
RE: LDAP Knowledge draft



Thanks for that David.


But where are these certificates placed in the system if it is not X.500
- using mutual trust and authentication? Are they in a separate
database which is accessed by the LDAP server using LDAP? If so, what
about name issues? Does the LDAP server hold the same LDAP namespace as
the LDAP-enabled database with named certificates and CRLs in it?

In addition - how does one relate ACI profiles to externally
authenticated users? Don't you still have to configure each
LDAP server with its users and their ACI - and no doubt this will be
replicated between all servers.


So in reality one has to replicate everything to everywhere if using
LDAP servers and the directory entries contain the user password. Thus
if one has to replicate LDAP entries to many servers (say 5 or more)
then user password management is hit or miss (e.g. if one server is down
at the time of updates).

And if one puts user certificates and CRLs in User and CA entries in an
LDAP server, then one has to replicate this to everywhere, i.e. such a PKI
is unworkable - in fact this is worse than user password management with
replicated LDAP servers.

However - if what you say is that certs and CRLs can be read by the LDAP
server and its users from a separate PKI database without
authentication, then one does not need to replicate user entry info
everywhere. However, configuration of this central CRL
and cert database must follow the naming rules of the "non replicated"
LDAP server farm it supports, i.e. one needs a central server to support
the distributed namespace of LDAP servers and this must be shared -
operationally.

This sounds like a dog's breakfast to me. I wonder if anyone wants to
buy such a system - and operationally run it, when all you need to do is
use LDAP-accessed X.500 to avoid this "complexity"?


Is the reality now that X.500 solves the operational complexity of LDAP
when LDAP was supposed to be a simpler X.500? :-) 
 
regards alan



> -----Original Message-----
> From:	David Chadwick 
> Sent:	Wednesday, July 28, 1999 9:56 AM
> To:	Alan Lloyd; ietf-ldapext@netscape.com
> Subject:	Re: LDAP Knowledge draft
> 
> 
> > 
> > Perhaps the draft should mention in the security section ..
> > This mechanism is only applied in read only, non authenticated
> systems
> > 
> 
> We have been through this before and we agree that password 
> based authentication does require replication everywhere, but PKI 
> based authentication does not if certificates and CRLs can first be 
> retrieved without authentication.
> 
> David
> 
> > regards alan
> > 
> > 
> 
> 
> ***************************************************
> 
> David Chadwick
> IS Institute, University of Salford, Salford M5 4WT
> Tel +44 161 295 5351  Fax +44 161 745 8169
> Mobile +44 790 167 0359
> *NEW* Email D.W.Chadwick@salford.ac.uk *NEW*
> Home Page  http://www.salford.ac.uk/its024/chadwick.htm
> Understanding X.500  http://www.salford.ac.uk/its024/X500.htm
> X.500/LDAP Seminars http://www.salford.ac.uk/its024/seminars.htm
> Entrust key validation string MLJ9-DU5T-HV8J
> 
> ***************************************************
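The two replication regimes the thread argues about can be made concrete with a small simulation. The following Python is an added example written for this page, not code from either correspondent or from any LDAP product: it models a farm of five replicas (the "say 5 or more" figure above) under the password model, where one replica is down during a password change and so keeps serving the stale value, and under the certificate model, where a replica needs only the CA's verifying key plus read access to one central CRL and never holds a per-user secret. The CA "signature" is an HMAC tag, a deliberate stand-in so that the example runs on the standard library alone; replica names, DNs and passwords are constructed sample values.

```python
"""Constructed simulation: which data each authentication model forces a farm
of LDAP replicas to hold, and what a replica outage during an update costs."""
import hashlib
import hmac
import json
import secrets

REPLICAS = ["ldap1", "ldap2", "ldap3", "ldap4", "ldap5"]   # constructed farm


def _hash_password(salt: str, password: str) -> str:
    return hashlib.sha256((salt + password).encode()).hexdigest()


def _ca_tag(key: bytes, subject: str, serial: int) -> str:
    # Stand-in for the CA's signature over (subject, serial).
    return hmac.new(key, f"{subject}|{serial}".encode(), "sha256").hexdigest()


class PasswordFarm:
    """Simple-bind model: every replica must hold the user's current
    userPassword value, so each change is an N-way replication."""

    def __init__(self, replicas):
        self.entries = {r: {} for r in replicas}   # replica -> {dn: entry}
        self.down = set()

    def set_password(self, dn, password):
        """Push the new value to every reachable replica; return those missed."""
        salt = secrets.token_hex(8)
        entry = {"salt": salt, "digest": _hash_password(salt, password)}
        missed = []
        for replica in self.entries:
            if replica in self.down:
                missed.append(replica)          # keeps the stale entry
            else:
                self.entries[replica][dn] = entry
        return missed

    def bind(self, replica, dn, password):
        entry = self.entries[replica].get(dn)
        if entry is None:
            return False
        return hmac.compare_digest(_hash_password(entry["salt"], password),
                                   entry["digest"])


class CertificateAuthority:
    """Toy CA: issues tagged certificates and maintains one central CRL."""

    def __init__(self):
        self.key = secrets.token_bytes(32)
        self.crl = set()            # read by replicas without authentication
        self._next_serial = 1

    def issue(self, subject):
        serial, self._next_serial = self._next_serial, self._next_serial + 1
        return {"subject": subject, "serial": serial,
                "tag": _ca_tag(self.key, subject, serial)}

    def revoke(self, cert):
        self.crl.add(cert["serial"])   # one write; nothing pushed to the farm


class CertificateFarm:
    """Certificate model: a replica holds the CA key (public key in a real PKI)
    and reads the central CRL; its own user entries carry no secret."""

    def __init__(self, replicas, ca):
        self.entries = {r: {} for r in replicas}   # stays empty for auth
        self.ca_key = ca.key
        self.crl = ca.crl                          # shared central list

    def bind(self, replica, cert):
        expected = _ca_tag(self.ca_key, cert["subject"], cert["serial"])
        if not hmac.compare_digest(expected, cert["tag"]):
            return False                           # not issued by our CA
        return cert["serial"] not in self.crl


def run_demo():
    user = "cn=alan,o=example"                     # constructed DN

    pw = PasswordFarm(REPLICAS)
    pw.set_password(user, "old-secret")
    pw.down.add("ldap3")                           # unreachable during the change
    missed = pw.set_password(user, "new-secret")
    pw.down.clear()                                # back up, but never updated
    password = {
        "missed_replicas": missed,
        "new_pw_on_ldap1": pw.bind("ldap1", user, "new-secret"),
        "new_pw_on_ldap3": pw.bind("ldap3", user, "new-secret"),
        "old_pw_on_ldap3": pw.bind("ldap3", user, "old-secret"),
    }

    ca = CertificateAuthority()
    farm = CertificateFarm(REPLICAS, ca)
    cert = ca.issue(user)
    before = all(farm.bind(r, cert) for r in REPLICAS)
    ca.revoke(cert)
    after = any(farm.bind(r, cert) for r in REPLICAS)
    certificate = {
        "accepted_everywhere_before_revocation": before,
        "accepted_anywhere_after_revocation": after,
        "forged_cert_accepted": farm.bind("ldap2", dict(cert, tag="00" * 32)),
        "user_entries_replicated": sum(len(e) for e in farm.entries.values()),
    }
    return {"password": password, "certificate": certificate}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The password run shows the "hit or miss" outcome: ldap3 rejects the new password and still accepts the old one. The certificate run shows why the rest of the thread turns on unauthenticated CRL access: revocation takes effect on every replica at once because each one reads the same central list, and the farm's own user entries stay empty. What the simulation does not resolve is Alan's naming point, since the central CA and CRL store must still be reachable under a name every replica agrees on.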