Re: [ldapext] empty-groupOfNames-issue

Simo Sorce <simo@redhat.com> Fri, 04 December 2015 15:45 UTC

Return-Path: <simo@redhat.com>
X-Original-To: ldapext@ietfa.amsl.com
Delivered-To: ldapext@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7A7B41A887F for <ldapext@ietfa.amsl.com>; Fri, 4 Dec 2015 07:45:17 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.911
X-Spam-Level:
X-Spam-Status: No, score=-6.911 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_HELO_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rc6_-AlguCNV for <ldapext@ietfa.amsl.com>; Fri, 4 Dec 2015 07:45:16 -0800 (PST)
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E25401A882A for <ldapext@ietf.org>; Fri, 4 Dec 2015 07:44:49 -0800 (PST)
Received: from int-mx14.intmail.prod.int.phx2.redhat.com (int-mx14.intmail.prod.int.phx2.redhat.com [10.5.11.27]) by mx1.redhat.com (Postfix) with ESMTPS id 7348BC07754F; Fri, 4 Dec 2015 15:44:49 +0000 (UTC)
Received: from willson.usersys.redhat.com ([10.3.113.3]) by int-mx14.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id tB4Filx2022161 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Fri, 4 Dec 2015 10:44:48 -0500
Message-ID: <1449243887.3445.59.camel@redhat.com>
From: Simo Sorce <simo@redhat.com>
To: Andrew Findlay <andrew.findlay@skills-1st.co.uk>
Date: Fri, 04 Dec 2015 10:44:47 -0500
In-Reply-To: <20151204134757.GE3643@slab.skills-1st.co.uk>
References: <5661765D.6040603@stroeder.com> <20151204134757.GE3643@slab.skills-1st.co.uk>
Organization: Red Hat, Inc.
Content-Type: text/plain; charset="UTF-8"
Mime-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Scanned-By: MIMEDefang 2.68 on 10.5.11.27
Archived-At: <http://mailarchive.ietf.org/arch/msg/ldapext/jLUUjwuBRKEe4bYYdlGp4flhtXQ>
Cc: ldapext <ldapext@ietf.org>, Michael =?ISO-8859-1?Q?Str=F6der?= <michael@stroeder.com>
Subject: Re: [ldapext] empty-groupOfNames-issue
X-BeenThere: ldapext@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: LDAP Extension Working Group <ldapext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ldapext>, <mailto:ldapext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ldapext/>
List-Post: <mailto:ldapext@ietf.org>
List-Help: <mailto:ldapext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ldapext>, <mailto:ldapext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 04 Dec 2015 15:45:17 -0000

On Fri, 2015-12-04 at 13:47 +0000, Andrew Findlay wrote:
> On Fri, Dec 04, 2015 at 12:17:49PM +0100, Michael Ströder wrote:
> 
> > 1. Modified standard schema descriptions for 'groupOfNames' and
> > 'groupOfUniqueNames':
> > 
> > This is the work-around already chosen by various vendors:
> > The MUST member or MUST uniqueMember is turned into MAY.
> > 
> > + it just works, no interop-problems seen so far.
> > + no change required in LDAP clients
> > + no change required in access control rules
> > + no change required in other client or server-side code dealing with groups
> > 
> > - It violates standardization best practices, most notably IANA considerations.
> > - It could serve as a bad example to change standard schema at will.
> > 
> > Hopefully Rolf Sonneveld and Andrew Findlay will clearly comment on IANA
> > considerations.
> 
> I don't think there is an IANA consideration here. The modified schema
> is (currently) incorrect according to RFC4519 or is alternatively an
> experiment leading to a proposed change to a standard. In the latter
> case it would have to be accepted by IETF and published in a new RFC
> that obsoletes 4519. At that time, IANA would update the reference in
> the Object Identifiers table to point to the new document but would have
> no other involvement.
> 
> In practice I cannot see such a change ever being accepted into the
> standards track. If anything, the relatively wide distribution of
> non-conformant implementations makes a stronger case for deprecating
> these objectclasses for new deployments.
> 
> The definition of groupOfNames goes right back to X.521(1988) and it was
> already broken at that point:
> 
> a)	member was a mandatory attribute
> 
> b)	Nested groups were mentioned in the text but the semantics
> 	were left undefined
> 
> > -------------------------------------------------------------------------
> > 
> > 2. new object class 'groupOfEntries'
> > 
> > Andrew kindly wrote an mini I-D defining a new structural object class
> > 'groupOfEntries' simply with MAY member instead of MUST meant as direct
> > replacement for 'groupOfNames'.
> > 
> > http://tools.ietf.org/html/draft-findlay-ldap-groupofentries
> > 
> > + Very simple
> > + Fully compliant to standardization best practices
> > 
> > - It's not clear whether it was widely adopted in deployments.
> 
> Maybe not in the exact form I described in that I-D, but functionally
> equivalent objectclasses have been in most of my customers' systems.
> It could be argued that the corrupted form of groupOfNames described
> above is actually proof of widespread deployment of an analogous class.

My 2c:
An auxiliary class may be a better choice for a standard.

> > - small change required in LDAP clients for searching group entries
> > - small change required in access control rules
> > - small changes required in other client or server-side code dealing with groups
> 
> Andrew


-- 
Simo Sorce * Red Hat, Inc * New York