Re: [ldapext] DBIS - new IETF drafts

[Charlie <medievalist@gmail.com>]

I (Charlie) said:
> 2) POSIX group semantics are the bane of open-source LDAP.  The
> functional paradigm that a member is an attribute of a group is
> fundamentally broken; group membership is an attribute of the member.
> The security concerns frequently raised concerning this are all either
> trivially solvable or pragmatically completely bogus.

Howard replied:
>Sorry but that makes no sense. It's the same as saying 'element e is a member of set S' >is true but 'set S contains element e' is false. If one is true then both must be true.

Perhaps I'm not conveying the concept well.  I'm talking about how
something is expressed and the results certain semantics actually have
on real life, on real human endeavors.  I'm not talking about the
academic equivalency of two forms of symbolic expression.

But it's true that it's no more difficult to add a "memberOf"
attribute to an object than it is to add a "Member" attribute to
another object.  The spurious efficiency of querying LDAP for a member
list (at least one member of which will be queried *again* nearly one
hundred percent of the time) instead of querying against a membership
filter is a mental bugaboo that has retarded progress in LDAP-capable
directory software.

POSIX group lists are an ill-considered hack that somebody (I think
Ritchie) haphazardly pasted onto Unix when they were still trying to
interact with GECOS systems.  They infect the filesystem paradigm and
the user management paradigm and make *nix lamer than it needs to be.
They discourage group nesting and just-in-time resolution and other
desirable practices that exist in the real world that directories are
trying to usefully represent.  Their flat list design ignores human
psychological and empirical organizational realities.

Dynamic groups and/or stored group queries are better, although I've
never seen an optimal implementation of either.  The groups that
people REALLY need to represent in their directories are things like
"the set of people on site competent to reconstitute the threadline"
and "the set of employees accessing the reactor robotics right now"
and "the set of objects in route to Dusseldorf".  Enterprise
directories that try to accurately model reality as it exists will be
far more pragmatically useful than those that simply regurgitate
inherently error-prone and outdated static lists.

POSIX groups suck.  They are the second worst thing in *nix.  OK,
maybe the 3rd.  A directory should never model /etc/groups... yes, it
should be able to generate group lists for POSIX compatibility, but
internally a directory should attempt a more powerful cognitive model
than a grocery list.

If people want to discuss this more, please split the topic off from
Mr. Bannister's thread or contact me privately, since he's already
replied to my post.

--Charlie