[Date Prev][Date Next] [Chronological] [Thread] [Top]
[ldapext] draft-ietf-ldapext-locate

To: micharm@microsoft.com, paulle@microsoft.com, levone@microsoft.com, rlmorgan@washington.edu
Subject: [ldapext] draft-ietf-ldapext-locate
From: Patrik Fältström <paf@cisco.com>
Date: Tue, 13 Aug 2002 05:53:55 -0400
Cc: ldapext@ietf.org, Ned Freed <ned.freed@mrochek.com>, ietf-ldap@paf.se
Content-disposition: inline
Comments from the IESG:
-------
The document says:
      If there are no
      matching SRV records available for the converted DN the client SHOULD
      NOT attempt to 'walk the tree' by removing the least significant
      portion of the constructed fully qualified domain name.

The meaning of "SHOULD NOT" is "don't do this unless you understand the
implications". Well, I don't know where to look to understand the
implications.
Thus I think it would be useful to either make it a MUST NOT, or explain
something about the implications of using shorter labels.

Alternatively specify SHOULD NOT do this in general, but MUST NOT ever
use this with just one label (i.e. MUST NOT look for _ldap._tcp.<TLD>)
or something similar.

-------
The document is unclear (see next note) on:

(a) When this is to be used (only when not having the foggiest clue where a
record with a specific DN is, or every time a record is to be accessed?)

(b) How to handle the case when one have a DN which have both dc and non-dc
components. Example of this is when two records stored on two different
servers share the same dc components. IF those records per definition (of
this document) have to be stored on the same server, or referrals have to
be stored on them to point to the other, then this document has a scope
which is larger than at first glance. I.e. part from stating how to locate
a record using DNS, it also has an implicit result that DC is _the_ naming
convention for the Internet. Please explain.

-------
This document define a conversion that is over-restrictive.

        The output domain name is initially empty. The DN is processed in
        right-to-left order (i.e., beginning with the first RDN in the
        sequence of RDNs). An RDN is able to be converted if it (1)
        consists of a single AttributeTypeAndValue; (2) the attribute type
        is "DC"; and (3) the attribute value is non-null. If it can be
        converted, the attribute value is used as a domain name component
        (label). The first such value becomes the rightmost (i.e., most
        significant) domain name component, and successive converted RDN
        values extend to the left. If an RDN cannot be converted,
                                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
        processing stops. If the output domain name is empty when
        ^^^^^^^^^^^^^^^^^
        processing stops, the DN cannot be converted into a domain name.

The underscored text should be removed and replaced with text that
states the non-DC RDN's are skipped over. So for example the DN:

        cn=Jeffrey Schiller,ou=LEES Laboratory,dc=lees,o=MIT,dc=mit,
        dc=edu

Can be unambiguously translated into:

        lees.mit.edu

Yet the underscored words make this translation invalid. With the
Underscored rule in place this DN would convert to just 'mit.edu'
which is not the desired result.

The additional flexibility offered will permit us to convert existing
PKI systems to make use of this feature without requiring all
certificates to be re-issued. It will also permit us to create DIT's
that can be delegated at more points rather then requiring all
structure to be at the very top where the DC components are, prior to
any non-DC component.

For example if MIT had a DIT with a top level name of:

      o=MIT,c=US

and a subordinate lab wanted to use this document, they could have a
delegated subtree like:

      ou=Lab for X,o=MIT,c=US

and then add a DC component below this as:

      dc=labx,dc=mit,dc=edu,ou=Lab for X,o=MIT,c=US

Under my more flexible approach this would work. Without the
flexibility they would be SOL until MIT redid its entire DIT to
be:

      o=MIT,c=US,dc=mit,dc=edu

and then they would have to be jointed in as:

      o=MIT,c=US,dc=labx,dc=mit,dc=edu

Ned: I have three concerns here:

(0) It isn't clear when this approach is supposed to be used. DNs are an
        integral part of *every* LDAP operation. Is it the intent that an
LDAP
        client check every DN it sees for DC fields and if it finds them use
        this approach. Or is it only appropriate in specific situations?

(1) This document specifies two things: How to translate a DN to a DNS
        name and how to use a DNS name to locate a corresponding LDAP
server.
        The document seems to imply that the latter is only used when a DNS
        name is produced by the former. I wonder if this restriction is a
good
        idea: Isn't the ability to use SRV records to locate more generally
        useful than this limited context?

        The answer to this may be no, but if so, the rationale for that
answer
        should be part of the specification.

(2) I don't see any provision for fallback to A records if SRV records
        don't exist. I can easily see this being a Bad Idea, if so, there
        should be an explicit prohibition of it in the document along with
        some explanation of why it is a bad idea.



-------
References should be split in normative and non-normative.
-------
I wonder about the reference to RFC1700, which has been obsoleted
by RFC3232, and that RFC actuallt talks about a DB that contains
the info. So How should this doc refer to that?
-------
Needs better abstract; doesn't even use the word "SRV". (and the rfc
editor will surely complain when they get it...)

Might be good to use SRV in the title as well, as opposed to just
"DNS". But this I'm less concerned about, as there are two steps, and
only the second step is SRV records.

E.g., maybe change:

            Discovering LDAP Services with DNS

To something like:

            Discovering LDAP Services with DNS SRV Resource Records

However, the rfc editor probably won't like the abbreviation
"SRV". Unfortunately, I don't think the acronym expands into anything
useful.
-------
I have three concerns here:

(0) It isn't clear when this approach is supposed to be used. DNs are an
    integral part of *every* LDAP operation. Is it the intent that an LDAP
    client check every DN it sees for DC fields and if it finds them use
    this approach. Or is it only appropriate in specific situations?

(1) This document specifies two things: How to translate a DN to a DNS
    name and how to use a DNS name to locate a corresponding LDAP server.
    The document seems to imply that the latter is only used when a DNS
    name is produced by the former. I wonder if this restriction is a good
    idea: Isn't the ability to use SRV records to locate more generally
    useful than this limited context?

    The answer to this may be no, but if so, the rationale for that answer
    should be part of the specification.

(2) I don't see any provision for fallback to A records if SRV records
    don't exist. I can easily see this being a Bad Idea, if so, there
    should be an explicit prohibition of it in the document along with
    some explanation of why it is a bad idea.





_______________________________________________
Ldapext mailing list
Ldapext@ietf.org
https://www1.ietf.org/mailman/listinfo/ldapext
Follow-Ups:
- Re: [ldapext] draft-ietf-ldapext-locate
  - From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
Prev by Date: [ldapext] LDAP TS approved
Next by Date: RE: [ldapext] draft-ietf-ldapext-locate
Index(es):
- Chronological
- Thread