Re: [ldapext] DBIS - new IETF drafts
Mark R Bannister <dbis@proseconsulting.co.uk> Wed, 08 January 2014 20:25 UTC
Return-Path: <dbis@proseconsulting.co.uk>
X-Original-To: ldapext@ietfa.amsl.com
Delivered-To: ldapext@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 056811AE179 for <ldapext@ietfa.amsl.com>; Wed, 8 Jan 2014 12:25:06 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ev4Hz3Ox0U47 for <ldapext@ietfa.amsl.com>; Wed, 8 Jan 2014 12:25:04 -0800 (PST)
Received: from mailex.mailcore.me (mailex.mailcore.me [94.136.40.61]) by ietfa.amsl.com (Postfix) with ESMTP id 5354E1AE186 for <ldapext@ietf.org>; Wed, 8 Jan 2014 12:25:00 -0800 (PST)
Received: from host109-155-253-4.range109-155.btcentralplus.com ([109.155.253.4] helo=[192.168.1.68]) by mail6.atlas.pipex.net with esmtpa (Exim 4.71) (envelope-from <dbis@proseconsulting.co.uk>) id 1W0zgI-0004iB-GM; Wed, 08 Jan 2014 20:24:50 +0000
Message-ID: <52CDB3FC.2000205@proseconsulting.co.uk>
Date: Wed, 08 Jan 2014 20:24:28 +0000
From: Mark R Bannister <dbis@proseconsulting.co.uk>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.2.0
MIME-Version: 1.0
To: Howard Chu <hyc@highlandsun.com>, ldapext@ietf.org
References: <52C9BED5.2080900@proseconsulting.co.uk> <52CAEA7D.5030002@highlandsun.com> <52CB194D.3090009@proseconsulting.co.uk> <52CB1DE3.6040000@highlandsun.com> <52CB2194.30907@proseconsulting.co.uk> <52CB26C6.1070406@highlandsun.com>
In-Reply-To: <52CB26C6.1070406@highlandsun.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Mailcore-Auth: 12040446
X-Mailcore-Domain: 1286164
Subject: Re: [ldapext] DBIS - new IETF drafts
X-BeenThere: ldapext@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: LDAP Extension Working Group <ldapext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ldapext>, <mailto:ldapext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ldapext/>
List-Post: <mailto:ldapext@ietf.org>
List-Help: <mailto:ldapext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ldapext>, <mailto:ldapext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 08 Jan 2014 20:25:06 -0000
On 06/01/2014 21:57, Howard Chu wrote: > Mark R Bannister wrote: >> Do you have any more alarming problems that can be turned into simple >> requests? > > Just read thru > http://www.ietf.org/id/draft-bannister-dbis-policy-02.txt and again > there's a lot of redundant work here, this time in regards to > http://tools.ietf.org/html/draft-behera-ldap-password-policy-10 Originally I had shadow attributes mingled in with the user and group document, as it is in RFC2307, however I decided quite late on in fact that it would be better as a separate bolt-on option. So it went into its own draft. I thought I'd already made it clear in the drafts that password policies are best handled a separate way, however, DBIS would be incomplete if it did not support the old NIS way of doing it as well. I don't personally like the idea of having per-user shadow attributes, however some might see it as a feature and there may be some edge cases where this is exactly what is required. So, what's the harm in supporting it? As long as I make it clear that it is not recommended, which is the intention of the following paragraph in section 1.1.1: It is RECOMMENDED that password policies are managed using native features in the LDAP Directory Server if available, or using Pluggable Authentication Modules [PAM] to provide consistency of security and centralised administration. Whether or not the shadow attributes are used by the policy will vary between implementations. Perhaps we can work this paragraph better. I must admit I haven't seen draft-behera-ldap-password-policy-10 so I shall add that to my reading list. > > The obvious issue is collisions in some attribute descriptors with the > ppolicy spec, which is already widely deployed. draft-behera-ldap-password-policy-10 is already widely deployed, you say? Then it must go higher up in my reading list. > > More problematic is the data model itself, again. Storing the actual > policy settings in the user entries will be unmanageable for any > moderately large sized user population. This is one reason why > draft-behera uses dedicated policy objects. It is the client side > DUA's job to adapt the universal data store to the local host's > security implementation. And we already have > pam_ldap/nss_ldap/nss-pam-ldapd/nssov to perform these adaptations, so > I don't see much value in defining yet another new broken data model > that has no existing client support. Indeed, I agree, as stated earlier on I would whole-heartedly recommend against having user-specific policy settings. However, providing the facility as an option for those who want to make minimal changes to their NIS environment is harmless. > > As much as you claim to have read and absorbed the prior work in this > area, it really appears that you have ignored most of it. Appearances can be deceptive. If you ask me for a reason why I did something in a particular way, you'll realise I have actually put a lot of thought into the entire design. I haven't ignored RFC2307 nor RFC2307bis, nor indeed any of the RFCs I make reference to in my drafts. I was unaware of draft-behera-ldap-password-policy-10 so thank you for pointing this out. I suspect it will not make a big difference short of perhaps becoming the recommended approach. I'll review it and let you know what I think afterwards. Best regards, Mark.
- [ldapext] DBIS - new IETF drafts Mark R Bannister
- Re: [ldapext] DBIS - new IETF drafts Howard Chu
- Re: [ldapext] DBIS - new IETF drafts Mark R Bannister
- Re: [ldapext] DBIS - new IETF drafts Howard Chu
- Re: [ldapext] DBIS - new IETF drafts Mark R Bannister
- Re: [ldapext] DBIS - new IETF drafts Mark R Bannister
- Re: [ldapext] DBIS - new IETF drafts Howard Chu
- Re: [ldapext] DBIS - new IETF drafts Howard Chu
- Re: [ldapext] DBIS - new IETF drafts Arthur de Jong
- Re: [ldapext] DBIS - new IETF drafts Michael Ströder
- Re: [ldapext] DBIS - new IETF drafts Michael Ströder
- Re: [ldapext] DBIS - new IETF drafts Mark R Bannister
- Re: [ldapext] DBIS - new IETF drafts Mark R Bannister
- Re: [ldapext] DBIS - new IETF drafts Mark R Bannister
- Re: [ldapext] DBIS - new IETF drafts Mark R Bannister
- Re: [ldapext] DBIS - new IETF drafts Mark R Bannister
- Re: [ldapext] DBIS - new IETF drafts Michael Ströder
- Re: [ldapext] DBIS - new IETF drafts Michael Ströder
- Re: [ldapext] DBIS - new IETF drafts Michael Ströder
- Re: [ldapext] DBIS - new IETF drafts Michael Ströder
- Re: [ldapext] DBIS - new IETF drafts Ludovic Poitou
- Re: [ldapext] DBIS - new IETF drafts Clément OUDOT
- Re: [ldapext] DBIS - new IETF drafts Andrew Findlay
- Re: [ldapext] DBIS - new IETF drafts Andrew Findlay
- Re: [ldapext] DBIS - new IETF drafts Michael Ströder
- Re: [ldapext] DBIS - new IETF drafts Michael Ströder
- Re: [ldapext] DBIS - new IETF drafts Michael Ströder
- Re: [ldapext] DBIS - new IETF drafts Michael Ströder
- Re: [ldapext] DBIS - new IETF drafts Charlie
- Re: [ldapext] DBIS - new IETF drafts Luke Howard
- Re: [ldapext] DBIS - new IETF drafts Neal-Joslin, Robert (3PAR Engineering)
- Re: [ldapext] DBIS - new IETF drafts Howard Chu
- Re: [ldapext] DBIS - new IETF drafts Michael Ströder
- Re: [ldapext] DBIS - new IETF drafts Mark R Bannister
- Re: [ldapext] DBIS - new IETF drafts Mark R Bannister
- Re: [ldapext] DBIS - new IETF drafts Mark R Bannister
- Re: [ldapext] DBIS - new IETF drafts Mark R Bannister
- Re: [ldapext] DBIS - new IETF drafts Mark R Bannister
- Re: [ldapext] DBIS - new IETF drafts Luke Howard
- Re: [ldapext] DBIS - new IETF drafts Luke Howard
- Re: [ldapext] DBIS - new IETF drafts Mark R Bannister
- Re: [ldapext] DBIS - new IETF drafts Mark R Bannister
- Re: [ldapext] DBIS - new IETF drafts Mark R Bannister
- Re: [ldapext] DBIS - new IETF drafts Mark R Bannister
- Re: [ldapext] DBIS - new IETF drafts Michael Ströder
- Re: [ldapext] DBIS - new IETF drafts Mark R Bannister
- Re: [ldapext] DBIS - new IETF drafts Michael Ströder
- Re: [ldapext] DBIS - new IETF drafts Michael Ströder
- Re: [ldapext] DBIS - new IETF drafts Andrew Findlay
- Re: [ldapext] DBIS - new IETF drafts Andrew Findlay
- Re: [ldapext] DBIS - new IETF drafts Michael Ströder
- Re: [ldapext] DBIS - new IETF drafts Michael Ströder
- Re: [ldapext] DBIS - new IETF drafts Howard Chu
- Re: [ldapext] DBIS - new IETF drafts Charlie
- Re: [ldapext] DBIS - new IETF drafts Mark R Bannister