RE: LDAPv3 Replication Access Control Design Team Report
One comment below.
Chris Apple - Principal Architect
DSI Consulting, Inc.
mailto:capple@xxxxxxxxxxxxxxxxxx
http://www.dsi-consulting.com
-----Original Message-----
From: owner-ietf-ldup@xxxxxxxxxxxx [mailto:owner-ietf-ldup@xxxxxxxxxxxx]
On Behalf Of Timothy Hahn
Sent: Thursday, September 12, 2002 3:33 PM
To: ietf-ldup@xxxxxxx
Subject: Re: LDAPv3 Replication Access Control Design Team Report
Kurt,
With respect to your comment:
"Likewise, a standard framework for non-standard ACMs, by itself, is not
sufficient."
I have to ask: Why not?
I thought LDUP was about "directory replication". Meaning, that for the
information "replicated", the view of the information, when ANY of the
servers which are participating in replicating that information, is
intended to be the SAME. Furthermore, it is my belief that the IESG will
not allow a protocol to be developed which would allow the same information
to be distributed/replicated such that "controlled access" to that
information could not be guaranteed.
CHRIS> Speaking as a Co-Chair, it's safe to say that no one can really
CHRIS> predict what the IESG might approve outright, approve with conditions,
CHRIS> or flat out reject as unsound unless they explicitly document it as
CHRIS> "things you must/must not do in a specification." And even if we could
CHRIS> issue a prediction based on historical data, the IESG could change its
CHRIS> posture over time.
CHRIS>
CHRIS> So, I think it's better to leave those sentiments out of the discussion
CHRIS> for now and remain focused on technical issues and associated merits
CHRIS> (as the rest of this posting does).
I suppose you could counter and say that by sending the information to a
"client", a "server" is already unable to guarantee "controlled access".
But it seems to me that for "replication", we're clearly talking about LDAP
"server"s communicating with one another, with the intent that if a
"client" lands on any one of those "replicating" servers, that the results
of their query will be the SAME (modulo the "eventual convergence" issues
of course). How can such a thing be provided unless the same access
control semantics are applied (with respect to the information
replicated)?
Note here that I did not specify a PARTICULAR access control semantic -
only that the replicating servers use the same access control semantic for
the bits of information that are replicated.
In one example provided it was stated that one server would want to allow
"global read" to the information it held as a "replica". Would not the
OTHER replica also offer that as well? I would assert YES, it would ...
otherwise I wouldn't consider them "replicas", I'd consider them
"synchronized".
Perhaps I'm splitting hairs at this point.
But I see the proposal laid forth as a way to 1) isolate away from LDUP the
issues around defining a particular access control model (which is agreed
by all to be a "rat hole"), while 2) providing a means for LDUP to show
that "replicas" (and employment of replication protocol) are still SECURE
(i.e. access to information replicated is "controlled" such that if a
client accesses either replica, they will get the same result, for the
information requested).
CHRIS> Speaking as a technologist, I believe that's the clearest statement
CHRIS> I've seen about the intent of the report from the Design Team and
CHRIS> why the Design Team members believe their proposal to be a Good Thing.
CHRIS> I only wish I'd thought to say it that way when posting the report
CHRIS> to the WG...
Regards,
Tim Hahn
Internet: hahnt@xxxxxxxxxx
Internal: Timothy Hahn/Durham/IBM@IBMUS
phone: 919.224.1565 tie-line: 8/687.1565
fax: 919.224.2540
"Kurt D. Zeilenga" <Kurt@xxxxxxxxxxxg>
Sent by: owner-ietf-ldup@mail.imc.org
09/11/2002 10:28 AM
To: Richard Huber <rvh@xxxxxxx>
cc: ietf-ldup@xxxxxxx
Subject: Re: LDAPv3 Replication Access Control Design Team Report
At 04:34 PM 2002-09-10, Richard Huber wrote:
>If access controls are being used in a directory, the directory
>administrator has decided that it is important to control access to all or
>part of the data in the tree. So if replication is used in a directory
>that has access controls, there needs to be a way to make sure that those
>access controls are not lost because of replication.
It is not sufficient to just ensure access controls are not lost because
of replication. http://www.imc.org/ietf-ldup/mail-archive/msg01261.html
>A standard access control mechanism for all LDAP directories is one way to
>do this.
A standard access control mechanism, by itself, is not sufficient.
See above article.
>But it can also be done by making sure that the ACM in effect for any
>given part of the DIT is well defined, and that the definition can be
>carried as part of the data being replicated.
Likewise, a standard framework for non-standard ACMs, by itself,
is not sufficient.
Kurt