Re: [ldapext] DBIS - new IETF drafts

Arthur de Jong <> Tue, 07 January 2014 22:25 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id DEC1C1AE212 for <>; Tue, 7 Jan 2014 14:25:35 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: 0.195
X-Spam-Status: No, score=0.195 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_NL=0.55, HOST_EQ_NL=1.545, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 79TpLitbh4Ff for <>; Tue, 7 Jan 2014 14:25:34 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id D427F1AE20E for <>; Tue, 7 Jan 2014 14:25:33 -0800 (PST)
Received: from ( []) by (8.13.8/8.13.8) with ESMTP id s07MPOiL001082; Tue, 7 Jan 2014 23:25:24 +0100 (CET) (envelope-from
Received: from [] ( []) by (Postfix) with ESMTP id 41ABCCB0B; Tue, 7 Jan 2014 23:25:22 +0100 (CET)
Message-ID: <>
From: Arthur de Jong <>
To: Mark R Bannister <>,
Date: Tue, 07 Jan 2014 23:25:22 +0100
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="=-hyrQtB4Ql9acFPKQOEho"
X-Mailer: Evolution 3.8.5-2+b1
Mime-Version: 1.0
X-Virus-Scanned: by XS4ALL Virus Scanner
X-Virus-Status: Clean
Subject: Re: [ldapext] DBIS - new IETF drafts
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: LDAP Extension Working Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 07 Jan 2014 22:27:05 -0000


I'm the maintainer of nss-pam-ldapd, a PAM and NSS module that extracts
information from LDAP to map to Unix users, groups, and other maps
defined in RFC2307.

I quickyly went through draft-bannister-dbis-mapping-02.txt and
draft-bannister-dbis-passwd-01.txt and would like to add a few comments
(not very well organised, sorry).

For me, it is very interesting that the work is being done to to correct
some of the mistakes in RFC2307. I particularly like the idea of making
the attributes case sensitive and ensuring that values can appear only
once. Leaving out the case sensitivity filters from implementations
should make them a lot simpler. Mixing case sensitive and non-cases
sensitive interpretations of the same values can have security

The use of the term overlay may be confusing to users because that is
also used as one of the types of loadable modules of the OpenLDAP LDAP
server (slapd). I don't have a better alternative, sorry (the mechanism
is interesting though).

I personally wouldn't worry too much about the format of password
hashes. In an centralised network it would seem wiser to use a
centralised mechanism to authenticate users which already have plenty of
solutions available (LDAP bind authentication, Kerberos, etc.). Exposing
password hashes throughout the network is somewhat analogous to putting
password hashes in /etc/passwd instead of /etc/shadow.

I agree with Howard Chu that there must be a better format to store
timestamps and durations (mostly for shadow information) in. Something
that is interoperable with other systems.

I personally like the use of flat names to describe group membership. It
makes the semantics much simpler than dealing with things like the
member or uniqueMember attribute (at least from a client implementation

The use of distinguished names may seem more logical from an LDAP
structure point of view, but you will have to dereference any DN to a
user name for building up a group entry resulting in potentially a lot
of search operations to get complete data.

I was recently pointer to draft-masarati-ldap-deref-00 which I've just
implemented in nss-pam-ldapd. This would reduce the number of required
lookups but this draft isn't widely implemented (I think nss-pam-ldapd
is the second Open Source client application to use it).

On the other hand, the use of exactPrimary will also require another
lookup because POSIX getpwent() expects to return a numerical group id.

I haven't ready it fully yet but the combination of exactGroup in
posixUserAccount and exactUser in posixGroupAccount will leaver room for
different interpretations for which users belong to which group,
depending on which way you look. Adding nested groups to the mix will
make it more difficult to maintain consistency. I would say that it is
better to have one way of specifying group membership and not two.

Nested groups are also an interesting concept and I can see the value
from a data management perspective but it will again result in multiple
LDAP search operations, especially for queries to determine the groups
that contain a specific user (initgroups() implementations). If a user
is found to be a member of 10 groups in the first pass, for each of the
10 groups it needs to be determined whether these groups are again
member of some other groups.

Some of these performance issues can be addresses with caches but since
caches are one of the only two difficult things in computer science
doing without them is better. Let's keep things simple.

Also, you may be interested in looking at the nss-pam-ldapd code. It
seems to have a somewhat similar design as the ideas described in the
DBIS Reference Implementation. There is even a work-in-progress Python
implementation that you could replace with a DBIS implementation.

Anyway, that's it for now. Perhaps I'll take a further look in a few

-- arthur - - --