Re: [ldapext] Using groupOfNames (or similar) for UNIX groups and netgroups (was Re: DBIS commentary)
Jordan Brown <Jordan.Brown@oracle.com> Wed, 02 December 2015 18:09 UTC
Return-Path: <Jordan.Brown@oracle.com>
X-Original-To: ldapext@ietfa.amsl.com
Delivered-To: ldapext@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DB3041ACDD1 for <ldapext@ietfa.amsl.com>; Wed, 2 Dec 2015 10:09:06 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.21
X-Spam-Level:
X-Spam-Status: No, score=-4.21 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0p5hB047BXvB for <ldapext@ietfa.amsl.com>; Wed, 2 Dec 2015 10:09:04 -0800 (PST)
Received: from userp1040.oracle.com (userp1040.oracle.com [156.151.31.81]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6DE631ACDCE for <ldapext@ietf.org>; Wed, 2 Dec 2015 10:09:04 -0800 (PST)
Received: from userv0021.oracle.com (userv0021.oracle.com [156.151.31.71]) by userp1040.oracle.com (Sentrion-MTA-4.3.2/Sentrion-MTA-4.3.2) with ESMTP id tB2I933w024124 (version=TLSv1 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Wed, 2 Dec 2015 18:09:03 GMT
Received: from userv0121.oracle.com (userv0121.oracle.com [156.151.31.72]) by userv0021.oracle.com (8.13.8/8.13.8) with ESMTP id tB2I93ob004796 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL); Wed, 2 Dec 2015 18:09:03 GMT
Received: from abhmp0006.oracle.com (abhmp0006.oracle.com [141.146.116.12]) by userv0121.oracle.com (8.13.8/8.13.8) with ESMTP id tB2I92Av005769; Wed, 2 Dec 2015 18:09:02 GMT
Received: from [10.159.249.98] (/10.159.249.98) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Wed, 02 Dec 2015 10:09:02 -0800
To: Simo Sorce <simo@redhat.com>
References: <5655E4F0.7030809@oracle.com> <814F4E458AA9FF4E89CF1A9EDA0DE2A932F618A3@OZWEX0209N1.msad.ms.com> <565CAC30.6010701@oracle.com> <814F4E458AA9FF4E89CF1A9EDA0DE2A932F8EAFD@OZWEX0209N2.msad.ms.com> <565DDE78.5030908@oracle.com> <1449019308.9040.38.camel@redhat.com> <565E55C3.9080404@oracle.com> <1449076861.9040.56.camel@redhat.com>
From: Jordan Brown <Jordan.Brown@oracle.com>
Message-ID: <565F33B7.4000801@oracle.com>
Date: Wed, 02 Dec 2015 10:08:55 -0800
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:42.0) Gecko/20100101 Firefox/42.0 SeaMonkey/2.39
MIME-Version: 1.0
In-Reply-To: <1449076861.9040.56.camel@redhat.com>
Content-Type: multipart/alternative; boundary="------------040505020607040501020002"
X-Source-IP: userv0021.oracle.com [156.151.31.71]
Archived-At: <http://mailarchive.ietf.org/arch/msg/ldapext/S0C6JjXPS1nXfj3SDO6xZAq4hXk>
Cc: "'ldapext@ietf.org'" <ldapext@ietf.org>
Subject: Re: [ldapext] Using groupOfNames (or similar) for UNIX groups and netgroups (was Re: DBIS commentary)
X-BeenThere: ldapext@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: LDAP Extension Working Group <ldapext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ldapext>, <mailto:ldapext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ldapext/>
List-Post: <mailto:ldapext@ietf.org>
List-Help: <mailto:ldapext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ldapext>, <mailto:ldapext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Dec 2015 18:09:07 -0000
On 12/2/2015 9:21 AM, Simo Sorce wrote: > On Tue, 2015-12-01 at 18:21 -0800, Jordan Brown wrote: >> [draft-masarati-ldap-deref-00] is indeed very interesting. I don't >> immediately see how it helps with the type-safety problem, though. >> Am I missing something? > The idea is that you can get all data up at once including objectclass > and then you can simply drop results that do not have the right > objectclass value. > It is a little more wasteful than being able to specify a secondary > filter (that would probably be a great addition to the draft), for the > search done on the attribute of the group entry, but it is still good > enough to efficiently get results as well as easily weed off unwanted > ones. OK, sure. (Better still would be to have some way to tell the directory to limit the types allowed.) >> Yes, and I infer that there's corresponding omissions in other parts of the >> standard. In the getgrent description, the standard describes omitting this >> information on the basis of security restrictions. Omitting the data there >> would not help security at all if you could immediately turn around and request >> it through getgrname and getgrgid. Meeting the security need would require >> having the restrictions in both places. > True, but are not doing this for security reasons, we are just taking > the fact that omissions are permissible as a blanket permission to omit > results, and clients should be prepared to deal with that. Right, but the standard describes it in terms of security. > After all the texts are vague and you could think that the security > measure expressed here is about not revealing group names. It explicitly mentions editing the list of members (emphasis added): http://pubs.opengroup.org/onlinepubs/9699919799/functions/getgrent.html An implementation that provides extended security controls may impose further implementation-defined restrictions on accessing the group database. In particular, the system may deny the existence of some or all of the group database entries associated with groups other than those groups associated with the caller *and may omit users other than the caller from the list of members of groups in database entries that are returned*. > The fact you can easily scan the whole group ID space is just the > annoying consequence of the fact most systems do not have a randomized > ID assignment policy and have a pretty limited ID space at just 32bit of > size or less. But hey, that's not my fault! :-) That too, but I was thinking about the list-of-members part... if you have a security reason for keeping the list of members hidden, it wouldn't do you any good to hide it from getgrent when the caller could then immediately retrieve it using getgrgid. >> We could address it through introducing a new object class (and here I include >> just grabbing "group" from AD or "groupOfNames" from RFC2307bis-02, not just >> creating a wholly new one), or by changing the definition. This is one of those >> cases where I'd say that breaking formal compatibility might well be appropriate. > Yes, it would be nice to change the class, because it is forward safe to > do so, if you created objects when the MUST was in place, nothing breaks > if you relax the constraint to MAY, at least from the POV of data > consistency in the directory. > > And I never found any software the specifically rely on the fact you > can't delete the last member attribute from a group for something. > Actually usually I saw software that had to use workarounds like adding > the group dn to itself (and concealing the self-reference in the UI) > when an admin wants to remove the last member but not remove the whole > group. The potential problem is a consumer that knows that the "member" attribute MUST be present, and freaks out if it isn't.
- Re: [ldapext] DBIS commentary Bannister, Mark
- Re: [ldapext] DBIS commentary Steven Legg
- Re: [ldapext] DBIS commentary Simo Sorce
- Re: [ldapext] DBIS commentary Charlie
- Re: [ldapext] DBIS commentary Jordan Brown
- Re: [ldapext] DBIS commentary Bannister, Mark
- Re: [ldapext] DBIS commentary Ludovic Poitou
- Re: [ldapext] DBIS commentary Jordan Brown
- Re: [ldapext] DBIS commentary Charlie
- Re: [ldapext] DBIS commentary Jordan Brown
- [ldapext] Case sensitivity of user/group names (w… Jordan Brown
- Re: [ldapext] DBIS commentary Simo Sorce
- Re: [ldapext] DBIS commentary Simo Sorce
- [ldapext] Using groupOfNames (or similar) for UNI… Jordan Brown
- Re: [ldapext] DBIS commentary Bannister, Mark
- Re: [ldapext] Case sensitivity of user/group name… Bannister, Mark
- Re: [ldapext] DBIS commentary Jordan Brown
- Re: [ldapext] Using groupOfNames (or similar) for… Simo Sorce
- Re: [ldapext] Using groupOfNames (or similar) for… Jordan Brown
- Re: [ldapext] Using groupOfNames (or similar) for… Simo Sorce
- Re: [ldapext] DBIS commentary Bannister, Mark
- Re: [ldapext] DBIS commentary Bannister, Mark
- Re: [ldapext] Case sensitivity of user/group name… Jordan Brown
- Re: [ldapext] DBIS commentary Jordan Brown
- Re: [ldapext] Case sensitivity of user/group name… Charlie
- Re: [ldapext] Case sensitivity of user/group name… Jordan Brown
- Re: [ldapext] Case sensitivity of user/group name… Charlie
- Re: [ldapext] Case sensitivity of user/group name… Jordan Brown
- Re: [ldapext] Case sensitivity of user/group name… Oza, Dhairesh
- [ldapext] Case sensitivity summary Andrew Findlay
- Re: [ldapext] Case sensitivity summary Michael Ströder
- [ldapext] draft-masarati-ldap-deref as ldapext wo… Michael Ströder
- Re: [ldapext] Case sensitivity summary Simo Sorce
- Re: [ldapext] draft-masarati-ldap-deref as ldapex… Howard Chu
- Re: [ldapext] draft-masarati-ldap-deref as ldapex… Simo Sorce
- Re: [ldapext] Case sensitivity summary Andrew Findlay
- Re: [ldapext] Case sensitivity summary Michael Ströder
- Re: [ldapext] Using groupOfNames (or similar) for… Andrew Findlay
- Re: [ldapext] Case sensitivity of user/group name… Jordan Brown
- Re: [ldapext] Case sensitivity summary Bannister, Mark
- Re: [ldapext] Case sensitivity summary Andrew Findlay
- Re: [ldapext] Case sensitivity summary Bannister, Mark