Re: [ldapext] RFC2307, netgroups, DBIS
Michael Ströder <michael@stroeder.com> Wed, 11 February 2015 12:53 UTC
Return-Path: <michael@stroeder.com>
X-Original-To: ldapext@ietfa.amsl.com
Delivered-To: ldapext@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 593B81A887F for <ldapext@ietfa.amsl.com>; Wed, 11 Feb 2015 04:53:20 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.312
X-Spam-Level:
X-Spam-Status: No, score=-2.312 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id voct1dyaWxry for <ldapext@ietfa.amsl.com>; Wed, 11 Feb 2015 04:53:17 -0800 (PST)
Received: from srv1.stroeder.com (srv1.stroeder.com [213.240.180.113]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 444581A888C for <ldapext@ietf.org>; Wed, 11 Feb 2015 04:53:17 -0800 (PST)
Received: from srv4.stroeder.local (srv4.stroeder.local [10.1.1.7]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "mail.stroeder.local", Issuer "stroeder.com Server CA no. 2009-07" (not verified)) by srv1.stroeder.com (Postfix) with ESMTPS id E6B4F1CF9B; Wed, 11 Feb 2015 12:53:14 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1]) by srv4.stroeder.local (Postfix) with ESMTP id 382DD1D2A1; Wed, 11 Feb 2015 12:53:13 +0000 (UTC)
X-Virus-Scanned: amavisd-new at stroeder.local
Received: from srv4.stroeder.local ([127.0.0.1]) by localhost (srv4.stroeder.local [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QBo_1r4gF8se; Wed, 11 Feb 2015 12:52:58 +0000 (UTC)
Received: from nb2.stroeder.local (nb2.stroeder.local [10.1.1.5]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client did not present a certificate) by srv4.stroeder.local (Postfix) with ESMTPS id CDA101CFB5; Wed, 11 Feb 2015 12:52:57 +0000 (UTC)
Message-ID: <54DB50A8.90601@stroeder.com>
Date: Wed, 11 Feb 2015 13:52:56 +0100
From: Michael Ströder <michael@stroeder.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:35.0) Gecko/20100101 SeaMonkey/2.32.1
MIME-Version: 1.0
To: Mark R Bannister <dbis@proseconsulting.co.uk>
References: <etPan.54c553b0.19e21bb2.1f2@lpm.local> <54C77E7A.6010506@proseconsulting.co.uk> <54C7B32A.7050709@stroeder.com> <54C7FA23.7000101@proseconsulting.co.uk> <1422454472.32747.38.camel@ssimo.org> <54CEA9A4.1020709@proseconsulting.co.uk> <54CF5178.7040406@stroeder.com> <54D2955E.3010608@proseconsulting.co.uk> <54D2A8DF.8030002@stroeder.com> <54DB46E0.2040803@proseconsulting.co.uk>
In-Reply-To: <54DB46E0.2040803@proseconsulting.co.uk>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha1"; boundary="------------ms080701030807000309070503"
Archived-At: <http://mailarchive.ietf.org/arch/msg/ldapext/ygsQWfhFA1zGcPDBUOXgSCFc2fA>
Cc: ldapext@ietf.org
Subject: Re: [ldapext] RFC2307, netgroups, DBIS
X-BeenThere: ldapext@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: LDAP Extension Working Group <ldapext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ldapext>, <mailto:ldapext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ldapext/>
List-Post: <mailto:ldapext@ietf.org>
List-Help: <mailto:ldapext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ldapext>, <mailto:ldapext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 11 Feb 2015 12:53:20 -0000
Mark R Bannister wrote: > On 04/02/2015 23:18, Michael Ströder wrote: >> Mark R Bannister wrote: >>> michael@stroeder.com wrote: >>>> Mark R Bannister wrote: >>>>> On 28/01/2015 14:14, Simo wrote: >>>>>> It hurts me to curb enthusiasm, but I think your drafts are not a step >>>>>> forward, at most a step sideways, and ignore what's out there right now. >>>>> Given that they were written to fix specific deficiencies in RFC2307bis >>>>> that were causing pain in a number of very large enterprises I have worked >>>>> for, I don't see how they could be considered a step sideways. >>>> Maybe I did not look closely enough. Could you please point me to some text >>>> describing the specific deficiencies you solved in more detail? >>> Have at look at the abstract on page 2 of >>> http://www.ietf.org/id/draft-bannister-dbis-mapping-06.txt. One of the first >>> biggest requirements was reintroducing case sensitivity in a way that would be >>> fully compatible with NIS, see the description of the en (4.2) and rn (4.3) >>> attributes in particular. >> Yes, case-sensitive matching is an issue and I already saw that text in your >> drafts. I've simply added additional local constraints to the config limiting >> e.g. attribute 'uid' to lower-case values. So it was not that important to me. > > "Not that important to me" suggests, once again, that you are coming up > with a point solution, and not a solution that could be widely adopted. Not right. I simply have other priorities leading to another compromise. > I have designed a replacement for an RFC that can be very widely adopted. As already pointed out: Your approach is not backward compatible to PAM/NSS clients making hard-coded use of RFC 2307 schema. I have some doubts that it will be widely used. > Your approach to the 'uid' attribute precludes any other use of this > attribute within the same directory server by other applications and is > not standards-compliant. Could you please elaborate why defining local constraints is "not standards-compliant". I'm really eager to learn more about standards. ;-) Since you tend to solve things at the client side you could easily configure PAM/NSS clients to use an extensible LDAP filter using case-sensitive matching rule for searching users and groups by their name. >>> Also, another requirement was to fix the schema so >>> that duplicate alias names could be easily detected and prevented (1.2). >> Are you talking about this text? >> >> https://tools.ietf.org/html/draft-bannister-dbis-mapping-00#section-1.2 >> >> Frankly I don't get it (besides the SHALL for LDAP client configuration). > > As in http://sourceforge.net/p/dbis/wiki/Aliases. I know what LDAP alias entries are but I avoid using them. I suspect that you try to cure a problem caused by using a specific search base in your PAM/NSS client configuration. The approach is simply wrong. Instead I'd say fix your data and keep client config simple. ;-) >>> Strange appliances - not unless I can get the vendor to add support for DBIS. >> And that is exactly the point. > > That is no different with any new technology. As uptake spreads, and > customer demands increase, vendors add support for the new stuff. As DBIS > works with the old RFC2307/RFC2307bis schema as well, customers can begin > to use DBIS right away on the unices that they have control over, while the > appliances can continue to use the same data the old way. Then the > pressure increases on those vendors and over time they move to the new way > too. Change has to start somewhere. Good luck. >> Yes, making users, user groups and sudoers entries invisible if the client is >> not authorized to see them. > > You could do that with DBIS too, if you wanted. You could either use netgroup > constraints <http://sourceforge.net/p/dbis/wiki/Netgroup%20Constraints/> > (client-side), > and if you really want server-side restrictions in place, split the maps up > into separate places in the DIT > and use ACLs to restrict which hosts can see them. Your schema is not suitable to let *static* LDAP server ACLs work their way through the data. Ciao, Michael.
- Re: [ldapext] LDAP work at IETF... Michael Ströder
- [ldapext] LDAP work at IETF... Ludovic Poitou
- Re: [ldapext] LDAP work at IETF... Gavin Henry
- Re: [ldapext] LDAP work at IETF... Michael Ströder
- Re: [ldapext] LDAP work at IETF... Clément OUDOT
- Re: [ldapext] LDAP work at IETF... Michael Ströder
- Re: [ldapext] LDAP work at IETF... Andrew Findlay
- Re: [ldapext] LDAP work at IETF... Michael Ströder
- Re: [ldapext] LDAP work at IETF... Mark R Bannister
- Re: [ldapext] LDAP work at IETF... Michael Ströder
- Re: [ldapext] LDAP work at IETF... Mark R Bannister
- Re: [ldapext] LDAP work at IETF... Michael Ströder
- Re: [ldapext] LDAP work at IETF... Mark R Bannister
- Re: [ldapext] LDAP work at IETF... Michael Ströder
- Re: [ldapext] LDAP work at IETF... Mark R Bannister
- Re: [ldapext] LDAP work at IETF... Mark R Bannister
- [ldapext] RFC2307, netgroups, DBIS (was: LDAP wor… michael-catchall@mail.stroeder.local (POP3)
- [ldapext] RFC2307, netgroups, DBIS (was: LDAP wor… michael-catchall@mail.stroeder.local (POP3)
- Re: [ldapext] RFC2307, netgroups, DBIS Mark R Bannister
- Re: [ldapext] RFC2307, netgroups, DBIS Mark R Bannister
- Re: [ldapext] RFC2307, netgroups, DBIS Michael Ströder
- Re: [ldapext] RFC2307, netgroups, DBIS Michael Ströder
- Re: [ldapext] LDAP work at IETF... Clément OUDOT
- Re: [ldapext] LDAP work at IETF... Ludovic Poitou
- Re: [ldapext] RFC2307, netgroups, DBIS Mark R Bannister
- Re: [ldapext] RFC2307, netgroups, DBIS Mark R Bannister
- Re: [ldapext] RFC2307, netgroups, DBIS Michael Ströder
- Re: [ldapext] RFC2307, netgroups, DBIS Michael Ströder
- Re: [ldapext] LDAP work at IETF... Barry Leiba
- Re: [ldapext] LDAP work at IETF... Barry Leiba
- Re: [ldapext] LDAP work at IETF... Michael Ströder
- Re: [ldapext] LDAP work at IETF... Ludovic Poitou