Re: [ldapext] DBIS - new IETF drafts

Michael Ströder <> Fri, 10 January 2014 15:19 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 960851AE0AA for <>; Fri, 10 Jan 2014 07:19:28 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.839
X-Spam-Status: No, score=-2.839 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-0.538, SPF_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id kthiknDzutet for <>; Fri, 10 Jan 2014 07:19:25 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id 811D11AE06F for <>; Fri, 10 Jan 2014 07:19:25 -0800 (PST)
Received: from localhost (localhost []) by (Postfix) with ESMTP id B9DFD6075E; Fri, 10 Jan 2014 16:19:14 +0100 (CET)
X-Virus-Scanned: amavisd-new at
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 7AyDv6Et3Zho; Fri, 10 Jan 2014 16:19:07 +0100 (CET)
Received: from [] (unknown []) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (Client CN "Michael Str??der", Issuer "CA Cert Signing Authority" (verified OK)) by (Postfix) with ESMTPS id F11F4607FF; Fri, 10 Jan 2014 15:19:05 +0000 (UTC)
Message-ID: <>
Date: Fri, 10 Jan 2014 16:10:14 +0100
From: =?ISO-8859-1?Q?Michael_Str=F6der?= <>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:26.0) Gecko/20100101 Firefox/26.0 SeaMonkey/2.23
MIME-Version: 1.0
To: Mark R Bannister <>,
References: <> <> <> <> <> <> <> <> <>
In-Reply-To: <>
X-Enigmail-Version: 1.6
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha1; boundary="------------ms020109040206000906070903"
Subject: Re: [ldapext] DBIS - new IETF drafts
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: LDAP Extension Working Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 10 Jan 2014 15:19:28 -0000

Mark R Bannister wrote:
> On 09/01/2014 14:50, Michael Ströder wrote:
>> Mark R Bannister wrote:
>>> I don't personally like the idea
>>> of having per-user shadow attributes, however some might see it as a feature
>>> and there may be some edge cases where this is exactly what is required.
>> AFAICS today nobody is seriously using LDAP with shadow attributes anymore.
> Please provide me some empirical evidence that this assertion is true.

Not numbers but my impression from lurking on various directory-related
mailing lists.

>>> draft-behera-ldap-password-policy-10 is already widely deployed, you say?
>>> Then it must go higher up in my reading list.
>> Yes, it's the only standard considered widely deployed. You have to know it.
> Thanks.  Do we have any idea how widely adopted it is?

Currently everybody who wants to use LDAP password policy has to use it. It's
the only standard I know of for which is at least some client support implemented.

>>> Indeed, I agree, as stated earlier on I would whole-heartedly recommend
>>> against having user-specific policy settings.  However, providing the facility
>>> as an option for those who want to make minimal changes to their NIS
>>> environment is harmless.
>> If I replace NIS with LDAP I already have two options:
>> 1. Simply use RFC 2307(bis) for a naive transition
>> 2. Do a migration to really meaningful LDAP schema
>> IMHO with 2. I can drop all NIS specific things anyway. You have to decide
>> whether DBIS is just an improvement for 1. or a real innvotation for 2.
> It's 2.  Show me something I've done that's not "really meaningful" and we'll
> look at improving it.

Well, if you claim that you will implement a NIS/DBIS gateway you don't have
to define user-specific policy settings. You can map anything you want in your
gateway provided there's a reference from the user entry to the policy entry.
I'd go for a DN reference so you can make use of deref control.

Ciao, Michael.