Re: LDAPv3 Replication Access Control Design Team Report
Kurt,
With respect to your comment:
"Likewise, a standard framework for non-standard ACMs, by itself, is not
sufficient."
I have to ask: Why not?
I thought LDUP was about "directory replication". Meaning, that for the
information "replicated", the view of the information, when ANY of the
servers which are participating in replicating that information, is
intended to be the SAME. Furthermore, it is my belief that the IESG will
not allow a protocol to be developed which would allow the same information
to be distributed/replicated such that "controlled access" to that
information could not be guaranteed.
I suppose you could counter and say that by sending the information to a
"client", a "server" is already unable to guarantee "controlled access".
But it seems to me that for "replication", we're clearly talking about LDAP
"server"s communicating with one another, with the intent that if a
"client" lands on any one of those "replicating" servers, that the results
of their query will be the SAME (modulo the "eventual convergence" issues
of course). How can such a thing be provided unless the same access
control semantics are applied (with respect to the information replicated)?
Note here that I did not specify a PARTICULAR access control semantic -
only that the replicating servers use the same access control semantic for
the bits of information that are replicated.
In one example provided it was stated that one server would want to allow
"global read" to the information it held as a "replica". Would not the
OTHER replica also offer that as well? I would assert YES, it would ...
otherwise I wouldn't consider them "replicas", I'd consider them
"synchronized".
Perhaps I'm splitting hairs at this point.
But I see the proposal laid forth as a way to 1) isolate away from LDUP the
issues around defining a particular access control model (which is agreed
by all to be a "rat hole"), while 2) providing a means for LDUP to show
that "replicas" (and employment of replication protocol) are still SECURE
(i.e. access to information replicated is "controlled" such that if a
client accesses either replica, they will get the same result, for the
information requested).
Regards,
Tim Hahn
Internet: hahnt@xxxxxxxxxx
Internal: Timothy Hahn/Durham/IBM@IBMUS
phone: 919.224.1565 tie-line: 8/687.1565
fax: 919.224.2540
"Kurt D. Zeilenga" <Kurt@xxxxxxxxxxxg>
Sent by: owner-ietf-ldup@mail.imc.org
09/11/2002 10:28 AM
To: Richard Huber <rvh@xxxxxxx>
cc: ietf-ldup@xxxxxxx
Subject: Re: LDAPv3 Replication Access Control Design Team Report
At 04:34 PM 2002-09-10, Richard Huber wrote:
>If access controls are being used in a directory, the directory administrator has decided that it is important to
>control access to all or part of the data in the tree. So if replication is used in a directory that has access
>controls, there needs to be a way to make sure that those access controls are not lost because of replication.
It is not sufficient to just ensure access controls are not lost because
of replication. http://www.imc.org/ietf-ldup/mail-archive/msg01261.html
>A standard access control mechanism for all LDAP directories is one way to do this.
A standard access control mechanism, by itself, is not sufficient.
See above article.
>But it can also be done by
>making sure that the ACM in effect for any given part of the DIT is well defined, and that the definition can be
>carried as part of the data being replicated.
Likewise, a standard framework for non-standard ACMs, by itself,
is not sufficient.
Kurt