[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Oracle OpenLDAP PPolicy ppolicy and the hierarchy

To: openldap-technical@openldap.org
Subject: Re: Oracle OpenLDAP PPolicy ppolicy and the hierarchy
From: Arthur de Jong <arthur@arthurdejong.org>
Date: Thu, 26 Dec 2013 12:16:03 +0100
In-reply-to: <52BAEB36.7090100@stroeder.com>
References: <02B24DE5CB6DFD4497226B2F508790E2E9A4@MATSVEMBX01.mclane.local> <20131223225228.3281a32b@pink.avci.de> <1387975788.4767.6.camel@sorbet.thuis.net> <52BAEB36.7090100@stroeder.com>

On Wed, 2013-12-25 at 15:27 +0100, Michael StrÃder wrote:
> Arthur de Jong wrote:
> > Additionally, if you plan to use the contents of the tree
> > as Unix users and want to have reasonable performance for
> > large trees, you should either:
> > 
> > - use memberUid attributes
> > - user member or uniqueMember with user with uid in the DN
> 
> I strongly disagree here.
> 
> 1. memberUid does not allow to use the same group in OpenLDAP ACLs
> Also it's not possible to use slapo-refint to check/update the
> reference. Furthermore slapo-memberOf only works with DN-based
> attributes. This old group scheme should die, die, die.

I know using DNs in groups can have some benefits in some ACLs and
internal LDAP state. Also, these methods allow for group nesting which
can be very convenient in some scenario's. But for external uses of LDAP
data such as Unix groups (posixGroup) the memberUid attribute is much
simpler to handle.

> 2. As explained many times on this list the LDAP syntax
> 1.3.6.1.4.1.1466.115.121.1.34 (Name And Optional UID) is seriously
> broken - especially when adding the arbitrary UID part behind a DN
> with DirectoryString syntax in top-level DN part.

I haven't seen "Name And Optional UID" before. I was talking about
having a DN with the uid attribute in it such as
  uid=joe,ou=people,dc=example,dc=com
instead of
  cn=Joe Black,ou=people,dc=example,dc=com

With the first DN style for users you can extract the uid attribute from
the DN. This has some problems, when e.g. a posixAccount has multiple
uid attributes but that causes so many other nasty side-effects that you
don't want that anyway.

With the second form, you always have to do an extra lookup.

You can cache things, put them in a local database and use something
other than LDAP search queries to search the data but that comes at a
price. Cache lookups have to take into account the lifetime of cached
entries and handle changes in LDAP gracefully (e.g. change uid of an
attribute of a cached entry). In general, caching is difficult to get
right and takes extra resources.

Thanks for your comments,

-- 
-- arthur - arthur@arthurdejong.org - http://arthurdejong.org/ --

Attachment: signature.asc
Description: This is a digitally signed message part

Follow-Ups:
- Re: Oracle OpenLDAP PPolicy ppolicy and the hierarchy
  - From: Michael StrÃder <michael@stroeder.com>
- Re: Oracle OpenLDAP PPolicy ppolicy and the hierarchy
  - From: Howard Chu <hyc@symas.com>

References:
- Oracle OpenLDAP PPolicy ppolicy and the hierarchy
  - From: David Barr <David.Barr2@mclaneat.com>
- Re: Oracle OpenLDAP PPolicy ppolicy and the hierarchy
  - From: Dieter KlÃnter <dieter@dkluenter.de>
- Re: Oracle OpenLDAP PPolicy ppolicy and the hierarchy
  - From: Arthur de Jong <arthur@arthurdejong.org>
- Re: Oracle OpenLDAP PPolicy ppolicy and the hierarchy
  - From: Michael StrÃder <michael@stroeder.com>

Prev by Date: Re: Oracle OpenLDAP PPolicy ppolicy and the hierarchy
Next by Date: Re: Oracle OpenLDAP PPolicy ppolicy and the hierarchy
Index(es):
- Chronological
- Thread