
RE: Authentication Methods for LDAP - last call




> -----Original Message-----
> From: Tim Howes [mailto:howes@netscape.com]
> Sent: Thursday, August 20, 1998 12:09 PM
> To: Paul Leach
> Cc: 'Chris Newman'; IETF LDAP Extensions WG
> Subject: Re: Authentication Methods for LDAP - last call
> 
> 
> Paul Leach wrote:
> > 
> > > > As will all the ACLs on which the user's DN is present.
> > >
> > > ACLs can be fixed by a brute-force query-replace on the directory.
> > > Password verifiers can't.
> > 
> > You've missed a slight problem of scale in the real world.
> > The user's DN on ACLs could be on 100s of directory servers in just one
> > organization, and could be on ACLs in 1000s of organizations' directories
> > world-wide. And in integrated environments, they could be on the ACLs on
> > files on possibly 10,000 file servers, just in one organization. Result: a
> > brute-force query-replace is not feasible.
> > 
> > It's like saying that brute force can defeat any encryption algorithm (given
> > enough time) -- true but not relevant.
> > 
> > And how do you change a user's DN in scripts that munge ACLs?
> 
> Just a small side comment on user DNs in ACLs. The
> maintenance of ACLs can be quite a nightmare for this
> very reason. Which is why I advocate access control
> schemes that require far fewer ACLs, generally do not
> require changing ACLs in individual entries, and do not
> require changing ACLs when entries move.

It won't help. Even if there were only one ACL per system (extremely
unlikely), you can never get to all the systems to change it, because _any
system in the world_ could have an ACL with the user's DN on it.

Complete, up-to-date, knowledge in a distributed system is impossible.

Paul
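The disagreement above turns on a concrete mechanism: an ACL that names its principal by DN goes stale the moment the entry is renamed, and a brute-force rewrite only reaches the systems the administrator can see. The simulation below is an added illustration and not code from either correspondent; it models a constructed three-system "fleet" (one directory server, one reachable file server, one file server nobody can reach) and contrasts ACLs keyed on the DN with ACLs keyed on a stable identifier such as entryUUID (RFC 4530), which survives a modrdn. Server names, the user entry and the ACL resources are all constructed for the example.

```python
"""Added example: DN-keyed ACLs versus stable-identifier ACLs after a rename.

All data here is constructed; there is no real directory behind it."""
from dataclasses import dataclass, field


@dataclass
class Entry:
    dn: str
    uuid: str  # stable identifier that survives a rename (cf. entryUUID, RFC 4530)


@dataclass
class Server:
    name: str
    entries: dict = field(default_factory=dict)  # dn -> Entry (directory servers only)
    acls: list = field(default_factory=list)     # (resource, principal) pairs


# Constructed user; the UUID is a made-up value.
ALICE = Entry(dn="cn=alice,ou=eng,o=example",
              uuid="b7c1e2a0-0000-4000-8000-000000000001")


def build_fleet(key):
    """key is 'dn' or 'uuid': the attribute ACLs use to name the principal.
    'fs-remote' stands in for a system the administrator cannot reach."""
    principal = ALICE.dn if key == "dn" else ALICE.uuid
    directory = Server("dir-hq",
                       entries={ALICE.dn: Entry(ALICE.dn, ALICE.uuid)},
                       acls=[("ou=eng,o=example", principal)])
    fs_hq = Server("fs-hq", acls=[("/srv/eng/plans", principal)])
    fs_remote = Server("fs-remote", acls=[("/srv/partner/drop", principal)])
    return [directory, fs_hq, fs_remote]


def resolve(fleet, principal):
    """Return the entry a principal string refers to, or None if it dangles."""
    for server in fleet:
        for entry in server.entries.values():
            if principal in (entry.dn, entry.uuid):
                return entry
    return None


def rename(fleet, old_dn, new_dn):
    """A modrdn: the DN changes, the UUID does not."""
    for server in fleet:
        entry = server.entries.pop(old_dn, None)
        if entry is not None:
            entry.dn = new_dn
            server.entries[new_dn] = entry


def dangling(fleet):
    """ACLs whose principal no longer resolves to any entry."""
    return [(server.name, resource, principal)
            for server in fleet
            for resource, principal in server.acls
            if resolve(fleet, principal) is None]


def query_replace(fleet, reachable, old, new):
    """Brute-force fix: rewrite the principal on every server we can reach.
    Returns the number of ACLs rewritten."""
    rewritten = 0
    for server in fleet:
        if server.name not in reachable:
            continue
        for i, (resource, principal) in enumerate(server.acls):
            if principal == old:
                server.acls[i] = (resource, new)
                rewritten += 1
    return rewritten


def scenario(key, reachable=("dir-hq", "fs-hq")):
    """Rename alice, count dangling ACLs, attempt the brute-force fix, recount.
    Returns (dangling_before_fix, dangling_after_fix)."""
    fleet = build_fleet(key)
    new_dn = "cn=alice,ou=sales,o=example"
    rename(fleet, ALICE.dn, new_dn)
    before = len(dangling(fleet))
    query_replace(fleet, reachable, ALICE.dn, new_dn)
    after = len(dangling(fleet))
    return before, after


if __name__ == "__main__":
    # DN-keyed: all three ACLs break; the rewrite repairs only the reachable two.
    print("dn-keyed   (before, after):", scenario("dn"))
    # UUID-keyed: nothing breaks, so there is nothing to rewrite.
    print("uuid-keyed (before, after):", scenario("uuid"))
```

The DN-keyed run leaves one ACL dangling on the unreachable server however thorough the rewrite is, which is the point of the reply above. The UUID-keyed run never dangles, but note the cost it carries: every enforcement point must be able to resolve a UUID back to the current entry (or to group membership) at check time, so the lookup dependency moves from rename time to access-check time rather than disappearing.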