Full_Name: Andrew Bartlett
Version: CVS HEAD
OS: Fedora 9
URL: http://www.openldap.org/lists/openldap-technical/200803/msg00101.html
Submission from: (NULL) (59.167.251.137)

For Samba4, I need a few things, detailed in the attached URL.

This ITS is for internal transactions and validation - the ability to have an openldap overlay roll back all the changes so far, because a precondition is not met.

I need the memberOf and refint modules to ensure that no dangling links ever exist, even over subtree renames and invalid modifies, and that a transaction ensures this is always the case.

This needs to occur even between databases on the server, but I won't ask that it occur outside the known trees.

abartlet@samba.org wrote:
> Full_Name: Andrew Bartlett
> Version: CVS HEAD
> OS: Fedora 9
> URL: http://www.openldap.org/lists/openldap-technical/200803/msg00101.html
> Submission from: (NULL) (59.167.251.137)
>
>
> For Samba4, I need a few things, detailed in the attached URL.

The above message thread had some unanswered questions. We may need to have each point listed out again.

> This ITS is for internal transactions and validation - the ability to have an
> openldap overlay roll back all the changes so far, because a precondition is not
> met.

I think this one is understood, OK. Just a matter of getting the time to do it.

> I need the memberOf and refint modules to ensure that no dangling links ever
> exist, even over subtree renames and invalid modifies, and that a transaction
> ensures this is always the case.

I think the proper use of memberOf still needs to be addressed. E.g., it's generally a bad idea to search for (memberOf=foo) when you can simply enumerate the members inside the "foo" entry. If you give us precise examples of the searches and modifications that you'll be using, we may be able to narrow the scope of this work.

> This needs to occur even between databases on the server, but I won't ask that
> it occur outside the known trees.

It's already possible for operations in one database to reference entries in a different database, so that aspect of validation should be fine. However, as noted before, "validation" is generally bogus to begin with. In particular, how do you create entries with circular references? If you disallow references to nonexistent entries, you can't set the references until after all of the entries have been created. This means that you cannot back up a database that has these references and then later reload it in a single pass.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/

On Tue, 2008-05-27 at 18:22 -0700, Howard Chu wrote:
> abartlet@samba.org wrote:
> > Full_Name: Andrew Bartlett
> > Version: CVS HEAD
> > OS: Fedora 9
> > URL: http://www.openldap.org/lists/openldap-technical/200803/msg00101.html
> > Submission from: (NULL) (59.167.251.137)
> >
> >
> > For Samba4, I need a few things, detailed in the attached URL.
>
> The above message thread had some unanswered questions. We may need to have
> each point listed out again.
>
> > This ITS is for internal transactions and validation - the ability to have an
> > openldap overlay roll back all the changes so far, because a precondition is not
> > met.
>
> I think this one is understood, OK. Just a matter of getting the time to do it.
>
> > I need the memberOf and refint modules to ensure that no dangling links ever
> > exist, even over subtree renames and invalid modifies, and that a transaction
> > ensures this is always the case.
>
> I think the proper use of memberOf still needs to be addressed. E.g., it's
> generally a bad idea to search for (memberOf=foo) when you can simply
> enumerate the members inside the "foo" entry. If you give us precise examples
> of the searches and modifications that you'll be using, we may be able to
> narrow the scope of this work.

I'll be passing on any search that a Windows client makes, and trying to return the same result a Windows server would return. Bad ideas still have to be implemented in my world :-(

> > This needs to occur even between databases on the server, but I won't ask that
> > it occur outside the known trees.
>
> It's already possible for operations in one database to reference entries in a
> different database, so that aspect of validation should be fine. However, as
> noted before, "validation" is generally bogus to begin with. In particular,
> how do you create entries with circular references? If you disallow references
> to nonexistent entries, you can't set the references until after all of the
> entries have been created. This means that you cannot back up a database that
> has these references and then later reload it in a single pass.

An interesting point, but I need to match the Windows runtime behaviour.

Andrew Bartlett

--
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.

Andrew Bartlett wrote:
> On Tue, 2008-05-27 at 18:22 -0700, Howard Chu wrote:
>>> This needs to occur even between databases on the server, but I won't ask that
>>> it occur outside the known trees.
>> It's already possible for operations in one database to reference entries in a
>> different database, so that aspect of validation should be fine. However, as
>> noted before, "validation" is generally bogus to begin with. In particular,
>> how do you create entries with circular references? If you disallow references
>> to nonexistent entries, you can't set the references until after all of the
>> entries have been created. This means that you cannot back up a database that
>> has these references and then later reload it in a single pass.
>
> An interesting point, but I need to match the Windows runtime
> behaviour.

Only when it has a visible impact on other clients. What software will break if the directory allows you to add new entries that contain dangling references? What will break if the directory allows you to modify a reference attribute to point to a nonexistent entry?

There's a lot of Windows behavior that is clearly wrong, by any number of metrics. You need to be a bit more selective in prioritizing the list of things to chase down.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/

On Tue, 2008-05-27 at 18:43 -0700, Howard Chu wrote:
> Andrew Bartlett wrote:
> > On Tue, 2008-05-27 at 18:22 -0700, Howard Chu wrote:
> >
> >>> This needs to occur even between databases on the server, but I won't ask that
> >>> it occur outside the known trees.
> >> It's already possible for operations in one database to reference entries in a
> >> different database, so that aspect of validation should be fine. However, as
> >> noted before, "validation" is generally bogus to begin with. In particular,
> >> how do you create entries with circular references? If you disallow references
> >> to nonexistent entries, you can't set the references until after all of the
> >> entries have been created. This means that you cannot back up a database that
> >> has these references and then later reload it in a single pass.
> >
> > An interesting point, but I need to match the Windows runtime
> > behaviour.
>
> Only when it has a visible impact on other clients. What software will break
> if the directory allows you to add new entries that contain dangling
> references? What will break if the directory allows you to modify a reference
> attribute to point to a nonexistent entry?

Sure, I'm not asking for a change to default behaviours. I'm listing the things that our testsuite finds are differences, and looking for solutions.

> There's a lot of Windows behavior that is clearly wrong, by any number of
> metrics. You need to be a bit more selective in prioritizing the list of
> things to chase down.

This is currently the top priority for an LDAP Backend for Samba4.

Andrew Bartlett

--
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.

Andrew Bartlett wrote:
> On Tue, 2008-05-27 at 18:43 -0700, Howard Chu wrote:
>> Andrew Bartlett wrote:
>>> On Tue, 2008-05-27 at 18:22 -0700, Howard Chu wrote:
>>>>> This needs to occur even between databases on the server, but I won't ask that
>>>>> it occur outside the known trees.
>>>> It's already possible for operations in one database to reference entries in a
>>>> different database, so that aspect of validation should be fine. However, as
>>>> noted before, "validation" is generally bogus to begin with. In particular,
>>>> how do you create entries with circular references? If you disallow references
>>>> to nonexistent entries, you can't set the references until after all of the
>>>> entries have been created. This means that you cannot back up a database that
>>>> has these references and then later reload it in a single pass.
>>> An interesting point, but I need to match the Windows runtime
>>> behaviour.
>> Only when it has a visible impact on other clients. What software will break
>> if the directory allows you to add new entries that contain dangling
>> references? What will break if the directory allows you to modify a reference
>> attribute to point to a nonexistent entry?
>
> Sure, I'm not asking for a change to default behaviours. I'm listing
> the things that our testsuite finds are differences, and looking for
> solutions.

I don't believe your proposed solution will ever be satisfactory. Entries with circular references will also break syncrepl Refresh if the constraint you're asking for is enforced. That will clearly have visible impact in many deployments. If the only thing that complains with the current behavior is your testsuite and not any real world clients, I suggest you just note the difference and move on.

>> There's a lot of Windows behavior that is clearly wrong, by any number of
>> metrics. You need to be a bit more selective in prioritizing the list of
>> things to chase down.
>
> This is currently the top priority for an LDAP Backend for Samba4.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/

On Wed, 2008-05-28 at 08:14 -0700, Howard Chu wrote:
> Andrew Bartlett wrote:
> > On Tue, 2008-05-27 at 18:43 -0700, Howard Chu wrote:
> >> Andrew Bartlett wrote:
> >>> On Tue, 2008-05-27 at 18:22 -0700, Howard Chu wrote:
> >>>>> This needs to occur even between databases on the server, but I won't ask that
> >>>>> it occur outside the known trees.
> >>>> It's already possible for operations in one database to reference entries in a
> >>>> different database, so that aspect of validation should be fine. However, as
> >>>> noted before, "validation" is generally bogus to begin with. In particular,
> >>>> how do you create entries with circular references? If you disallow references
> >>>> to nonexistent entries, you can't set the references until after all of the
> >>>> entries have been created. This means that you cannot back up a database that
> >>>> has these references and then later reload it in a single pass.
> >>> An interesting point, but I need to match the Windows runtime
> >>> behaviour.
> >> Only when it has a visible impact on other clients. What software will break
> >> if the directory allows you to add new entries that contain dangling
> >> references? What will break if the directory allows you to modify a reference
> >> attribute to point to a nonexistent entry?
> >
> > Sure, I'm not asking for a change to default behaviours. I'm listing
> > the things that our testsuite finds are differences, and looking for
> > solutions.
>
> I don't believe your proposed solution will ever be satisfactory. Entries with
> circular references will also break syncrepl Refresh if the constraint you're
> asking for is enforced.

Only if you don't consider them in replication. If the backlinks are added on each node, and not replicated, then surely you just need to import a set of replicated data, and then in the same transaction update the links.

Is there perhaps another way to implement this - say using a search-based virtual attribute for one half of the problem?

I'm in no position to set your priorities, and my wishlist remains only that I hope to someday be able to make this work with OpenLDAP, but these issues remain.

Andrew Bartlett

--
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.
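
The disagreement in the exchange above, as an added example (not OpenLDAP or Samba code, and not written by either poster): a toy directory that rejects dangling references per operation cannot reload a circular group/user pair in one pass, while two passes, or one validation at transaction commit, can. The class, the function names and the DNs are constructed for illustration.

```python
class DanglingReference(Exception):
    """Raised when a reference attribute points at a DN that does not exist."""

class Directory:
    """Toy directory: DN -> set of DNs its reference attributes point to."""
    def __init__(self):
        self.entries = {}

    @staticmethod
    def dangling(entries):
        return sorted((dn, ref) for dn, refs in entries.items()
                      for ref in refs if ref not in entries)

    def put_strict(self, dn, refs=()):
        """Add or replace one entry; validated per operation."""
        self.commit([(dn, refs)])

    def commit(self, batch):
        """Apply a batch as one transaction; validate once, at commit time."""
        candidate = dict(self.entries)
        for dn, refs in batch:
            candidate[dn] = set(refs)
        bad = self.dangling(candidate)
        if bad:
            raise DanglingReference(bad)  # self.entries untouched: rollback
        self.entries = candidate

# Constructed sample data: a group and a user that reference each other.
GROUP = "cn=staff,ou=groups,dc=example,dc=com"
USER = "cn=alice,ou=people,dc=example,dc=com"
BACKUP = [(GROUP, [USER]), (USER, [GROUP])]  # member / memberOf

def single_pass(batch):
    """Reload entry by entry; return index of the first rejected entry, or None."""
    d = Directory()
    for i, (dn, refs) in enumerate(batch):
        try:
            d.put_strict(dn, refs)
        except DanglingReference:
            return i
    return None

def two_pass(batch):
    """Create bare entries first, then set the references."""
    d = Directory()
    for dn, _ in batch:
        d.put_strict(dn)
    for dn, refs in batch:
        d.put_strict(dn, refs)
    return d.entries

def one_transaction(batch):
    d = Directory()
    d.commit(batch)
    return d.entries
```

Whichever order the backup lists the two entries in, the single-pass reload rejects the first one, so no reordering of the dump avoids the problem.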
moved from Incoming to Development

Hi Andrew,

Is this still necessary for Samba?

Thanks,
Quanah

(In reply to Quanah Gibson-Mount from comment #8)
> Hi Andrew,
>
> Is this still necessary for Samba?
>
> Thanks,
> Quanah

Samba removed the LDAP backend support.

https://wiki.samba.org/index.php/Samba4/LDAP_Backend

The last person to express an interest in this area was Nadezhda Ivanova. The last plan was to rebuild OpenLDAP on top of Samba's stack, rather than the other way around, as a way of making forward progress.

Transaction support was added to OpenLDAP in 2014 (for the 2.5 release series):

commit 32f05e96f7520bc5b99b7e5302ff08d33e550199
Author: Howard Chu <hyc@openldap.org>
Date: Mon Sep 15 21:44:20 2014 +0100

Flesh out txn support

Only in back-mdb; back-bdb needs work but it's deprecated; not worth the effort. In particular txn, retry after deadlocks makes the whole thing too messy.