[Date Prev][Date Next] [Chronological] [Thread] [Top]

Draft Minutes from LDAPEXT working group



Minutes of LDAPEXT 
Taken by Mark Wahl <M.Wahl@innosoft.com>
November 10, 1999

1. Status of Completed Items

LDAP Extension for TLS, Recommended Authentication Methods, DIGEST-MD5 have 
completed Working Group last call and are in the hands of the IESG.

Server-Side Sorting Control, which was waiting on Simple Paged, is now in 
IETF-wide last call and is expected to become a Proposed Standard RFC.

Jeff Hodges has unresolved comments on Access Control requirements which he
will send to the document authors and WG chairs.

2. Items soon to enter WG last call

The virtual list view and Duplicate Entries drafts have been waiting on 
Sorting.  Now that sorting is gone into IETF-wide last call, the WG chairs
will issue WG last call on these drafts soon after the meeting.  They are
expected to become Proposed Standard RFCs.

3. C API

The latest draft -04 which is in last call has small editorial changes and 
bug fixes.  

There has been some discussion on the list about the security considerations 
section, for handling credentials and identities with server referrals, that
will be addressed during last call.

There is agreement to improve error reporting for functions which do not take
an LDAP* as an argument.  The authors of the C API and Kurt Zeilenga will 
have an engineering discussion to arrive at a suitable approach.  

Behavior in multithreaded environments is covered by a separate draft which
is not part of this last call.

4. Java API

There were no comments on the Java API.

5. ACL model

As Ellen Stokes was not present, discussion was deferred to the list. 

Paul Leach and Jeff Hodges have comments which they will provide to the 
authors.

Since there has been significant discussion on the list, a new draft is 
expected soon from the authors.

6. Server Location

The draft-ietf-ldapext-locate-00.txt describes how SRV records are to be 
used to discover LDAP servers.  Paul Leach to investigate whether there are
any IANA considerations.  Mark Smith requested a reference added to RFC 
2052 or its successor for the algorithm clients should use to choose the 
correct server.

There were no other significant issues raised on the taxonomy or discovering
servers through DNS.

We will plan to issue last calls on these drafts soon, with the intention 
that draft-ietf-ldapext-ldap-taxonomy-00.txt will become Informational and
draft-ietf-ldapext-locate-00.txt will become a Proposed Standard RFC.

7. Referrals

A work item is the definition of how to manage references between LDAP 
servers.  An earlier draft had specified both the 'simple' behavior, where
there is both hierarchical name subordination and knowledge of all the 
subordinates, names, as well as a more complex behavior to handle potentially
overlapping or unknown naming contexts.  The former was broken out into 
draft-ietf-ldapext-namedref-00.txt, the latter does not exist in an IETF
draft at present.  There is a competing proposal for the former which also 
covers several inter-X.500-server knowledge cases.  David Chadwick was not 
present and so the technical issues were not discussed.  The authors are 
requested to ensure that by the next meeting we have a single base document
on the simple referral behavior that is suitable for last call to become a 
Proposed Standard.

8. CLDAP 

There is not yet a draft on CLDAP, although there are several people interested
in writing and implementing it.  The authors are requested to discuss and 
have a draft before the next meeting.  If not, this item might be dropped 
from the charter.

9. Persistent / triggered search

No change in their text since last meeting, so not discussed.

10. LDAP error codes

draft-just-ldapv3-rescodes-00.txt  gathers information from X.511 and presents
a glossary, table and operational guidance for handling of the error codes in 
2251.  It does not cover error codes defined by extensions. The authors 
consider adding flow charts to a subsequent revision.  There were several 
requests however to ensure that flow charts were illustrative examples and not 
prescriptive, so as to not over-constrain server impementation.

The editor of the core LDAPv3 protocol intends to add this text to the next 
revision of 2251.  A discussion of what status this document as an RFC would 
have if until that time: If the information changes or updates X.511 or RFC 
2251, or if 2251 is underspecified such that this is necessary to implement
it, it should be a Proposed Standard which updates 2251, otherwise it should
be Informational.  The WG chairs, ADs and document authors will discuss this
when the draft is ready for last call.

   LDAPv3 Result Codes: Definitions and Appropriate Use
   LDAPExt Working Group
   IETF - November 1999

   New draft
   edited by Kristianne Leclair (Entrust), Jim Sermersheim (Novell), Mark 
   Smith (Netscape), Mike Just (Entrust)
   Available at IETF web site
   draft-just-ldapv3-rescodes-00.txt
   Posted to LDAPExt mailing list on Oct 27

   Draft purpose
   RFC 2251 unclear
   refers to X.511, but who does?
   Gather information into a single source
   Intent is to aid 
   directory developers as to what error to return
   application developers as to what error to expect

   Draft contents
   Glossary
   classification of result codes
   definition for each result code
   Operational guidance
   what result to return in case of error
   Table
   matching each operation and their applicable errors

   Next version
   Add a Table of Contents
   Incorporate comments from group
   Add flow charts
   possibly replacing or complementing Section 4

   How to progress?
   Obtain comments
   Does draft accomplish what it intended to accomplish?
   Long-term?
   Incorporate in next version of RFC 2251
   Short-term
   Standards track in LDAPExt
   Last call after March meeting

11. Dereferencing Match

draft-moats-ldap-dereference-match-01.txt is an extensible matching rule which 
allows indirection through DN-valued attributes during filter evaluation.  
Its side effects are that the internal state of a filter tree changes from 
being a tri-state value to entries, and that it is not known whether it could 
be efficently implemented in a distributed directory.  There are several 
other issues, including whether the service could be provided with a 
combination of families of entries feature and alias objects, whether it 
should be specified as a matching rule, search control or extended operation, 
and how it interacts with weakly consistent replication.  

There appeared to be consensus that this work was interesting but not yet ready
to be a work item or Proposed Standard.  The authors and implementors will
prepare an Experiment and produce an Experimental RFC, so that experience
may be gained with its use.

   Slide 1:
   draft-moats-ldap-dereference-match-01.txt
   
   Ryan Moats (AT&T), Jerry Maziarski (AT&T), John Strassner (Cisco)
   
   Slide 2:
   Extended Matching Rule that allows dereferencing of DN pointers in server
   Simplifies client complexity and round trip time
   Standards Track
   
   Slide 3: Dereferencing Match - Example 1
   find phone number and building of all managers of any building
   (sub, manager:<oid>:=(objectClass=person), (phoneNumber, building))
   filter to find phone number of managers of building 12
   (base, manager:<oid>:=(building=12), phoneNumber)
   
   Slide 4: Dereferencing Match - Example 2
   Find policy rules for outbound traffic for routers with IP Address
   192.128.170.x:
   (sub, (policyRulesAuxContainedSet:<oid>:=&(ipAddress=
   ?192.128.170.*?)(qosPolicyRules:<oid>:(QosPolicyDirection=2))), ??)
   
   Slide 5: Dereferencing Match - Side Effects
   Filter generates separate objects rather than boolean that applies to
   current object of search
   Filter rules complex: what is legal?
   Legal combination
   &(objectclass=fancyconnectiontype)((targetDN:<oid>:=(&(objectClass=dmtfActiv
   eConnection)(trafficType=2))))
   Illegal combination
   |(foo=bar)(foo=barshelf)(&(objectclass=fancyconnectiontype)((targetDN:<oid>:
   =(&(objectClass=dmtfActiveConnection)(trafficType=2)))))
   
   Slide 6: Implementation?
   Chadwick: use aliases in families of entries in place of multi-valued
   pointer attributes
   Pro: Servers already have alias dereferencing
   Con: Acceptance of families of entries (that include aliases)
   
   Slide 7: Net Steps?
   >From mailing-list:
   - Need correct syntax OID for matching rule
   - Need more discussion (and an example) of how referrals are handled
   	query rewriting using LDAP URLs
   -Clarify impact of server side limits
   -Add more clarity in the security considerations
   
   Is extended matching the correct approach?
   	Would a control be better?
   
   Add to WG charter?


12. Extended Partial Response

draft-rharrison-ldap-extpartresp-00.txt specifies an approach of how an 
extended request can return multiple response PDUs, similar to how a search 
request returns multiple entries and references followed by a final result.

There are several potential applications of this concept.  One would be 
operation status notification, although this could be done with SNMP, 
unsoliticed notifications or server-specific operation status subentries.

The editor of the core LDAPv3 protocol will take this concept into account
for the reissue of 2251.

13. Password Policy

Jim Sermersheim presented draft-behera-ldap-password-policy-00.txt, which 
describes a password policy object and password information.  A planned 
revision will remove the modify and compare mechanisms, and remove references
to the 'userpassword' attribute.  (A separate draft is in preparation for 
the password hash encoding indications.)  Issues under consideration include
how to specify  the linkage between policy entries and the entries governed
by this policy, how to operate under weakly consistent replication, and how
to support multi-valued password attributes.

   LDAP Password Policy
   draft-behera-ldap-password-policy-00.txt
   
   Password Policy Overview
   Used to administer password related policy
   	pwdPolicy object class
   		Used to create policy for users. Hold info like:
   			Intruder detection policy
   			Password expiration policy
   			Password modification policy
   
   Overview (cont.)
   pwdInfoObject object class
   	Holds password information about a specific entry:
   		Intruder detect resets
   		expiration info
   		modification info
   
   Changes being made to the draft
   Remove modify/compare mechanisms and references to userPassword
   Incorporate other feedback from the WG list
   	fix return codes
   	address V2 concerns
   	provide clarifications
   	...
   
   Issues being resolved
   Define the association between pwdPolicy and pwdPolicyObject
   	A one to many relationship between policy and entries
   	Grouping could be done by:
   		structural relationship (subentry - subtree)
   		group inclusion
   		reverse group inclusion
   Work out algorithm/efficiency problems
   
   Placement and Category
   Is this an LDAP-EXT WG item?
   Should this be a standards track document?

14. LDAP subentries

draft-ietf-ldup-subentry-01.txt describes a subset of X.500 subentries which
could be useful for holding DIT policy information, such as subschema or 
password rules.  This is in the LDUP working group as it is being used
for replication agreement modelling.  When LDUP is ready with this draft, a
coordinated last call will be done between LDUP and LDAPEXT for it to become
a Proposed Standard.


Mark Wahl, Directory Product Architect
Innosoft International, Inc.