
RE: gluing directories with draft-ietf-ldapext-locate-02.txt



Yes, DNS is good for a name service - BUT (some personal thoughts):

Directories - an OO distributed system with extensible, standardised
information sets that one builds - so that the same information (a single
instance of information) can be used by many applications - such as mail, HR,
catalogues, users and service profiles, certificate and authentication
regimes, integration with OA systems, configuration of network elements...

I.e. any directory system (that is of any use) must be distributed and
uniform in terms of authentication, access controls, schema management, the
ability to be used (accessed) in a local, wider and long-distance context (as
per accessing the telephone system). This is required so that it can handle
high user authentication capacities, security, etc. - and distributed object
searching from logically central locations (how many users online, how many
users have valid certs that expire tomorrow, etc.). How do you manage
globally roaming users - and authenticate these via protected service
profiles? It's via the directory information model as designed for
V-ISPs, etc.

As the Internet merges with the telephone, mobile and TV systems of this
planet - and the globalising carriers take over the management of the
Internet - how do you deal with managing London, logging onto their TV sets
at the rate of thousands a second? How do you know what these users want?
How does one deal with an information model that derives a User's profile -
onto a set of services where each service is a private internet for
commercial global organisations - who wish to deal with their customers
privately and from any access point on this planet (as per the telephone
system...)?


My continued concern with LDAP is that it is reinventing an access protocol to
a directory system such as X.500, which has 80% more application than any
LDAP server can ever have. And such mechanisms serve very little
purpose for those dealing with commercially required directory systems.

LDAP servers are now being seen by most as pointless objects - no scale, no
security (replicate everything everywhere - and fragmented access
controls, etc.), and every feature added to LDAP for a small single server
just simply does not apply to large-scale distributed system directories
that serve the prime function of a directory service as defined above...

i.e. a distributed information source which is logically accessed according to
a coherent authentication and access control policy - that has information
extensibility, robustness and predictable performance...

Adding non-secure funny bits and dedicated information schema to small
servers and interconnecting them actually makes a mess.




BTW - Internet - well, our directory service is applied under quite a few
V-ISPs - over the last three years - they are running in NZ, UK, EU,
US...

Unofficially, we have just performed some testing where on a few distributed
LDAP-accessed X.500 nodes (not replicated) holding 500M entries, we can
concurrently connect 125-150M users...
You see, with X.500 distributed system technology we can now address
authenticating the population of the US, etc., coming online via their
mobiles, TVs, etc. at high capacity rates - to managed services with
selectable security profiles...

What was that about the Internet? IMHO the V-ISP architecture we are
running is the new internet/telephone/TV infrastructure - Authenticated
Users (millions of them, being managed by the service provider) - for
commercial Organisations (as their customers) who want services as
protected, private services to their own customers. And guess what - X.500
is the only standard that allows this to happen..

Simply because one must have distributed, trusted and protected logical
views of information with an extensible User - Service information model
that embraces PKI, etc.


Many organisations still think directories are about OA and their internal
staff - well, that's one view...

Others are now seeing them (X.500 directories ) as the only distributed
information technology that can scale and can manage their millions of
customers going on line to their core systems at the rates of thousands or
millions a second.

Why would I want a distributed directory that can hold 500M or more
entries - with user concurrency at this scale? It's because I want to manage
500+M customers onto my online services - in a distributed context. See
telephone systems.

If anyone on this list wants papers or slides, etc. on the above, I will
be happy to forward them.


regards as always, alan



	-----Original Message-----
	From:	Kurt D. Zeilenga 
	Sent:	Monday, May 15, 2000 8:08 PM
	To:	Lloyd, Alan
	Cc:	ietf-ldapext@netscape.com
	Subject:	RE: gluing directories with draft-ietf-ldapext-locate-02.txt

	I think DNS is good glue.  It's proven itself time after time as
	being such.  I believe it wise to experiment with further
	leveraging of DNS.

	Yes, there are some limitations to DNS SRV location of services.
	However, in many ways, it's much more suitable to this task than
	X.500/LDAP.  Time will tell.  Maybe after a few months of operation,
	I'll write an I-D detailing lessons learned from this experiment.

	>To me this is definitely not what "large scale" directory users want...an
	>unprotected, uncoordinated, non deterministic "information" infrastructure

	ie: the Internet.  :-)

		Kurt
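
The mechanism the two correspondents are arguing over, shown as an added illustration rather than code from the draft, from OpenLDAP, or from either writer: a client maps the dc= components of a DN to a DNS domain (RFC 2247 naming), asks DNS for `_ldap._tcp.<domain>` SRV records, and orders the answers by priority and weight as RFC 2782 prescribes. The DNS answers are constructed inline so the code runs offline; the rule that every dc RDN contributes a label, the `FAKE_ZONE` data and the `fake_resolver` stand-in are assumptions made for this example. The returned domain is deliberately separated from the returned hosts: the domain came from the DN the client already trusted, the hosts came from an unauthenticated DNS reply.

```python
"""Locate LDAP servers for a DN via DNS SRV (draft-ietf-ldapext-locate style:
dc-naming per RFC 2247, SRV ordering per RFC 2782).  Added example for this
thread, not code from the draft or any list participant.  DNS data is
constructed inline so the example runs offline."""
import random
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str  # "." means: this domain explicitly offers no such service


def split_dn(dn: str) -> List[str]:
    """Split a DN into RDN strings, honouring backslash-escaped commas."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])  # keep the escape pair intact
            i += 2
            continue
        if dn[i] == ",":
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(dn[i])
        i += 1
    rdns.append("".join(cur))
    return [r.strip() for r in rdns if r.strip()]


def dn_to_domain(dn: str) -> str:
    """Derive the DNS domain from the dc= components of a DN (RFC 2247).
    Assumption in this example: every dc RDN contributes one label, in DN
    order, so cn=x,dc=sales,dc=example,dc=com -> sales.example.com."""
    labels = [v.strip().lower()
              for a, _, v in (r.partition("=") for r in split_dn(dn))
              if a.strip().lower() == "dc"]
    if not labels:
        raise ValueError("DN has no dc components; nothing to look up in DNS")
    return ".".join(labels)


def srv_name(domain: str) -> str:
    """Owner name of the SRV record set that advertises LDAP for a domain."""
    return "_ldap._tcp." + domain


def order_srv(records: List[SrvRecord],
              rng: Callable[[], float] = random.random) -> List[SrvRecord]:
    """Order SRV records as RFC 2782 prescribes: ascending priority, and
    within one priority a weighted random draw repeated until the bucket is
    empty (weight-0 records are sorted to the front before each draw)."""
    ordered: List[SrvRecord] = []
    for prio in sorted({r.priority for r in records}):
        bucket = [r for r in records if r.priority == prio]
        while bucket:
            bucket.sort(key=lambda r: r.weight != 0)  # stable: weight-0 first
            total = sum(r.weight for r in bucket)
            pick = int(rng() * (total + 1))           # integer in 0..total
            running = 0
            for r in bucket:
                running += r.weight
                if running >= pick:
                    ordered.append(r)
                    bucket.remove(r)
                    break
    return ordered


def locate_ldap(dn: str, resolver: Callable[[str], List[SrvRecord]],
                rng: Callable[[], float] = random.random
                ) -> Tuple[str, List[Tuple[str, int]]]:
    """Return (domain_to_verify, [(host, port), ...]) for a DN.
    domain_to_verify is the name to check the server's TLS certificate
    against: it derives from the DN the client trusted, whereas the SRV
    targets came from a DNS answer that is unauthenticated without DNSSEC."""
    domain = dn_to_domain(dn)
    records = resolver(srv_name(domain))
    if len(records) == 1 and records[0].target == ".":
        return domain, []  # RFC 2782: service explicitly not available
    return domain, [(r.target.rstrip("."), r.port) for r in order_srv(records, rng)]


# Constructed zone data standing in for real DNS answers (not a real deployment).
FAKE_ZONE: Dict[str, List[SrvRecord]] = {
    "_ldap._tcp.example.com": [
        SrvRecord(0, 60, 389, "ldap1.example.com."),
        SrvRecord(0, 40, 389, "ldap2.example.com."),
        SrvRecord(10, 0, 389, "ldap-backup.example.com."),
    ],
    "_ldap._tcp.nodir.example.net": [SrvRecord(0, 0, 0, ".")],
}


def fake_resolver(name: str) -> List[SrvRecord]:
    """Stand-in for an SRV query; a real client would ask DNS here."""
    return FAKE_ZONE.get(name, [])


if __name__ == "__main__":
    for dn in ("cn=alan,ou=people,dc=example,dc=com",
               "o=Acme,dc=nodir,dc=example,dc=net"):
        print(dn, "->", locate_ldap(dn, fake_resolver))
```

Passing a fixed `rng` makes the weighted draw reproducible, which is how the ordering can be checked; in production the default `random.random` spreads load across the priority-0 servers roughly 60/40 and only falls through to the priority-10 host when both are unreachable. The security point is in `locate_ldap`'s return value: whoever can spoof the SRV answer chooses the target host, so an LDAP-over-TLS client should verify the certificate against the domain it derived from the DN, not against whatever hostname DNS handed back.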