Re: [ldapext] LDAP Groups topic split-out

Michael Ströder <michael@stroeder.com> Fri, 04 December 2015 10:02 UTC

Return-Path: <michael@stroeder.com>
X-Original-To: ldapext@ietfa.amsl.com
Delivered-To: ldapext@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8586E1B2DE3 for <ldapext@ietfa.amsl.com>; Fri, 4 Dec 2015 02:02:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.312
X-Spam-Level:
X-Spam-Status: No, score=-2.312 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LLTU0aij1aGa for <ldapext@ietfa.amsl.com>; Fri, 4 Dec 2015 02:02:35 -0800 (PST)
Received: from srv1.stroeder.com (srv1.stroeder.com [213.240.180.113]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F10F51B2F37 for <ldapext@ietf.org>; Fri, 4 Dec 2015 02:02:34 -0800 (PST)
Received: from srv4.stroeder.local (unknown [10.1.1.7]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "mail.stroeder.local", Issuer "stroeder.com Server CA no. 2009-07" (verified OK)) by srv1.stroeder.com (Postfix) with ESMTPS id CB5051CE55; Fri, 4 Dec 2015 10:02:31 +0000 (UTC)
Received: from nb2.stroeder.local (nb2.stroeder.local [10.1.1.5]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client did not present a certificate) by srv4.stroeder.local (Postfix) with ESMTPS id 86D161D29F; Fri, 4 Dec 2015 10:02:30 +0000 (UTC)
To: Charlie <medievalist@gmail.com>, ldapext <ldapext@ietf.org>
References: <CAJb3uA57jHCfhN6tQB6Kc7uOGF3g4w6GVmr6+OnhD4=k5zqEzw@mail.gmail.com>
From: =?UTF-8?Q?Michael_Str=c3=b6der?= <michael@stroeder.com>
X-Enigmail-Draft-Status: N1110
Message-ID: <566164B6.9080008@stroeder.com>
Date: Fri, 4 Dec 2015 11:02:30 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:42.0) Gecko/20100101 SeaMonkey/2.39
MIME-Version: 1.0
In-Reply-To: <CAJb3uA57jHCfhN6tQB6Kc7uOGF3g4w6GVmr6+OnhD4=k5zqEzw@mail.gmail.com>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="------------ms020200070302080009000608"
Archived-At: <http://mailarchive.ietf.org/arch/msg/ldapext/WrCEeI_ohW2NdzA1q4ndsES5YGg>
Subject: Re: [ldapext] LDAP Groups topic split-out
X-BeenThere: ldapext@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: LDAP Extension Working Group <ldapext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ldapext>, <mailto:ldapext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ldapext/>
List-Post: <mailto:ldapext@ietf.org>
List-Help: <mailto:ldapext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ldapext>, <mailto:ldapext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 04 Dec 2015 10:02:37 -0000

Charlie wrote:
> After reading David Foster Wallace on set theory, I wrote an RFC a
> couple years back to address the lack of a generic or globally useful
> grouping mechanism in LDAP-accessible directories.  Comments are
> welcomed.
> 
> http://typinganimal.net/rants/textify.php?f=draft-brooks-ldap-sets-00.txt

Although you will likely claim that your I-D also describes the problem in
general you're already endorsing a particular solution. :-/

I suspect that your mixed use of values in attribute 'psetMembership' will
rather contribute to the "hodgepodge of LDAP schema" you criticize than solving
problems.

Personally I don't see a strong need for generic "ur-objects" because one can
easily define such a schema for a particular deployment with custom schema with
particular semantics.

> If you're not up for a long-read, I would recommend just reading
> "Appendix D:  Other Efforts and their Shortcomings" which explains all
> the attempts to date and how they've failed to gain traction.

I agree with some of your points therein. But you have a wild mix of true issues
on one side and bad common practice with dummy objects on the other hand.

I'd say we should:
1. fix true issues (e.g. empty-group-problem) with a new I-D.
2. Add text (implementation notes, security considerations etc.) to prevent bad
practice.

For 2. you will never find text which prevents all people to shoot themselves in
the foot.

Ciao, Michael.