
RE: Access Control, Administrative Areas, Replication and Distribution



I didn't say it removed the "fundamental" flaw, just the "security
flaw".

The "security flaw" was that updates to objects that were really a
collection of finer grained objects were getting lost.

Scenario:
Big object X is composed of set of small objects {A, B, C, ...}
User 1 changes X to {A', B, C, ...}
User 2 changes X to {A, B', C, ...} before user 1's changes get to him.
Whichever one wins the conflict resolution, the other one's change is
lost. These are "false conflicts", analogous to "false sharing" in DSM
systems.

If instead, A, B, C, were individually replicatable objects, then this
wouldn't happen. Only conflicts on individual items would be subject to
conflict. That's intrinsic.

Users just didn't expect the updates to X to get lost -- X in this case
was a group of users, and they were operating on _different_ users, so
they expected it to work.

> -----Original Message-----
> From: Kurt D. Zeilenga [mailto:Kurt@OpenLDAP.org] 
> Sent: Wednesday, March 28, 2001 10:36 AM
> To: Paul Leach
> Cc: Albert.Langer@directory-designs.org; ietf-ldup@imc.org; 
> ietf-ldapext@netscape.com
> Subject: RE: Access Control, Administrative Areas, 
> Replication and Distribution
> 
> 
> At 06:02 PM 3/26/01 -0800, Paul Leach wrote:
> >The "fundamental" flaw is that Active Directory is loosely 
> consistent.
> >
> >BTW: the fix to this "security flaw" was to make the unit of 
> >replication finer grained. No "fundamental" redesign was needed.
> 
> I don't see how making replication finer grained removes
> the "fundamental" flaw, "loose consistency" between masters.
> 
> Kurt
> 
>
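
The scenario from the message above, as an added example that is not part of the original thread: the same two edits merged once with the whole group X as the unit of replication and once per member. Last-writer-wins on constructed integer stamps is an assumption (the thread does not say how conflicts are resolved), and all names in the code are hypothetical.

```python
# Added illustration: Write, lww, merge_whole, merge_members and scenario are
# hypothetical names; last-writer-wins with integer stamps is an assumption.
from typing import NamedTuple

class Write(NamedTuple):
    stamp: int     # constructed logical timestamp, higher wins
    value: object

def lww(a: Write, b: Write) -> Write:
    """Conflict resolution: keep the write with the higher stamp."""
    return a if a.stamp >= b.stamp else b

def merge_whole(r1: Write, r2: Write) -> Write:
    """Coarse unit of replication: the whole group X is one value."""
    return lww(r1, r2)

def merge_members(r1: dict, r2: dict) -> dict:
    """Fine unit of replication: each member is resolved on its own."""
    merged = {}
    for key in sorted(r1.keys() | r2.keys()):
        if key in r1 and key in r2:
            merged[key] = lww(r1[key], r2[key])
        else:
            merged[key] = r1[key] if key in r1 else r2[key]
    return merged

def scenario():
    # Constructed sample data: X = {A, B, C}; user 1 edits A, user 2 edits B.
    coarse = merge_whole(Write(1, ("A'", "B", "C")), Write(2, ("A", "B'", "C")))
    base = {k: Write(0, k) for k in "ABC"}
    user1 = {**base, "A": Write(1, "A'")}
    user2 = {**base, "B": Write(2, "B'")}
    fine = merge_members(user1, user2)
    # A true conflict: both users edit the same member A.
    clash = merge_members({**base, "A": Write(1, "A'")},
                          {**base, "A": Write(2, "A''")})
    values = lambda m: tuple(m[k].value for k in sorted(m))
    return coarse.value, values(fine), values(clash)

if __name__ == "__main__":
    coarse, fine, clash = scenario()
    print("whole-object merge:", coarse)   # user 1's change to A is gone
    print("per-member merge:  ", fine)     # both changes survive
    print("same-member clash: ", clash)    # one write still loses
```

When X is a group, the write dropped by the whole-object merge can be a membership change, which is why the lost update was treated as a security flaw rather than only a consistency one.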