Re: LDAP Requirements comments
At 06:04 PM 2001-11-21, Ed Reed wrote:
>>>> "Kurt D. Zeilenga" <Kurt@xxxxxxxxxxxx> 11/21/01 04:47PM >>>
>...
> G7. All policy and state data pertaining to replication MUST
> be accessible via LDAP.
>
>All? This needs to be constrained to the subset of policy and
>state information necessary to effectively administrate LDAP
>Replication.
>
><eer> Why? From the perspective of the protocol we're
>designing, what policy and state data should be excluded from
>access via LDAP?
Policy and state data which is not necessary to effectively
administrate LDAP replication.
RECOMMEND'ing ALL would be okay, or MUST'ing a subset needed
to effectively administrate would be okay. But, IMO, MUST'ing
ALL is a bad idea (and counter to 2119 guidance).
>None that I can think of, and I think it is
>a desirable goal that it all be available, to the extent
>that LDAP is able to access the data elements, that is - for
>instance, authentication credentials, either derived or
>passwords that are not normally accessible via LDAP
>shouldn't be accessible via LDAP (!), so I guess I'd
>agree to some <mumble> along those lines...but are
>you thinking of something else I should be aware of?
I'm thinking the requirement should be reworded in terms
of why we desire this policy and state data to be in the
directory.