Re: [ldapext] Summary of group discussion
"Keutel, Jochen" <mlists@keutel.de> Fri, 14 December 2007 10:43 UTC
Return-path: <ldapext-bounces@ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1J380y-0007A5-UI; Fri, 14 Dec 2007 05:43:32 -0500
Received: from [10.90.34.44] (helo=chiedprmail1.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1J380x-00079z-Jp for ldapext@ietf.org; Fri, 14 Dec 2007 05:43:31 -0500
Received: from moutng.kundenserver.de ([212.227.126.188]) by chiedprmail1.ietf.org with esmtp (Exim 4.43) id 1J380w-0002NC-LE for ldapext@ietf.org; Fri, 14 Dec 2007 05:43:31 -0500
Received: from [192.168.2.10] (p57BBE35E.dip.t-dialin.net [87.187.227.94]) by mrelayeu.kundenserver.de (node=mrelayeu0) with ESMTP (Nemesis) id 0MKwh2-1J380g3oad-0002Dj; Fri, 14 Dec 2007 11:43:16 +0100
Message-ID: <47625E32.7010504@keutel.de>
Date: Fri, 14 Dec 2007 11:42:58 +0100
From: "Keutel, Jochen" <mlists@keutel.de>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; de; rv:1.8.1.9) Gecko/20071031 Thunderbird/2.0.0.9 Mnenhy/0.7.5.666
MIME-Version: 1.0
To: Andrew Findlay <andrew.findlay@skills-1st.co.uk>
Subject: Re: [ldapext] Summary of group discussion
References: <20070924194342.GA9926@tile.skills-1st.co.uk>
In-Reply-To: <20070924194342.GA9926@tile.skills-1st.co.uk>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 8bit
X-Provags-ID: V01U2FsdGVkX1+quGh3kc5VgqMbuEm4ym++TeLy4k6ESnoQdtm ivTnTQNwYZEzxbxsNitrgFnoi3thn2CtFlTG9LcRKERjg8mfNq t7SZWWkPhNwHD1S3G0Y6mXEcz4m0u+C
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 42e3ed3f10a1d8bef690f09da16f507a
Cc: ldapext <ldapext@ietf.org>
X-BeenThere: ldapext@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: LDAP Extension Working Group <ldapext.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/ldapext>, <mailto:ldapext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/ldapext>
List-Post: <mailto:ldapext@ietf.org>
List-Help: <mailto:ldapext-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/ldapext>, <mailto:ldapext-request@ietf.org?subject=subscribe>
Errors-To: ldapext-bounces@ietf.org
Hello Andrew, I'm definitely late in commenting this ... I just missed the discussion in September, sorry. One thing I'd like to add: X.501 defines the X.500 access control schema. Esp. it defines: ACIItem ::= SEQUENCE { identificationTag DirectoryString { ub-tag }, precedence Precedence, authenticationLevel AuthenticationLevel, itemOrUserFirst CHOICE { itemFirst [0] SEQUENCE { protectedItems ProtectedItems, itemPermissions SET OF ItemPermission }, userFirst [1] SEQUENCE { userClasses UserClasses, userPermissions SET OF UserPermission } } } UserClasses ::= SEQUENCE { allUsers [0] NULL OPTIONAL, thisEntry [1] NULL OPTIONAL, name [2] SET SIZE (1..MAX) OF NameAndOptionalUID OPTIONAL, userGroup [3] SET SIZE (1..MAX) OF NameAndOptionalUID OPTIONAL, -- dn component shall be the name of an -- entry of GroupOfUniqueNames subtree [4] SET SIZE (1..MAX) OF SubtreeSpecification OPTIONAL } The referenced NameAndOptionalUID is defined in X.520: NameAndOptionalUID ::= SEQUENCE { dn DistinguishedName, uid UniqueIdentifier OPTIONAL } So here we have a unique identifier twice: Inside the groupOfUniqueNames and in the NameAndOptionalUID structure. Both are not used in the real world ... (at least I've never seen it). The problem I see: Products using this ACI schema (esp. X.500 based products as e.g. Siemens DirX or CriticalPath) do only work if the userGroup component of UserClasses is really a groupOfuniqueNames. Of course you can put the DN of a groupOfNames or groupOfEntries or ... into this field - but ACI checking won't work. So I see 2 points: 1. Shall X.501 be changed as well? 2. Shall this ACI issue be mentioned in your draft? Best regards, Jochen. Andrew Findlay schrieb: > draft-findlay-ldap-groupofentries-00.txt discussion summary 2007-09-24 > ====================================================================== > > On September 17th I introduced an I-D to create an LDAP group class > that was capable of representing an empty group. The initial proposal > was for the smallest possible change from the existing groupOfNames > class. > > Most people who joined the discussion on ldapext@ietf.org were broadly > in support of allowing empty groups, though some thought that any > changes away from the status quo were doomed to fail. > > Howard Chu pointed out that groupOfUniqueNames is even worse than > groupOfNames as the LDAP syntax for the nameAndOptionalUID attribute > type cannot be parsed reliably. > > Kurt Zeilenga provided much detailed editorial advice, and posed a > question about how to handle groups where the DSA is unwilling or > unable to return some or all member names. > > Luke Howard suggested that the behaviour of nested groups should be > defined. I was initially against an explicit definition, but was soon > persuaded that there could be significant performance and security > problems with ad-hoc nesting. At this point the discussion moved > almost entirely to the consideration of nesting issues. > > Pete Rowley wanted an interface to be used by read-only clients to find > out what groups a particular entry is a member of without caring about > how the groups are defined. He suggested a memberOf attribute (presumably > server-maintained) for this purpose. Michael Liben also liked this > approach. > > Simo Sorce proposed a control for server-side group expansion, and > Michael Ströder suggested that an extended operation for asking specific > membership questions would be better. Howard Chu suggested that any such > operation would need a depth limit parameter. > > Steven Legg proposed directMember and nestedGroups attributes, and > Michael Ströder suggested that these might be a sufficient set to > describe nested groups. I wondered whether nested groups should be split > into those that could in turn have their own nested groups and those > that could not, but Simo Sorce thought that people would never choose > to use the more restrictive case. I was initially against dropping the > original 'member' attribute, but Steven pointed out that having a new > directMember attribute would allow people to define their own group > classes and still take advantage of defined nesting semantics. > > > Current situation > ================= > > It seems to me that we now have these threads of development: > > 1) A new structural group class that can represent empty groups. > This could go forward with the existing ambiguous member > attribute or it could become the basis of a group > representation with more carefully defined semantics using > directMember. > > 2) A new auxiliary class and one or more attributes to represent > groups that may contain other groups. For this to make much > sense it would require the well-defined version of (1). > > In (1) and (2) I see the definitions of the attributes being > the key, and would avoid requiring the use of the object > classes to obtain the defined semantics. > > 3) A new control or extended operation so that a client can ask > the server to do the heavy lifting involved with nested > groups. > > 4) A new server-maintained attribute called memberOf to give an > alternative way for clients to ask for membership information. > AD already has such an attribute, and Pierangelo Masarati > recently proposed one for OpenLDAP so there may be useful > existing work to build on. > > 5) A document explaining why groupOfUniqueNames, > uniqueMember and nameAndOptionalUID are bad, possibly leading > to them being deprecated in the next revision of the core LDAP > standards. > > > I am willing to co-ordinate work on (1) and (2). Are there volunteers > to take on the others? > > Andrew _______________________________________________ Ldapext mailing list Ldapext@ietf.org https://www1.ietf.org/mailman/listinfo/ldapext
- [ldapext] Summary of group discussion Andrew Findlay
- Re: [ldapext] Summary of group discussion Howard Chu
- Re: [ldapext] Summary of group discussion Ludovic Poitou
- Re: [ldapext] Summary of group discussion Jaimon Jose
- Re: [ldapext] Summary of group discussion Jaimon Jose
- Re: [ldapext] Summary of group discussion Pete Rowley
- Re: [ldapext] Summary of group discussion Jaimon Jose
- Re: [ldapext] Summary of group discussion Pete Rowley
- Re: [ldapext] Summary of group discussion Gavin Henry
- Re: [ldapext] Summary of group discussion Keutel, Jochen
- Re: [ldapext] Summary of group discussion Howard Chu
- Re: [ldapext] Summary of group discussion Howard Chu
- Re: [ldapext] Summary of group discussion Michael Ströder
- Re: [ldapext] Summary of group discussion Howard Chu
- Re: [ldapext] Summary of group discussion Kurt Zeilenga