
RE: draft-ietf-ldapext-locate-01.txt - Discovering LDAP Services with DNS



-----Original Message-----
From: James Benedict [mailto:grunt@nortelnetworks.com]
Sent: Tuesday, January 18, 2000 6:58 PM
To: Paul Leach; RL 'Bob' Morgan; Bruce Greenblatt
Cc: ietf-ldapext@netscape.com
Subject: RE: draft-ietf-ldapext-locate-01.txt - Discovering LDAP Services with DNS

> Agreed, but the value in making this computation is in having a high
> degree of confidence that it will be correct.  What I am saying is that
> there is no real way of gaining a high degree of confidence without having
> prior knowledge of the directory service.

It does not require prior knowledge about any one server -- just that enough
servers use the scheme to make it worthwhile to try -- since the alternative
is a _hard_ requirement for prior knowledge -- of the DNS name of the
server.
 
>> Since, as Bob points out, one is currently hosed if this guess is wrong,
>> the incentive to make it be correct will be high. I think this is "a good
>> thing".
>
> Agreed, to a point.  I think that having a domain-based directory tree can
> be a good thing, in some cases, an OSI-based tree in others.

I wasn't making any statement at all in that regard. I was saying that the
fact there was incentive to register the SRV records is a good thing.

> What this solution requires is some sort of agreement around two
> assumptions:
> 1)  That "Internet" LDAP DNs are arranged by domain component, and

No, it does not depend on any such agreement. It _allows_ _some_ people to
so arrange their DNs. In exchange, it lets them get resolved, without
requiring prior knowledge of the DNS name of the server holding the DN. I
think that that's a powerful incentive, enough to cause its use to be
widespread.

> 2)  The aforementioned domain components can, eventually, be resolved on
> the internet.
> (a third, and obvious assumption:  that this form of discovery is
> supported)
> I just don't think these are all that practical.

Seems easy, to me.

> What I would suggest is to embed the DNS name of the Internet LDAP server
> in the DN, maybe as the root. Something like:
> cn=James Benedict, ou=sales, ou=employees, o=nortelnetworks,
> ldap=ldap.nortelnetworks.com

Unfortunately, "ldap=" is not a legal DN component. It took RFC 2247 to make
"dc=" a legal DN component. 

We went through these kinds of alternatives in the process of coming up with
the current proposal.


Paul
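The computation the two of them are arguing about (take the dc= components at the root end of a DN, turn them into a DNS domain, and look up the _ldap._tcp SRV records for that domain) is small enough to show in full. The following is an added example, not code from the draft, from Paul, or from the list; it implements my reading of RFC 2247 and the locate draft (contiguous dc= run at the root end of the DN, one label per dc, multi-valued RDNs terminate the run) plus RFC 2782 ordering of the SRV answers. The DN, the SRV record set and the function names are constructed for the example; no DNS query is made, so the "answers" are a hand-built list in the shape a resolver would return.

```python
"""DN -> domain -> SRV name mapping, and RFC 2782 ordering of SRV answers.

Added example for the ldapext locate discussion; not the draft's own code.
Assumption (my reading of RFC 2247 / draft-ietf-ldapext-locate): the domain is
the contiguous run of single-valued dc= RDNs at the root (rightmost) end of the
DN, each dc value being exactly one DNS label.
"""
import random


def split_unescaped(s, sep):
    """Split an RFC 2253 string on `sep`, honouring backslash escapes (\\, \\+)."""
    parts, cur, i = [], [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):   # keep escape pair intact
            cur.append(s[i:i + 2])
            i += 2
            continue
        if s[i] == sep:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(s[i])
        i += 1
    parts.append("".join(cur))
    return parts


def dc_value(rdn):
    """Return the label if `rdn` is a single-valued dc= RDN, else None."""
    if len(split_unescaped(rdn, "+")) > 1:     # multi-valued RDN ends the run
        return None
    typ, sep, val = rdn.partition("=")
    if not sep or typ.strip().lower() != "dc":
        return None
    val = val.strip()
    # A dc value is one label (RFC 2247); reject empty, dotted or hex-encoded values.
    if not val or "." in val or val.startswith("#"):
        return None
    return val


def dn_to_domain(dn):
    """Walk the DN from its root end and collect the contiguous dc= labels."""
    labels = []
    for rdn in reversed(split_unescaped(dn, ",")):   # root (rightmost) RDN first
        v = dc_value(rdn.strip())
        if v is None:
            break                                    # first non-dc RDN ends the run
        labels.append(v)
    if not labels:
        return None                                  # no dc= at the root: cannot locate
    return ".".join(reversed(labels)).lower()


def srv_name(domain, service="ldap", proto="tcp"):
    """Owner name of the SRV RRset to query (RFC 2782 naming)."""
    return f"_{service}._{proto}.{domain}"


def order_srv(records, rng=random):
    """Order SRV RRs (priority, weight, port, target) as RFC 2782 prescribes:
    lowest priority first; within one priority, weighted random selection,
    weight-0 records naturally landing first. A target of "." means the
    service is explicitly not offered and is dropped."""
    live = [r for r in records if r[3] != "."]
    ordered = []
    for prio in sorted({r[0] for r in live}):
        pool = [r for r in live if r[0] == prio]
        while pool:
            total = sum(r[1] for r in pool)
            pick = rng.randint(0, total) if total else 0
            acc = 0
            for r in pool:
                acc += r[1]
                if acc >= pick:
                    ordered.append(r)
                    pool.remove(r)
                    break
    return ordered


# Constructed sample data (not from any real zone or directory).
SAMPLE_DN = "cn=James Benedict, ou=sales, ou=employees, dc=nortelnetworks, dc=com"
SAMPLE_SRV = [  # (priority, weight, port, target), as a resolver might hand back
    (10, 0, 389, "backup.nortelnetworks.com."),
    (0, 60, 389, "ldap1.nortelnetworks.com."),
    (0, 40, 389, "ldap2.nortelnetworks.com."),
    (0, 0, 389, "."),
]


def locate(dn, answers, rng=random):
    """Full pipeline: DN -> domain -> SRV owner name -> ordered target list."""
    domain = dn_to_domain(dn)
    if domain is None:
        return None, []
    return srv_name(domain), [(r[3], r[2]) for r in order_srv(answers, rng)]


if __name__ == "__main__":
    name, targets = locate(SAMPLE_DN, SAMPLE_SRV)
    print(name)        # _ldap._tcp.nortelnetworks.com
    for host, port in targets:
        print(f"  try {host}:{port}")
```

Two practitioner notes. First, the dc= run is taken from whatever DN the client was handed, so a DN arriving in a referral or a search result chooses the zone that gets queried; a client should apply the same trust rules to that zone as it would to a server name typed by the user. Second, the SRV answers are only as trustworthy as the resolver path (unsigned DNS unless DNSSEC is validated), so the host picked here must still be authenticated at the LDAP layer, e.g. by checking the TLS certificate against the SRV target name, before any bind credentials are sent.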