
Re: Naming of ACLs, Replication etc



Following some of the points made by Alan Lloyd, and the requests for
clarification from Dave Boreham,  I thought it would be useful to try
to restate the core point of my original message.  

I can see three broad "camps" on how directory services should be
deployed (with various intermediate and combined views).

1) X.500 is the way to build a distributed directory.   Most in this
camp believe that LDAP is also a good thing and a useful way to
provide access into an X.500 directory (some believe that it would be
better to have only DAP, but do accept the reality of LDAP access).

2) That a distributed directory should be built with LDAP only, and
that all the missing pieces should be defined as a part of LDAP.  This
camp generally views that X.500 is a dinosaur, and want to see it
replaced with a full set of Internet directory specifications.

3) That a distributed directory should be built with (their)
commercial proprietary products.   LDAP will be used for access.
Replication protocols should be used for (low quality)
synchronization, but not as a replacement for their (high quality)
proprietary replication.  Those in this camp tend to speak in line
with camp 2, as they oppose X.500.


There is a common view in all of these groups that LDAP AS AN ACCESS
PROTOCOL is a good thing (or at least is something that is a market
reality).

My proposal was that LDAP should be used to refer only to the access
protocol, and (typically optional) protocol extensions directly
associated with this access protocol.  It seems to me that there is
convergence on LDAP, and we should be working to make LDAP something
that all players will want to support.

There is going to be a real fight over the choice of replication
protocols and access control mechanisms to be deployed.     

I think that LDAP is a wonderful thing, and want to support it.  

I think that the access control specified by X.500 is by far the best
way forward for a directory accessed by LDAP.  Others want to specify
different mechanisms, and it is clear from recent discussions that
there are a number of possible alternate ways forward.

Given the divergence,  I do not think that it is possible or desirable
to have short term convergence on one mechanism.   I believe that we
will see multiple specifications and that the market will decide.

A large market clearly wants to have "LDAP Directories", meaning a
directory service accessed by LDAP.   

I think that it will be pejorative to have one of the specifications
for access control called "LDAP Access Control".   Rather,  I think
that the various proposals should have names which do not include the
name "LDAP".

We should reserve LDAP for the access protocol which we all believe
in, and not use it for new specifications which will be very
controversial.



Steve Kille