Re: [ldapext] DBIS commentary
Jordan Brown <Jordan.Brown@oracle.com> Tue, 01 December 2015 17:53 UTC
Return-Path: <Jordan.Brown@oracle.com>
X-Original-To: ldapext@ietfa.amsl.com
Delivered-To: ldapext@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 29BC71B2E00 for <ldapext@ietfa.amsl.com>; Tue, 1 Dec 2015 09:53:19 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.21
X-Spam-Level:
X-Spam-Status: No, score=-4.21 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mY8Y_tvHYPp9 for <ldapext@ietfa.amsl.com>; Tue, 1 Dec 2015 09:53:12 -0800 (PST)
Received: from aserp1040.oracle.com (aserp1040.oracle.com [141.146.126.69]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7440D1B2DE3 for <ldapext@ietf.org>; Tue, 1 Dec 2015 09:53:05 -0800 (PST)
Received: from aserv0021.oracle.com (aserv0021.oracle.com [141.146.126.233]) by aserp1040.oracle.com (Sentrion-MTA-4.3.2/Sentrion-MTA-4.3.2) with ESMTP id tB1Hr4fc031647 (version=TLSv1 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Tue, 1 Dec 2015 17:53:04 GMT
Received: from aserv0122.oracle.com (aserv0122.oracle.com [141.146.126.236]) by aserv0021.oracle.com (8.13.8/8.13.8) with ESMTP id tB1Hr4dX021987 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL); Tue, 1 Dec 2015 17:53:04 GMT
Received: from abhmp0018.oracle.com (abhmp0018.oracle.com [141.146.116.24]) by aserv0122.oracle.com (8.13.8/8.13.8) with ESMTP id tB1Hr4Tn022508; Tue, 1 Dec 2015 17:53:04 GMT
Received: from [10.159.135.55] (/10.159.135.55) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Tue, 01 Dec 2015 09:53:04 -0800
To: "Bannister, Mark" <Mark.Bannister@morganstanley.com>
References: <5655E4F0.7030809@oracle.com> <814F4E458AA9FF4E89CF1A9EDA0DE2A932F618A3@OZWEX0209N1.msad.ms.com> <565CAC30.6010701@oracle.com> <814F4E458AA9FF4E89CF1A9EDA0DE2A932F8EAFD@OZWEX0209N2.msad.ms.com>
From: Jordan Brown <Jordan.Brown@oracle.com>
Message-ID: <565DDE78.5030908@oracle.com>
Date: Tue, 01 Dec 2015 09:52:56 -0800
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:42.0) Gecko/20100101 Firefox/42.0 SeaMonkey/2.39
MIME-Version: 1.0
In-Reply-To: <814F4E458AA9FF4E89CF1A9EDA0DE2A932F8EAFD@OZWEX0209N2.msad.ms.com>
Content-Type: multipart/alternative; boundary="------------080908010309080803020209"
X-Source-IP: aserv0021.oracle.com [141.146.126.233]
Archived-At: <http://mailarchive.ietf.org/arch/msg/ldapext/EElV_sfvuGD1uSR0JSndn0POdu4>
Cc: "'ldapext@ietf.org'" <ldapext@ietf.org>
Subject: Re: [ldapext] DBIS commentary
X-BeenThere: ldapext@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: LDAP Extension Working Group <ldapext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ldapext>, <mailto:ldapext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ldapext/>
List-Post: <mailto:ldapext@ietf.org>
List-Help: <mailto:ldapext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ldapext>, <mailto:ldapext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 01 Dec 2015 17:53:19 -0000
On 12/1/2015 2:13 AM, Bannister, Mark wrote: > > > On the case-sensitivity front: we have a pretty fundamental disagreement. I > believe that UNIX names > > > must eventually become case-insensitive, that it is only a matter of time > until they do. > > Yes, you're right, this is a pretty fundamental disagreement. As I don't see > anyone else entering the > > debate supporting case sensitivity, I fear this will fail on a standards track. > I may just keep the > > software available as an alternative, and those who want it can use it, but I > think any hopes I had > > that DBIS might one day be a standard have just been dashed. I will continue to > answer some > > of your points anyway, just for completion. Those who agree with me are either > a) not speaking > > up or b) not reading this mailing list. > Do note again that RFC 4876 mapping would let you redirect the clients to use a custom case-sensitive attribute, or attributes from different auxiliary classes. > However, I would point out that you will meet resistance (and/or disgruntled > customers after the > > fact) if you attempt to change UNIX to be case-insensitive. > For the particular case of user names, I'll note that you're the first person I've talked to who isn't working directly on Solaris LDAP development who has even noticed that LDAP user names are case-insensitive, much less complained. > Btw, what was your plan for casesensitivity in filesystems? > Baby steps :-) I do think that that's inevitable too, just not as soon as user names. User names have more cross-platform impact, a more direct association to human names, and get typed by hand more often in many environments. Any environment that interoperates with Windows will end up with case-insensitive file names, at least in data file systems. Case-insensitivity is already an option on ZFS, and a "mixed" mode is the default on our storage appliances. > > UNIX is not the whole world, and the entire rest of the world is clear that > MARK, Mark, and mark > > > are the same person. > > With people, perhaps. With people vs. service accounts perhaps not. Perhaps I > have a user with > > a login name of 'sheila' but I also have a service account called 'SHEILA'. I > suppose next you will > > be proposing to redefine the English language by saying that case is unimportant > when starting > > sentences, or when writing proper nouns vs nouns? Be careful when you say "the > entire rest > > of the world", be sure you really know the entire rest of the world. I don't > claim to, but I do have > > real examples of problems that DBIS is solving today. > I'd suggest that having a login name that duplicates a service account name, except for case, is asking for trouble. Even in a relative bastion of UNIX like Oracle, we noticed that some of the corporate UIs present user names as all upper case. Case sensitivity is really quite unnatural for humans. There's no shortage of commercial systems that change the case of the left side of e-mail addresses, which will really mess you up if you're using the natural username@domain construction and your usernames are case-sensitive. They're wrong, but they're common. (And, importantly, almost nobody *notices* that they are wrong.) I doubt we'd want to go too far off into the weeds on English semantics, but I'd argue that case *is* unimportant when starting sentences. It helps to mark the beginning of the sentence, but does not otherwise affect the meaning of the word. When I say "Cars drive on roads" or "The cars are on the road", "Cars" and "cars" mean the same thing. For proper nouns you have a point - Oracle and an oracle are two different things. (Though even there, note the proper noun does not take an article.) However, user names are always proper nouns. Come to think of it, there's something interesting there. "Mark" and "Bannister" are both proper nouns, yet "mark" and "bannister" are common nouns. The only reason that we tolerate using "mark" and "bannister" as user names is that we internally convert them into their capitalized forms; treating them as common nouns as standard English would have us do wouldn't make any sense. > > My key point here is that DBIS should specify what attribute should replace > it, what attribute > > > clients are expected to use to populate the pw_gecos field in struct passwd. > > draft-bannister-dbis-passwd provides a suggestion already in 2.1.3.1: > > The posixUserAccount object class is auxiliary and must always be > > associated with another structural class. One such class is > > inetOrgPerson [RFC2798]. If user accounts were given the > > inetOrgPerson class, then displayName might be an appropriate value > > for the dbisMapGecos attribute. > > Given that the gecos field can encode anything in any format, I didn't think I > could realistically > > do any better than provide a suggestion. > I think you could safely specify displayName as a MAY attribute, and let people use RFC 4876 mapping if for some reason they want to use something else. Having two attribute-mapping mechanisms - RFC 4876 mapping and dbisMapGecos - seems bothersome. > > >> posixGroup / posixGroupAccount > > > >> > > > >> X.521 groupOfNames seems like a more appropriate basis for the definition > of a group. > > > > But that doesn't allow for GID number. > > > > > > A subclass does. > > I have people telling me groupOfNames doesn't work well for them because it can > be a group > > of anything. Extra LDAP searches are required to figure out what type of object > the members > > are. That leads to a rather inefficient system. > There are two problems there: 1) A group could contain anything, even when you want it to only contain one type. Administrator error could lead to incorrect configurations. In programming-ese, it's not type-safe. One might hope that you could set up metadata limiting the types of objects that could be added to a group, like you can set up limits on the types of objects that can be put in a container, but I don't know if you can. One hopes that your administration UIs will help here - if you're defining a group of users, the administration UI presumably knows that and only lets you add users. At the same time, this flexibility enables nested groups, which can be very useful. 2) You have to do "extra" searches to get any real information on the member. Yes, that's a very big problem. The particular pain point is that getgrnam and getgrgid are defined to return a list of the members of the group, necessitating a search for *each* member. That gets pretty painful when a group has thousands of members. I think the truly right answer there is to add new APIs that don't retrieve the members, and even to redefine the existing APIs to not retrieve the members, because there are almost no cases where it actually makes sense to retrieve the list of members of a UNIX group. The standards provide some help in that there are hints in the UNIX standard that the list of members returned may not be complete. Also: Caching is your friend. Note also that the PADL version of nss_ldap has a "nss_getgrent_skipmembers" option that disables returning the list of members. As long as we're talking about flaws in groupOfNames: there's also the problem that "member" is a MUST attribute, and that makes empty groups problematic. Active Directory uses the same basic structure, but uses the "group" class instead of groupOfNames, and for "group" the "member" attribute is a MAY. RFC2307bis-02 replaces groupOfNames with groupOfMembers, again with "member" as a MAY. (One might have hoped that you could have an attribute with a empty list of values, but X.501 does not allow that.) > See previous reservations regarding groupOfNames. Imagine trying to construct a > search > operation to find just host members, or just user members. Do note that the queries that you normally need are "is this host (or user) a member of this group" and "what groups is this user a member of". It's hard to find cases where you really want to ask "what are the members of this group". The "is this X a member" and "what groups is this X a member of" queries aren't bad at all with groupOfNames - you have to do a lookup on X to get its DN, but then you just do a natural (and efficient) search. > > Having two names that differ only in case lead to different port numbers seems > like a > > spectacularly bad idea. If there's an organization that has somehow found > themselves > > in such a mess then I'm very sorry for them > > <rant> > > Wait. NIS permitted this. If folk have done what NIS allowed them to do, and it > > fitted their working practice, then you can't blame them for that. If you don't > like it > > and want to label it "a mess", that's fine you can do that, but I do not want to > leave > > people behind. If you wish to call it a mess, then Sun Microsystems created the > mess, > > but it's infrastructure and we're stuck with it. Imagine if the electronics > industry in America > > started selling devices with only English three-pin plugs > <https://www.google.co.uk/url?sa=t&rct=j&q=&esrc=s&source=web&cd=2&cad=rja&uact=8&ved=0ahUKEwiQzfjRs7rJAhUCKiYKHY6eCZoQFggiMAE&url=http%3A%2F%2Fwww.fastcodesign.com%2F3032807%2Fwhy-england-has-the-best-wall-sockets-on-earth&usg=AFQjCNEP4sremkvI56BoTb7D7rJhFaRbgg>, > citing that the original was a > > “bad design” and anyone who has found themselves in such a mess as to have > > incompatible wall sockets, well very sorry for them but that’s just tough luck. > > Right. You’d cause an outcry. Same thing applies here. With NIS a particular > > working practice was absolutely fine. Now it isn’t. And people are left to fix it > > themselves. I think that’s very bad. (And for those who say “NIS is dead”, that’s > > absolutely not true, there are large organisations still using NIS and who haven’t > > yet migrated to LDAP, perhaps because the migration to LDAP is too hard for > > them in the present climate). > > </rant> > Well, kind of. Yes, you were allowed to do it. That doesn't necessarily mean that it was ever a good idea. The structure of extension cords and power strips lets you daisy-chain them together to any length. That doesn't mean that it's a good idea to do it, or that the fire marshal won't cite you on your next office inspection. Also, remember that IANA, not NIS, is the authority on the definition of service names, and it defines them as case-insensitive. There's a very good argument that NIS treating them in a case-sensitive way is a bug.
- Re: [ldapext] DBIS commentary Bannister, Mark
- Re: [ldapext] DBIS commentary Steven Legg
- Re: [ldapext] DBIS commentary Simo Sorce
- Re: [ldapext] DBIS commentary Charlie
- Re: [ldapext] DBIS commentary Jordan Brown
- Re: [ldapext] DBIS commentary Bannister, Mark
- Re: [ldapext] DBIS commentary Ludovic Poitou
- Re: [ldapext] DBIS commentary Jordan Brown
- Re: [ldapext] DBIS commentary Charlie
- Re: [ldapext] DBIS commentary Jordan Brown
- [ldapext] Case sensitivity of user/group names (w… Jordan Brown
- Re: [ldapext] DBIS commentary Simo Sorce
- Re: [ldapext] DBIS commentary Simo Sorce
- [ldapext] Using groupOfNames (or similar) for UNI… Jordan Brown
- Re: [ldapext] DBIS commentary Bannister, Mark
- Re: [ldapext] Case sensitivity of user/group name… Bannister, Mark
- Re: [ldapext] DBIS commentary Jordan Brown
- Re: [ldapext] Using groupOfNames (or similar) for… Simo Sorce
- Re: [ldapext] Using groupOfNames (or similar) for… Jordan Brown
- Re: [ldapext] Using groupOfNames (or similar) for… Simo Sorce
- Re: [ldapext] DBIS commentary Bannister, Mark
- Re: [ldapext] DBIS commentary Bannister, Mark
- Re: [ldapext] Case sensitivity of user/group name… Jordan Brown
- Re: [ldapext] DBIS commentary Jordan Brown
- Re: [ldapext] Case sensitivity of user/group name… Charlie
- Re: [ldapext] Case sensitivity of user/group name… Jordan Brown
- Re: [ldapext] Case sensitivity of user/group name… Charlie
- Re: [ldapext] Case sensitivity of user/group name… Jordan Brown
- Re: [ldapext] Case sensitivity of user/group name… Oza, Dhairesh
- [ldapext] Case sensitivity summary Andrew Findlay
- Re: [ldapext] Case sensitivity summary Michael Ströder
- [ldapext] draft-masarati-ldap-deref as ldapext wo… Michael Ströder
- Re: [ldapext] Case sensitivity summary Simo Sorce
- Re: [ldapext] draft-masarati-ldap-deref as ldapex… Howard Chu
- Re: [ldapext] draft-masarati-ldap-deref as ldapex… Simo Sorce
- Re: [ldapext] Case sensitivity summary Andrew Findlay
- Re: [ldapext] Case sensitivity summary Michael Ströder
- Re: [ldapext] Using groupOfNames (or similar) for… Andrew Findlay
- Re: [ldapext] Case sensitivity of user/group name… Jordan Brown
- Re: [ldapext] Case sensitivity summary Bannister, Mark
- Re: [ldapext] Case sensitivity summary Andrew Findlay
- Re: [ldapext] Case sensitivity summary Bannister, Mark