ID: <54CEADBC.5070902@proseconsulting.co.uk>
Date: Sun, 01 Feb 2015 22:50:36 +0000
From: Mark R Bannister <dbis@proseconsulting.co.uk>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.4.0
MIME-Version: 1.0
To: Michael Ströder <michael@stroeder.com>, ldapext@ietf.org
References: <etPan.54c553b0.19e21bb2.1f2@lpm.local> <54C77E7A.6010506@proseconsulting.co.uk> <54C7B32A.7050709@stroeder.com> <54C7FA23.7000101@proseconsulting.co.uk> <54C80DB9.10901@stroeder.com> <54C81EBD.3020804@proseconsulting.co.uk> <54C921AB.1090309@stroeder.com>
In-Reply-To: <54C921AB.1090309@stroeder.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 8bit
X-Mailcore-Auth: 12040446
X-Mailcore-Domain: 1286164
Archived-At: <http://mailarchive.ietf.org/arch/msg/ldapext/4fSfCSuq8dOCLgSGF-jro56pDzI>
Subject: Re: [ldapext] LDAP work at IETF...
X-BeenThere: ldapext@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: LDAP Extension Working Group <ldapext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ldapext>, <mailto:ldapext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ldapext/>
List-Post: <mailto:ldapext@ietf.org>
List-Help: <mailto:ldapext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ldapext>, <mailto:ldapext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 01 Feb 2015 22:50:39 -0000
On 28/01/2015 17:51, Michael Ströder wrote: > Mark R Bannister wrote: >> On 27/01/2015 22:14, Michael Ströder wrote: >>>> I think if people >>>> started looking deeper into the DBIS internet drafts, >>> I've looked into your drafts. But it differs very much from what I'm after. We >>> had this discussion before: IMO netgroups must die, die, die... >> This contradicts your earlier assertion that clients are hard-coded. In the >> same vein, clients are hard-coded to use netgroups, ergo netgroups cannot >> "die, die, die". > No contradiction, since IMO one can easily avoid using netgroups completely. And use what instead? When one needs to group together users and hosts in logical units, what other pervasive choices are there? > With my approach the ACLs on the LDAP server sort out what clients can > actually see. Therefore you get the flexible access control without the client > having to enforce e.g. login access control locally based on netgroups. Ah, I see, so you're talking specifically of access control. Yes, if all netgroups are there to do is access control, then you can offload that as ACLs on the LDAP server. But what about the netgroups that are there to define application roles? > >> Rather than attempting to kill off something that is used extensively, and has >> actually proved to be very useful in large UNIX/Linux estates (if a bit >> clunky), I've embraced them, rationalised them, defined them in a neater and >> queryable format, and complemented them with netservices. > I'd avoid them and convert access control rules based on netgroups into > another schema and let the LDAP server's ACL work through the data. Agreed, great for access control. But I don't see how that will work for the other netgroup use-cases. >> Apart from netgroups, which you are not a fan of, how else does DBIS differ >> from what you're after? > My main objective is that not the client system evaluates all the stuff. The > client system should not see data not usable on the system. The client system > acts as a dumb RFC2307(bis) and sudo-ldap client. Of course the client system > still enforces file access permissions etc. locally. > I agree with you on that point. Perhaps I could take a similar approach with DBIS. I'm interested, today the NSS library on Linux hosts does not have the identity of the requester. It is quite normal for there to be a service account used in the LDAP bind, or perhaps even an anonymous bind. The LDAP server can then only usefully filter with ACLs data that is restricted to specific hosts, but not to specific users. So you are only solving half the problem, right? Best regards, Mark.
- Re: [ldapext] LDAP work at IETF... Michael Ströder
- [ldapext] LDAP work at IETF... Ludovic Poitou
- Re: [ldapext] LDAP work at IETF... Gavin Henry
- Re: [ldapext] LDAP work at IETF... Michael Ströder
- Re: [ldapext] LDAP work at IETF... Clément OUDOT
- Re: [ldapext] LDAP work at IETF... Michael Ströder
- Re: [ldapext] LDAP work at IETF... Andrew Findlay
- Re: [ldapext] LDAP work at IETF... Michael Ströder
- Re: [ldapext] LDAP work at IETF... Mark R Bannister
- Re: [ldapext] LDAP work at IETF... Michael Ströder
- Re: [ldapext] LDAP work at IETF... Mark R Bannister
- Re: [ldapext] LDAP work at IETF... Michael Ströder
- Re: [ldapext] LDAP work at IETF... Mark R Bannister
- Re: [ldapext] LDAP work at IETF... Michael Ströder
- Re: [ldapext] LDAP work at IETF... Mark R Bannister
- Re: [ldapext] LDAP work at IETF... Mark R Bannister
- [ldapext] RFC2307, netgroups, DBIS (was: LDAP wor… michael-catchall@mail.stroeder.local (POP3)
- [ldapext] RFC2307, netgroups, DBIS (was: LDAP wor… michael-catchall@mail.stroeder.local (POP3)
- Re: [ldapext] RFC2307, netgroups, DBIS Mark R Bannister
- Re: [ldapext] RFC2307, netgroups, DBIS Mark R Bannister
- Re: [ldapext] RFC2307, netgroups, DBIS Michael Ströder
- Re: [ldapext] RFC2307, netgroups, DBIS Michael Ströder
- Re: [ldapext] LDAP work at IETF... Clément OUDOT
- Re: [ldapext] LDAP work at IETF... Ludovic Poitou
- Re: [ldapext] RFC2307, netgroups, DBIS Mark R Bannister
- Re: [ldapext] RFC2307, netgroups, DBIS Mark R Bannister
- Re: [ldapext] RFC2307, netgroups, DBIS Michael Ströder
- Re: [ldapext] RFC2307, netgroups, DBIS Michael Ströder
- Re: [ldapext] LDAP work at IETF... Barry Leiba
- Re: [ldapext] LDAP work at IETF... Barry Leiba
- Re: [ldapext] LDAP work at IETF... Michael Ströder
- Re: [ldapext] LDAP work at IETF... Ludovic Poitou