Re: [ldapext] DBIS commentary
Simo Sorce <simo@redhat.com> Wed, 02 December 2015 01:21 UTC
Return-Path: <simo@redhat.com>
X-Original-To: ldapext@ietfa.amsl.com
Delivered-To: ldapext@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2A13D1B3037 for <ldapext@ietfa.amsl.com>; Tue, 1 Dec 2015 17:21:53 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.911
X-Spam-Level:
X-Spam-Status: No, score=-6.911 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_HELO_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6ZBaWrbJmVES for <ldapext@ietfa.amsl.com>; Tue, 1 Dec 2015 17:21:51 -0800 (PST)
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DC0881B3034 for <ldapext@ietf.org>; Tue, 1 Dec 2015 17:21:50 -0800 (PST)
Received: from int-mx11.intmail.prod.int.phx2.redhat.com (int-mx11.intmail.prod.int.phx2.redhat.com [10.5.11.24]) by mx1.redhat.com (Postfix) with ESMTPS id A0A0A8E22B; Wed, 2 Dec 2015 01:21:50 +0000 (UTC)
Received: from willson.usersys.redhat.com ([10.3.113.3]) by int-mx11.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id tB21LmEX005831 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Tue, 1 Dec 2015 20:21:49 -0500
Message-ID: <1449019308.9040.38.camel@redhat.com>
From: Simo Sorce <simo@redhat.com>
To: Jordan Brown <Jordan.Brown@oracle.com>
Date: Tue, 01 Dec 2015 20:21:48 -0500
In-Reply-To: <565DDE78.5030908@oracle.com>
References: <5655E4F0.7030809@oracle.com> <814F4E458AA9FF4E89CF1A9EDA0DE2A932F618A3@OZWEX0209N1.msad.ms.com> <565CAC30.6010701@oracle.com> <814F4E458AA9FF4E89CF1A9EDA0DE2A932F8EAFD@OZWEX0209N2.msad.ms.com> <565DDE78.5030908@oracle.com>
Organization: Red Hat, Inc.
Content-Type: text/plain; charset="UTF-8"
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Scanned-By: MIMEDefang 2.68 on 10.5.11.24
Archived-At: <http://mailarchive.ietf.org/arch/msg/ldapext/xclO2bk8nN64eAj-7sdbPwPoyiQ>
Cc: "'ldapext@ietf.org'" <ldapext@ietf.org>
Subject: Re: [ldapext] DBIS commentary
X-BeenThere: ldapext@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: LDAP Extension Working Group <ldapext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ldapext>, <mailto:ldapext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ldapext/>
List-Post: <mailto:ldapext@ietf.org>
List-Help: <mailto:ldapext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ldapext>, <mailto:ldapext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Dec 2015 01:21:53 -0000
On Tue, 2015-12-01 at 09:52 -0800, Jordan Brown wrote: > > I have people telling me groupOfNames doesn't work well for them > > because it can be a group of anything. > > Extra LDAP searches are required to figure out what type of object > > the members are. That leads to a rather inefficient system. > > > > There are two problems there: > > 1) A group could contain anything, even when you want it to only > contain one type. Administrator error could lead to incorrect > configurations. In programming-ese, it's not type-safe. One might > hope that you could set up metadata limiting the types of objects that > could be added to a group, like you can set up limits on the types of > objects that can be put in a container, but I don't know if you can. > One hopes that your administration UIs will help here - if you're > defining a group of users, the administration UI presumably knows that > and only lets you add users. At the same time, this flexibility > enables nested groups, which can be very useful. This is very true and there are products that can cope, there are also mechanism to more efficiently (at least latency wise) if you use controls like: https://tools.ietf.org/html/draft-masarati-ldap-deref-00 Both OpenLDAP and 389ds (for FreeIPA) implement this control and we use it in various clients. > 2) You have to do "extra" searches to get any real information on the > member. The control above helps quite a bit in cases where you really need to search. > Yes, that's a very big problem. The particular pain point is that > getgrnam and getgrgid are defined to return a list of the members of > the group, necessitating a search for *each* member. That gets pretty > painful when a group has thousands of members. It is fully broken indeed, based on age old databases that were very small and always local to the system. > I think the truly right answer there is to add new APIs that don't > retrieve the members, and even to redefine the existing APIs to not > retrieve the members, because there are almost no cases where it > actually makes sense to retrieve the list of members of a UNIX group. It would be nice to have a new API, although Posix has some wiggle room which we fully exploit in clients like Windbind and SSSD. Both clients simply do not return all members in the enumeration cases (getgrent) but only in the explicit group retrieve case (getgrnam). This is because Posix allows to omit results in the enumeration case according to some interpretations. > The standards provide some help in that there are hints in the UNIX > standard that the list of members returned may not be complete. Indeed, some admins complain about this so switches are provided in the above mentioned clients to behave "the classic way". And surprisingly very few systems really have a big issue with this. Given that any application that depends on full group enumeration is already fully broken and a performance liability on any enterprise system that has accounts in the thousands. > Also: Caching is your friend. Note also that the PADL version of > nss_ldap has a "nss_getgrent_skipmembers" option that disables > returning the list of members. Any client that doesn't do caching today is really a bad idea. > As long as we're talking about flaws in groupOfNames: there's also > the problem that "member" is a MUST attribute, and that makes empty > groups problematic. This was, in fact, such a big problem that in the FreeIPA product we decided to break with the standard and changed member to be MAY, never looked back on this choice. > Active Directory uses the same basic structure, but uses the "group" > class instead of groupOfNames, and for "group" the "member" attribute > is a MAY. RFC2307bis-02 replaces groupOfNames with groupOfMembers, > again with "member" as a MAY. > > (One might have hoped that you could have an attribute with a empty > list of values, but X.501 does not allow that.) > > > See previous reservations regarding groupOfNames. Imagine trying to > construct a > > search > > operation to find just host members, or just user members. > > Do note that the queries that you normally need are "is this host (or > user) a member of this group" and "what groups is this user a member > of". It's hard to find cases where you really want to ask "what are > the members of this group". The "is this X a member" and "what groups > is this X a member of" queries aren't bad at all with groupOfNames - > you have to do a lookup on X to get its DN, but then you > just do a natural (and efficient) search. Yes this is generally the case for "system level" clients, but indeed many poor administrative clients tend to do the former kind of query, because they think it is a good idea to show all the members, they tend to have some problems when the members reach the multiple tens of thousands :-) Simo. P.S. I switched to use my "corporate" email address so there is no confusion on what hat I may be wearing. -- Simo Sorce * Red Hat, Inc * New York
- Re: [ldapext] DBIS commentary Bannister, Mark
- Re: [ldapext] DBIS commentary Steven Legg
- Re: [ldapext] DBIS commentary Simo Sorce
- Re: [ldapext] DBIS commentary Charlie
- Re: [ldapext] DBIS commentary Jordan Brown
- Re: [ldapext] DBIS commentary Bannister, Mark
- Re: [ldapext] DBIS commentary Ludovic Poitou
- Re: [ldapext] DBIS commentary Jordan Brown
- Re: [ldapext] DBIS commentary Charlie
- Re: [ldapext] DBIS commentary Jordan Brown
- [ldapext] Case sensitivity of user/group names (w… Jordan Brown
- Re: [ldapext] DBIS commentary Simo Sorce
- Re: [ldapext] DBIS commentary Simo Sorce
- [ldapext] Using groupOfNames (or similar) for UNI… Jordan Brown
- Re: [ldapext] DBIS commentary Bannister, Mark
- Re: [ldapext] Case sensitivity of user/group name… Bannister, Mark
- Re: [ldapext] DBIS commentary Jordan Brown
- Re: [ldapext] Using groupOfNames (or similar) for… Simo Sorce
- Re: [ldapext] Using groupOfNames (or similar) for… Jordan Brown
- Re: [ldapext] Using groupOfNames (or similar) for… Simo Sorce
- Re: [ldapext] DBIS commentary Bannister, Mark
- Re: [ldapext] DBIS commentary Bannister, Mark
- Re: [ldapext] Case sensitivity of user/group name… Jordan Brown
- Re: [ldapext] DBIS commentary Jordan Brown
- Re: [ldapext] Case sensitivity of user/group name… Charlie
- Re: [ldapext] Case sensitivity of user/group name… Jordan Brown
- Re: [ldapext] Case sensitivity of user/group name… Charlie
- Re: [ldapext] Case sensitivity of user/group name… Jordan Brown
- Re: [ldapext] Case sensitivity of user/group name… Oza, Dhairesh
- [ldapext] Case sensitivity summary Andrew Findlay
- Re: [ldapext] Case sensitivity summary Michael Ströder
- [ldapext] draft-masarati-ldap-deref as ldapext wo… Michael Ströder
- Re: [ldapext] Case sensitivity summary Simo Sorce
- Re: [ldapext] draft-masarati-ldap-deref as ldapex… Howard Chu
- Re: [ldapext] draft-masarati-ldap-deref as ldapex… Simo Sorce
- Re: [ldapext] Case sensitivity summary Andrew Findlay
- Re: [ldapext] Case sensitivity summary Michael Ströder
- Re: [ldapext] Using groupOfNames (or similar) for… Andrew Findlay
- Re: [ldapext] Case sensitivity of user/group name… Jordan Brown
- Re: [ldapext] Case sensitivity summary Bannister, Mark
- Re: [ldapext] Case sensitivity summary Andrew Findlay
- Re: [ldapext] Case sensitivity summary Bannister, Mark