Re: [ldapext] RFC2307, netgroups, DBIS

Michael Ströder <> Wed, 04 February 2015 23:19 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id D5B141A0016 for <>; Wed, 4 Feb 2015 15:19:14 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.312
X-Spam-Status: No, score=-2.312 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id h-3zbDBV4-R7 for <>; Wed, 4 Feb 2015 15:19:12 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 5276D1A0011 for <>; Wed, 4 Feb 2015 15:19:12 -0800 (PST)
Received: from srv4.stroeder.local (srv4.stroeder.local []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "mail.stroeder.local", Issuer " Server CA no. 2009-07" (not verified)) by (Postfix) with ESMTPS id 29A7A1CF77; Thu, 5 Feb 2015 00:19:09 +0100 (CET)
Received: from localhost (localhost []) by srv4.stroeder.local (Postfix) with ESMTP id 55BB11CE60; Thu, 5 Feb 2015 00:19:07 +0100 (CET)
X-Virus-Scanned: amavisd-new at stroeder.local
Received: from srv4.stroeder.local ([]) by localhost (srv4.stroeder.local []) (amavisd-new, port 10024) with ESMTP id Yni0SxilyGQF; Thu, 5 Feb 2015 00:18:56 +0100 (CET)
Received: from nb2.stroeder.local (nb2.stroeder.local []) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client did not present a certificate) by srv4.stroeder.local (Postfix) with ESMTPS id B203F1CE5F; Thu, 5 Feb 2015 00:18:55 +0100 (CET)
Message-ID: <>
Date: Thu, 05 Feb 2015 00:18:55 +0100
From: =?UTF-8?Q?Michael_Str=c3=b6der?= <>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:35.0) Gecko/20100101 SeaMonkey/2.32
MIME-Version: 1.0
To: Mark R Bannister <>
References: <etPan.54c553b0.19e21bb2.1f2@lpm.local> <> <> <> <> <> <> <>
In-Reply-To: <>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha1; boundary="------------ms050701060001030909070509"
Archived-At: <>
Subject: Re: [ldapext] RFC2307, netgroups, DBIS
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: LDAP Extension Working Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 04 Feb 2015 23:19:15 -0000

Mark R Bannister wrote:
> wrote:
>> Mark R Bannister wrote:
>>> On 28/01/2015 14:14, Simo wrote:
>>>> It hurts me to curb enthusiasm, but I think your drafts are not a step
>>>> forward, at most a step sideways, and ignore what's out there right now.
>>> Given that they were written to fix specific deficiencies in RFC2307bis
>>> that were causing pain in a number of very large enterprises I have worked
>>> for, I don't see how they could be considered a step sideways.
>> Maybe I did not look closely enough. Could you please point me to some text
>> describing the specific deficiencies you solved in more detail?
> Have at look at the abstract on page 2 of
>  One of the first
> biggest requirements was reintroducing case sensitivity in a way that would be
> fully compatible with NIS, see the description of the en (4.2) and rn (4.3)
> attributes in particular.

Yes, case-sensitive matching is an issue and I already saw that text in your
drafts. I've simply added additional local constraints to the config limiting
e.g. attribute 'uid' to lower-case values. So it was not that important to me.

> Also, another requirement was to fix the schema so
> that duplicate alias names could be easily detected and prevented (1.2).

Are you talking about this text?

Frankly I don't get it (besides the SHALL for LDAP client configuration).

> Legacy unices ... depends how old we're talking.  I currently have something
> that works on RHEL4.8 and newer, and the large organisations I have spent most
> of my time with over the past 5 years are at a point where RHEL4.8 is their
> oldest legacy now.

That's pretty old right now.

> Strange appliances - not unless I can get the vendor to add support for DBIS.

And that is exactly the point.

> However, even the appliances I've worked with support local class & attribute
> remapping rules, 

Unfortunately there are counter examples where you cannot configure local
class & attribute remapping rules.

>> My approach is to lower the configuration level the client has to support by
>> filtering what's delivered to the client at the LDAP server.
> By filtering, you mean just removing entries from maps?

Yes, making users, user groups and sudoers entries invisible if the client is
not authorized to see them.

> But you still have an old schema to support

What the client sees is fully compatible to RFC2307(bis) and sudo-ldap schema.

> that wasn't fully NIS compatible to begin with ...

I don't care about full NIS feature set. I've replaced it with something
different. ;-)

Ciao, Michael.