[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Is existing documentation kind of vague?

To: Howard Chu <hyc@symas.com>
Subject: Re: Is existing documentation kind of vague?
From: MJ J <mikedotjackson@gmail.com>
Date: Sun, 19 Nov 2017 20:44:06 +0200
Cc: William Brown <wibrown@redhat.com>, Michael Ströder <michael@stroeder.com>, openldap-technical@openldap.org
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=WGvHv6/cSm+TO7cYg8B/r2IKcPzbJJnaTG2H0xKuG4A=; b=s0xcAfxwKw6IVdZeS/PqEmKPtFAZ5BmOVZg8S22RmBCvsn4oTHIzCuqZn26hoEHXmC XgKBOKMA4d4KXZB7NcS+ylcFkitBoN7s7YeJOaLndAY8+Ouu0qX6x3SayRM27Qv5ZRb7 o/KLIKTP5+FSMlhgruMbzwLfb2owzoK7PECwmVWw82YgekjFTFTKLnnYNp193DE4zI/T f9oHvnckXQuBD1A8HNZWnZKOwbPhjCg1t9TOdrJU256SogYEDW9e98HBv8VkrB2NaXJd hfpwoWPE3BzPLzSoPlHU0iDMzJJ4uNrDdQC7iER2NhvC6u0FSaFw/RJEa6zbQQcLA37q fh/g==
In-reply-to: <3e375d00-25ef-8a24-1936-dd4eb8853e2e@symas.com>
References: <1510686800.27244.1.camel@hyperbolicinnovation.com> <CANCEyfNNs0CC-KxBV4kS3v3QRLFROKsp4BueMQrhOzxgZ1drwQ@mail.gmail.com> <5A0BE80D020000A100028E33@gwsmtp1.uni-regensburg.de> <CANCEyfNd81gj=wwaRZ1L7J_J3FEKb7Ccu=zA=OQqGbVkYayYxg@mail.gmail.com> <ffa3c75a-a847-ac3b-2a51-58dbd26dbb30@stroeder.com> <CANCEyfNy4WUrfvFQJOkSf454nOPH8q55mQ1t0my+7_Yi2KE5Aw@mail.gmail.com> <1510886955.4395.122.camel@redhat.com> <CANCEyfOz4m9fLe=2MFrwvbARrfnB525QiUZc1ePc6xKYV9wdxw@mail.gmail.com> <1510900475.4395.142.camel@redhat.com> <CANCEyfP2-2HjjFXfN1ZZ+2khxLO=Sf+XfgMzp8wkwkAASo5mbw@mail.gmail.com> <WM!1db104ead5c518cf19ad9a9a20ef9abc1903b682001a2c29ca8a7e144fdd6eafd190fb84cabaeaddecae6cd34c0d0472!@mailstronghold-1.zmailcloud.com> <3e375d00-25ef-8a24-1936-dd4eb8853e2e@symas.com>

Certainly, I will make a better list tomorrow or so and send them to
you. Generally, it relates to the areas of cn=config which are not
runtime configurable and the lack of inline ACLs being first-class
citizens.

Basically, I feel that anything which is exposed via cn=config should
not require an offline slapadd in order to take effect. These are not
really huge problems for LDAP experts, but quite challenging when
trying to train a bit less skilled people to handle operations. A
detailed list of cn=config params which can and cannot be modified
during runtime would help matters greatly, instead of the current
situation of knowledge via trial and error ;-)

On Sun, Nov 19, 2017 at 8:28 PM, Howard Chu <hyc@symas.com> wrote:
> MJ J wrote:
>>
>> I actually like 389 a lot and I have used Netscape DS extensively in
>> managing international telecom networks about 15 years ago. There are
>> quite many management features that are superior to OpenLDAP still to
>> this day, but I simply cannot use it anymore because of the lack of
>> scalability. I know the original Netscape DS devs quite extensively...
>
>
> There are certainly some obvious deficiences remaining in cn=config, and
> we're working on addressing as many as possible for 2.5. But I'd be curious
> to see your list of issues.
>
>
>>
>> -mike
>>
>> On Fri, Nov 17, 2017 at 8:34 AM, William Brown <wibrown@redhat.com> wrote:
>>>
>>> On Fri, 2017-11-17 at 08:27 +0200, MJ J wrote:
>>>>
>>>> No matter how you wrap poll() and select(), they will always be
>>>> poll()
>>>> and select() - you will always run loops around an ever increasing
>>>> stack of file descriptors while doing I/O. BDB is always going to
>>>> have
>>>> the same old problems... That's what I'm talking about - sacrificing
>>>> performance for platform portability (NSPR).
>>>>
>>>> FreeIPA could be multi-tenant i.e.support top-level and subordinate
>>>> kerberos realms if it supported a more sensible DIT layout. I know
>>>> because I have built such a system (based on OpenLDAP) and deployed
>>>> it
>>>> internationally. Probably the best piece of code to come out of the
>>>> project is bind-dyndb-ldap.
>>>
>>>
>>> Whoa mate - I'm not here to claim that 389 is a better ldap server - we
>>> just do some different things. We acknowledge our limitations and are
>>> really working on them and paying down our tech debt. We want to remove
>>> parts of nspr, replace bdb and more. :)
>>>
>>> I'm here to follow the progress of the openldap project, who have a
>>> team of people I respect greatly and want to learn from, and here to
>>> help discussions and provide input from a different perspective.
>>>
>>> There are things that today openldap does much better than us for
>>> certain - and there are also some things that we do differently too
>>> like DNA plugin uid allocation, replication etc,
>>>
>>> There are also project focusses and decisions made to improve
>>> supportability in systems like FreeIPA - we can discuss them forever,
>>> but reality is today, FreeIPA is not targeting multi-tennant
>>> environments because the majority of our consumers don't want that
>>> functionality. We made a design decision and have to live with it. I'm
>>> providing this information to help give the ability for people to
>>> construct an informed opinion.
>>>
>>>
>>> As mentioned, I'm not here to throw insults and criticisms, I'm here to
>>> have positive, respectful discussions about technology, to provide
>>> different ideas, and to learn from others :)
>>>
>>> Thanks,
>>>
>>>>
>>>> On Fri, Nov 17, 2017 at 4:49 AM, William Brown <wibrown@redhat.com>
>>>> wrote:
>>>>>
>>>>> On Thu, 2017-11-16 at 05:54 +0200, MJ J wrote:
>>>>>>
>>>>>> Sure, it can be improved to become invulnerable to the
>>>>>> academically
>>>>>> imaginative race conditions that are not going to happen in real
>>>>>> life.
>>>>>> That will go to the very bottom of my list of things to do now,
>>>>>> thanks.
>>>>>>
>>>>>> FreeIPA is a cool concept, too bad it's not scalable or multi-
>>>>>> tenant
>>>>>> capable.
>>>>>
>>>>>
>>>>> It's a lot more scalable depending on which features you
>>>>> enable/disable. It won't even be multi-tenant due to the design
>>>>> with
>>>>> gssapi/krb.
>>>>>
>>>>> At the end of the day, the atomic UID/GID alloc in FreeIPA is from
>>>>> the
>>>>> DNA plugin from 389-ds-base (which you can multi-instance on a
>>>>> server
>>>>> or multi-tentant with many backends). We use a similar method to AD
>>>>> in
>>>>> that each master has a pool of ids to alloc from, and they can
>>>>> atomically request pools. This prevents the race issues you are
>>>>> describing here with openldap.
>>>>>
>>>>> So that's an option for you, because those race conditions *do* and
>>>>> *will* happen, and it will be a bad day for you when they do.
>>>>>
>>>>>
>>>>> Another option is an external IDM system that allocs the uid's and
>>>>> feeds them to your LDAP environment instead,
>>>>>
>>>>> Full disclosure: I'm a core dev of 389 directory server, so that's
>>>>> why
>>>>> I'm speaking in this context. Not here to say bad about openldap or
>>>>> try
>>>>> to poach you, they are a great project, just want to offer
>>>>> objective
>>>>> insight from "the other (dark?) side". :)
>>>>>
>>>>>>
>>>>>> On Wed, Nov 15, 2017 at 11:09 PM, Michael Ströder <michael@stroed
>>>>>> er.c
>>>>>> om> wrote:
>>>>>>>
>>>>>>> MJ J wrote:
>>>>>>>>
>>>>>>>> TLDR; in a split-brain situation, you could run into trouble.
>>>>>>>> But
>>>>>>>> this
>>>>>>>> isn't the only place. Efffective systems monitoring is the
>>>>>>>> key
>>>>>>>> here.
>>>>>>>>
>>>>>>>> Long answer;
>>>>>>>> [..]
>>>>>>>> The solution I posted has been in production in a large,
>>>>>>>> dynamic
>>>>>>>> company for several years and never encountered a problem.
>>>>>>>
>>>>>>>
>>>>>>> Maybe it works for you. But I still don't understand why you
>>>>>>> post
>>>>>>> such a
>>>>>>> lengthy justification insisting on your MOD_INCREMENT / read-
>>>>>>> after-
>>>>>>> write
>>>>>>> approach with possible race condition even in a single master
>>>>>>> deployment
>>>>>>> while there are two proper solutions with just a few lines code
>>>>>>> more:
>>>>>>>
>>>>>>> 1. delete-by-value to provoke a conflict like the original
>>>>>>> poster
>>>>>>> mentioned by pointing to
>>>>>>> http://www.rexconsulting.net/ldap-protocol-uidNumber.html
>>>>>>>
>>>>>>> 2. MOD_INCREMENT with pre-read control
>>>>>>>
>>>>>>> Of course none of the solutions work when hitting multiple
>>>>>>> providers
>>>>>>> hard in a MMR setup or in a split-brain situation. One has to
>>>>>>> choose a
>>>>>>> "primary" provider then.
>>>>>>> BTW: AFAIK with FreeIPA each provider has its own ID range to
>>>>>>> prevent that.
>>>>>>>
>>>>>>> Ciao, Michael.
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>> --
>>>>> Sincerely,
>>>>>
>>>>> William Brown
>>>>> Software Engineer
>>>>> Red Hat, Australia/Brisbane
>>>>>
>>>>
>>>>
>>> --
>>> Sincerely,
>>>
>>> William Brown
>>> Software Engineer
>>> Red Hat, Australia/Brisbane
>>>
>>
>>
>
>
> --
>   -- Howard Chu
>   CTO, Symas Corp.           http://www.symas.com
>   Director, Highland Sun     http://highlandsun.com/hyc/
>   Chief Architect, OpenLDAP  http://www.openldap.org/project/

References:
- Is existing documentation kind of vague?
  - From: John Lewis <jl@hyperbolicinnovation.com>
- Re: Is existing documentation kind of vague?
  - From: MJ J <mikedotjackson@gmail.com>
- Antw: Re: Is existing documentation kind of vague?
  - From: "Ulrich Windl" <Ulrich.Windl@rz.uni-regensburg.de>
- Re: Re: Is existing documentation kind of vague?
  - From: MJ J <mikedotjackson@gmail.com>
- Re: Is existing documentation kind of vague?
  - From: Michael Ströder <michael@stroeder.com>
- Re: Is existing documentation kind of vague?
  - From: MJ J <mikedotjackson@gmail.com>
- Re: Is existing documentation kind of vague?
  - From: William Brown <wibrown@redhat.com>
- Re: Is existing documentation kind of vague?
  - From: MJ J <mikedotjackson@gmail.com>
- Re: Is existing documentation kind of vague?
  - From: William Brown <wibrown@redhat.com>
- Re: Is existing documentation kind of vague?
  - From: MJ J <mikedotjackson@gmail.com>
- Re: Is existing documentation kind of vague?
  - From: Howard Chu <hyc@symas.com>

Prev by Date: Re: Is existing documentation kind of vague?
Next by Date: Re: Is existing documentation kind of vague?
Index(es):
- Chronological
- Thread