Re: [ldapext] empty-groupOfNames-issue
Andrew Findlay <andrew.findlay@skills-1st.co.uk> Fri, 04 December 2015 15:28 UTC
Return-Path: <andrew.findlay@skills-1st.co.uk>
X-Original-To: ldapext@ietfa.amsl.com
Delivered-To: ldapext@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ED7971A87CD for <ldapext@ietfa.amsl.com>; Fri, 4 Dec 2015 07:28:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.602
X-Spam-Level:
X-Spam-Status: No, score=-1.602 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, MIME_8BIT_HEADER=0.3, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id q7p3r0QAQRsq for <ldapext@ietfa.amsl.com>; Fri, 4 Dec 2015 07:28:51 -0800 (PST)
Received: from kea.ourshack.com (kea.ourshack.com [IPv6:2001:470:1f15:20::201]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B8D6E1A87CE for <ldapext@ietf.org>; Fri, 4 Dec 2015 07:25:14 -0800 (PST)
Received: from 4.9.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.e.7.f.0.d.8.0.0.b.8.0.1.0.0.2.ip6.arpa ([2001:8b0:8d0:f7e1::94] helo=slab.skills-1st.co.uk) by kea.ourshack.com with esmtpsa (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.72) (envelope-from <andrew.findlay@skills-1st.co.uk>) id 1a4sER-0006Be-5K; Fri, 04 Dec 2015 15:25:11 +0000
Received: from andrew by slab.skills-1st.co.uk with local (Exim 4.85) (envelope-from <andrew.findlay@skills-1st.co.uk>) id 1a4sEQ-0002YD-Jz; Fri, 04 Dec 2015 15:25:10 +0000
Date: Fri, 04 Dec 2015 15:25:10 +0000
From: Andrew Findlay <andrew.findlay@skills-1st.co.uk>
To: Michael Ströder <michael@stroeder.com>
Message-ID: <20151204152510.GG3643@slab.skills-1st.co.uk>
References: <5661765D.6040603@stroeder.com> <20151204134757.GE3643@slab.skills-1st.co.uk> <56619F0A.8060608@stroeder.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <56619F0A.8060608@stroeder.com>
User-Agent: Mutt/1.5.21 (2010-09-15)
Sender: Andrew Findlay <andrew.findlay@skills-1st.co.uk>
Archived-At: <http://mailarchive.ietf.org/arch/msg/ldapext/thlenRspvQ-9PA3B_ALydXDuLx0>
Cc: ldapext <ldapext@ietf.org>
Subject: Re: [ldapext] empty-groupOfNames-issue
X-BeenThere: ldapext@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: LDAP Extension Working Group <ldapext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ldapext>, <mailto:ldapext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ldapext/>
List-Post: <mailto:ldapext@ietf.org>
List-Help: <mailto:ldapext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ldapext>, <mailto:ldapext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 04 Dec 2015 15:28:53 -0000
On Fri, Dec 04, 2015 at 03:11:22PM +0100, Michael Ströder wrote: > Do you think that a complete replacement RFC _obsoleting_ RFC 4519 would be > needed? If the ldapext community would agree on changing the standard wouldn't > a small RFC _updating_ RFC 4519 also be sufficient? That may be possible, but I don't know enough about the conventions to be sure. > Please let us keep the scope limited to the empty-groupOfNames-issue. I'm not > keen on opening the can-of-worms on semantics of nested groups. Indeed. That needs tackling in due course, but it is a much bigger problem. > >> http://tools.ietf.org/html/draft-findlay-ldap-groupofentries > >> > >> + Very simple > >> + Fully compliant to standardization best practices > >> > >> - It's not clear whether it was widely adopted in deployments. > > > > Maybe not in the exact form I described in that I-D, but functionally > > equivalent objectclasses have been in most of my customers' systems. > > It could be argued that the corrupted form of groupOfNames described > > above is actually proof of widespread deployment of an analogous class. > > Hmm, the wording gets a bit blurry here. > How would you explain the clear distinction between 1. and 2.? There are exacly 2 differences between groupOfNames and groupOfEntries: 1) the member attribute is mandatory in groupOfNames but optional in groupOfEntries 2) the name and OID are different In practical terms, groupOfEntries is better because it allows for empty groups. The benefits are: a) Empty groups are reasonable things to have: the need for a group does not disappear just because there are no current members. b) Forcing groups to always contain at least one entry causes management systems to do silly things like adding an entry for a non-existent member or even making the group recursively a member of itself. These workarounds for the broken definition can cause security problems as well as just being awkward. There is no defined convention for doing this, so identifying the dummy member can be difficult. If several management systems can modify the same entry it is possible that it will accumulate several dummy members. Changing the existing groupOfNames to make member an optional attribute does not solve the problem: p) Existing management systems will continue to add dummy members but new ones will not know what to do about such values. q) New management systems will have to check the schema definition to find out whether member is mandatory or not. In effect, groupOfNames has been corrupted and is no longer a portable objectclass. On the other hand, the corrupt version of groupOfNames does serve as a proof that groupOfEntries is desired by the community because it is functionally identical. Andrew -- ----------------------------------------------------------------------- | From Andrew Findlay, Skills 1st Ltd | | Consultant in large-scale systems, networks, and directory services | | http://www.skills-1st.co.uk/ +44 1628 782565 | -----------------------------------------------------------------------
- [ldapext] empty-groupOfNames-issue Michael Ströder
- Re: [ldapext] empty-groupOfNames-issue Andrew Findlay
- Re: [ldapext] empty-groupOfNames-issue Michael Ströder
- Re: [ldapext] empty-groupOfNames-issue Andrew Findlay
- Re: [ldapext] empty-groupOfNames-issue Simo Sorce
- Re: [ldapext] empty-groupOfNames-issue Simo Sorce
- Re: [ldapext] empty-groupOfNames-issue Simo Sorce
- Re: [ldapext] empty-groupOfNames-issue Andrew Findlay
- Re: [ldapext] empty-groupOfNames-issue Michael Ströder
- Re: [ldapext] empty-groupOfNames-issue Michael Ströder
- Re: [ldapext] empty-groupOfNames-issue Simo Sorce
- Re: [ldapext] empty-groupOfNames-issue Jordan Brown