
RE: LDAP Access Control



>  
> -----Original Message-----
> From: Tim Howes [mailto:howes@netscape.com]
> Sent: Tuesday, June 09, 1998 7:09 PM
> To: ietf-ldapext@netscape.com
> Subject: LDAP Access Control
> 
> 
> Hi all. It appears to Mark and me, your LDAPEXT co-chairs, 
> that the ACL discussions have broken down and are no longer 
> producing anything constructive. This message is our attempt 
> to put things back on track. To do this effectively, we need 
> your help and participation.  Please read this message 
> carefully and respond to the questions posed. 
> 
> We are not taking a vote, we are simply trying to gauge the 
> consensus in the group. There have been several vocal views 
> expressed, and we need to determine which ones (if any!) have 
> the support of the group.  If this looks like rehashing of 
> old ground, please bear with us one more time.  Please note 
> that the reply-to on this message points to Mark and me. If 
> you would like to reply to the whole list, please feel free 
> to do so. 
> 
> 
> QUESTION 1: Do you believe LDAPEXT should be trying to define 
> requirements, framework, and/or a model for access control in 
> LDAP directories? 
	AL: NO - I think it is wrong to specify an access control
framework without a distributed system model, a directory admin model
and an authentication framework - as per X.500. I think that putting
everything under the banner of LDAP - which is a limited access
protocol - is just using LDAP ext as "gladbag" for anything to do with
directories and this is also wrong.
	I find that access controls and authentication of distributed
systems are a serious matter in commercial products and require
considerable investment. I also find it absolutely odd that the world is
adopting X.509, and LDAP was formed on X.500, but there seems to be
outright refusal of the X.500 ACI model in LDAP land - which in terms of
object engineering - the X.500 Auth/ACI model is correctly applied and
works.

	Proprietary solutions may be in the market place - but they have
a high cost - particularly when the swing is to distributed object
oriented engineering and a common auth/aci model as per X.500/509.

	ie. WE HAVE a STANDARD for ACI and AUTHENTICATION that is
proven, is being adopted and deployed and is pretty good in terms of its
concepts and engineering. The two, Auth and ACI, cannot be separated.

> QUESTION 2: Do you basically support the access control 
> requirements draft (draft-ietf-ldapext-acl-reqts-00.txt)?
	AL: NO

> QUESTION 3: Do you basically support the access control model 
> draft (draft-ietf-ldapext-acl-model-00.txt)?
	AL: NO, NO, NO - it's got more holes than a string vest.


> QUESTION 4: Do you think we should adopt the X.500(1993) 
> basic access control model as the starting point for the LDAP 
> access control model? 
	AL: The Prescriptive ACI model is better for large scale
directory systems - But this needs a directory admin model - as per
X.500 - but so does BAC.


> QUESTION 5: Do you think we should specify only a framework 
> for identifying access control models, and not define a 
> single standards-track model for LDAP at this time? 
> 
	LDAP is full of holes and issues because it has no framework
(for distribution or distributed authentication and access controls) or
useful - real compliance tables. In addition Global Electronic Commerce
- which includes Certificate Path processing and distributed mutual
authentication between servers to support distributed user
authentication makes LDAP-only technology USELESS as a directory SYSTEM.
	Many are realising that LDAP has run its course because it has
no framework, no architecture, is inefficient, does not scale, does not
support global EC, cannot be compliance tested, is open ended
development without a framework, is introducing weird things like
transactions ???

	LDAP has become a Heavyweight - Limited DAP and very messy and
there seems to be a trend on this planet that big organisations are not
investing in an LDAP - LDAP server only model - simply because this
requires that one replicates everything to everywhere and does not
scale - because of all the above issues.
	X.500 core systems are the game in town - all towns.

> Please let us know what you think.  If nobody responds to 
> these questions, we'll assume that you support the direction 
> stated in the charter and worked on in the group so far, 
> which is to define an LDAP access control model, and to 
> support the requirements and proposed model drafts.
> 
	Perhaps if no one is responding that might be a signal of
absolute rejection of the requirements and the proposal - Perhaps the
Yes voters should declare themselves - otherwise the industry could
judge the LDAP work as nothing more than "lightweight" ideas that will
fall to bits when implemented. 

	Defining an LDAP ACI model is an option - But single server ACI
models will be absolutely useless. And X.500 already has the upper hand.
	Let the market decide - And if there are no strong Yes votes -
should we judge this LDAP effort as "why bother".
	Just use X.500.

	In providing YES votes can those people also provide their
company names and identify that they are developing LDAP server or X.500
technology.
	System trust and commercial investment in this area is a
serious issue and needs to be guided by the industry - Good ideas are
useful - but they have to be commercially qualified. OpenDirectory will
not invest in weak unscalable Auth and ACI ideas as this will
absolutely compromise our LDAP/X.500 products and the businesses that
use them.

	"Lightweight Access Controls" is not something we will go to the
market with.

	regards alan

> Tim Howes and Mark Wahl 
>