[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: rename across trees: manageDIT?

At 09:52 AM 8/17/2005, Pierangelo Masarati wrote:
>I'm designing a procedure to allow transparent renaming across trees by
>means of a proxy; I'm at the point where I'd like to be able to preserve
>things like the entryUUID, the creatorsName and the createTimestamp.  In
>fact, the client must not be aware of the fact that the database is
>actually located in multiple servers - the DSA is distributed for
>architectural reasons but it has to be seen as a unique system, hence the
>need to allow transparent renames.  I'm currently up to the point where a
>client with a superadministration identity must be able to do this rename,
>but the proxy tools don't let it occur because they strip operational
>attributes from writes that do not occur with a shadow update identity,
>and I don't want to add code to fool them like that.
>So I'm looking at the manageDIT control.  I sounds reasonable that the
>proxy tools (back-ldap, back-meta, slapo-rwm) let (some) noUserMod
>attributes be passed along with a write operation if it happens under the
>umbrella of the manageDIT control, wouldn't it?  Comments?

In absence of a chaining operation (which would allow cooperating
DSAs to, if they were willing and able, subtree renames), I see
no problem with proxy backends making things work using manageDIT,
manageDSAit, proxyAuthz, and other controls.   The problem, of
course, is that the client itself might have provided those controls
and it might be difficult (if not impossible), especially in the
remote server, to distinguish the cases.  Hence, why a chaining
operation is badly needed.

>Pierangelo Masarati
>    SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497