
RE: Authentication Methods for LDAP - last call



> > Good grief. The argument set forth by you and some others essentially says
> > don't worry about mass deployments, or the Internet, or real businesses
> > that have more than ONE server, use a (by your own admission) weak security
> > mechanism (CRAM-MD5) because it is simpler to implement and better than
> > passing clear text. This is bordering on the absurd. You will never
> > convince me, Steve, Paul, and others that work on distributed systems of
> > this argument.

Good grief.  The argument set forth by others does not say "don't worry
about mass deployments".  The argument set forth says that LDAP applications
that are not concerned with mass deployments should not have to worry about
the huge overhead that a global infrastructure requires.  The others are
saying that you don't deploy a nuclear weapon to kill a single mosquito.

The ability of X.500 and X.509 advocates to entirely miss the point that
their solutions should not be MANDATORY for everyone and that just because
there is a single MANDATORY method does not prevent people from offering
additional OPTIONAL methods that are standardized and interoperable is
bordering on the absurd.

> I also think that those who pronounce that 200,000 users on 1 LDAP
> server should get a bit of reality into their argument. Does anyone on
> this list think that:
> a) a 200,000 staff company running a commercial business will use 1 LDAP
> server - that size of organisation will be distributed around - will
> require redundant backups and will require connectivity to other
> organisations' (trading partner) directory systems.
>
> b) this company wants to have a server system, say 5 or 6 of them, where
> they have to replicate everything in one to everything in another - and
> also with their trading partners.
> eg. Please buy 5 LDAP servers and then get 5 people to keep them in
> sync.

I think that those who pronounce a requirement that all LDAP clients and
servers must support X.509 certificates and who say that the only way to
replicate is using LDAP should get a bit of reality in their arguments.

There are many organizations that use LDAP as an interface to a traditional
RDBMS.  They already have complete replication capabilities built into
their database system and they don't need the wasted overhead of an LDAP
or X.500 replication technique.

There are many people who don't want to share their databases with their
trading partners, who are willing to use SPKI or non-LDAP based PKIX
methods to exchange certificates (things associated with Secure DNS)
while still using LDAP internally.

I have no problems with trying to build better tools and tools that can
actually scale to the whole world.  I think those would be good things,
but the fact that an airline needs a 747 to move people and cargo from
New York to San Francisco does not mean I have to buy one for my daily
commute to work (just as the fact that you see a use for X.509 in LDAP
does not mean I need them in my work, and making them MANDATORY will force
me to buy or implement them!).