IETF Logo Mail Archive

Re: [ldapext] draft-stroeder-hashed-userpassword-values-01

Michael Ströder <michael@stroeder.com> Fri, 15 March 2013 22:44 UTC

Return-Path: <michael@stroeder.com>
X-Original-To: ldapext@ietfa.amsl.com
Delivered-To: ldapext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BF32621F86C1 for <ldapext@ietfa.amsl.com>; Fri, 15 Mar 2013 15:44:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.239
X-Spam-Level:
X-Spam-Status: No, score=-3.239 tagged_above=-999 required=5 tests=[AWL=0.060, BAYES_00=-2.599, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8OtwxjsvcUz7 for <ldapext@ietfa.amsl.com>; Fri, 15 Mar 2013 15:44:59 -0700 (PDT)
Received: from srv1.stroeder.com (srv1.stroeder.com [213.240.180.113]) by ietfa.amsl.com (Postfix) with ESMTP id D6CC51F0D07 for <ldapext@ietf.org>; Fri, 15 Mar 2013 15:44:50 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by srv1.stroeder.com (Postfix) with ESMTP id 0E133603D6; Fri, 15 Mar 2013 23:44:49 +0100 (CET)
X-Virus-Scanned: amavisd-new at stroeder.com
Received: from srv1.stroeder.com ([127.0.0.1]) by localhost (srv1.stroeder.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iBBL-Z9BZvfV; Fri, 15 Mar 2013 23:44:38 +0100 (CET)
Received: from [10.1.0.2] (unknown [10.1.0.2]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by srv1.stroeder.com (Postfix) with ESMTPS id 868AF60327; Fri, 15 Mar 2013 22:44:37 +0000 (UTC)
Message-ID: <5143A455.80205@stroeder.com>
Date: Fri, 15 Mar 2013 23:44:37 +0100
From: Michael Ströder <michael@stroeder.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:19.0) Gecko/20100101 Firefox/19.0 SeaMonkey/2.16.2
MIME-Version: 1.0
To: Howard Chu <hyc@highlandsun.com>, ldapext <ldapext@ietf.org>
References: <5103F924.2070800@stroeder.com> <CABBgLkcnK7WfthFOBD5Esfz+g1izcKoGgtxzKKDntc0i=E7LOQ@mail.gmail.com> <510782A6.7050209@stroeder.com> <3ED81CD8-59DA-482E-8AFA-C68E53A62067@isode.com> <51410020.4020800@stroeder.com> <20130314001901.GN18706@slab.skills-1st.co.uk> <5141F560.6040805@highlandsun.com> <5142171C.6090807@stroeder.com> <51421EC9.6060502@highlandsun.com> <514222B0.9090107@stroeder.com> <51431F8D.3030701@highlandsun.com>
In-Reply-To: <51431F8D.3030701@highlandsun.com>
X-Enigmail-Version: 1.5.1
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha1"; boundary="------------ms070601010609050802080207"
Cc: "ldap@umich.edu" <ldap@umich.edu>
Subject: Re: [ldapext] draft-stroeder-hashed-userpassword-values-01
X-BeenThere: ldapext@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: LDAP Extension Working Group <ldapext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ldapext>, <mailto:ldapext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ldapext>
List-Post: <mailto:ldapext@ietf.org>
List-Help: <mailto:ldapext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ldapext>, <mailto:ldapext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 15 Mar 2013 22:44:59 -0000

Howard Chu wrote:
> Michael Ströder wrote:
>> Another use-cases is dealing with data migration to server product of another
>> vendor.
> 
> In which case the Admin must look up the documentation of the other vendor's
> product.

Yes. But it's so much easier to ask a vendor whether the userPassword syntax
adheres to some of the variants described in this document. Actually according
to your statement above it's a pretty good example why such a document is needed.

>>> Finally, an objectclass that defines "MUST userPassword" also has to be
>>> considered broken. (Reminds me of groupOfNames / MUST member.)
>>
>> That's simply your personal opinion not a strong objecting argument.
> 
> You're obviously missing the bigger picture then.

I don't. But this document is not about schema design anyway.

> I shouldn't need to remind
> you of all the trouble that "MUST member" has caused.

Ok, let's go for this example...

I remember Kurt pointing out one use-case for "MUST member" during discussion
about draft-findlay-ldap-groupofentries:
You can check whether 'member' is empty or whether access was prohibited by ACLs.

Not that I'm *personally* in favour of such a use-case (up to now). But
another deployer could have good reasons to want that and it was good to read
Kurt's hint about something I personally did not think about before. Or maybe
even I personally might have such a use-case in the future.

So stating that "MUST userPassword" is broken in any case for every deployment
is pretty presumptuous.

> In this case, deleting a userPassword is a straightforward way of disabling
> authentication for an account.

It's one possibility to do it.
It's not the variant I prefer though.

And also normal user accounts for humans are not the only user accounts to
consider.

> If your schema prevents this mechanism your schema is broken. That's
> not an opinion, that's fact.

I strongly disagree for various reasons we should discuss in another thread if
you really want.

>> Yes. But this would just be another scheme to be defined somewhere else.
>> This draft does not claim to cover everything you could ever stuff into
>> 'userPassword'.
> 
> But defining a formal syntax as you're doing *does* exactly that. Which is why
> I'm telling you you're making a mistake.

This draft does not claim that the formal syntax specified therein is the only
possible syntax for 'userPassword' ever used.

If you suggest wording to make that more clear I'd of course consider it to be
added.

Ciao, Michael.

v2.23.0 | Report a Bug | By Email