Re: [ldapext] DBIS - new IETF drafts
Charlie <medievalist@gmail.com> Mon, 13 January 2014 17:21 UTC
Return-Path: <medievalist@gmail.com>
X-Original-To: ldapext@ietfa.amsl.com
Delivered-To: ldapext@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B62DC1AE19C for <ldapext@ietfa.amsl.com>; Mon, 13 Jan 2014 09:21:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.979
X-Spam-Level:
X-Spam-Status: No, score=-0.979 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, MISSING_HEADERS=1.021, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WW0KVMNQw06C for <ldapext@ietfa.amsl.com>; Mon, 13 Jan 2014 09:21:21 -0800 (PST)
Received: from mail-lb0-x22e.google.com (mail-lb0-x22e.google.com [IPv6:2a00:1450:4010:c04::22e]) by ietfa.amsl.com (Postfix) with ESMTP id CC7BB1ADFD4 for <ldapext@ietf.org>; Mon, 13 Jan 2014 09:21:20 -0800 (PST)
Received: by mail-lb0-f174.google.com with SMTP id p9so3647624lbv.5 for <ldapext@ietf.org>; Mon, 13 Jan 2014 09:21:09 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:cc :content-type; bh=BDmhmgeynVvu1NN6HFbcTKQUEWDE8cSD3fxY8i4qOho=; b=OULhnjaLw2kQby4HdbWn44XQZ4lRqQ4Oma9C6VudPJoBMrwKkU1WnGVzOBDCNKn0d9 drDPOhmRQU+o3PTvg1uCYq4AVoJoUWJp65bGHBiVIuzwpCAeWjPIn+duixo1A4ey0ZHl tJD4NYUMn0oK28utiMcu+I7a1Xms0fyLel9cpmWXwqIKR1BWtMqttaMzzTFLRbvWm4bc Mj8haWGW0sFsaylZcNNd9gq4LDT3/r3981Wt4S01it1EFQkrt8edh0f6bdzN6lB2Ka/d cNAxBbu5UZmcA/mAyIyK0YlH0KCySvLIBPGhykyrq9ZWdduF9vt1sQlL/DWDzKDtgl/3 IOZg==
MIME-Version: 1.0
X-Received: by 10.152.170.168 with SMTP id an8mr4775890lac.39.1389633666619; Mon, 13 Jan 2014 09:21:06 -0800 (PST)
Received: by 10.112.141.65 with HTTP; Mon, 13 Jan 2014 09:21:06 -0800 (PST)
In-Reply-To: <52D356A4.3010508@highlandsun.com>
References: <1389133522.4574.30.camel@sorbet.thuis.net> <52CD9F94.2090707@stroeder.com> <52CDC249.8050407@proseconsulting.co.uk> <CAJb3uA6mXTXvBtFc1W=_eCYbfEgGJibdwu1zxU4BtiZvCw6-zg@mail.gmail.com> <52D356A4.3010508@highlandsun.com>
Date: Mon, 13 Jan 2014 12:21:06 -0500
Message-ID: <CAJb3uA7ufAkr5S9L6Hi4AaQV+DSMKA-Bg0kxFEizQf9TcwZAhA@mail.gmail.com>
From: Charlie <medievalist@gmail.com>
Cc: ldapext <ldapext@ietf.org>
Content-Type: text/plain; charset="ISO-8859-1"
Subject: Re: [ldapext] DBIS - new IETF drafts
X-BeenThere: ldapext@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: LDAP Extension Working Group <ldapext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ldapext>, <mailto:ldapext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ldapext/>
List-Post: <mailto:ldapext@ietf.org>
List-Help: <mailto:ldapext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ldapext>, <mailto:ldapext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 13 Jan 2014 17:21:23 -0000
I (Charlie) said: > 2) POSIX group semantics are the bane of open-source LDAP. The > functional paradigm that a member is an attribute of a group is > fundamentally broken; group membership is an attribute of the member. > The security concerns frequently raised concerning this are all either > trivially solvable or pragmatically completely bogus. Howard replied: >Sorry but that makes no sense. It's the same as saying 'element e is a member of set S' >is true but 'set S contains element e' is false. If one is true then both must be true. Perhaps I'm not conveying the concept well. I'm talking about how something is expressed and the results certain semantics actually have on real life, on real human endeavors. I'm not talking about the academic equivalency of two forms of symbolic expression. But it's true that it's no more difficult to add a "memberOf" attribute to an object than it is to add a "Member" attribute to another object. The spurious efficiency of querying LDAP for a member list (at least one member of which will be queried *again* nearly one hundred percent of the time) instead of querying against a membership filter is a mental bugaboo that has retarded progress in LDAP-capable directory software. POSIX group lists are an ill-considered hack that somebody (I think Ritchie) haphazardly pasted onto Unix when they were still trying to interact with GECOS systems. They infect the filesystem paradigm and the user management paradigm and make *nix lamer than it needs to be. They discourage group nesting and just-in-time resolution and other desirable practices that exist in the real world that directories are trying to usefully represent. Their flat list design ignores human psychological and empirical organizational realities. Dynamic groups and/or stored group queries are better, although I've never seen an optimal implementation of either. The groups that people REALLY need to represent in their directories are things like "the set of people on site competent to reconstitute the threadline" and "the set of employees accessing the reactor robotics right now" and "the set of objects in route to Dusseldorf". Enterprise directories that try to accurately model reality as it exists will be far more pragmatically useful than those that simply regurgitate inherently error-prone and outdated static lists. POSIX groups suck. They are the second worst thing in *nix. OK, maybe the 3rd. A directory should never model /etc/groups... yes, it should be able to generate group lists for POSIX compatibility, but internally a directory should attempt a more powerful cognitive model than a grocery list. If people want to discuss this more, please split the topic off from Mr. Bannister's thread or contact me privately, since he's already replied to my post. --Charlie
- [ldapext] DBIS - new IETF drafts Mark R Bannister
- Re: [ldapext] DBIS - new IETF drafts Howard Chu
- Re: [ldapext] DBIS - new IETF drafts Mark R Bannister
- Re: [ldapext] DBIS - new IETF drafts Howard Chu
- Re: [ldapext] DBIS - new IETF drafts Mark R Bannister
- Re: [ldapext] DBIS - new IETF drafts Mark R Bannister
- Re: [ldapext] DBIS - new IETF drafts Howard Chu
- Re: [ldapext] DBIS - new IETF drafts Howard Chu
- Re: [ldapext] DBIS - new IETF drafts Arthur de Jong
- Re: [ldapext] DBIS - new IETF drafts Michael Ströder
- Re: [ldapext] DBIS - new IETF drafts Michael Ströder
- Re: [ldapext] DBIS - new IETF drafts Mark R Bannister
- Re: [ldapext] DBIS - new IETF drafts Mark R Bannister
- Re: [ldapext] DBIS - new IETF drafts Mark R Bannister
- Re: [ldapext] DBIS - new IETF drafts Mark R Bannister
- Re: [ldapext] DBIS - new IETF drafts Mark R Bannister
- Re: [ldapext] DBIS - new IETF drafts Michael Ströder
- Re: [ldapext] DBIS - new IETF drafts Michael Ströder
- Re: [ldapext] DBIS - new IETF drafts Michael Ströder
- Re: [ldapext] DBIS - new IETF drafts Michael Ströder
- Re: [ldapext] DBIS - new IETF drafts Ludovic Poitou
- Re: [ldapext] DBIS - new IETF drafts Clément OUDOT
- Re: [ldapext] DBIS - new IETF drafts Andrew Findlay
- Re: [ldapext] DBIS - new IETF drafts Andrew Findlay
- Re: [ldapext] DBIS - new IETF drafts Michael Ströder
- Re: [ldapext] DBIS - new IETF drafts Michael Ströder
- Re: [ldapext] DBIS - new IETF drafts Michael Ströder
- Re: [ldapext] DBIS - new IETF drafts Michael Ströder
- Re: [ldapext] DBIS - new IETF drafts Charlie
- Re: [ldapext] DBIS - new IETF drafts Luke Howard
- Re: [ldapext] DBIS - new IETF drafts Neal-Joslin, Robert (3PAR Engineering)
- Re: [ldapext] DBIS - new IETF drafts Howard Chu
- Re: [ldapext] DBIS - new IETF drafts Michael Ströder
- Re: [ldapext] DBIS - new IETF drafts Mark R Bannister
- Re: [ldapext] DBIS - new IETF drafts Mark R Bannister
- Re: [ldapext] DBIS - new IETF drafts Mark R Bannister
- Re: [ldapext] DBIS - new IETF drafts Mark R Bannister
- Re: [ldapext] DBIS - new IETF drafts Mark R Bannister
- Re: [ldapext] DBIS - new IETF drafts Luke Howard
- Re: [ldapext] DBIS - new IETF drafts Luke Howard
- Re: [ldapext] DBIS - new IETF drafts Mark R Bannister
- Re: [ldapext] DBIS - new IETF drafts Mark R Bannister
- Re: [ldapext] DBIS - new IETF drafts Mark R Bannister
- Re: [ldapext] DBIS - new IETF drafts Mark R Bannister
- Re: [ldapext] DBIS - new IETF drafts Michael Ströder
- Re: [ldapext] DBIS - new IETF drafts Mark R Bannister
- Re: [ldapext] DBIS - new IETF drafts Michael Ströder
- Re: [ldapext] DBIS - new IETF drafts Michael Ströder
- Re: [ldapext] DBIS - new IETF drafts Andrew Findlay
- Re: [ldapext] DBIS - new IETF drafts Andrew Findlay
- Re: [ldapext] DBIS - new IETF drafts Michael Ströder
- Re: [ldapext] DBIS - new IETF drafts Michael Ströder
- Re: [ldapext] DBIS - new IETF drafts Howard Chu
- Re: [ldapext] DBIS - new IETF drafts Charlie
- Re: [ldapext] DBIS - new IETF drafts Mark R Bannister