Ludovic Poitou | 25 Jan 21:36 2015

LDAP work at IETF...

 
Hi Everyone,

Over the years, there has been a number of documents related to the Lightweight Directory Access Protocol
(LDAP) that have been left unfinished or are slowly progressing.  

There are a number of individuals that have interest in re-forming an IETF Working Group around LDAP to
finish some of the work and put them on the Standards Track. Howard Chu and I are ready to lead that effort.  

I’d like to poll the audience of this mailing list on the interest of seeing this progressing. I would also
like to hear about volunteers to work on those documents, either contributing text or reviewing them
carefully.  

Please find below the list of documents that have been considered for the working group to finalise and get
published (in no specific order):  

draft-findlay-ldap-groupofentries  
draft-stroeder-namedobject  
draft-stroeder-hashed-userpassword-values (informational)  
draft-stroeder-mailboxrelatedobject  
RFC2307bis  
draft-behera-ldap-password-policy  
inetOrgPerson 2.0  

Ludovic  

--  
Ludovic Poitou
http://ludopoitou.wordpress.com


Michael Ströder | 23 Jan 17:22 2015

Re: LDAP work at IETF...

Ludovic Poitou wrote:
> Please find below the list of documents that have been considered for the
> working group to finalise and get published (in no specific order):

For a WG we probably have to write a charter.
Who's willing to draft one?

> draft-stroeder-namedobject 
> draft-stroeder-hashed-userpassword-values (informational)
> draft-stroeder-mailboxrelatedobject 

Obviously I'm interested to proceed with these drafts under the umbrella of a
new/revived LDAP WG within IETF.

> RFC2307bis 

Recent work also raised my interest in getting this into a really good shape as a
possible baseline for more sophisticated approaches like DBIS or Æ-DIR (TBR).
So I'd be willing to act as an editor if Howard does not have the time for it.
Kurt recently raised the bar regarding IANA considerations though.

> draft-behera-ldap-password-policy

We already briefly discussed this at LDAPcon 2013. Anyone here?

> inetOrgPerson 2.0

This will be surely a larger work item with a lot of different opinions
(although most people are missing the same things).


Michael Ströder | 14 Dec 17:10 2014

why posixAccount MUST contain 'cn'?

HI!

Is there any strong reason why auxiliary object class 'posixAccount' has
defined 'cn' as being a mandatory attribute?

I'd be in favour of relaxing this to MAY cn in RFC2307bis.

Also, what's the distinction between 'cn' and 'gecos' in 'posixAccount'? It seems
most NSS LDAP clients use attribute 'cn' as the gecos field today.

Ciao, Michael.

_______________________________________________
Ldapext mailing list
Ldapext <at> ietf.org
https://www.ietf.org/mailman/listinfo/ldapext
Sean Leonard | 13 Nov 02:51 2014

New Version Notification for draft-seantek-ldap-pkcs9-02.txt

I added a discussion of privacy issues. That’s about it.

Begin forwarded message:

> From: internet-drafts <at> ietf.org
> Subject: New Version Notification for draft-seantek-ldap-pkcs9-02.txt
> Date: November 12, 2014 at 3:38:40 PM HST

A new version of I-D, draft-seantek-ldap-pkcs9-02.txt
has been successfully submitted by Sean Leonard and posted to the
IETF repository.

Name:		draft-seantek-ldap-pkcs9
Revision:	02
Title:		Lightweight Directory Access Protocol (LDAP) Registrations for PKCS #9
Document date:	2014-11-12
Group:		Individual Submission
Pages:		7
URL:            http://www.ietf.org/internet-drafts/draft-seantek-ldap-pkcs9-02.txt
Status:         https://datatracker.ietf.org/doc/draft-seantek-ldap-pkcs9/
Htmlized:       http://tools.ietf.org/html/draft-seantek-ldap-pkcs9-02
Diff:           http://www.ietf.org/rfcdiff?url2=draft-seantek-ldap-pkcs9-02

Abstract:
  PKCS #9 includes several useful definitions that are not yet
  reflected in the LDAP IANA registry. This document adds those
  definitions to the IANA registry.

The IETF Secretariat

Sean Leonard | 26 Oct 23:59 2014

Fwd: New Version Notification for draft-seantek-ldap-pkcs9-01.txt

Hello ldapext:

draft-seantek-ldap-pkcs9 has been updated per the e-mail thread on the topic of “dateOfBirth”, among other things.

Some may disagree with the resolution presented in the new Section 4.1. I am happy to write in whatever is the IETF Consensus on the matter.

Sean

Begin forwarded message:

Subject: New Version Notification for draft-seantek-ldap-pkcs9-01.txt
Date: October 26, 2014 at 3:56:06 PM PDT
To: Sean Leonard <dev+ietf <at> seantek.com>, "Sean Leonard" <dev+ietf <at> seantek.com>


A new version of I-D, draft-seantek-ldap-pkcs9-01.txt
has been successfully submitted by Sean Leonard and posted to the
IETF repository.

Name: draft-seantek-ldap-pkcs9
Revision: 01
Title: Lightweight Directory Access Protocol (LDAP) Registrations for PKCS #9
Document date: 2014-10-26
Group: Individual Submission
Pages: 7
URL:            http://www.ietf.org/internet-drafts/draft-seantek-ldap-pkcs9-01.txt
Status:         https://datatracker.ietf.org/doc/draft-seantek-ldap-pkcs9/
Htmlized:       http://tools.ietf.org/html/draft-seantek-ldap-pkcs9-01
Diff:           http://www.ietf.org/rfcdiff?url2=draft-seantek-ldap-pkcs9-01

Abstract:
  PKCS #9 includes several useful definitions that are not yet
  reflected in the LDAP IANA registry. This document adds those
  definitions to the IANA registry.




Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

The IETF Secretariat


Michael Ströder | 26 Sep 14:23 2014

Revive ldapext WG?

HI!

AFAICS independent draft submissions can only reach informational or
experimental status.

But I think it should be possible to reach standard status for some important
drafts (like ppolicy draft as discussed at LDAPcon 2013).

What do you think about it?
Should IETF WG ldapext be revived?

Ciao, Michael.

Michael Ströder | 26 Sep 14:15 2014

Fwd: New Version Notification for draft-stroeder-mailboxrelatedobject-06.txt

HI!

I've sent this draft to the RFC editor for review.
Anyone here willing to act as reviewer?

Still sorting out some idnits issues for next version but those are only minor
details.

Ciao, Michael.

-------- Forwarded Message --------
Subject: New Version Notification for draft-stroeder-mailboxrelatedobject-06.txt
Date: Fri, 26 Sep 2014 04:59:34 -0700
From: internet-drafts <at> ietf.org
To: Michael Stroeder <michael <at> stroeder.com>, Michael Stroeder
<michael <at> stroeder.com>

A new version of I-D, draft-stroeder-mailboxrelatedobject-06.txt
has been successfully submitted by Michael Stroeder and posted to the
IETF repository.

Name:		draft-stroeder-mailboxrelatedobject
Revision:	06
Title:		Lightweight Directory Access Protocol (LDAP): Auxiliary Object Class 'mailboxRelatedObject'
Document date:	2014-09-26
Group:		Individual Submission
Pages:		5
URL:            http://www.ietf.org/internet-drafts/draft-stroeder-mailboxrelatedobject-06.txt
Status:         https://datatracker.ietf.org/doc/draft-stroeder-mailboxrelatedobject/
Htmlized:       http://tools.ietf.org/html/draft-stroeder-mailboxrelatedobject-06
Diff:           http://www.ietf.org/rfcdiff?url2=draft-stroeder-mailboxrelatedobject-06

Abstract:
   This document defines the auxiliary object class
   'mailboxRelatedObject' that can be used to associate an arbitrary
   object with an Internet mail address.  Furthermore an attribute
   'intlMailAdr' is defined for storing fully internationalized Internet
   mail addresses.

Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

The IETF Secretariat

Michael Ströder | 22 Sep 09:24 2014

Server implementations of Don't Use Copy control?

HI!

Which LDAP servers implement the Don't Use Copy control as defined in RFC 6171?
For which use-cases?

Ciao, Michael.

Michael Ströder | 22 Sep 09:26 2014

Server implementations of LDAP transactions?

HI!

Which LDAP servers support LDAP transactions as defined in RFC 5805?
Is it used with any particular use-cases?

Ciao, Michael.

Sean Leonard | 11 Sep 21:49 2014

New Version Notification for draft-seantek-ldap-pkcs9-00.txt

Hello ldapext list:

I posted this proposal to add definitions to the IANA registry. These 
definitions are from PKCS #9, which predates ldapext. However, the 
definitions in PKCS #9 never got added. This document adds them.

Feedback is requested, as well as suggestions on how best to proceed 
with this to get IETF consensus.

Thanks,

Sean

******
A new version of I-D, draft-seantek-ldap-pkcs9-00.txt
has been successfully submitted by Sean Leonard and posted to the
IETF repository.

Name:		draft-seantek-ldap-pkcs9
Revision:	00
Title:		Lightweight Directory Access Protocol (LDAP) Registrations for PKCS #9
Document date:	2014-09-10
Group:		Individual Submission
Pages:		6
URL:            http://www.ietf.org/internet-drafts/draft-seantek-ldap-pkcs9-00.txt
Status:         https://datatracker.ietf.org/doc/draft-seantek-ldap-pkcs9/
Htmlized:       http://tools.ietf.org/html/draft-seantek-ldap-pkcs9-00

Abstract:
    PKCS #9 includes several useful definitions that are not yet
    reflected in the LDAP IANA registry. This document adds those
    definitions to the IANA registry.

Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

The IETF Secretariat
Michael Ströder | 10 Jan 20:32 2014

Re: DBIS - new IETF drafts

Simo wrote:
> On Thu, 2014-01-09 at 21:45 +0100, Michael Ströder wrote:
>> Simo wrote:
>>> On Thu, 2014-01-09 at 19:08 +0100, Michael Ströder wrote:
>>>> Simo wrote:
>>>>> The full schema definitions can be found here:
>>>>> https://git.fedorahosted.org/cgit/freeipa.git/tree/install/share/60basev2.ldif
>>>>
>>>> Looked at the schema:
>>>>
>>>> I'm a bit confused by some object classes directly referencing MAY memberOf.
>>>> 'memberOf' is normally an operational attribute also in 389 DS isn't it?
>>>
>>> It is generated by the memberof plugin; its semantics are different
>>> from other solutions (like AD), all descendants are resolved at modify
>>> time.
>>
>> Really different semantics?
>>
>> AFAIK memberOf should be a simple back-link from the member's entry to the
>> group entry. When the attribute value is actually created (on modify or on
>> read) is not relevant for memberOf semantics. Or did I get you wrong?
> 
> It is not a backlink in FreeIPA.
> 
> If you have:
> groupA:
>    member: GroupB
> 
> groupB:
>    member: userC
> 
> then userC's memberof is:
> 
> userC:
>   memberOf: groupA
>   memberOf: groupB
> 
> This makes initgroups a lot more efficient as it is a single dereference
> search to get all groups a user directly or indirectly belongs to.

(Sigh!) You took the attribute type NAME and OID from MS AD:

( 1.2.840.113556.1.2.102
  NAME 'memberOf'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
  NO-USER-MODIFICATION )

But you've changed the semantics. In AD 'memberOf' does not(!) include nested
group membership.

That's really bad practice and makes client developers' lives really miserable!

Ciao, Michael.

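An added example, not from the thread or from either server's code, showing the two readings of 'memberOf' that Michael and Simo contrast: a direct back-link versus the transitive closure over nested groups, both computed from 'member' forward links. The directory, DNs and the groupB-to-groupA cycle are constructed for illustration; the cycle shows that the transitive resolver must guard against loops.

```python
from collections import deque

# Constructed in-memory directory keyed by DN; 'member' values are DNs.
# It mirrors the thread's example (groupA -> groupB -> userC) and adds
# a groupB -> groupA cycle so the transitive resolver must terminate.
DIRECTORY = {
    "cn=groupA,ou=groups,dc=example,dc=com": {
        "objectClass": ["groupOfNames"],
        "member": ["cn=groupB,ou=groups,dc=example,dc=com"],
    },
    "cn=groupB,ou=groups,dc=example,dc=com": {
        "objectClass": ["groupOfNames"],
        "member": [
            "uid=userC,ou=people,dc=example,dc=com",
            "cn=groupA,ou=groups,dc=example,dc=com",  # constructed cycle
        ],
    },
    "uid=userC,ou=people,dc=example,dc=com": {"objectClass": ["inetOrgPerson"]},
}

def direct_member_of(directory, dn):
    """Back-link reading (what the thread describes for AD): only the
    groups whose 'member' attribute lists dn directly."""
    return sorted(g for g, e in directory.items() if dn in e.get("member", []))

def nested_member_of(directory, dn):
    """Transitive reading (what the thread describes for FreeIPA's
    memberof plugin): every group reachable by repeatedly following
    back-links. A visited set guards against group cycles."""
    seen, queue = set(), deque([dn])
    while queue:
        for g in direct_member_of(directory, queue.popleft()):
            if g not in seen:
                seen.add(g)
                queue.append(g)
    return sorted(seen)

def semantics_differ(directory, dn):
    """True when an authorization check that reads 'memberOf' would
    get a different group set under the two readings."""
    return direct_member_of(directory, dn) != nested_member_of(directory, dn)

if __name__ == "__main__":
    user = "uid=userC,ou=people,dc=example,dc=com"
    print("direct :", direct_member_of(DIRECTORY, user))
    print("nested :", nested_member_of(DIRECTORY, user))
```

A client that authorizes on 'memberOf' gets only groupB under the back-link reading but groupA and groupB under the transitive one, which is the interoperability problem the thread is about.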