
feature roadmap (2nd request)



This is the second posting since nobody responded. Here are the bullet
points:

1. When will access and schema be moved into the DIT?
2. Will ACI attributes ever be inheritable by children?
3. Can groups be nested? Are there checks for infinite loops or deadlock?
4. Are there any real world benchmarks showing high usage?
5. Any problems w/ SSL support?

Thanks,
Kevin

Original post below...

Hello,

I have used OpenLDAP very happily for several years. I am finally
outgrowing it with my current assignment.

I need to design a large LDAP metadirectory to link together many
branches of many companies spread all over the world. Security is very
important, as will be on-the-fly flexibility. I think OpenLDAP has met
its match for the time being.

These are the features that are killing me. The question is when (if
ever) they will become available, and are there workarounds that allow
the current product to satisfy the requirements?

Problem 1: Access control (ACL) is outside the DIT
Why is this a problem?
	1. Access controls can not be replicated
	2. Access controls can not be made on-the-fly
	3. Changes in access controls require restart of slapd, killing all connections
	4. Access to access lists is not configurable (needs write perms to access.conf)

Problem 2: In-object ACI (Access control info) is not inheritable
Why is this a problem?
	1. Allowing inheritance of ACIs would eliminate Problem 1
	2. Performance and administration suffer greatly from redundancies in ACIs.
	3. Access to ACI is configurable only through static ACL in access.conf (no dynamic bootstrap mechanism)

Problem 3: Groups can not be nested? (Mark Valence seems to have a patch to fix this, but I don't think it has been merged into -RELEASE...)
Why is this a problem?
	1. Administration is much more difficult
	2. List expansion outside server thread is very cumbersome

Problem 4: Schema information is outside DIT
Why is this a problem?
	1. Can not be replicated
	2. Access to schema can not be delegated (root only)
	3. Access to schema is not available to clients (Isn't this a LDAPv3 core requirement?)
	4. Changes to schema require restart of slapd, killing socket connections

Problem 5: Performance appears to be poor.
Personally, I have had quite good results by maintaining proper indexes,
caches, and buffers. However, this project will batter the living hell
out of the server, and I have not heard of any more than about 20-30
queries per sec in the "real world". Add this to complex access control
requirements and I start to get concerned. Any comments?

Problem 6: SSL support may be immature
I am trying to answer this question. I have seen reports of success and
failure, but the goal here is complete interoperability with no need for
special patches or considerations.

If anybody has info regarding these issues and their resolutions /
workarounds, please help me out.

Thanks,
Kevin
kevin@kogz.com
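The post's third question asks whether nested groups are checked for infinite loops, and Problem 3 notes that expanding group lists outside the server thread is cumbersome. The following is an added example, not code from the post or from OpenLDAP, showing the bookkeeping any group expander (server-side or client-side) needs: a depth-first walk that collects leaf members, records true back-edges as cycles rather than looping on them, and bounds nesting depth. The directory contents are a constructed sample, and the function names and the 16-level depth limit are this example's own assumptions.

```python
"""Nested-group expansion with cycle detection, modelled on LDAP 'member'
attributes. Constructed example: groups are a dict mapping a group DN to
the DNs in its member attribute. Nothing here contacts a live directory.
"""

# Constructed sample directory (not real data). It deliberately contains a
# cycle, cn=eng -> cn=backend -> cn=eng, plus an ordinary nested group.
SAMPLE_GROUPS = {
    "cn=eng,ou=groups,dc=example,dc=com": [
        "uid=alice,ou=people,dc=example,dc=com",
        "cn=backend,ou=groups,dc=example,dc=com",
    ],
    "cn=backend,ou=groups,dc=example,dc=com": [
        "uid=bob,ou=people,dc=example,dc=com",
        "cn=eng,ou=groups,dc=example,dc=com",  # back-edge to an ancestor
        "cn=dba,ou=groups,dc=example,dc=com",
    ],
    "cn=dba,ou=groups,dc=example,dc=com": [
        "uid=carol,ou=people,dc=example,dc=com",
    ],
}

# Assumed limit on nesting depth; a server would make this configurable.
MAX_DEPTH = 16


def expand_group(group_dn, groups, max_depth=MAX_DEPTH):
    """Return (members, cycles).

    members: set of non-group DNs reachable from group_dn.
    cycles:  list of (from_group, to_group) edges that point back at a group
             already on the current expansion path, i.e. genuine loops.
    A group reached twice via different paths (a diamond) is expanded once
    and is not reported as a cycle.
    """
    members = set()
    cycles = []
    expanded = set()  # groups whose members have already been walked

    def walk(dn, path):
        if len(path) > max_depth:
            raise ValueError("nesting deeper than %d at %s" % (max_depth, dn))
        expanded.add(dn)
        for m in groups.get(dn, []):
            if m in groups:          # nested group
                if m in path:        # ancestor on the current path: a loop
                    cycles.append((dn, m))
                elif m not in expanded:
                    walk(m, path + (m,))
            else:                    # leaf entry (user, host, ...)
                members.add(m)

    walk(group_dn, (group_dn,))
    return members, cycles


def is_member(user_dn, group_dn, groups):
    """Membership test through nested groups; safe on cyclic data."""
    members, _ = expand_group(group_dn, groups)
    return user_dn in members


if __name__ == "__main__":
    for g in SAMPLE_GROUPS:
        members, cycles = expand_group(g, SAMPLE_GROUPS)
        print(g)
        print("  members:", sorted(members))
        print("  cycles: ", cycles)
```

The key choice is tracking two sets: the current path (to classify an edge as a loop) and the already-expanded groups (to avoid re-walking a diamond). Using only one "visited" set either misses loops or misreports diamonds as loops, and using neither is exactly the infinite-loop case the question raises.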