
Re: DN->DNS mapping in draft-ietf-ldapext-locate-05.txt



To me, your point is just a reminder that we do not fully understand the
ramifications of the proposed change.  Of course other variants of the
basic algorithm are possible as well, such as:

a) Scan from the right of the DN until you find the first dc component.
b) Consume the dc components to form the DNS name, stopping when you see
a non-dc component.

In other words, don't use ALL of the dc components but just the most
significant set of adjacent ones.  If the above algorithm is followed,
each of these DNs would map to an example.com SRV lookup:

dc=consumer,dc=com,ou=domains,ou=consumer,ou=customers,dc=example,dc=com
uid=bjensen,dc=example,dc=com,o=Example Industries,c=US.
dc=bogus,uid=bjensen,dc=example,dc=com,o=Example Industries,c=US.

But again, what new issues will arise that we have not yet considered? 
And what flexibility have we given up that someone will want?

I don't strongly disagree with any of the points made so far, but I am
skeptical about one thing:  the value of making any changes to the
current algorithm.  It seems unlikely to me that PKI deployers will
really issue certificates that contain DNs like this:

    uid=bjensen,ou=accounting,dc=example,dc=com,o=Example Industries,c=US

Given the fact that they will need to issue new certs, why wouldn't they
just add another directory naming context and use DNs like this:

    uid=bjensen,ou=accounting,dc=example,dc=com

They will want to make that transition someday anyway.  No?

-Mark Smith
 Netscape


"Kurt D. Zeilenga" wrote:
> 
> Just thought of another issue....  dc has uses outside of
> the naming of the context prefix.  I believe some applications
> create 'domain' and others (using dc names) entries under an
> ou to manage DNS RR.  In particular, in service provider
> environments where a provider using dc=example,dc=com as their
> naming context, might have a container
>   ou=domains,ou=consumer,ou=customers,dc=example,dc=com
> and desiring to add entries under this:
>   dc=consumer,dc=com,ou=domains,ou=consumer,ou=customers,dc=example,dc=com
> to manage the DNS RR for that consumer.  The existing DN to
> domain mapping would produce "example.com", the new mapping
> would produce "consumer.com.example.com".
> 
> Defining a "loose" DN to domain mapping might limit other uses
> of 'dc'.  It might be appropriate for those who are engaged in
> service provider forums could look into whether the mapping
> change would have a significant impact upon their current use
> of 'dc'.
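The two mappings argued over in this thread, worked through in code. This is an added example, not code from the draft, from Mark, or from Kurt: `map_all_dc` is the "loose" mapping Kurt describes (every dc component in the DN, which turns his service-provider DN into consumer.com.example.com), and `map_rightmost_run` is Mark's variant (a)/(b) (scan from the right for the first dc, then consume only the adjacent dc components). The DN parser is my own minimal RFC 2253-style splitter (unescaped commas separate RDNs, `+` joins multi-valued RDNs, attribute types compare case-insensitively); it does not unescape values, and it treats a multi-valued RDN as non-dc. The sample DNs are the ones quoted in the thread plus two constructed ones.

```python
"""Added example (not part of the thread): two candidate DN -> DNS mappings
discussed above, run over the DNs the posters quote.

Assumptions (mine, not the draft's): RDNs are split on unescaped commas and
double-quoted values per RFC 2253 syntax, attribute types compare
case-insensitively, values are not unescaped, and a multi-valued RDN (a+b)
is treated as non-dc.
"""
import re


def split_rdns(dn):
    """Split a string DN into RDN strings on commas that are neither escaped
    with a backslash nor inside a double-quoted value."""
    rdns, buf, escaped, quoted = [], [], False, False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == '\\':
            buf.append(ch)
            escaped = True
        elif ch == '"':
            buf.append(ch)
            quoted = not quoted
        elif ch == ',' and not quoted:
            rdns.append(''.join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    rdns.append(''.join(buf).strip())
    return [r for r in rdns if r]


def parse_dn(dn):
    """Return the DN as a list of RDNs, leftmost (least significant) first.
    Each RDN is a list of (type, value) pairs; '+' separates the values of a
    multi-valued RDN."""
    out = []
    for rdn in split_rdns(dn):
        avas = []
        for ava in re.split(r'(?<!\\)\+', rdn):
            attr_type, _, value = ava.partition('=')
            avas.append((attr_type.strip().lower(), value.strip()))
        out.append(avas)
    return out


def is_dc(rdn):
    """True for a single-valued RDN whose attribute type is dc."""
    return len(rdn) == 1 and rdn[0][0] == 'dc'


def map_all_dc(dn):
    """The 'loose' mapping Kurt describes: concatenate every dc component in
    the DN, least significant first. Returns None if the DN has no dc."""
    labels = [rdn[0][1] for rdn in parse_dn(dn) if is_dc(rdn)]
    return '.'.join(labels) if labels else None


def map_rightmost_run(dn):
    """Mark's variant (a)/(b): scan from the right of the DN until the first
    dc component, then consume adjacent dc components leftward, stopping at
    the first non-dc component. Returns None if the DN has no dc."""
    rdns = parse_dn(dn)
    i = len(rdns) - 1
    while i >= 0 and not is_dc(rdns[i]):
        i -= 1
    if i < 0:
        return None
    labels = []
    while i >= 0 and is_dc(rdns[i]):
        labels.append(rdns[i][0][1])
        i -= 1
    return '.'.join(reversed(labels))   # collected right-to-left, so reverse


# Sample DNs: the ones quoted in the thread, plus two constructed ones.
SAMPLE_DNS = [
    "dc=consumer,dc=com,ou=domains,ou=consumer,ou=customers,dc=example,dc=com",
    "uid=bjensen,dc=example,dc=com,o=Example Industries,c=US",
    "dc=bogus,uid=bjensen,dc=example,dc=com,o=Example Industries,c=US",
    "uid=bjensen,ou=accounting,dc=example,dc=com",
    "cn=Smith\\, Mark,dc=example,dc=com",   # constructed: escaped comma
    "cn=Mark Smith,o=Netscape,c=US",        # constructed: no dc at all
]


def compare(dn):
    """Return (all-dc result, rightmost-run result) for one DN, so the two
    mappings can be laid side by side."""
    return map_all_dc(dn), map_rightmost_run(dn)


if __name__ == "__main__":
    for dn in SAMPLE_DNS:
        loose, run = compare(dn)
        print(f"{dn}\n    all-dc: {loose}\n    rightmost run: {run}")
```

Running it shows why the choice is not cosmetic: the SRV lookup target decides which server a client contacts, and under the all-dc mapping any dc RDN placed below the naming context (Kurt's `dc=consumer,dc=com` container, or the `dc=bogus` leaf in Mark's list) changes that target, whereas the rightmost-run variant keeps all three of Mark's DNs on example.com.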