RE: draft-ietf-ldapext-locate-01.txt - Discovering LDAP Services with DNS
-----Original Message-----
From: James Benedict [mailto:grunt@nortelnetworks.com]
Sent: Tuesday, January 18, 2000 6:58 PM
To: Paul Leach; RL 'Bob' Morgan; Bruce Greenblatt
Cc: ietf-ldapext@netscape.com
Subject: RE: draft-ietf-ldapext-locate-01.txt - Discovering LDAP Services with DNS
> Agreed, but the value in making this computation is in having a high degree of confidence that it will be correct. What I am saying is that there is no real way of gaining a high degree of confidence without having prior knowledge of the directory service.
It does not require prior knowledge about any one server -- just that enough
servers use the scheme to make it worthwhile to try -- since the alternative
is a _hard_ requirement for prior knowledge -- of the DNS name of the
server.
>> Since, as Bob points out, one is currently hosed if this guess is wrong, the incentive to make it be correct will be high. I think this is "a good thing".
>
> Agreed, to a point. I think that having a domain-based directory tree can be a good thing, in some cases, an OSI-based tree in others.
I wasn't making any statement at all in that regard. I was saying that the
fact there was incentive to register the SRV records is a good thing.
> What this solution requires is some sort of agreement around two assumptions:
> 1) That "Internet" LDAP DNs are arranged by domain component, and
No, it does not depend on any such agreement. It _allows_ _some_ people to
so arrange their DNs. In exchange, it lets them get resolved, without
requiring prior knowledge of the DNS name of the server holding the DN. I
think that that's a powerful incentive, enough to cause its use to be
widespread.
> 2) The aforementioned domain components can, eventually, be resolved on the internet.
> (a third, and obvious assumption: that this form of discovery is supported)
> I just don't think these are all that practical.
Seems easy, to me.
> What I would suggest is to embed the DNS name of the Internet LDAP server in the DN, maybe as the root. Something like:
> cn=James Benedict, ou=sales, ou=employees, o=nortelnetworks, ldap=ldap.nortelnetworks.com
Unfortunately, "ldap=" is not a legal DN component. It took RFC 2247 to make
"dc=" a legal DN component.
We went through these kinds of alternatives in the process of coming up with
the current proposal.
Paul
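The dc=-to-SRV mapping the thread argues about, as an added example that is not part of the message or the draft: it extracts the trailing dc= components of a DN, forms the `_ldap._tcp.<domain>` query name, and picks a target from constructed SRV data standing in for DNS. Assumptions (mine, not the draft's): RFC 2253-style DNs with backslash escapes and no quoted values; the rightmost run of contiguous dc= RDNs forms the domain; ties in priority are broken by highest weight rather than RFC 2782's weighted random choice.

```python
# Constructed sample SRV data standing in for a DNS resolver (assumption).
SRV_TABLE = {
    "_ldap._tcp.nortelnetworks.com": [
        # (priority, weight, port, target)
        (10, 60, 389, "ldap1.nortelnetworks.com"),
        (10, 40, 389, "ldap2.nortelnetworks.com"),
        (20, 0, 389, "backup.nortelnetworks.com"),
    ],
}


def split_rdns(dn):
    """Split a DN on unescaped commas, keeping backslash escapes intact."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])   # keep escape pair as-is
            i += 2
            continue
        if dn[i] == ",":
            rdns.append("".join(cur).strip())
            cur = []
        else:
            cur.append(dn[i])
        i += 1
    rdns.append("".join(cur).strip())
    return [r for r in rdns if r]


def domain_from_dn(dn):
    """DNS name from the trailing dc= RDNs (assumed rule); None if there are none."""
    labels = []
    for rdn in reversed(split_rdns(dn)):
        attr, sep, value = rdn.partition("=")
        if not sep or attr.strip().lower() != "dc":
            break                     # stop at the first non-dc component
        labels.insert(0, value.strip())
    return ".".join(labels) if labels else None


def srv_name(dn, service="ldap", proto="tcp"):
    domain = domain_from_dn(dn)
    return f"_{service}._{proto}.{domain}" if domain else None


def locate(dn, table=SRV_TABLE):
    """Return (target, port) for the DN's server, or None when it cannot be found."""
    name = srv_name(dn)
    if name is None or name not in table:
        return None   # no dc= components or no SRV record: prior knowledge needed
    prio, weight, port, target = sorted(table[name], key=lambda r: (r[0], -r[1]))[0]
    return target, port
```

A DN such as `cn=James Benedict, ou=sales, o=nortelnetworks` yields no query name at all, which is the "hosed" case the thread refers to.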