[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Antw: Re: Regarding LDAP structure

To: Howard Chu <hyc@symas.com>
Subject: Re: Antw: Re: Regarding LDAP structure
From: Alejandro Imass <aimass@yabarana.com>
Date: Fri, 14 Mar 2014 12:49:14 -0400
Cc: Joshua Riffle <jriffle@apu.edu>, Ulrich Windl <Ulrich.Windl@rz.uni-regensburg.de>, "openldap-technical@openldap.org" <openldap-technical@openldap.org>
In-reply-to: <5322CD84.4080903@symas.com>
References: <CACmOZFqjSpgsDiH2cpPdy8SYxhwyvL_YgsGCYaHJBwnGOS02oA@mail.gmail.com> <CAHieY7TFQne1gyGe9-fWH3oYzZy-oBOQSha=kLKWowYzv3KnVA@mail.gmail.com> <5322CCA0020000A100014CFD@gwsmtp1.uni-regensburg.de> <5322CD84.4080903@symas.com>

On Fri, Mar 14, 2014 at 5:36 AM, Howard Chu <hyc@symas.com> wrote:
> Ulrich Windl wrote:
>>
>> Hi!
>>
>> I have a question on "entryUUID": Most (comonly used) group-like
>> structures
>
> use DNs for members. Are there any examples how to use entryUUID for
> group-like structures?
>
> There are no standard schema that do this. I'd note that your question and
> Alejandro's recommendation are contrary to the design of LDAP (and the X.500
> data model) - LDAP is meant to be a read-optimized hierarchical data store.
> If you simply use entryUUIDs for all references then you might as well use a
> flat or relational database instead of a hierarchical one.
>

Just to clarify: I did not recommend to use the entryUUID as a primary
LDAP lookup but rather as a means to identify a unique entry and as a
token to correctly associate __unique__ LDAP entries to other data
sources. When you have millions of users you will most likely have
cases of entries with identical attributes yet be 2 different people.
Anyway the spirit of my comment is that most LDAP implementations
ignore some advanced features like operational attributes and aliases.


> In particular, listing memberships by DN gives you immediate knowledge of an
> entry's location in the hierarchy, and clients can use DN's for direct
> access to any entry of interest. Using entryUUID requires you to do a
> search, instead of a direct lookup.
>

Agreed.

> There's of course a maintenance cost for using DNs as references - when DNs
> are changed, you might also need to change every entry that references them,
> which makes updates more expensive. But again, that's part of the LDAP
> design: writes can be more expensive, because reads must be as fast as
> possible.

Agreed. Moreover, many tools ignore moddn and modrdn altogether and
just delete and recreate.

>
> This is also a distinguishing characteristic of M$ AD that differentiates it
> from true LDAP implementations - in AD, references are stored internally as
> GUIDs, and the GUID must be mapped to a name on every read operation. Thus
> they avoid the expense of referential integrity updates when DNs change, but
> as a consequence, read operations in AD are slower than writes. It's not a
> tradeoff that makes sense for most LDAP uses, but M$ AD is not a shining
> example of good design anyway.
>

+1

Best,

Alejandro Imass

References:
- Regarding LDAP structure
  - From: Joshua Riffle <jriffle@apu.edu>
- Re: Regarding LDAP structure
  - From: Alejandro Imass <aimass@yabarana.com>
- Antw: Re: Regarding LDAP structure
  - From: "Ulrich Windl" <Ulrich.Windl@rz.uni-regensburg.de>
- Re: Antw: Re: Regarding LDAP structure
  - From: Howard Chu <hyc@symas.com>

Prev by Date: Re: Features been supported by LDAP
Next by Date: Re: Antw: Re: Regarding LDAP structure
Index(es):
- Chronological
- Thread