[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
RE: Authentication Methods for LDAP - last call
> -----Original Message-----
> From: Tim Howes [mailto:howes@netscape.com]
> Sent: Thursday, August 20, 1998 1:45 PM
>
> Paul Leach wrote:
> >
> > It won't help. Even if there were only one ACL per system (extremely
> > unlikely), you can never get to all the systems to change
> it, because _any
> > system in the world_ could have an ACL with the user's DN on it.
>
> The statement that "It won't help" is just not true.
> Perhaps you mean "It won't completely solve the problem".
> That is certainly true.
No, I meant that it doesn't even come close to solving the problem. Sure, it
makes it somewhat better. But it distracts from the real problem. See below.
> But it does help. In fact, it helps quite a lot.
>
> > Complete, up-to-date, knowledge in a distributed system is
> impossible.
>
> This is a true statement. But you seem to imply that
> the logical consequence of this is that complete, utter,
> unmitigated chaos must reign. That's not true, except
> perhaps in some computer science sense that is less than
> interesting to anybody using the technology.
The implication I intended is that realistic designs have to take this truth
into account.
In the case at hand, a realistic approach must _never_ need to munge all the
ACLs in the world, period. In such a case, reducing the number of ACLs by a
factor of 10, 100, or even 1000 or more is not needed (not on this account
anyway).
Paul