Minutes for LDAPEXT @ IETF-49 (2000-12-11)

Reported by Leif Johansson
Chairs: Mark Wahl, Roland Hedberg

1. Introduction and Agenda Bashing

MarkW: Lots of work items. We expect that ldapext2 would be created to handle at least some of these items unless we add them to the ldapext charter.

- Question about the C API for extensions. Status of this? C API not on the agenda since Mark Smith is not at the meeting. Deferred to the charter review point.

2. Working Group Status (Mark Wahl and Roland Hedberg)

- LDAPBIS Monday 19:30
- LDUP Tuesday 09:00
- Next meeting in MN (IETF-50)

Completed:
- server side sorting, language tags, dyn entries, signed info
Nearly:
- server discovery, taxonomy, java api
In progress:
- ACL, referrals, C API, CLDAP

Strong signals from IESG to update the charter! Document target dates have passed, some documents are moving (e.g. to LDAPBIS) and there are additional work items of interest. Webpage soon up on www.ldap.com or something like that.

Comment: Taxonomy document done but is in limbo due to dependency on other documents.

3. Scrolling List View (Michael Armijo)
draft-ietf-ldapext-ldapv3-vlv-04.txt

- some problems with which error to return in certain circumstances.

4. Server Discovery through DNS (RL 'Bob' Morgan)
draft-ietf-ldapext-locate-04.txt

- Bob's screen resolution out of range!

BobM: Stable document with some nits. Question of whether server discovery of CLDAP servers should be supported in this document. Probably exclude CLDAP from the document.

LeifJ: CLDAP might have different semantics from LDAP which may be a reason for excluding it.

BobM: Do dc components have to be the most significant part? The algorithm for getting a domain name from an X.500 name could simply take _any_ dc components in the DN, in order, regardless of where they are found in the DN.

KurtZ: This has already been discussed on the list in the context of multivalued RDNs etc. Review that! Is this an X.509 issue or a server location issue?
MarkW: Don't change the document since it would require changes in core documents! Someone may use dc components with completely different semantics further down in the DN. (References were made to 2247.)

Ed Reed: Larger issue of foreign name resolution in relation with DNs.

BobM: Let's not defer this document until such a large problem has been solved.

- some discussion followed about mappings and not precluding further work down the road.

John: The scope of locate can be defined to be trees rooted in DNS...

MarkW: Is the current document the right approach? (rough consensus)

Comment: Scoping the document and going forward is a good plan! Don't go down the slope of handling all possible namespaces.

5. Java API (Rob Weltman)
draft-ietf-ldapext-ldap-java-api-12.txt (*UPDATED*)

JimS: Summary of changes. Rob believes the current changes can be made during a last call period and is requesting last call.

MarkW: Do API changes before last call!

6. Referrals and Knowledge Maintenance (Roland Hedberg and Kurt Zeilenga)
draft-ietf-ldapext-refer-00.txt
draft-zeilenga-ldap-namedref-01.txt (*UPDATED*)

RolandH: Several types of references in two drafts. Subordinate refs go into a small draft and go quickly to last call. All other types go into another draft to be issued some time early next year.

7. Duplicate Entries (Jim Sermersheim)
draft-ietf-ldapext-ldapv3-dupent-06.txt (*UPDATED*)

JimS: Gone through a last call (version 5) which resulted in a few minor edits. Ready for last call again.

Comment: Can entries get returned that do not match filters?

JimS: Yes, and other cool effects too!

8. Access Control Model (Ellen Stokes)
draft-ietf-ldapext-acl-model-06.txt

EllenS: Long list of resolved comments which are scheduled for addition to the draft. Some comments still need to be resolved. Target for new draft for end of January with last call by early March.

Comment: Auditing as a special permission?

EllenS: Add to list of comments....

9. CLDAP (Leif Johansson)
draft-ietf-ldapext-cldap-00.txt

LeifJ: CLDAPv3 has very little to do with CLDAPv2. The draft will probably only deal with read-only operations but we will try to do it in such a way that it won't preclude someone else from doing modify and the like later on. A new version will appear before the end of the year.

KurtZ: Move to experimental?

MarkW: No, if there is sufficient interest in the group in doing CLDAP then we should aim for Proposed Standard; if not then the work item should be dropped from the charter.

10. Subentries (Ed Reed)
draft-ietf-ldup-subentry-05.txt (*UPDATED*)

EdR: Significant revisions. X.509 subtree specification could be added by inheritance. Inheritance: e.g. ACLs and various other policies want policy to inherit down the tree. New subclass of subentry for inheritance. Possible to define other inheritance mechanisms by subclassing.

DavidC: Question about scoping. (discussion ensues)

KurtZ: blockInheritance should be defaulted to TRUE??

EdR: Arguments can be made for many positions...

Comment: Why is blockInheritance MAY and default FALSE instead of MUST and default TRUE? (nits nits)

EllenS: Can you handle policies different per subentry?

EdR: No. Inheritance does not care which policy is inherited. You either inherit all or not at all. However you could subclass specifically (say) for ACLs.

MarkW: Are there examples?

EdR: High-level examples only.

EdR: The mix-in rule is "replace" as opposed to any other method of combining policy. Policies all have different requirements and I don't know how to write a combination rule for a general situation.

Comment: Few situations where subentries are used but the discussion used examples from ACLs. Where are subentries actually used and used with inheritance?

EdR: Replication does not use inheritance but ACLs would need to replicate inheritance!

Comment: If all you need is replace then blockInheritance can be implemented as an empty policy!
MarkW: Authors who use subentries should work with Ed!

EdR: Administrative area discussion. LDUP has certain expectations (see slide 10). What then is an administrative area:
- Anything with a subentry below
- Anything marked with an administrative point in some way
- Up to the application

MarkW: The second is the X.500 way. LDAPBIS may reintroduce the DSE type.

KurtZ: Careful! This may cause recycle of the standard!

EdR: More and more X.500-isms hacked into LDAP implementations.

KurtZ: Important to have a consistent approach to this.

EdR: Visibility mechanisms. Define a control which makes subentries visible. baseEntry scope is handled differently (i.e. an X.500 read).

DavidC: In this case the control has no meaning!

EdR: Search filters can be used to pick out subentries in some implementations (Netscape) but it is deprecated.

MarkW: Suggest deleting this.

KurtZ: Suggestion: if the base of the search is a subentry, pretend the control is present and TRUE.

DavidC: X.500 does not have subentries below subentries. Would you then not miss the entry itself if you do a subtree search without the control?

KurtZ: No, the suggested semantics is that the control is treated as present and true whenever the base of the search is a subentry (regardless of scope).

EdR: Summary.

MarkZ: Summarize comments to the mailing list.

11. Charter Review (Mark Wahl and Roland Hedberg)

Proposed new timelines:
- Server discovery: 3/2001
- Java API: 3/2001
- C API: 6/2001
- Referral
  * 3/2001 (for named subordinates)
  * 6/2001 (for other referral types)
- Access Control model: 6/2001
- CLDAP: 9/2001

MarkW: Result of arm-twisting and threats. Goal is to clear the current agenda by fall next year.

Moving documents:
* Subentry: needed by LDUP
* draft-just-ldapv3-rescodes-02.txt and draft-armijo-ldap-control-error-00.txt: LDAPBIS

Other topics:
* 2247/2255 update for i18n URL/domains

Comment: How can you update 2255 while LDAPBIS is working on it?
KurtZ: IDN will not affect 2255 since this document inherits from URI documents.

PatrikF: The reference goes to an old version of the document so you should/must revise in the face of IDN.

KurtZ: (various nits about schema)

Comment: Should not LDIF go to Proposed Standard??

MarkW: Not in LDAPBIS since this has a very tight focus. This may not need to be a charter item!

KurtZ: Rescodes will (probably) go to LDAPBIS. The control error doc needs discussion before moving it.

MarkW: Additional work items (see slide) presented. Grouped into:
- Subentry
- Value Control
- Chaining and Proxying
- Request/Response Grouping
- Multiple Entry Updates
- Password Policy Management

MarkW: Present sample charter text for some of these groups.

Comment: The texts should mention possible impact on other groups by these items.

MarkW: This is not complete charter text but rather one-sentence descriptions. Also all these documents are intended standards-track. Other documents in the LDAP sphere (see slides) are either informational or have expired.

MarkW: This should go into the charter:
- Subentries
- Value Control
- Request/Response Grouping
- Chaining and Proxying

KurtZ: Wait until things fall/get axed off the charter before adding new stuff?!

MarkW: Charter review is very tedious and I don't like to do it very often, so let's have this discussion now and not at the next meeting.

Comment: Why not password?

MarkW: Few organizations/individuals work on it. The other groups affect large parts of LDAP. This is not true for password management which is mostly of interest if you have user information in LDAP.

KurtZ: Prioritize?

MarkW: Yes.

DavidC: Why not do multiple entry modification as part of grouping?

MarkW: You could but the intended usages are different...

KurtZ: Suggest that this group make one application as part of the grouping work.

MarkW: Agree.

Comment: Why lump chaining and proxying together?
MarkW: (argument that these are sufficiently similar)

Question to Kurt about authPassword, why he just wanted the ID to timeout. Kurt argued that they had found that they would have to store several hash versions of the password in order to support different applications. This made it easier to just store the password in the clear and then construct the hashes when needed. He will write down the experiences they had with implementing the draft and send them to the list.

12. ITU-T Alignment with LDAP (Peter Yee)

Presentation: see slides.

13. Evolving LDAP Schema Entries (Ellen Stokes)

Presentation: see slides.

EllenS: How to work on this. (A small group of people volunteer to do work by raising their hands -- a bar-BOF ensues later in the week.)

14. Storing Whois in LDAP (Andrew Newton)

Presentation: see slides. (The idea is to place domain registration data in LDAP and use referrals to address the distribution of data between the registry and registrars.)
http://www.ldap.research.netsol.com

15. Non Work Items (those discussed to be determined at meeting)

draft-armijo-ldap-control-error-00.txt (Michael Armijo)
draft-behera-ldap-password-policy-03.txt (Prasanta Behera)
draft-ietf-ldapext-matchedval-04.txt (David Chadwick)
draft-elliott-ldapext-spdna-recrecs-00.txt (Dave Elliott)
draft-greenblatt-ldapext* (Bruce Greenblatt)
draft-haripriya-ldapext-entryselect-01.txt (Haripriya S.)
draft-rharrison-ldap-extpartresp-02.txt (R. Harrison)
draft-knvijay-ldapext-clientcachingproxy-00.txt (K. N. Vijay)
draft-salzr-ldap-repsig-00.txt (Rick Salz)
draft-legg-ldapext-component-matching-00.txt (Stephen Legg)
draft-sermersheim-ldap-chaining-00.txt (Jim Sermersheim)
draft-weltman-ldapv3-proxy-06.txt (Rob Weltman)
draft-zeilenga-ldap* (Kurt Zeilenga)
Operation Grouping

The time was used up when the meeting came to this point so it was dropped.
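Added illustration (not part of the minutes, the locate draft, or any participant's work) of the DN-to-domain conversion argued over under item 4. It contrasts two candidate rules, both named and defined here as assumptions: a strict rule that keeps only the contiguous run of single-valued dc RDNs at the most-significant (rightmost) end of the DN, which is what the question "do dc components have to be the most significant part?" refers to, and a permissive rule that collects dc RDNs from anywhere in the DN, the alternative Bob Morgan floated. The DNs are constructed; the one with a dc RDN under an ou shows Mark Wahl's concern in practice: a dc used lower in the tree with other semantics would steer a permissive client's server discovery to a different domain. RFC 2253 escaping and multi-valued RDNs are handled so the parser is usable on real DNs.

```python
"""DN -> DNS domain conversion for DNS-based LDAP server discovery.

Illustration for the LDAPEXT item 4 discussion; not code from any draft.
Assumed rules: 'strict' keeps only the run of single-valued dc RDNs at the
most-significant end of the DN; 'permissive' takes dc RDNs from anywhere.
"""
import re
from typing import List, Optional, Tuple

RDN = List[Tuple[str, str]]  # one RDN: (attributeType, value) pairs
_LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def _split_unescaped(text: str, sep: str) -> List[str]:
    """Split on `sep`, leaving backslash-escaped characters untouched."""
    parts, buf, i = [], [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            buf.append(text[i:i + 2])   # keep escape pair; resolved later
            i += 2
            continue
        if text[i] == sep:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(text[i])
        i += 1
    parts.append("".join(buf))
    return parts


def _unescape(value: str) -> str:
    """Resolve RFC 2253 '\\,' and '\\2C' style escapes in a value."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            if re.fullmatch(r"[0-9A-Fa-f]{2}", value[i + 1:i + 3] or ""):
                out.append(chr(int(value[i + 1:i + 3], 16)))
                i += 3
            else:
                out.append(value[i + 1])
                i += 2
            continue
        out.append(value[i])
        i += 1
    return "".join(out)


def parse_dn(dn: str) -> List[RDN]:
    """Parse an RFC 2253 string DN into RDNs, least significant first."""
    if not dn.strip():
        return []
    rdns: List[RDN] = []
    for rdn_text in _split_unescaped(dn, ","):
        rdn: RDN = []
        for ava in _split_unescaped(rdn_text, "+"):   # '+' joins multi-valued RDNs
            if "=" not in ava:
                raise ValueError(f"malformed RDN component: {ava!r}")
            attr_type, value = ava.split("=", 1)
            rdn.append((attr_type.strip().lower(), _unescape(value.strip())))
        rdns.append(rdn)
    return rdns


def _dc_label(rdn: RDN) -> Optional[str]:
    """Lower-cased label if `rdn` is a single-valued dc RDN holding a valid DNS label."""
    if len(rdn) == 1 and rdn[0][0] == "dc" and _LABEL_RE.match(rdn[0][1]):
        return rdn[0][1].lower()
    return None


def domain_from_dn_strict(dn: str) -> Optional[str]:
    """Assumed strict rule: only the dc run at the most-significant end counts."""
    labels: List[str] = []
    for rdn in reversed(parse_dn(dn)):      # walk from the root downwards
        label = _dc_label(rdn)
        if label is None:
            break                           # first non-dc RDN ends the domain part
        labels.append(label)
    return ".".join(reversed(labels)) if labels else None


def domain_from_dn_permissive(dn: str) -> Optional[str]:
    """Assumed permissive rule: any dc RDN, wherever it sits, contributes a label."""
    labels = [lbl for lbl in (_dc_label(r) for r in parse_dn(dn)) if lbl is not None]
    return ".".join(labels) if labels else None


if __name__ == "__main__":
    # Constructed DN: 'dc=lab' under an ou carries application-specific meaning.
    dn = "cn=joe,dc=lab,ou=people,dc=example,dc=com"
    print("strict     ->", domain_from_dn_strict(dn))      # example.com
    print("permissive ->", domain_from_dn_permissive(dn))  # lab.example.com
```

The strict rule returns None for a DN with no trailing dc run (for example one rooted in o/c naming), which a client should treat as "no DNS-derived location" rather than guessing; the permissive rule's extra label is exactly the mapping change the meeting declined to make.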