Re: [ldapext] DBIS - new IETF drafts

Howard Chu <> Mon, 13 January 2014 03:00 UTC

Date: Sun, 12 Jan 2014 18:59:48 -0800
From: Howard Chu <>
To: Charlie <>, Mark R Bannister <>, ldapext <>

Charlie wrote:
> What I have learned from about a decade of quietly following LDAP
> across multiple forums and lists is the following:

> 2) POSIX group semantics are the bane of open-source LDAP.  The
> functional paradigm that a member is an attribute of a group is
> fundamentally broken; group membership is an attribute of the member.
> The security concerns frequently raised concerning this are all either
> trivially solvable or pragmatically completely bogus.

Sorry but that makes no sense. It's the same as saying 'element e is a member 
of set S' is true but 'set S contains element e' is false. If one is true then 
both must be true.

Of course there are two different ways to view it. From a sysadmin's point of 
view, what is important is knowing which users are members of a group. From 
an individual user's point of view, knowing which groups they belong to is 
more important. In real life, users will log in many times more frequently than 
sysadmins will manipulate group memberships, so you may decide that optimizing 
for the user check is more important. But while sysadmin manipulation may be 
infrequent, the consequences of making a mistake are high, so data models up 
till now have been designed to make the sysadmin view more straightforward. 
Complexity from the user's perspective is simple to automate, and you never have 
to worry about it again.

I think it would be a mistake to lose sight of this distinction.

   -- Howard Chu
   CTO, Symas Corp. 
   Director, Highland Sun
   Chief Architect, OpenLDAP
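The two views Howard describes are the same relation read from opposite ends: a group entry listing its members (the sysadmin's view) and a user entry listing its groups (the user's view). The following is an added example, not code from this thread or from OpenLDAP, that derives the user-side view mechanically from the group-side one and checks that a cached user-side attribute has not drifted from the authoritative group definition. The directory entries, DNs and the `memberOf` values are constructed for this example; DN comparison is simplified to exact string matching, whereas real LDAP DN matching is case-insensitive, and POSIX `memberUid` values would be uids rather than DNs.

```python
"""Group-side vs user-side views of LDAP group membership, and a drift check.

Added example (not from the thread or from any LDAP server).  Group entries
carry the authoritative 'member' attribute; user entries carry a cached
'memberOf' attribute such as an overlay or a provisioning script might
maintain.  All entries below are constructed sample data.
"""
from collections import defaultdict

# Constructed sample group entries (the sysadmin's view: group -> members).
GROUPS = {
    "cn=wheel,ou=Groups,dc=example,dc=com": {
        "member": [
            "uid=alice,ou=People,dc=example,dc=com",
            "uid=bob,ou=People,dc=example,dc=com",
        ]
    },
    "cn=dev,ou=Groups,dc=example,dc=com": {
        "member": [
            "uid=bob,ou=People,dc=example,dc=com",
            "uid=carol,ou=People,dc=example,dc=com",
            "uid=dave,ou=People,dc=example,dc=com",  # dave has no user entry yet
        ]
    },
}

# Constructed sample user entries with a cached 'memberOf' attribute
# (the user's view: user -> groups).  Carol's entry is deliberately stale.
USERS = {
    "uid=alice,ou=People,dc=example,dc=com": {
        "memberOf": ["cn=wheel,ou=Groups,dc=example,dc=com"]},
    "uid=bob,ou=People,dc=example,dc=com": {
        "memberOf": ["cn=wheel,ou=Groups,dc=example,dc=com",
                     "cn=dev,ou=Groups,dc=example,dc=com"]},
    "uid=carol,ou=People,dc=example,dc=com": {
        "memberOf": ["cn=dev,ou=Groups,dc=example,dc=com",
                     # stale: wheel's member list does not contain carol
                     "cn=wheel,ou=Groups,dc=example,dc=com"]},
}


def derive_member_of(groups):
    """Invert the group-side relation into user DN -> set of group DNs.

    This is the automation Howard refers to: the user's view is fully
    determined by the group entries and never needs separate curation."""
    index = defaultdict(set)
    for group_dn, attrs in groups.items():
        for member_dn in attrs.get("member", []):
            index[member_dn].add(group_dn)
    return dict(index)


def is_member(groups, user_dn, group_dn):
    """Membership test from the group side ('set S contains element e')."""
    return user_dn in groups.get(group_dn, {}).get("member", [])


def belongs_to(groups, user_dn, group_dn):
    """Same test from the user side ('element e is a member of set S').

    Because the user view is derived from the group view, the two tests can
    never disagree."""
    return group_dn in derive_member_of(groups).get(user_dn, set())


def reconcile(groups, users):
    """Compare cached memberOf values against the authoritative member lists.

    Returns (missing, stale) as sorted lists of (user_dn, group_dn) pairs:
    missing = memberships defined on the group but absent from the user's
    memberOf (or the user entry is absent altogether); stale = memberOf values
    with no backing member entry.  Stale values are the dangerous direction: a
    consumer trusting memberOf would grant access the group definition does
    not."""
    derived = derive_member_of(groups)
    missing, stale = [], []
    for user_dn in sorted(set(users) | set(derived)):
        cached = set(users.get(user_dn, {}).get("memberOf", []))
        truth = derived.get(user_dn, set())
        missing += sorted((user_dn, g) for g in truth - cached)
        stale += sorted((user_dn, g) for g in cached - truth)
    return missing, stale


if __name__ == "__main__":
    missing, stale = reconcile(GROUPS, USERS)
    for user_dn, group_dn in missing:
        print(f"MISSING memberOf on {user_dn}: {group_dn}")
    for user_dn, group_dn in stale:
        print(f"STALE   memberOf on {user_dn}: {group_dn}")
```

Running the script reports one missing entry (dave is in `dev` but has no user entry carrying `memberOf`) and one stale entry (carol's cached `wheel` membership with no backing `member` value). Treating the group-side `member` attribute as authoritative and regenerating `memberOf` from it, rather than editing both sides by hand, is what keeps the two views from disagreeing.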