Re: Naming of ACLs, Replication etc
Hi Steve,

One of the goals of this group is to develop a standard access
control model for LDAP. Under this charter, it is very likely
that anything this group produces in this area will be titled
"LDAP Access Control Model" or something pretty darn close.
Asking to keep LDAP out of the title is like asking the group to
change its charter. While it's possible to have that discussion
again, we already had it once and came to consensus. What new
information or argument do you have that could cause us to talk
about changing our charter? Keeping LDAP out of the title also
does not solve the problem. I think it will only cause more
confusion, not less.

On the subject of multiple access control models, I agree there
will be multiple models around, perhaps indefinitely. And we
must address this so, for example, replication does not occur
between servers with different models. But that's not an
argument for not developing a standard model.

Maybe I'm misinterpreting you, but it sounds like you'd rather
have the X.500 ACL model compete with other models in the market
than try to get the group to agree that the X.500 model should
be adopted as the standard one. I'd rather we at least have the
debate first. What's been missing from this debate with
respect to X.500 is more people like you - knowledgeable
advocates of the technology who can make a coherent complete
proposal about what it means to use X.500 as the model, how
it satisfies the requirements, where it falls short, etc.
The input we've had so far has not been in the form of a
proposal.

I see no evidence that having standard LDAP access control
is controversial. You and other X.500 vendors most of all
should not find this controversial. What seems to be
controversial is whether LDAP will adopt the X.500 model
or not. The way to fix this is for you and other X.500
fans to get involved in the group and make your case for
the technology. Giving up on standardizing something just
because you fear there may be controversy over which model
is selected or designed, or that it might not be the
technology you advocate is no answer.
    -- Tim

Steve Kille wrote:

> Following some of the points made by Alan Lloyd, and the requests for
> clarification from Dave Boreham, I thought it would be useful to try
> to restate the core point of my original message.
>
> I can see three broad "camps" on how directory services should be
> deployed (with various intermediate and combined views).
>
> 1) X.500 is the way to build a distributed directory. Most in this
> camp believe that LDAP is also a good thing and a useful way to
> provide access into an X.500 directory (some believe that it would be
> better to have only DAP, but do accept the reality of LDAP access).
>
> 2) That a distributed directory should be built with LDAP only, and
> that all the missing pieces should be defined as a part of LDAP.  This
> camp generally views that X.500 is a dinosaur, and want to see it
> replaced with a full set of Internet directory specifications.
>
> 3) That a distributed directory should be built with (their)
> commercial proprietary products. LDAP will be used for access.
> Replication protocols should be used for (low quality)
> synchronization, but not as a replacement for their (high quality)
> proprietary replication. Those in this camp tend to speak in line
> with camp 2, as they oppose X.500.
>
> There is a common view in all of these groups that LDAP AS AN ACCESS
> PROTOCOL is a good thing (or at least is something that is a market
> reality).
>
> My proposal was that LDAP should be used to refer only to the access
> protocol, and (typically optional) protocol extensions directly
> associated with this access protocol.  It seems to me that there is
> convergence on LDAP, and we should be working to make LDAP something
> that all players will want to support.
>
> There is going to be a real fight over the choice of replication
> protocols and access control mechanisms to be deployed.
>
> I think that LDAP is a wonderful thing, and want to support it.
>
> I think that the access control specified by X.500 is by far the best
> way forward for a directory accessed by LDAP.  Others want to specify
> different mechanisms, and it is clear from recent discussions that
> there are a number of possible alternate ways forward.
>
> Given the divergence, I do not think that it is possible or desirable
> to have short term convergence on one mechanism. I believe that we
> will see multiple specifications and that the market will decide.
>
> A large market clearly wants to have "LDAP Directories", meaning a
> directory service accessed by LDAP.
>
> I think that it will be pejorative to have one of the specifications
> for access control called "LDAP Access Control". Rather, I think
> that the various proposals should have names which do not include the
> name "LDAP".
>
> We should reserve LDAP for the access protocol which we all believe
> in, and not use it for new specifications which will be very
> controversial.
>
> Steve Kille