
RE: RE: Authentication Methods for LDAP - last call

Thanks for the response, John.
----------
From: John Haxby
To: Alan.Lloyd@OpenDirectory.com.au; Chris.Newman@INNOSOFT.COM;
johns@cisco.com
Cc: ietf-ldapext@netscape.com; S.Kille@isode.com
Sent: 8/7/98 1:51:06 AM
Subject: RE: RE: Authentication Methods for LDAP - last call

Alan Lloyd wrote:
[snip]
I also think that those who pronounce that 200,000 users on 1 LDAP
server should get a bit of reality into their argument. Does anyone on
this list think that:
a) a 200,000 staff company running a commercial business will use 1 LDAP
server - that size of organisation will be distributed around - will
require redundant backups and will require connectivity to other
organisations' (trading partner) directory systems.

b) this company wants to have a server system, say 5 or 6 of them, where
they have to replicate everything in one to everything in another - and
also with their trading partners.
e.g. Please buy 5 LDAP servers and then get 5 people to keep them in
sync.

(jch) There is a deployed instance of OpenMail supporting 220,000 users
across 10-20 servers (I forget the exact number, sorry).  Each server
has a copy of the directory and the replication mechanism is such that
it effectively forbids changes to directory entries not owned by the
local server.  In this instance CRAM-MD5 would scale remarkably well.

Alan:
There is a difference between a mail address book system and a fully
fledged organisational directory that contains account information,
customer records, task force unit details, etc., etc.

snip:
John: In the less common complex distributed environments where access
to certain data is controlled by authentication, then there is a clear
need for a better, distributed authentication mechanism.

If a simple authentication mechanism is mandated for the common, simple 
installation then that is just fine.  The less common, complex 
installations are likely to need something better and would probably 
want to disable the simpler, non-scalable authentication mechanisms.  
But there is still a place for those simple mechanisms ...

Thanks for agreeing with me - simpler ones are OK for simple things. I
thought that we were dealing with directory support for a network with
100m users on it that need to interconnect with a variety of algorithms
through a distributed trust model.

As said - local mechanisms do not a system make.

regards alan
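As an added illustration (not part of this thread, and not code from any of the participants), the following Python script walks one CRAM-MD5 exchange (RFC 2195) against two hypothetical servers: ldap1, which holds the user's cleartext password, and ldap2, a replica that received only a salted hash of it. The hostnames, user, password, challenge values and the {CLEAR}/{SSHA} storage labels are assumptions made for the example. It shows the property underlying the scaling argument above: the verifying server keys an HMAC-MD5 with the password itself, so every replica, and every trading-partner directory that must authenticate the user, needs a cleartext-equivalent copy of the secret rather than a one-way hash.

```python
import base64
import hashlib
import hmac
import os
import time
from typing import Dict, Optional, Tuple

# Constructed sample secret stores for two hypothetical directory servers.
# ldap1 holds the password in the clear (what CRAM-MD5 verification needs);
# ldap2 is a replica that only received a salted SHA-1 of it.
# Hostnames, user, password and the {CLEAR}/{SSHA} labels are assumptions.
def ssha(password: str, salt: bytes) -> str:
    """Salted one-way hash a replica might hold instead of the cleartext."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

PASSWORD = "correct horse battery staple"  # constructed sample credential
SECRET_STORES: Dict[str, Dict[str, str]] = {
    "ldap1.example.net": {"alice": "{CLEAR}" + PASSWORD},
    "ldap2.example.net": {"alice": ssha(PASSWORD, b"\x01\x02\x03\x04")},
}

def make_challenge(hostname: str, pid: Optional[int] = None,
                   now: Optional[int] = None) -> bytes:
    """Server side of RFC 2195: a unique '<pid.timestamp@host>' string, base64-encoded."""
    pid = os.getpid() if pid is None else pid
    now = int(time.time()) if now is None else now
    return base64.b64encode(f"<{pid}.{now}@{hostname}>".encode())

def client_response(username: str, password: str, challenge_b64: bytes) -> bytes:
    """Client side: 'username SP hex(HMAC-MD5(key=password, msg=challenge))', base64-encoded."""
    challenge = base64.b64decode(challenge_b64)
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{username} {digest}".encode())

def verify(hostname: str, challenge_b64: bytes, response_b64: bytes) -> Optional[bool]:
    """Server side: recompute the digest from the stored secret, compare in constant time.

    Returns True/False as a verdict, or None when this server cannot verify at all:
    HMAC-MD5 must be keyed with the cleartext password, so a server holding only a
    one-way hash cannot reproduce the client's digest no matter what it stores.
    """
    username, _, digest = base64.b64decode(response_b64).decode().partition(" ")
    stored = SECRET_STORES.get(hostname, {}).get(username)
    if stored is None or not stored.startswith("{CLEAR}"):
        return None
    password = stored[len("{CLEAR}"):]
    expected = hmac.new(password.encode(), base64.b64decode(challenge_b64),
                        hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)

def demo() -> Dict[str, Tuple[Optional[bool], Optional[bool]]]:
    """Run the exchange against both servers with the right and a wrong password.

    Returns {hostname: (verdict for correct password, verdict for wrong password)}.
    """
    results = {}
    for host in SECRET_STORES:
        challenge = make_challenge(host, pid=1896, now=697170952)  # fixed values for repeatability
        good = client_response("alice", PASSWORD, challenge)
        bad = client_response("alice", "wrong password", challenge)
        results[host] = (verify(host, challenge, good), verify(host, challenge, bad))
    return results

if __name__ == "__main__":
    for host, (good, bad) in demo().items():
        print(f"{host}: correct password -> {good}, wrong password -> {bad}")
```

Running it prints a True/False verdict for ldap1 and None for both attempts on ldap2: the replica is not rejecting the user, it simply has nothing it can key the HMAC with. Keeping every replica and partner directory supplied with cleartext-equivalent secrets is the replication and trust cost the thread is arguing about; a mechanism that verifies against a one-way hash, or that delegates verification to the home server, does not impose it.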