Re: [ldapext] draft-stroeder-hashed-userpassword-values-01
Michael Ströder <michael@stroeder.com> Fri, 15 March 2013 22:44 UTC
Return-Path: <michael@stroeder.com>
X-Original-To: ldapext@ietfa.amsl.com
Delivered-To: ldapext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BF32621F86C1 for <ldapext@ietfa.amsl.com>; Fri, 15 Mar 2013 15:44:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.239
X-Spam-Level:
X-Spam-Status: No, score=-3.239 tagged_above=-999 required=5 tests=[AWL=0.060, BAYES_00=-2.599, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8OtwxjsvcUz7 for <ldapext@ietfa.amsl.com>; Fri, 15 Mar 2013 15:44:59 -0700 (PDT)
Received: from srv1.stroeder.com (srv1.stroeder.com [213.240.180.113]) by ietfa.amsl.com (Postfix) with ESMTP id D6CC51F0D07 for <ldapext@ietf.org>; Fri, 15 Mar 2013 15:44:50 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by srv1.stroeder.com (Postfix) with ESMTP id 0E133603D6; Fri, 15 Mar 2013 23:44:49 +0100 (CET)
X-Virus-Scanned: amavisd-new at stroeder.com
Received: from srv1.stroeder.com ([127.0.0.1]) by localhost (srv1.stroeder.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iBBL-Z9BZvfV; Fri, 15 Mar 2013 23:44:38 +0100 (CET)
Received: from [10.1.0.2] (unknown [10.1.0.2]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by srv1.stroeder.com (Postfix) with ESMTPS id 868AF60327; Fri, 15 Mar 2013 22:44:37 +0000 (UTC)
Message-ID: <5143A455.80205@stroeder.com>
Date: Fri, 15 Mar 2013 23:44:37 +0100
From: Michael Ströder <michael@stroeder.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:19.0) Gecko/20100101 Firefox/19.0 SeaMonkey/2.16.2
MIME-Version: 1.0
To: Howard Chu <hyc@highlandsun.com>, ldapext <ldapext@ietf.org>
References: <5103F924.2070800@stroeder.com> <CABBgLkcnK7WfthFOBD5Esfz+g1izcKoGgtxzKKDntc0i=E7LOQ@mail.gmail.com> <510782A6.7050209@stroeder.com> <3ED81CD8-59DA-482E-8AFA-C68E53A62067@isode.com> <51410020.4020800@stroeder.com> <20130314001901.GN18706@slab.skills-1st.co.uk> <5141F560.6040805@highlandsun.com> <5142171C.6090807@stroeder.com> <51421EC9.6060502@highlandsun.com> <514222B0.9090107@stroeder.com> <51431F8D.3030701@highlandsun.com>
In-Reply-To: <51431F8D.3030701@highlandsun.com>
X-Enigmail-Version: 1.5.1
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha1"; boundary="------------ms070601010609050802080207"
Cc: "ldap@umich.edu" <ldap@umich.edu>
Subject: Re: [ldapext] draft-stroeder-hashed-userpassword-values-01
X-BeenThere: ldapext@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: LDAP Extension Working Group <ldapext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ldapext>, <mailto:ldapext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ldapext>
List-Post: <mailto:ldapext@ietf.org>
List-Help: <mailto:ldapext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ldapext>, <mailto:ldapext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 15 Mar 2013 22:44:59 -0000
Howard Chu wrote: > Michael Ströder wrote: >> Another use-cases is dealing with data migration to server product of another >> vendor. > > In which case the Admin must look up the documentation of the other vendor's > product. Yes. But it's so much easier to ask a vendor whether the userPassword syntax adheres to some of the variants described in this document. Actually according to your statement above it's a pretty good example why such a document is needed. >>> Finally, an objectclass that defines "MUST userPassword" also has to be >>> considered broken. (Reminds me of groupOfNames / MUST member.) >> >> That's simply your personal opinion not a strong objecting argument. > > You're obviously missing the bigger picture then. I don't. But this document is not about schema design anyway. > I shouldn't need to remind > you of all the trouble that "MUST member" has caused. Ok, let's go for this example... I remember Kurt pointing out one use-case for "MUST member" during discussion about draft-findlay-ldap-groupofentries: You can check whether 'member' is empty or whether access was prohibited by ACLs. Not that I'm *personally* in favour of such a use-case (up to now). But another deployer could have good reasons to want that and it was good to read Kurt's hint about something I personally did not think about before. Or maybe even I personally might have such a use-case in the future. So stating that "MUST userPassword" is broken in any case for every deployment is pretty presumptuous. > In this case, deleting a userPassword is a straightforward way of disabling > authentication for an account. It's one possibility to do it. It's not the variant I prefer though. And also normal user accounts for humans are not the only user accounts to consider. > If your schema prevents this mechanism your schema is broken. That's > not an opinion, that's fact. I strongly disagree for various reasons we should discuss in another thread if you really want. >> Yes. But this would just be another scheme to be defined somewhere else. >> This draft does not claim to cover everything you could ever stuff into >> 'userPassword'. > > But defining a formal syntax as you're doing *does* exactly that. Which is why > I'm telling you you're making a mistake. This draft does not claim that the formal syntax specified therein is the only possible syntax for 'userPassword' ever used. If you suggest wording to make that more clear I'd of course consider it to be added. Ciao, Michael.
- [ldapext] Any implementations using userPassword;… Michael Ströder
- Re: [ldapext] Any implementations using userPassw… Luke Howard
- Re: [ldapext] Any implementations using userPassw… Andrew Sciberras
- Re: [ldapext] Any implementations using userPassw… Michael Ströder
- Re: [ldapext] Any implementations using userPassw… Kurt Zeilenga
- [ldapext] draft-stroeder-hashed-userpassword-valu… Michael Ströder
- Re: [ldapext] draft-stroeder-hashed-userpassword-… Kurt Zeilenga
- Re: [ldapext] draft-stroeder-hashed-userpassword-… Michael Ströder
- [ldapext] draft-stroeder-hashed-userpassword-valu… Michael Ströder
- Re: [ldapext] draft-stroeder-hashed-userpassword-… Andrew Findlay
- Re: [ldapext] draft-stroeder-hashed-userpassword-… Michael Ströder
- Re: [ldapext] draft-stroeder-hashed-userpassword-… Ludovic Poitou
- Re: [ldapext] draft-stroeder-hashed-userpassword-… Michael Ströder
- Re: [ldapext] draft-stroeder-hashed-userpassword-… Howard Chu
- Re: [ldapext] draft-stroeder-hashed-userpassword-… Kurt Zeilenga
- Re: [ldapext] [ldap] Re: draft-stroeder-hashed-us… Michael Ströder
- Re: [ldapext] [ldap] Re: draft-stroeder-hashed-us… Howard Chu
- Re: [ldapext] [ldap] Re: draft-stroeder-hashed-us… Michael Ströder
- Re: [ldapext] [ldap] Re: draft-stroeder-hashed-us… Howard Chu
- Re: [ldapext] [ldap] Re: draft-stroeder-hashed-us… Michael Ströder
- Re: [ldapext] [ldap] Re: draft-stroeder-hashed-us… Andrew Findlay
- Re: [ldapext] [ldap] Re: draft-stroeder-hashed-us… Kurt Zeilenga
- Re: [ldapext] [ldap] Re: draft-stroeder-hashed-us… Andrew Findlay
- Re: [ldapext] draft-stroeder-hashed-userpassword-… Andrew Findlay
- Re: [ldapext] [ldap] Re: draft-stroeder-hashed-us… Howard Chu
- Re: [ldapext] [ldap] Re: draft-stroeder-hashed-us… Michael Ströder
- Re: [ldapext] draft-stroeder-hashed-userpassword-… Michael Ströder
- Re: [ldapext] draft-stroeder-hashed-userpassword-… Hallvard Breien Furuseth