[Date Prev][Date Next] [Chronological] [Thread] [Top]
Re: [ldapext] draft-ietf-ldapext-locate

To: Patrik Fältström <paf@cisco.com>
Subject: Re: [ldapext] draft-ietf-ldapext-locate
From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
Date: Tue, 13 Aug 2002 21:36:05 -0700
Cc: micharm@microsoft.com, paulle@microsoft.com, levone@microsoft.com, rlmorgan@washington.edu, ldapext@ietf.org, Ned Freed <ned.freed@mrochek.com>, ietf-ldap@paf.se
In-reply-to: <24876124.1029218035@localhost>
At 02:53 AM 2002-08-13, Patrik Fältström wrote:
>This document define a conversion that is over-restrictive.

I disagree.   I also note that this issue has been discussed
repeatedly on the list and, IMO, consensus has been that the
current specification is appropriately restrictive.

>        The output domain name is initially empty. The DN is processed in
>        right-to-left order (i.e., beginning with the first RDN in the
>        sequence of RDNs). An RDN is able to be converted if it (1)
>        consists of a single AttributeTypeAndValue; (2) the attribute type
>        is "DC"; and (3) the attribute value is non-null. If it can be
>        converted, the attribute value is used as a domain name component
>        (label). The first such value becomes the rightmost (i.e., most
>        significant) domain name component, and successive converted RDN
>        values extend to the left. If an RDN cannot be converted,
>                                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>        processing stops. If the output domain name is empty when
>        ^^^^^^^^^^^^^^^^^
>        processing stops, the DN cannot be converted into a domain name.
>
>The underscored text should be removed and replaced with text that
>states the non-DC RDN's are skipped over. So for example the DN:
>
>        cn=Jeffrey Schiller,ou=LEES Laboratory,dc=lees,o=MIT,dc=mit,
>        dc=edu
>
>Can be unambiguously translated into:
>
>        lees.mit.edu

so would:
        DC=less,DC=MIT,DC=MIT,OU=domains,O=example,c=DE

but one should not reasonably expect servers listed at
_ldap._tcp.less.mit.edu to have knowledge of this DN.  A
user attempting to access DC=less,DC=MIT,DC=MIT,OU=domains,O=example,c=DE
would be astonished if their client connected to servers
listed _ldap._tcp.less.mit.edu.

>Yet the underscored words make this translation invalid. With the
>Underscored rule in place this DN would convert to just 'mit.edu'
>which is not the desired result.

This IS the desired result.  Domain components have two common
uses are used together (or separately).  1) naming prefixes,
2) naming of objects associated with domain.  For example,
consider the DN.
        dc=example,dc=com,ou=domains,dc=example,dc=net

This is, the organization owning example.net has an entry
holding information about the domain example.com.  The mapping
suggested by Jeff would require the owner of example.net
maintain DNS SRV records associated with com.example.net
and example.com.example.net.  This is not desirable.

Consider the DN, dc=example,dc=com,ou=domains,o=ISP,c=UK where
the entry represents services (not necessarily DNS services)
which the ISP provides domain name example.com.  It would
be reasonable to presume _ldap._tcp.example.com referred to the
LDAP server holding "dc=example,dc=com,ou=domains,o=ISP,c=UK".
This is not desirable.

Or, more to the point, it is only reasonable to assume that
that _ldap._tcp.example.com refers to server with knowledge
of dc=example,dc=com.

>The additional flexibility offered will permit us to convert existing
>PKI systems to make use of this feature without requiring all
>certificates to be re-issued.

Converting from existing naming to DC naming doesn't require
this flexibility.  Switching from one naming practice to
another should be done directly.  That is, switching from
  cn=Jeffrey Schiller,ou=LEES Laboratory,o=MIT (or whatever)
to
  cn=Jeffrey Schiller,dc=lees,dc=mit,dc=edu

should be done without creating intermediate naming practices,
such as:
  cn=Jeffrey Schiller,ou=LEES Laboratory,dc=lees,o=MIT,dc=mit,dc=edu

Intermediate naming practices are evil and should be avoided.

>It will also permit us to create DIT's
>that can be delegated at more points rather then requiring all
>structure to be at the very top where the DC components are, prior to
>any non-DC component.
>
>For example if MIT had a DIT with a top level name of:
>
>      o=MIT,c=US
>
>and a subordinate lab wanted to use this document, they could have a
>delegated subtree like:
>
>      ou=Lab for X,o=MIT,c=US
>
>and then add a DC component below this as:
>
>      dc=labx,dc=mit,dc=edu,ou=Lab for X,o=MIT,c=US

No.  They would establish a server with knowledge of
"dc=labx,dc=mit,dc=edu".

They could treat "ou=Lab for X,o=MIT,c=US" and
"ou=Lab for X,o=MIT,c=US" as independent subtrees
or relate these subtrees using aliases or referrals.


>Under my more flexible approach this would work. Without the
>flexibility they would be SOL until MIT redid its entire DIT to
>be:

No.  See above.


>      o=MIT,c=US,dc=mit,dc=edu
>
>and then they would have to be jointed in as:
>
>      o=MIT,c=US,dc=labx,dc=mit,dc=edu
>
>Ned: I have three concerns here:
>
>(0) It isn't clear when this approach is supposed to be used. DNs are an
>integral part of *every* LDAP operation. Is it the intent that an
>LDAP client check every DN it sees for DC fields and if it finds them use
>this approach. Or is it only appropriate in specific situations?

It is intended to be a general mechanism for locating LDAP servers
having knowledge of directory objects associated with a DN in
absence of location information.  This DN may have been provided
to the application via LDAP or other means.  If the DN was provided
with location information, such as a LDAP URL with host part,
that information should be used.  Howeer, where the DN is provided
without any location information, this mechanism provides a means,
for a subset of DNs (those using RFC 2247 naming), for the
application to locate servers with knowledge of the DN.

This application may be an LDAP client or server.  OpenLDAP's server,
for example, can use this mechanism to generate referrals to clients
requesting DN which it otherwise has no knowledge of.

>(1) This document specifies two things: How to translate a DN to a DNS
>name and how to use a DNS name to locate a corresponding LDAP
>server.

I argue that the document specifies one process, to locate LDAP
servers with knowledge of a particular DN, which has two steps.

>The document seems to imply that the latter is only used when a DNS
>name is produced by the former. I wonder if this restriction is a
>good idea: Isn't the ability to use SRV records to locate more generally
>useful than this limited context?

I don't believe this document restricts how DNS SRV records
can be used.  It also doesn't restrict construction of additional
processes for locating LDAP servers with knowledge of a particular
DN.  In fact, draft-zeilenga-ldap-x500-locate suggests a process
for DNs using geo-political naming.

Additionally, DNS SRVs could be used to answer questions such
as "Are there LDAP servers associated with this domain?".
Of course, this would be followed by, "What DN is used by
the owner of this domain for their objects?".  If a listed
server provides 100s of namingContext, which one is the right one?
Luckily, we have RFC 2247 which says how the owner of the
domain should name objects.

>The answer to this may be no, but if so, the rationale for that
>answer should be part of the specification.
>
>(2) I don't see any provision for fallback to A records if SRV records
>        don't exist. I can easily see this being a Bad Idea, if so, there
>        should be an explicit prohibition of it in the document along with
>        some explanation of why it is a bad idea.

It is a bad idea.  A short explanation would be appropriate.




>-------
>References should be split in normative and non-normative.
>-------
>I wonder about the reference to RFC1700, which has been obsoleted
>by RFC3232, and that RFC actuallt talks about a DB that contains
>the info. So How should this doc refer to that?
>-------
>Needs better abstract; doesn't even use the word "SRV". (and the rfc
>editor will surely complain when they get it...)
>
>Might be good to use SRV in the title as well, as opposed to just
>"DNS". But this I'm less concerned about, as there are two steps, and
>only the second step is SRV records.
>
>E.g., maybe change:
>
>            Discovering LDAP Services with DNS
>
>To something like:
>
>            Discovering LDAP Services with DNS SRV Resource Records
>
>However, the rfc editor probably won't like the abbreviation
>"SRV". Unfortunately, I don't think the acronym expands into anything
>useful.

SRV is not an abbreviation, but IANA-registered DNS RR Type.
http://www.iana.org/assignments/dns-parameters


>-------
>I have three concerns here:

see above.

Kurt


_______________________________________________
Ldapext mailing list
Ldapext@ietf.org
https://www1.ietf.org/mailman/listinfo/ldapext
Follow-Ups:
- Re: [ldapext] draft-ietf-ldapext-locate
  - From: ned.freed@mrochek.com
References:
- [ldapext] draft-ietf-ldapext-locate
  - From: Patrik Fältström <paf@cisco.com>
Prev by Date: [ldapext] RE: draft-ietf-ldapext-locate
Next by Date: RE: [ldapext] draft-ietf-ldapext-locate
Index(es):
- Chronological
- Thread