IETF Logo Mail Archive

Re: [ldapext] DBIS - new IETF drafts

Mark R Bannister <dbis@proseconsulting.co.uk> Wed, 08 January 2014 20:25 UTC

Return-Path: <dbis@proseconsulting.co.uk>
X-Original-To: ldapext@ietfa.amsl.com
Delivered-To: ldapext@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 056811AE179 for <ldapext@ietfa.amsl.com>; Wed, 8 Jan 2014 12:25:06 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ev4Hz3Ox0U47 for <ldapext@ietfa.amsl.com>; Wed, 8 Jan 2014 12:25:04 -0800 (PST)
Received: from mailex.mailcore.me (mailex.mailcore.me [94.136.40.61]) by ietfa.amsl.com (Postfix) with ESMTP id 5354E1AE186 for <ldapext@ietf.org>; Wed, 8 Jan 2014 12:25:00 -0800 (PST)
Received: from host109-155-253-4.range109-155.btcentralplus.com ([109.155.253.4] helo=[192.168.1.68]) by mail6.atlas.pipex.net with esmtpa (Exim 4.71) (envelope-from <dbis@proseconsulting.co.uk>) id 1W0zgI-0004iB-GM; Wed, 08 Jan 2014 20:24:50 +0000
Message-ID: <52CDB3FC.2000205@proseconsulting.co.uk>
Date: Wed, 08 Jan 2014 20:24:28 +0000
From: Mark R Bannister <dbis@proseconsulting.co.uk>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.2.0
MIME-Version: 1.0
To: Howard Chu <hyc@highlandsun.com>, ldapext@ietf.org
References: <52C9BED5.2080900@proseconsulting.co.uk> <52CAEA7D.5030002@highlandsun.com> <52CB194D.3090009@proseconsulting.co.uk> <52CB1DE3.6040000@highlandsun.com> <52CB2194.30907@proseconsulting.co.uk> <52CB26C6.1070406@highlandsun.com>
In-Reply-To: <52CB26C6.1070406@highlandsun.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Mailcore-Auth: 12040446
X-Mailcore-Domain: 1286164
Subject: Re: [ldapext] DBIS - new IETF drafts
X-BeenThere: ldapext@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: LDAP Extension Working Group <ldapext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ldapext>, <mailto:ldapext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ldapext/>
List-Post: <mailto:ldapext@ietf.org>
List-Help: <mailto:ldapext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ldapext>, <mailto:ldapext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 08 Jan 2014 20:25:06 -0000

On 06/01/2014 21:57, Howard Chu wrote:
> Mark R Bannister wrote:
>> Do you have any more alarming problems that can be turned into simple
>> requests?
>
> Just read thru 
> http://www.ietf.org/id/draft-bannister-dbis-policy-02.txt and again 
> there's a lot of redundant work here, this time in regards to 
> http://tools.ietf.org/html/draft-behera-ldap-password-policy-10

Originally I had shadow attributes mingled in with the user and group 
document, as it is in RFC2307, however I decided quite late on in fact 
that it would be better as a separate bolt-on option.  So it went into 
its own draft.  I thought I'd already made it clear in the drafts that 
password policies are best handled a separate way, however, DBIS would 
be incomplete if it did not support the old NIS way of doing it as 
well.  I don't personally like the idea of having per-user shadow 
attributes, however some might see it as a feature and there may be some 
edge cases where this is exactly what is required.  So, what's the harm 
in supporting it?  As long as I make it clear that it is not 
recommended, which is the intention of the following paragraph in 
section 1.1.1:

    It is RECOMMENDED that password policies are managed using native
    features in the LDAP Directory Server if available, or using
    Pluggable Authentication Modules [PAM] to provide consistency of
    security and centralised administration.  Whether or not the shadow
    attributes are used by the policy will vary between implementations.

Perhaps we can work this paragraph better.  I must admit I haven't seen 
draft-behera-ldap-password-policy-10 so I shall add that to my reading list.

>
> The obvious issue is collisions in some attribute descriptors with the 
> ppolicy spec, which is already widely deployed.

draft-behera-ldap-password-policy-10 is already widely deployed, you 
say?  Then it must go higher up in my reading list.

>
> More problematic is the data model itself, again. Storing the actual 
> policy settings in the user entries will be unmanageable for any 
> moderately large sized user population. This is one reason why 
> draft-behera uses dedicated policy objects. It is the client side 
> DUA's job to adapt the universal data store to the local host's 
> security implementation. And we already have 
> pam_ldap/nss_ldap/nss-pam-ldapd/nssov to perform these adaptations, so 
> I don't see much value in defining yet another new broken data model 
> that has no existing client support.

Indeed, I agree, as stated earlier on I would whole-heartedly recommend 
against having user-specific policy settings.  However, providing the 
facility as an option for those who want to make minimal changes to 
their NIS environment is harmless.

>
> As much as you claim to have read and absorbed the prior work in this 
> area, it really appears that you have ignored most of it.

Appearances can be deceptive.  If you ask me for a reason why I did 
something in a particular way, you'll realise I have actually put a lot 
of thought into the entire design.  I haven't ignored RFC2307 nor 
RFC2307bis, nor indeed any of the RFCs I make reference to in my 
drafts.  I was unaware of draft-behera-ldap-password-policy-10 so thank 
you for pointing this out.  I suspect it will not make a big difference 
short of perhaps becoming the recommended approach.  I'll review it and 
let you know what I think afterwards.

Best regards,
Mark.

v2.23.0 | Report a Bug | By Email