
RE: Access Control, Administrative Areas, Replication and Distribution




> -----Original Message-----
> From: Albert Langer [mailto:Albert.Langer@directory-designs.org] 
> Sent: Monday, March 26, 2001 5:39 AM
> To: ietf-ldup@imc.org; ietf-ldapext@netscape.com
> Subject: Access Control, Administrative Areas, Replication 
> and Distribution
> 
> 
> Following links highlight serious problems that can arise 
> from not working out access control together with 
> replication carefully enough.
> 
> Microsoft unable to supply a fix for more than a year due to 
> having to fundamentally redesign Active Directory to fix it:
> 
> http://www.nwfusion.com/archive/2001/117574_02-26-2001.html
> 
> http://www.microsoft.com/windows2000/news/bulletins/multivalrep.asp
> 
> Similar issues can arise with replication of administrative 
> policy etc.

Nonsense. The "fundamental" flaw is that Active Directory is loosely
consistent. It was proved almost two decades ago (by Brian Oki at PODC
1984, IIRC) that there is a hard intrinsic tradeoff between consistency
and availability. For many purposes, availability is more important.
Active Directory, and several other commercial products, are targeted at
this space, and LDUP is attempting to standardize such a protocol.

Many customers don't like intrinsic tradeoffs. They want both
consistency and high availability, even if it can be proved that it is
impossible. And almost no journalist understands any of this.

BTW: the fix to this "security flaw" was to make the unit of replication
finer grained. No "fundamental" redesign was needed.

You should use better evidence in your campaign.