
Re: FW: Request for LDAP



Dear Lander -

A couple of comments with regard to your request:

1) you should understand that standards progression is a relatively
slow process...a good idea, once proposed, will need to be taken
up by some number of technology providers (i.e., vendors) to consider
how best to standardize an approach to the solution, then they'll
build products and services which attempt to do the job, and then
they'll figure out which approach works well for standardization.  In
the best of cases, you would expect the process to take a couple
of years to have multiple interoperable products on the
marketplace doing what you propose.  That may not make the deadline
for your project rollout ;-), but that's okay, there are other ways...

2) A number of vendors are working with nested group definitions
to provide functionality similar to what you describe.  Most of them
rely on a centralized database to assist with the list explosion
process (i.e., the recursive enumeration of group members to
obtain the full set of unique members).

Previous attempts to 
do this in the distributed environment without some centralized
database to do the recursive enumeration have proven to have
such bad performance that many vendors have avoided the
whole subject altogether.  Centralized indexing databases, like
the global catalog in Microsoft's Active Directory Service, and a 
variety of meta-directory solutions from companies
like Critical Path, Novell, etc., are examples of what are
still proprietary approaches to the problem, but ones which might
meet your immediate needs.  Some solutions already provide
nested group semantics.

3) You're welcome to join the IETF working group dealing with
LDAP features, extensions, and requirements.  Please visit
http://www.ietf.org/html.charters/ldapext-charter.html
for information on the working group, and instructions for
joining the mailing list.

Regards,
Ed Reed
>>> "Stoddard, Lander" <lbs2@cdc.gov> 04/06/01 09:45AM >>>
Dear LDAP standards working group - 

Please consider the request below.

thanks, Lander

Lander Stoddard
Associate Director for Strategic Planning
  and Information Management
Scientific Resources Program
National Center for Infectious Diseases
Centers for Disease Control and Prevention
lstoddard@cdc.gov 


-----Original Message-----
From: Tim Howes [mailto:howes@loudcloud.com] 
Sent: Thursday, April 05, 2001 4:34 PM
To: Stoddard, Lander
Subject: Re: Request for LDAP


Hi. Sounds like a reasonable request to me, one I've
in fact heard before. You might send it to Mark Wahl
<mark.wahl@sun.com> or Mark Smith <mcs@netscape.com>,
both of whom are still actively involved in the LDAP
standardization process (I am not). Or, you could
try sending your request to ietf-ldapext@netscape.com,
the LDAP standards working group mailing list.

Hope that helps.       -- Tim

"Stoddard, Lander" wrote:
> 
> Tim -
> 
> I just read your article "LDAP: Use as Directed".  Thanks for the great
> work.
> 
> I am trying to architect a distributed directory and have run into a
> functional roadblock that I think should be part of the LDAP spec.  I
> don't know who else to send this to since I have no entree to the LDAP
> standards body.
> 
> The needed functionality is a recursive search for group membership.  We
> can build something to do this but I think it optimally should be language
> independent.  It's a common enough problem that I think there should be a
> common solution.  Consider the following scenario:
> 
> We are going to build a public health directory to manage access to
> applications and distribution of information.  Tom X is in an
> organizational role of State Epidemiologist for State Q.  All state
> epidemiologists are members of the group All State Epidemiologists.
> There are some 50 surveillance applications for which there is an
> application role that the state epidemiologists have access to.  After a
> person authenticates, I want to present them with a list of authorized
> applications and approles to choose from.
> 
> So, there is an orgperson object in an orgrole object/group.  There is an
> orggroup object containing orgrole objects.  There is an application group
> containing applicationrole groups.  With the current LDAP query
> functionality, I have to place individual orgperson objects into the
> approle groups.
> 
> For ease of directory management, the better thing would be to put the
> orggroup into the approle group.  Then if Tom X is replaced by Mary Y, the
> only change that has to be made is the membership of the orgrole, not the
> membership of the org group and 50 approles.  I would like an LDAP
> function that recursively searches down through the group until it finds
> all the orgperson objects and then does a match against the provided DN.
> And I would like the LDAP directory to do the work.
> 
> What do you think?  Is this a reasonable request that can be submitted?  I
> know we can code this and distribute the component to our servers, but it
> will probably be language specific.  Just seems like there ought to be an
> LDAP solution.
> 
> thanks for your consideration,
> Lander
> 
> Lander Stoddard
> Associate Director for Strategic Planning
>   and Information Management
> Scientific Resources Program
> National Center for Infectious Diseases
> Centers for Disease Control and Prevention
> lstoddard@cdc.gov 


=================
Ed Reed
Reed-Matthews, Inc.
+1 801 796 7065
http://www.Reed-Matthews.COM
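As an added illustration (not code from either correspondent), here is the client-side "list explosion" Ed describes, applied to Lander's orgrole/orggroup/approle layout. The directory is a constructed in-memory dict of group DN to `member` values; the DNs and group names are assumptions modelled on the scenario, and one deliberate membership cycle is included to show why the walk needs a visited set.

```python
# Added example: nested-group expansion over a constructed model of LDAP
# groupOfNames entries (dict of group DN -> member DNs). Any DN that is
# not a key is treated as a leaf person entry. Names are assumptions.
from typing import Dict, List, Set

DIRECTORY: Dict[str, List[str]] = {
    "cn=State Epidemiologist Q,ou=orgroles,o=health": [
        "cn=Tom X,ou=people,o=health",
    ],
    "cn=State Epidemiologist R,ou=orgroles,o=health": [
        "cn=Mary Y,ou=people,o=health",
        # Constructed cycle back to the orggroup: a misconfiguration that a
        # naive recursive walk would loop on until the stack overflows.
        "cn=All State Epidemiologists,ou=orggroups,o=health",
    ],
    "cn=All State Epidemiologists,ou=orggroups,o=health": [
        "cn=State Epidemiologist Q,ou=orgroles,o=health",
        "cn=State Epidemiologist R,ou=orgroles,o=health",
    ],
    "cn=surveillance-app-1 users,ou=approles,o=health": [
        "cn=All State Epidemiologists,ou=orggroups,o=health",
        "cn=Admin Z,ou=people,o=health",
    ],
}

def expand_members(group_dn: str, directory: Dict[str, List[str]] = DIRECTORY) -> Set[str]:
    """Unique person DNs reachable from group_dn through nested groups.

    Iterative walk with a visited set: each group is expanded once, so
    shared subgroups are not re-enumerated and cycles terminate."""
    people: Set[str] = set()
    seen_groups: Set[str] = set()
    stack = [group_dn]
    while stack:
        dn = stack.pop()
        if dn in directory:          # a group: expand it at most once
            if dn in seen_groups:
                continue
            seen_groups.add(dn)
            stack.extend(directory[dn])
        else:                        # a leaf: a person entry
            people.add(dn)
    return people

def is_member(person_dn: str, group_dn: str, directory=DIRECTORY) -> bool:
    """Lander's request: does person_dn appear anywhere under group_dn?
    Assumes DNs are already normalized; real DN matching is case- and
    whitespace-insensitive per the LDAP distinguishedName matching rules."""
    return person_dn in expand_members(group_dn, directory)

def authorized_approles(person_dn: str, directory=DIRECTORY) -> List[str]:
    """Approle groups a person resolves into, for the post-login menu."""
    return sorted(g for g in directory
                  if g.endswith("ou=approles,o=health") and is_member(person_dn, g, directory))
```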