IETF Logo Mail Archive

Re: Comments from Christian H. on LDAP

Tim Howes <tim@terminator.rs.itd.umich.edu> Wed, 06 January 1993 03:58 UTC

Received: from ietf.nri.reston.va.us by IETF.CNRI.Reston.VA.US id aa16773; 5 Jan 93 22:58 EST
Received: from CNRI.RESTON.VA.US by IETF.CNRI.Reston.VA.US id aa16769; 5 Jan 93 22:58 EST
Received: from haig.cs.ucl.ac.uk by CNRI.Reston.VA.US id aa28883; 5 Jan 93 22:59 EST
Received: from terminator.rs.itd.umich.edu by haig.cs.ucl.ac.uk with Internet SMTP id <g.00364-0@haig.cs.ucl.ac.uk>; Wed, 6 Jan 1993 03:37:08 +0000
Received: from vertigo.rs.itd.umich.edu by terminator.rs.itd.umich.edu (5.67/2.2) id AA00907; Tue, 5 Jan 93 22:35:46 -0500
Message-Id: <9301060335.AA00907@terminator.rs.itd.umich.edu>
To: Christian Huitema <Christian.Huitema@sophia.inria.fr>
Cc: " (Russ Wright)" <wright@lbl.gov>, RARE & IETF OSI-DS wg <osi-ds@cs.ucl.ac.uk>
Subject: Re: Comments from Christian H. on LDAP
In-Reply-To: Your message of "Tue, 05 Jan 93 17:41:11 EST." <199301051641.AA11416@mitsou.inria.fr>
Date: Tue, 05 Jan 93 22:35:45 -0500
Sender: ietf-archive-request@IETF.CNRI.Reston.VA.US
From: Tim Howes <tim@terminator.rs.itd.umich.edu>

> From:    Christian Huitema <Christian.Huitema@sophia.inria.fr>
> To:      " (Russ Wright)" <wright@lbl.gov>

> 1- Allowing real time modification of the data does make the DSA
> software much more complex. You need authentication, but you also need
> journalling of updates, ability to recover, maintenance of index
> files, etc.

This is very true.  Authentication is needed anyway, though.  Lots of
people want to restrict read access based on who you are, not just modify
access.  The other stuff is a pain, but indexes have to be maintained by
something (even if things are updated only in batch).  Recovery and
journalling remain.  I look at what we run here at U of M, and don't
think we can do without updates very easily!

> 2- Allowing real time modification of the data base obliges you to
> keep a correspondance between what you send over the net and what you
> store in the data base. Suppose for example that you want to be able
> to display "Common Name", "Surname" and "Given Name", and that someone
> updates the "Surname" attribute. Should the new surname also appear in
> the Given name? On any traditional (e.g. SQL) data base, it would...

I'd say that would be ok (modifying surname also changes common name).
If your X.500 db is mapped onto an sql database, presumably it would
do just that.  Does doing this violate X.500 somehow?

> 3- Allowing real time modification *by the end user*, as opposed to
> modification by an administrator, gives the user the impression that
> the X.500 data base contains the "primary" version of the data. What
> happens if user Joe modifies its phone number Thursday but the X.500
> base is restored from an "up to date" version of the payroll data base
> Friday?
> 
> I know that the pure X.500 answer is that the payroll application
> should just use the X.500 data base. But are *YOU* willing to bet your
> payroll on that? For these reasons, I believe that having the "modify"
> operations in the X.500 protocol brings more trouble than services.
> And that these operations should not be part of a light weight white
> page service.

I said more about this in my previous message, but here's another thought.
Perhaps the payroll database should not use X.500, but X.500 should use
the payroll database as its back end....                       -- Tim

v2.8.7 | Report a Bug | By Email