[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: slapd operational attributes

To: "'Frank Hoffsummer'" <frank.hoffsummer@svt.se>, <openldap-software@OpenLDAP.org>
Subject: RE: slapd operational attributes
From: "Howard Chu" <hyc@highlandsun.com>
Date: Thu, 26 Feb 2004 07:51:50 -0800
Importance: Normal
In-reply-to: <OFC136B401.0DA00715-ONC1256E46.0052C7A3-C1256E46.0052DC0E@svt.se>

>>>
-----Original Message-----
From: owner-openldap-software@OpenLDAP.org
[mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Frank Hoffsummer

Hello,
we are planning to use openldap2 with back-bdb on linux as the central
userdatabase behind a webforum application.

One functional requirement is to keep track of the following attributes for
each user:
- last login time
- last IP address
- last modification time (of user attributes)

its seems that these requirements would lead to an implementation where all
authentications would also perform write operations to the database, which is
certainly not desirable.

I now read about some operational attributes (such as createTimeStamp and
modifiersName) that slapd seems to keep track of. I checked the
documentation, the FAQ and the general Web, but found no satisfying answers
to the following questions

- what operational attributes does slapd keeps track of automatically?
- can these be configured (i.e. new attributes added)?
- is it common practice to use these to fullfill requirements like the ones i
described above?
- if not, what is common (best) practice? (not to use LDAP? or go for a
hybrid setup?)
<<<
The set of operational attributes is defined in the source code.

Since operational attributes are, by definition, associated with internal
server behavior, you cannot simply add attributes in a config file. You must
add the code that implements their behavior as well.

No, it is not common practice to use operational attributes to address your
situation.

Again, operational attributes are used to represent the internal workings of
the LDAP server. You've described a situation that tracks usage of a Web
application. The information you're tracking is thus application-specific
data - you're tracking logins to the Web app, not logins to the LDAP server.
The client IP addresses that you're interested in are the IP addresses of
your web clients. If you were using an operational attribute to track IP
addresses, it would reflect the IP addresses of the LDAP clients. In your
case, since your Web server is the LDAP client, the only addresses you would
see would be those of your web servers, which probably isn't very
interesting.

Your Web application should use regular user attributes to store this
information.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support

Prev by Date: Re: blank attribute value.
Next by Date: Re: Slave/Replica server authentication/authorization question
Index(es):
- Chronological
- Thread