Chaining vs Referrals ?? -Reply

Ed Reed <Ed_Reed@novell.com> Sat, 24 February 1996 22:50 UTC

Message-ID: <s12f080a.007@fromGW>
X-Mailer: Novell GroupWise 4.1
Date: Sat, 24 Feb 1996 12:20:14 -0800
From: Ed Reed <Ed_Reed@novell.com>
To: osi-ds@cs.ucl.ac.uk, LIVINGSTON-C@smtpgw.nctsw.navy.mil
Subject: Chaining vs Referrals ?? -Reply

Technically, the chaining approach is required when full DUA-DSA
connectivity is not possible, either because there are multiple protocols
and the DUAs don't support them all, or because of intentional
discontinuities, such as Firewalls.

From a performance standpoint, the chaining model can, but may not,
afford superior cache support at the DSA, particularly if many DUAs
regularly access the same portions of the tree and can share cached
results of their queries.  A DUA can also do caching, of course, but the
cache will only retain what the DUA itself has requested, and cannot
leverage the results of other DUA queries.  Of course, any multi-user
cache will need to enforce all the access controls of the original source
data, and so prevent unauthorized DUAs from using authorized DUA
query results.  Could get tricky unless you really trust your DSAs.

NetWare Directory Services was implemented with a referrals only policy
at the DUA client libraries.  It chains resolve name operations, but that's it
for now.  To properly handle multiprotocol deployments we may need to
add chaining DSP.  Chaining authentication operations and delegating
access privileges are the things which give us the most pause as we
consider how to proceed.

Note, too, that chained operations are necessary when part of the
namespace is accessed via some other application protocol than
canonical DAP - say, via LDAP, NetWare NCPs, or such.  It's not strictly a
matter of transport protocols.

Ed Reed,
Novell, Inc.
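
The shared-cache concern raised in the message above, shown as an added example that is not part of the original e-mail and is not NetWare Directory Services code: a chaining DSA that caches the answer already filtered for one DUA hands it to the next DUA, while one that caches the entry together with its access controls re-checks them on every hit. The class names, DUA names and directory data are constructed for illustration, and the sketch assumes the chaining DSA is trusted to receive the source DSA's access control information.

```python
# Constructed sample data: attribute -> (value, set of DUAs allowed to read it).
REMOTE_DIT = {
    "cn=Alice,o=Example": {
        "telephoneNumber": ("+1 555 0100", {"*"}),
        "userPassword": ("constructed-secret", {"dua-admin"}),
    },
}

def visible(entry, requester):
    """Apply the source data's access controls for one requesting DUA."""
    return {attr: value for attr, (value, readers) in entry.items()
            if "*" in readers or requester in readers}

class RemoteDSA:
    """Stand-in for the DSA that holds the entry (hypothetical)."""
    def __init__(self):
        self.reads = 0
    def read(self, dn):
        self.reads += 1
        return REMOTE_DIT[dn]  # entry plus ACLs, released to a trusted chaining DSA

class NaiveChainingCache:
    """Caches the first requester's filtered answer, keyed by DN only."""
    def __init__(self, remote):
        self.remote, self.cache = remote, {}
    def read(self, requester, dn):
        if dn not in self.cache:
            self.cache[dn] = visible(self.remote.read(dn), requester)
        return self.cache[dn]  # same view for every later DUA

class AclEnforcingCache:
    """Caches the entry with its ACLs and filters per requester on each hit."""
    def __init__(self, remote):
        self.remote, self.cache = remote, {}
    def read(self, requester, dn):
        if dn not in self.cache:
            self.cache[dn] = self.remote.read(dn)
        return visible(self.cache[dn], requester)

def demo():
    dn = "cn=Alice,o=Example"
    naive = NaiveChainingCache(RemoteDSA())
    remote = RemoteDSA()
    enforcing = AclEnforcingCache(remote)
    naive.read("dua-admin", dn)                # authorized DUA fills the cache
    leaked = naive.read("dua-guest", dn)       # guest receives the admin's view
    enforcing.read("dua-admin", dn)
    guest = enforcing.read("dua-guest", dn)    # cache hit, ACLs re-evaluated
    return leaked, guest, remote.reads
```

The second cache still serves both DUAs from a single read of the remote DSA, so the sharing benefit is kept without reusing one DUA's authorization for another.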