
RE: Authentication Methods for LDAP - last call

At 10:53 AM 8/6/98 -0400, Aydin Edguer wrote:
>> > Good grief. The argument set forth by you and some others essentially says
>> > don't worry about mass deployments, or the Internet, or real businesses
>> > that have more than ONE server, use a (by your own admission) weak security
>> > mechanism (CRAM-MD5) because it is simpler to implement and better than
>> > passing clear text. This is bordering on the absurd. You will never
>> > convince me, Steve, Paul, and others that work on distributed systems of
>> > this argument.
>
>Good grief.  The argument set forth by others does not say "don't worry
>about mass deployments".  The arguments set forth say that LDAP applications
>that are not concerned with mass deployments should not have to worry about
>the huge overhead that a global infrastructure requires.  The others are
>saying that you don't deploy a nuclear weapon to kill a single mosquito.

[js] But the point is that insisting that CRAM-MD5 is a MUST for EVERY
use is equivalent to ignoring the needs of distributed systems. That is why
I offered the compromise.

>The ability of X.500 and X.509 advocates to entirely miss the point that
>their solutions should not be MANDATORY for everyone and that just because
>there is a single MANDATORY method does not prevent people from offering
>additional OPTIONAL methods that are standardized and interoperable is
>bordering on the absurd.
>
>> I also think that those who pronounce that 200,000 users on 1 LDAP
>> server should get a bit of reality into their argument. Does anyone on
>> this list think that:
>> a) a 200,000 staff company running a commercial business will use 1 LDAP
>> server - that size of organisation will be distributed around - will
>> require redundant backups and will require connectivity to other
>> organisation's (trading partner) directory systems.
>>
>> b) this company wants to have a server system say 5 or 6 of them where
>> they have to replicate everything in one to everything in another - and
>> also with their trading partners.
>> e.g. Please buy 5 LDAP servers and then get 5 people to keep them in sync.
>
>I think that those who pronounce a requirement that all LDAP clients and
>server must support X.509 certificates and who say that the only way to
>replicate is using LDAP should get a bit of reality in their arguments.

[js] Perhaps you should reread my arguments. I actually said that I
preferred Kerberos, with certificates a second choice.

>There are many organizations that use LDAP as an interface to a traditional
>RDBMS.  They already have complete replication capabilities built into
>their database system and they don't need the wasted overhead of an LDAP
>or X.500 replication technique.
>
>There are many people who don't want to share their databases with their
>trading partners, who are willing to use SPKI or non-LDAP based PKIX
>methods to exchange certificates (things associated with Secure DNS)
>while still using LDAP internally.
>
>I have no problems with trying to build better tools and tools that can
>actually scale to the whole world.  I think those would be good things,
>but the fact that an airline needs a 747 to move people and cargo from
>New York to San Francisco, does not mean I have to buy one for my daily
>commute to work (just as the fact that you see a use for X.509 in LDAP
>does not mean I need them in my work and making them MANDATORY will force
>me to buy or implement them!).

[js] So why then do I have to use your mechanism when it can't and won't
work in my environment? All I asked for was a compromise! Sheesh!