[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: Beginning taxonomy for finding LDAP servers.

To: 'Ryan Moats' <jayhawk@att.com>, ietf-ldapext@netscape.com
Subject: RE: Beginning taxonomy for finding LDAP servers.
From: Alan Lloyd <Alan.Lloyd@OpenDirectory.com.au>
Date: Fri, 07 May 1999 09:12:17 +1000
Resent-date: Thu, 06 May 1999 16:50:14 -0700 (PDT)
Resent-from: ietf-ldapext@netscape.com
Resent-message-id: <"CfcPwD.A.IcD.sqiM3"@glacier>
Resent-sender: ietf-ldapext-request@netscape.com

Yes - this issue is dealt with by navigation/knowledge within X.500
distributed directory systems - 
I think the issue of finding disconnected - non distributed servers has
to be dealt with by knowledge stored somewhere - Its just a case of
quantity, scale and where - Unfortunately this approach will always hit
scaleing issues and be expensive to configure - so any mechanism that
means handraulically configuring "knowledge" will hit a wall.

I would also like to say that distributed directory services can be
"subject" based ie.. Books - Subject, Subect,, etc and in addition
directory systems can include lagacy databases as search engines - so
any mechanism used should not be considered as compatable with DNS, etc


I think the same issue will apply to this knowledge management issue -
that has hit the "referral" between LDAP servers and replication issue.

ie. Many are announcing that their LDAP servers support referrals. How
ever, in an authenticated environment, if server A refers you to server
B and then you access server B. Server B must have your entry in it so
that you can be authenticated. And if those users on server B want to
see server A then server B has to be replicated to server A. ie a
Referral mechanism becomes pointless in an authenticated world - because
it implies one has to replicate everything to everywhere. Impossible.

It follws that if this is the case for free standing non distributed
LDAP servers - replicate to everywhere - how does the other "distributed
knowledge issue work"?

I detect conflict here and an aweful lot of operational human effort to
run LDAP only systems.

Delivering configuration of distributed namespace without the system
performing distributed mutual authentication - (as per X.500) is not a
viable approach. Simply because - in LDAP world you will have to
replicate - everything to everywhere.

Sorry to be me again - but I do get concerned that more mechanisms like
this just create more configuration and replication - without any added
utility.

X.500 provides distributed knowledge and distributed mutual
authentication to slove these issues.

regards alan


> -----Original Message-----
> From:	Ryan Moats 
> Sent:	Friday, May 07, 1999 5:22 AM
> To:	ietf-ldapext@netscape.com
> Subject:	Beginning taxonomy for finding LDAP servers.
> 
> Since the mailing list seems to have come back today, I am resending
> this...
> 
> Hi all-
> 
> Since I've been thinking on and off about this problem for a good long
> while now, I thought I'd kick off the discussion by listing the ways
> that
> I know of for finding LDAP servers.  I'm beginning to envision the
> work item on the LDAPEXT charter resulting in an informational level
> document
> (which I am volunteering to author or co-author as the case may be).
> 
> So...
> 
> 
> For LDAP clients finding Servers there are several different methods.
> This list is not complete, but should be considered the beginning of
> a taxonomy.
> 
> Method: Client configuration
> 
> In this case, the client administrator configures it with a list of
> known
> LDAP servers
> to send queries to.  This list will be right (initially), but
> modification
> to the list
> requires client updates and doesn't scale real well.
> 
> Method: WK DNS alias
> 
> If the DIT uses the "dc-naming scheme", then it is possible to
> construct the
> DNS names of potential servers using well known DNS aliases.  Without
> the
> use of
> the dc-naming scheme, it is possible to construct potential names
> based on
> the client's
> DNS name.  This has the shortcoming of being inexact and not
> supporting
> client roaming
> well when tunneling is not used.
> 
> Method: Service Location Protocol
> 
> A client that supports the service location protcol could do a SLP
> query for
> LDAP servers.
> This requires that the network be using SLP and and that the servers
> announce themselves.
> This method has the scaling drawbacks of SLP since it depends on that
> method.
> 
> Method: "discovery"
> 
> Besides using other methods, this method involves storing either the
> DN or
> related URL
> in the DNS in some way.  This method requires an administrator to
> configure
> the DNS with the
> information and the idea of storing either a DN or a URL in the DNS is
> a
> controversial one.
> The i-d that expounds this idea will not be renewed and is being taken
> off
> the service location
> WG's workplan.  This method would require persuation of the IESG to
> even
> reach
> experimental status.
> 
> Method: DHCP extensions
> 
> An expired internet-draft proposed using DHCP to deliver information
> about
> LDAP servers to a
> DHCP client. This requires that (a) the information be configured into
> the
> DHCP server and that
> the client both support DHCP and this extension.  Such a method would
> require resubmitting the
> DHCP and getting approval for it.
> 
> Method: CIP index objects
> 
> If LDAP servers are exchanging CIP index objects, then they can also
> exchange URL information for
> providing referalls to clients.  This would help by allowing a client
> to
> query a local server
> (that it discovered by one of the previous methods) and receive a
> referal to
> a non-local LDAP server
> which it could then query.
> 
> Comments are welcome as well as additional method brainstorming.
> 
> Ryan Moats

Follow-Ups:
- Re: Beginning taxonomy for finding LDAP servers.
  - From: dboreham@netscape.com (David Boreham)

Prev by Date: Re: A changeLogEntry and LDIF question ..
Next by Date: RE: Beginning taxonomy for finding LDAP servers.
Index(es):
- Chronological
- Thread