Re: [ldapext] Schema for posixGroup successor (RFC 2307 bis)
Andrew Findlay <andrew.findlay@skills-1st.co.uk> Thu, 12 February 2015 12:54 UTC
Return-Path: <andrew.findlay@skills-1st.co.uk>
X-Original-To: ldapext@ietfa.amsl.com
Delivered-To: ldapext@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F3A471A87C4 for <ldapext@ietfa.amsl.com>; Thu, 12 Feb 2015 04:54:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.098
X-Spam-Level: *
X-Spam-Status: No, score=1.098 tagged_above=-999 required=5 tests=[BAYES_50=0.8, MIME_8BIT_HEADER=0.3, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 126vpfUcVu-5 for <ldapext@ietfa.amsl.com>; Thu, 12 Feb 2015 04:54:39 -0800 (PST)
Received: from kea.ourshack.com (kea.ourshack.com [IPv6:2001:470:1f15:20::201]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 275421A87B9 for <ldapext@ietf.org>; Thu, 12 Feb 2015 04:54:39 -0800 (PST)
Received: from d.5.1.a.7.f.9.6.4.e.3.7.9.7.8.c.1.e.7.f.0.d.8.0.0.b.8.0.1.0.0.2.ip6.arpa ([2001:8b0:8d0:f7e1:c879:73e4:69f7:a15d] helo=slab.skills-1st.co.uk) by kea.ourshack.com with esmtpsa (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.72) (envelope-from <andrew.findlay@skills-1st.co.uk>) id 1YLtHw-0004Do-Nj; Thu, 12 Feb 2015 12:54:36 +0000
Received: from andrew by slab.skills-1st.co.uk with local (Exim 4.83) (envelope-from <andrew.findlay@skills-1st.co.uk>) id 1YLtHw-0003pt-6W; Thu, 12 Feb 2015 12:54:36 +0000
Date: Thu, 12 Feb 2015 12:54:36 +0000
From: Andrew Findlay <andrew.findlay@skills-1st.co.uk>
To: Michael Ströder <michael@stroeder.com>
Message-ID: <20150212125436.GI3229@slab.skills-1st.co.uk>
References: <54DB27C7.3060409@stroeder.com> <20150212102738.GC3229@slab.skills-1st.co.uk> <54DC8BD7.3040009@stroeder.com> <20150212114807.GG3229@slab.skills-1st.co.uk> <54DC941C.3070504@stroeder.com>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="J/dobhs11T7y2rNN"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <54DC941C.3070504@stroeder.com>
User-Agent: Mutt/1.5.21 (2010-09-15)
Sender: Andrew Findlay <andrew.findlay@skills-1st.co.uk>
Archived-At: <http://mailarchive.ietf.org/arch/msg/ldapext/MxeDAL_qVHj4ekUMZj_UWUdtoBI>
Cc: ldapext <ldapext@ietf.org>
Subject: Re: [ldapext] Schema for posixGroup successor (RFC 2307 bis)
X-BeenThere: ldapext@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: LDAP Extension Working Group <ldapext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ldapext>, <mailto:ldapext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ldapext/>
List-Post: <mailto:ldapext@ietf.org>
List-Help: <mailto:ldapext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ldapext>, <mailto:ldapext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 Feb 2015 12:54:43 -0000
On Thu, Feb 12, 2015 at 12:53:00PM +0100, Michael Ströder wrote: > Could you please go ahead pushing draft-findlay-ldap-groupofentries? OK. I won't have much time for this over the next month, but as a start I attach the original draft and a summary of the discussions surrounding it. The draft itself is quite simple, in that it proposes a group class that is very similar to the existing groupOfNames. The can of worms it opened up is not so easy to fix however :-) The main issues relate to nesting of groups: what it means, whether it should be allowed in a given case, and how clients and servers might split the work in dealing with potentially-nested groups. Some of the more likely solutions to those problems would remove the 'member' attribute from the groupOfEntries class, thus breaking your proposal... Here is the discussion summary: ----------------------------------------------------------------------- draft-findlay-ldap-groupofentries-00.txt discussion summary 2007-09-24 ====================================================================== On September 17th I introduced an I-D to create an LDAP group class that was capable of representing an empty group. The initial proposal was for the smallest possible change from the existing groupOfNames class. Most people who joined the discussion on ldapext@ietf.org were broadly in support of allowing empty groups, though some thought that any changes away from the status quo were doomed to fail. Howard Chu pointed out that groupOfUniqueNames is even worse than groupOfNames as the LDAP syntax for the nameAndOptionalUID attribute type cannot be parsed reliably. Kurt Zeilenga provided much detailed editorial advice, and posed a question about how to handle groups where the DSA is unwilling or unable to return some or all member names. Luke Howard suggested that the behaviour of nested groups should be defined. I was initially against an explicit definition, but was soon persuaded that there could be significant performance and security problems with ad-hoc nesting. At this point the discussion moved almost entirely to the consideration of nesting issues. Pete Rowley wanted an interface to be used by read-only clients to find out what groups a particular entry is a member of without caring about how the groups are defined. He suggested a memberOf attribute (presumably server-maintained) for this purpose. Michael Liben also liked this approach. Simo Sorce proposed a control for server-side group expansion, and Michael Ströder suggested that an extended operation for asking specific membership questions would be better. Howard Chu suggested that any such operation would need a depth limit parameter. Steven Legg proposed directMember and nestedGroups attributes, and Michael Ströder suggested that these might be a sufficient set to describe nested groups. I wondered whether nested groups should be split into those that could in turn have their own nested groups and those that could not, but Simo Sorce thought that people would never choose to use the more restrictive case. I was initially against dropping the original 'member' attribute, but Steven pointed out that having a new directMember attribute would allow people to define their own group classes and still take advantage of defined nesting semantics. Current situation ================= It seems to me that we now have these threads of development: 1) A new structural group class that can represent empty groups. This could go forward with the existing ambiguous member attribute or it could become the basis of a group representation with more carefully defined semantics using directMember. 2) A new auxiliary class and one or more attributes to represent groups that may contain other groups. For this to make much sense it would require the well-defined version of (1). In (1) and (2) I see the definitions of the attributes being the key, and would avoid requiring the use of the object classes to obtain the defined semantics. 3) A new control or extended operation so that a client can ask the server to do the heavy lifting involved with nested groups. 4) A new server-maintained attribute called memberOf to give an alternative way for clients to ask for membership information. AD already has such an attribute, and Pierangelo Masarati recently proposed one for OpenLDAP so there may be useful existing work to build on. 5) A document explaining why groupOfUniqueNames, uniqueMember and nameAndOptionalUID are bad, possibly leading to them being deprecated in the next revision of the core LDAP standards. I am willing to co-ordinate work on (1) and (2). Are there volunteers to take on the others? ----------------------------------------------------------------------- Andrew -- ----------------------------------------------------------------------- | From Andrew Findlay, Skills 1st Ltd | | Consultant in large-scale systems, networks, and directory services | | http://www.skills-1st.co.uk/ +44 1628 782565 | -----------------------------------------------------------------------
- [ldapext] Schema for posixGroup successor (RFC 23… Michael Ströder
- Re: [ldapext] Schema for posixGroup successor (RF… Michael Ströder
- Re: [ldapext] Schema for posixGroup successor (RF… Simo Sorce
- Re: [ldapext] Schema for posixGroup successor (RF… Andrew Findlay
- Re: [ldapext] Schema for posixGroup successor (RF… Michael Ströder
- Re: [ldapext] Schema for posixGroup successor (RF… Andrew Findlay
- Re: [ldapext] Schema for posixGroup successor (RF… Michael Ströder
- Re: [ldapext] Schema for posixGroup successor (RF… Ludovic Poitou
- Re: [ldapext] Schema for posixGroup successor (RF… Michael Ströder
- Re: [ldapext] Schema for posixGroup successor (RF… Ludovic Poitou
- Re: [ldapext] Schema for posixGroup successor (RF… Andrew Findlay