Re: [ldapext] RFC2307, netgroups, DBIS

Michael Ströder <> Wed, 11 February 2015 12:53 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 593B81A887F for <>; Wed, 11 Feb 2015 04:53:20 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.312
X-Spam-Status: No, score=-2.312 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id voct1dyaWxry for <>; Wed, 11 Feb 2015 04:53:17 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 444581A888C for <>; Wed, 11 Feb 2015 04:53:17 -0800 (PST)
Received: from srv4.stroeder.local (srv4.stroeder.local []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "mail.stroeder.local", Issuer " Server CA no. 2009-07" (not verified)) by (Postfix) with ESMTPS id E6B4F1CF9B; Wed, 11 Feb 2015 12:53:14 +0000 (UTC)
Received: from localhost (localhost []) by srv4.stroeder.local (Postfix) with ESMTP id 382DD1D2A1; Wed, 11 Feb 2015 12:53:13 +0000 (UTC)
X-Virus-Scanned: amavisd-new at stroeder.local
Received: from srv4.stroeder.local ([]) by localhost (srv4.stroeder.local []) (amavisd-new, port 10024) with ESMTP id QBo_1r4gF8se; Wed, 11 Feb 2015 12:52:58 +0000 (UTC)
Received: from nb2.stroeder.local (nb2.stroeder.local []) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client did not present a certificate) by srv4.stroeder.local (Postfix) with ESMTPS id CDA101CFB5; Wed, 11 Feb 2015 12:52:57 +0000 (UTC)
Message-ID: <>
Date: Wed, 11 Feb 2015 13:52:56 +0100
From: =?UTF-8?Q?Michael_Str=c3=b6der?= <>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:35.0) Gecko/20100101 SeaMonkey/2.32.1
MIME-Version: 1.0
To: Mark R Bannister <>
References: <etPan.54c553b0.19e21bb2.1f2@lpm.local> <> <> <> <> <> <> <> <> <>
In-Reply-To: <>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha1; boundary="------------ms080701030807000309070503"
Archived-At: <>
Subject: Re: [ldapext] RFC2307, netgroups, DBIS
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: LDAP Extension Working Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 11 Feb 2015 12:53:20 -0000

Mark R Bannister wrote:
> On 04/02/2015 23:18, Michael Ströder wrote:
>> Mark R Bannister wrote:
>>> wrote:
>>>> Mark R Bannister wrote:
>>>>> On 28/01/2015 14:14, Simo wrote:
>>>>>> It hurts me to curb enthusiasm, but I think your drafts are not a step
>>>>>> forward, at most a step sideways, and ignore what's out there right now.
>>>>> Given that they were written to fix specific deficiencies in RFC2307bis
>>>>> that were causing pain in a number of very large enterprises I have worked
>>>>> for, I don't see how they could be considered a step sideways.
>>>> Maybe I did not look closely enough. Could you please point me to some text
>>>> describing the specific deficiencies you solved in more detail?
>>> Have at look at the abstract on page 2 of
>>>  One of the first
>>> biggest requirements was reintroducing case sensitivity in a way that would be
>>> fully compatible with NIS, see the description of the en (4.2) and rn (4.3)
>>> attributes in particular.
>> Yes, case-sensitive matching is an issue and I already saw that text in your
>> drafts. I've simply added additional local constraints to the config limiting
>> e.g. attribute 'uid' to lower-case values. So it was not that important to me.
> "Not that important to me" suggests, once again, that you are coming up
> with a point solution, and not a solution that could be widely adopted.

Not right. I simply have other priorities leading to another compromise.

> I have designed a replacement for an RFC that can be very widely adopted.

As already pointed out:
Your approach is not backward compatible to PAM/NSS clients making hard-coded
use of RFC 2307 schema.  I have some doubts that it will be widely used.

> Your approach to the 'uid' attribute precludes any other use of this
> attribute within the same directory server by other applications and is
> not standards-compliant.

Could you please elaborate why defining local constraints is "not
standards-compliant".  I'm really eager to learn more about standards. ;-)

Since you tend to solve things at the client side you could easily configure
PAM/NSS clients to use an extensible LDAP filter using case-sensitive matching
rule for searching users and groups by their name.

>>> Also, another requirement was to fix the schema so
>>> that duplicate alias names could be easily detected and prevented (1.2).
>> Are you talking about this text?
>> Frankly I don't get it (besides the SHALL for LDAP client configuration).
> As in

I know what LDAP alias entries are but I avoid using them.  I suspect that you
try to cure a problem caused by using a specific search base in your PAM/NSS
client configuration.  The approach is simply wrong.

Instead I'd say fix your data and keep client config simple. ;-)

>>> Strange appliances - not unless I can get the vendor to add support for DBIS.
>> And that is exactly the point.
> That is no different with any new technology.  As uptake spreads, and
> customer demands increase, vendors add support for the new stuff.  As DBIS
> works with the old RFC2307/RFC2307bis schema as well, customers can begin
> to use DBIS right away on the unices that they have control over, while the
> appliances can continue to use the same data the old way.  Then the
> pressure increases on those vendors and over time they move to the new way
> too.  Change has to start somewhere.

Good luck.

>> Yes, making users, user groups and sudoers entries invisible if the client is
>> not authorized to see them.
> You could do that with DBIS too, if you wanted.  You could either use netgroup
> constraints <>
> (client-side),
> and if you really want server-side restrictions in place, split the maps up
> into separate places in the DIT
> and use ACLs to restrict which hosts can see them.

Your schema is not suitable to let *static* LDAP server ACLs work their way
through the data.

Ciao, Michael.