Re: [ldapext] empty-groupOfNames-issue
Simo Sorce <simo@redhat.com> Fri, 04 December 2015 15:58 UTC
Return-Path: <simo@redhat.com>
X-Original-To: ldapext@ietfa.amsl.com
Delivered-To: ldapext@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 66CC11A88DE for <ldapext@ietfa.amsl.com>; Fri, 4 Dec 2015 07:58:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.911
X-Spam-Level:
X-Spam-Status: No, score=-6.911 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_HELO_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4bwKBN3DW6mU for <ldapext@ietfa.amsl.com>; Fri, 4 Dec 2015 07:58:00 -0800 (PST)
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 910581A88D2 for <ldapext@ietf.org>; Fri, 4 Dec 2015 07:58:00 -0800 (PST)
Received: from int-mx11.intmail.prod.int.phx2.redhat.com (int-mx11.intmail.prod.int.phx2.redhat.com [10.5.11.24]) by mx1.redhat.com (Postfix) with ESMTPS id 59CE0C0CC62C; Fri, 4 Dec 2015 15:58:00 +0000 (UTC)
Received: from willson.usersys.redhat.com ([10.3.113.3]) by int-mx11.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id tB4FvwwX021240 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Fri, 4 Dec 2015 10:57:59 -0500
Message-ID: <1449244678.3445.66.camel@redhat.com>
From: Simo Sorce <simo@redhat.com>
To: Andrew Findlay <andrew.findlay@skills-1st.co.uk>
Date: Fri, 04 Dec 2015 10:57:58 -0500
In-Reply-To: <1449244604.3445.65.camel@redhat.com>
References: <5661765D.6040603@stroeder.com> <20151204134757.GE3643@slab.skills-1st.co.uk> <56619F0A.8060608@stroeder.com> <20151204152510.GG3643@slab.skills-1st.co.uk> <1449244604.3445.65.camel@redhat.com>
Organization: Red Hat, Inc.
Content-Type: text/plain; charset="UTF-8"
Mime-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Scanned-By: MIMEDefang 2.68 on 10.5.11.24
Archived-At: <http://mailarchive.ietf.org/arch/msg/ldapext/DiwYgRHuGccoXOfUx9WTUqASmac>
Cc: ldapext <ldapext@ietf.org>, Michael Ströder <michael@stroeder.com>
Subject: Re: [ldapext] empty-groupOfNames-issue
X-BeenThere: ldapext@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: LDAP Extension Working Group <ldapext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ldapext>, <mailto:ldapext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ldapext/>
List-Post: <mailto:ldapext@ietf.org>
List-Help: <mailto:ldapext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ldapext>, <mailto:ldapext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 04 Dec 2015 15:58:02 -0000
On Fri, 2015-12-04 at 10:56 -0500, Simo Sorce wrote: > On Fri, 2015-12-04 at 15:25 +0000, Andrew Findlay wrote: > > On Fri, Dec 04, 2015 at 03:11:22PM +0100, Michael Ströder wrote: > > > > > Do you think that a complete replacement RFC _obsoleting_ RFC 4519 would be > > > needed? If the ldapext community would agree on changing the standard wouldn't > > > a small RFC _updating_ RFC 4519 also be sufficient? > > > > That may be possible, but I don't know enough about the conventions to > > be sure. > > > > > Please let us keep the scope limited to the empty-groupOfNames-issue. I'm not > > > keen on opening the can-of-worms on semantics of nested groups. > > > > Indeed. That needs tackling in due course, but it is a much bigger problem. > > > > > >> http://tools.ietf.org/html/draft-findlay-ldap-groupofentries > > > >> > > > >> + Very simple > > > >> + Fully compliant to standardization best practices > > > >> > > > >> - It's not clear whether it was widely adopted in deployments. > > > > > > > > Maybe not in the exact form I described in that I-D, but functionally > > > > equivalent objectclasses have been in most of my customers' systems. > > > > It could be argued that the corrupted form of groupOfNames described > > > > above is actually proof of widespread deployment of an analogous class. > > > > > > Hmm, the wording gets a bit blurry here. > > > How would you explain the clear distinction between 1. and 2.? > > > > There are exacly 2 differences between groupOfNames and groupOfEntries: > > > > 1) the member attribute is mandatory in groupOfNames but > > optional in groupOfEntries > > > > 2) the name and OID are different > > > > In practical terms, groupOfEntries is better because it allows for > > empty groups. The benefits are: > > > > a) Empty groups are reasonable things to have: the need for a group > > does not disappear just because there are no current members. > > > > b) Forcing groups to always contain at least one entry causes > > management systems to do silly things like adding an entry for > > a non-existent member or even making the group recursively a > > member of itself. These workarounds for the broken definition > > can cause security problems as well as just being awkward. > > There is no defined convention for doing this, so identifying > > the dummy member can be difficult. If several management systems > > can modify the same entry it is possible that it will accumulate > > several dummy members. > > > > Changing the existing groupOfNames to make member an optional attribute > > does not solve the problem: > > > > p) Existing management systems will continue to add dummy members > > but new ones will not know what to do about such values. > > > > q) New management systems will have to check the schema definition > > to find out whether member is mandatory or not. > > > > In effect, groupOfNames has been corrupted and is no longer a portable > > objectclass. > > I do not agree with this conclusion. > Realxing the constraint from MUST to MAY is forward compatible, and > older tools can keep doing what they always did. > > Given there is no provision in the old or new groupOfNames to have > members that "make sense", software always need to be prepared to deal > with bogus members, so p) is not a "problem to solve". > > You may have a point with q) if you want to deal with a generic > management system, but then your proposal to create a new objectlcass > adds exactly the same problem, as the management system need to know > what to use, except it makes it worse in 2 ways: > 1) you have no way to find out what to do just by inspecting the schema > because both classes may be in the schema, which do you choose ? > 2) you have to change all client applications that are hardcoded to use > groupOfNames > > Looking at 1) and 2) then q) is a comparatively little price to pay. > > > On the other hand, the corrupt version of groupOfNames does serve as > > a proof that groupOfEntries is desired by the community because it is > > functionally identical. > > Yet it is not identical, see 2) above. Just to be clear, I am not against groupOfEntries and necessarily in favor of changing groupOfNames (although I did in our implementation), I just wanted to express dissent on the conclusions you drew. Simo. -- Simo Sorce * Red Hat, Inc * New York
- [ldapext] empty-groupOfNames-issue Michael Ströder
- Re: [ldapext] empty-groupOfNames-issue Andrew Findlay
- Re: [ldapext] empty-groupOfNames-issue Michael Ströder
- Re: [ldapext] empty-groupOfNames-issue Andrew Findlay
- Re: [ldapext] empty-groupOfNames-issue Simo Sorce
- Re: [ldapext] empty-groupOfNames-issue Simo Sorce
- Re: [ldapext] empty-groupOfNames-issue Simo Sorce
- Re: [ldapext] empty-groupOfNames-issue Andrew Findlay
- Re: [ldapext] empty-groupOfNames-issue Michael Ströder
- Re: [ldapext] empty-groupOfNames-issue Michael Ströder
- Re: [ldapext] empty-groupOfNames-issue Simo Sorce
- Re: [ldapext] empty-groupOfNames-issue Jordan Brown