[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: [ldapext] groupOfEntries object class proposal

To: "Ramsay, Ron" <Ron.Ramsay@ca.com>
Subject: Re: [ldapext] groupOfEntries object class proposal
From: Howard Chu <hyc@highlandsun.com>
Date: Mon, 17 Sep 2007 20:28:51 -0700
Cc: ldapext@ietf.org
In-reply-to: <52681ACFF63C114F8A3C3651FC9D301F825316@AUSYMS11.ca.com>
References: <22F5E36297524347B40AFAA7CDD4CB4D01F08F0B@G3W0067.americas.hpqcorp.net> <46EF14CA.8090102@highlandsun.com> <52681ACFF63C114F8A3C3651FC9D301F825316@AUSYMS11.ca.com>
User-agent: Mozilla/5.0 (X11; U; Linux i686; rv:1.9a8pre) Gecko/2007091708 SeaMonkey/2.0a1pre

Ramsay, Ron wrote:

1) The ambiguity is a result of converting the concept to LDAP.


Granted, but the fact remains that it is unusable in LDAP.

2) I don't think you can use nameAndOptionalUID for naming, certainly
not in the 93 standard. So your comments about children are not really
appropriate. It's sole use may be in the groupOfUniqueNames object where
the UID is acting as a generational qualifier. To fully support it,
though, I think would require a UID attribute in the entry having that
DN. Oh yes, access control is supposed to use it, too. But the qualifier
applies to the DN itself and is making a statement about when THIS DN
was relevant.

It would require the entry to have an x500UniqueIdentifier attribute, yes. So far the only standards track schema that uses it is inetOrgPerson.

But you're pointing out a distinction without a difference. If the generational qualifier is significant, then it is significant in every context where that DN is referenced. E.g. cn=bob,o=foo#1 exists create cn=my stuff,cn=bob,o=foo

references to "cn=my stuff,cn=bob,o=foo" (and all children of cn=bob,o=foo) now depend on that qualifier. If we remove cn=bob,o=foo and come back at a later time and create him again, with his child entry cn=bob,o=foo#10 cn=my stuff,cn=bob,o=foo

then there is no way to uniquely reference the "cn=my stuff" child object or distinguish it from the previous generation. You cannot separate the relevance of "THIS DN" from the uniqueness of its children. If the parent is unique then necessarily all of its children are also, but using the nameAndOptionalUID syntax doesn't allow this uniqueness to be expressed. The core concept here is flawed (yes, in the original X.500 usage as well).

The correct way to handle this is by including the generational qualifier in the entry's RDN (making it multivalued), and then you can reference it consistently no matter where you need to use it. There is no legitimate use for the nameAndOptionalUID syntax at all, in LDAP or X.500.

It's sad, really. They go to the trouble of designing a nice data model with consistent naming, then they go and intentionally break it...

-----Original Message----- From: Howard Chu [mailto:hyc@highlandsun.com] Sent: Tuesday, 18 September 2007 9:59 AM To: Neal-Joslin, Robert (HP-UX Lab R&D) Cc: ldapext@ietf.org; Luke Howard; Andrew Findlay Subject: Re: [ldapext] groupOfEntries object class proposal

Neal-Joslin, Robert (HP-UX Lab R&D) wrote:
Hi,
I'm almost always in favor of new and better ways to do things.  And I
agree with the statements submitted.  But I can see a need to play
devil's advocate for this one.  Is there really enough justification
to
warrant this proposal? What is the likelihood of its success, given
how
entrenched groupOfNames and groupOfUniqueNames is embedded in the existing LDAP application/server security space?
Ah, you've just hit another hot-button - groupOfUniqueNames is utterly pointless. I'm all for eradicating the old stuff and pushing groupOfEntries as a standard.

nameAndOptionalUID syntax is inherently broken, it cannot be parsed reliably. e.g. - "cn=foo#101" could legitimately be a cn with value "foo#101", there's no way to disambiguate it from "cn=foo" with UID "101".

The entire concept behind this syntax is flawed. What do you do if you have a "unique" named object with children? What if the children have unique names too? There's only provision for one unique ID in the DN, but fundamentally there should be the possibility of a unique ID for every RDN in the DN. I.e., if this is really what you want, you should have been using multivalued RDNs from the get-go.

Probably 99% of LDAP applications never even use the UID portion of a nameAndOptionalUID attribute, and the other 1% that use it are broken since the syntax is inherently broken.

I'll happily write up a standards track document to deprecate groupOfUniqueNames and nameAndOptionalUID syntax.


--
  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP     http://www.openldap.org/project/

_______________________________________________
Ldapext mailing list
Ldapext@ietf.org
https://www1.ietf.org/mailman/listinfo/ldapext

References:
- RE: [ldapext] groupOfEntries object class proposal
  - From: "Neal-Joslin, Robert (HP-UX Lab R&D)" <bob.joslin@hp.com>
- Re: [ldapext] groupOfEntries object class proposal
  - From: Howard Chu <hyc@highlandsun.com>
- RE: [ldapext] groupOfEntries object class proposal
  - From: "Ramsay, Ron" <Ron.Ramsay@ca.com>

Prev by Date: RE: [ldapext] groupOfEntries object class proposal
Next by Date: Re: [ldapext] groupOfEntries object class proposal
Index(es):
- Chronological
- Thread