Re: [ldapext] empty-groupOfNames-issue

Simo Sorce <simo@redhat.com> Fri, 04 December 2015 15:58 UTC

Return-Path: <simo@redhat.com>
X-Original-To: ldapext@ietfa.amsl.com
Delivered-To: ldapext@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 66CC11A88DE for <ldapext@ietfa.amsl.com>; Fri, 4 Dec 2015 07:58:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.911
X-Spam-Level:
X-Spam-Status: No, score=-6.911 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_HELO_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4bwKBN3DW6mU for <ldapext@ietfa.amsl.com>; Fri, 4 Dec 2015 07:58:00 -0800 (PST)
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 910581A88D2 for <ldapext@ietf.org>; Fri, 4 Dec 2015 07:58:00 -0800 (PST)
Received: from int-mx11.intmail.prod.int.phx2.redhat.com (int-mx11.intmail.prod.int.phx2.redhat.com [10.5.11.24]) by mx1.redhat.com (Postfix) with ESMTPS id 59CE0C0CC62C; Fri, 4 Dec 2015 15:58:00 +0000 (UTC)
Received: from willson.usersys.redhat.com ([10.3.113.3]) by int-mx11.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id tB4FvwwX021240 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Fri, 4 Dec 2015 10:57:59 -0500
Message-ID: <1449244678.3445.66.camel@redhat.com>
From: Simo Sorce <simo@redhat.com>
To: Andrew Findlay <andrew.findlay@skills-1st.co.uk>
Date: Fri, 04 Dec 2015 10:57:58 -0500
In-Reply-To: <1449244604.3445.65.camel@redhat.com>
References: <5661765D.6040603@stroeder.com> <20151204134757.GE3643@slab.skills-1st.co.uk> <56619F0A.8060608@stroeder.com> <20151204152510.GG3643@slab.skills-1st.co.uk> <1449244604.3445.65.camel@redhat.com>
Organization: Red Hat, Inc.
Content-Type: text/plain; charset="UTF-8"
Mime-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Scanned-By: MIMEDefang 2.68 on 10.5.11.24
Archived-At: <http://mailarchive.ietf.org/arch/msg/ldapext/DiwYgRHuGccoXOfUx9WTUqASmac>
Cc: ldapext <ldapext@ietf.org>, Michael =?ISO-8859-1?Q?Str=F6der?= <michael@stroeder.com>
Subject: Re: [ldapext] empty-groupOfNames-issue
X-BeenThere: ldapext@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: LDAP Extension Working Group <ldapext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ldapext>, <mailto:ldapext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ldapext/>
List-Post: <mailto:ldapext@ietf.org>
List-Help: <mailto:ldapext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ldapext>, <mailto:ldapext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 04 Dec 2015 15:58:02 -0000

On Fri, 2015-12-04 at 10:56 -0500, Simo Sorce wrote:
> On Fri, 2015-12-04 at 15:25 +0000, Andrew Findlay wrote:
> > On Fri, Dec 04, 2015 at 03:11:22PM +0100, Michael Ströder wrote:
> > 
> > > Do you think that a complete replacement RFC _obsoleting_ RFC 4519 would be
> > > needed?  If the ldapext community would agree on changing the standard wouldn't
> > > a small RFC _updating_ RFC 4519 also be sufficient?
> > 
> > That may be possible, but I don't know enough about the conventions to
> > be sure.
> > 
> > > Please let us keep the scope limited to the empty-groupOfNames-issue.  I'm not
> > > keen on opening the can-of-worms on semantics of nested groups.
> > 
> > Indeed. That needs tackling in due course, but it is a much bigger problem.
> > 
> > > >> http://tools.ietf.org/html/draft-findlay-ldap-groupofentries
> > > >>
> > > >> + Very simple
> > > >> + Fully compliant to standardization best practices
> > > >>
> > > >> - It's not clear whether it was widely adopted in deployments.
> > > > 
> > > > Maybe not in the exact form I described in that I-D, but functionally
> > > > equivalent objectclasses have been in most of my customers' systems.
> > > > It could be argued that the corrupted form of groupOfNames described
> > > > above is actually proof of widespread deployment of an analogous class.
> > > 
> > > Hmm, the wording gets a bit blurry here.
> > > How would you explain the clear distinction between 1. and 2.?
> > 
> > There are exacly 2 differences between groupOfNames and groupOfEntries:
> > 
> > 1)	the member attribute is mandatory in groupOfNames but
> > 	optional in groupOfEntries
> > 
> > 2)	the name and OID are different
> > 
> > In practical terms, groupOfEntries is better because it allows for
> > empty groups. The benefits are:
> > 
> > a)	Empty groups are reasonable things to have: the need for a group
> > 	does not disappear just because there are no current members.
> > 
> > b)	Forcing groups to always contain at least one entry causes
> > 	management systems to do silly things like adding an entry for
> > 	a non-existent member or even making the group recursively a
> > 	member of itself. These workarounds for the broken definition
> > 	can cause security problems as well as just being awkward.
> > 	There is no defined convention for doing this, so identifying
> > 	the dummy member can be difficult. If several management systems
> > 	can modify the same entry it is possible that it will accumulate
> > 	several dummy members.
> > 
> > Changing the existing groupOfNames to make member an optional attribute
> > does not solve the problem:
> > 
> > p)	Existing management systems will continue to add dummy members
> > 	but new ones will not know what to do about such values.
> > 
> > q)	New management systems will have to check the schema definition
> > 	to find out whether member is mandatory or not.
> > 
> > In effect, groupOfNames has been corrupted and is no longer a portable
> > objectclass.
> 
> I do not agree with this conclusion.
> Realxing the constraint from MUST to MAY is forward compatible, and
> older tools can keep doing what they always did.
> 
> Given there is no provision in the old or new groupOfNames to have
> members that "make sense", software always need to be prepared to deal
> with bogus members, so p) is not a "problem to solve".
> 
> You may have a point with q) if you want to deal with a generic
> management system, but then your proposal to create a new objectlcass
> adds exactly the same problem, as the management system need to know
> what to use, except it makes it worse in 2 ways:
> 1) you have no way to find out what to do just by inspecting the schema
> because both classes may be in the schema, which do you choose ?
> 2) you have to change all client applications that are hardcoded to use
> groupOfNames
> 
> Looking at 1) and 2) then q) is a comparatively little price to pay.
> 
> > On the other hand, the corrupt version of groupOfNames does serve as
> > a proof that groupOfEntries is desired by the community because it is
> > functionally identical.
> 
> Yet it is not identical, see 2) above.

Just to be clear, I am not against groupOfEntries and necessarily in
favor of changing groupOfNames (although I did in our implementation), I
just wanted to express dissent on the conclusions you drew.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York