directory-dev mailing list archives

From "George Stoianov" <gstoyan...@gmail.com>
Subject Re: Database information back end
Date Tue, 21 Nov 2006 18:49:32 GMT
On 11/21/06, Emmanuel Lecharny <elecharny@gmail.com> wrote:
> Hi Georges,
>
> On 11/21/06, George Stoianov <gstoyanoff@gmail.com> wrote:
> > Hi,
> >
> > I read a thread on the possibility of having a database back end for
> > ADS and have tried to understand all the arguments pro and con and I
> > think I am at a crossroads regarding the philosophical and design
> > aspects of the whole idea :)
>
> Philosophical? We are not that smart ! ;)

I am not either but I was thinking so much it felt philosophical :)

>
> > (leaning towards an rdbms aren't you
> > using Berkeley DB??),
>
> nope, because the BDB license prohibits it.

Really? So what kind of files are the .db files in var? Is the license
problem a problem in combination with the Apache license? Berkeley DB
is dual licensed, right? Or did Oracle change all of that? Actually,
forget this question: the open source license does not allow for third
party redistribution, whereas the Apache one does
(http://www.oracle.com/technology/software/products/berkeley-db/htdocs/licensing.html)

> > but still as a person that has/is using databases
> > for many other things I see some benefits to be had if you could
> > enable at least the presentation of database data in response to ldap
> > queries.
>
> There is no way to do that, because LDAP is a protocol which enforces the
> response structure...

Can you elaborate on this? To me it seems that when I ask for Jane
Smith from the HR department from the Oxford office in the UK I can do
that same thing using sql, selecting the country table, then the office
table with cities, and then the people table and then Jane Smith. As
far as the response structure, I think that is true for every protocol
and yet the end data storage for many of them is an rdbms. This is
where the middle program/ldap server provides the proper
representation of the response, in my mind.

>
> > One major drawback of ldap compared to a relational storage architecture
> > is that it is not relational in database terms; it is more of a network
> > type of database structure
>
> Let's say it's pretty much more like a Hierarchical database. (as of 1970,
> where you had Hierarchical, network and relational database - which was the
> newcomer )

Agreed.

>
> > where the information for each node of data
> > is stored at the node level and the uniqueness is guaranteed by the
> > path i.e.
>
> Agreed.
>
> > if I have a person that belongs to two different
> > departments I would have to create two records for that person and
> > all the common data would be duplicated in order to have that person
> > access the different resources for the other department.
>
> You could also use aliases, to avoid such a duplication. Basically, you
> point to the unique entry by its path (DN)

I do not think so as an alias would point to the same entity, which
would not solve the problem of the same entity having different
attributes or attribute values, depending on the location in the node
structure.

What I mean is let's say there were two different schools in a
university and Jane was a professor delivering lectures at both
schools but was actually a member of the faculty in the first school
and not the second. Now let's say she had the privilege of a university
laptop and electronic library access on campus 1 but not on campus 2.
How would you solve this with an LDAP structure... I think create two
records under the different branches of the tree (campus1 and campus2)
and have the laptop and library access attributes set accordingly in
campus1 and not in campus2. So in doing this you would possibly be
imposing a list of attributes in campus2 that may not even pertain to
that campus, as they have no internet access and do not use laptops. If
you were to do this in a database you would create a table for the
campus and a table for faculty-campus-privileges etc. Campus 1 will
have some stuff in it and campus 2 nothing. If later you needed to add
something you can easily do so for 1 and even 2 without storing
unnecessary information. I do not know if this makes any sense :).

>
> > I know that
> > if you could possibly put all the requirements down you could get a
> > good enough structure to account for that but flexibility in the long
> > term seems a lot harder to attain than with an rdbms engine,
>
>
> Not necessarily. Basically, what you should consider is whether you would
> benefit more from a hierarchical structure or from a relational one. Of
> course, everything can be done with a RDBMS (and when you look at IBM
> Directory Server, which is backed by a RDBMS - DB2
> -, you can see that, yes, this is possible :), but sometimes, a RDBMS is the
> best choice (may be often ;)

I think the benefits are in the way storage is supposed to work (I
have seen many databases that were way worse than the hierarchical structure
ldap has) and that things naturally lend themselves to relations in
real life, in my mind, despite the fact that people hate rules and want to
eat and not pay for it :) so the requirements often make you design
yourself into a complete mess.

>
> > although
> > I like the trigger and view capabilities you are building; they may be
> > the solution. I am completely new to ldap so please correct me if I am
> > wrong.
>
> I can't say you are wrong. You pointed out some of the elements that should
> help you to make the best choice :)
>
> > I am currently in the process of helping with the implementation of a
> > solution that uses ldap for user credentials; those credentials are
> > also used to form groups of people based on database records that
> > experience frequent updates and changes, so I am looking for a
> > flexible and quick (in respect of updates/deletes) solution and was
> > really happy to find ADS as I thought that maybe/is the answer???
>
> Ahha... Well, hum, what I can say is that ADS has a full-fledged ACI
> implementation, based on the X.500 specification, which is one of the most
> complete (complex?). So, I think that it can fill your needs. Just check
> some doco :
>  http://docs.safehaus.org/display/TRIPLESEC/Home (Has been
> voted to be a part of Apache Directory Server one month ago)

Yes, X.500 is complex :) . Triplesec is not an LDAP server, right? I need
an ldap server as that is what the application using the groups and
people credentials uses natively.

>
> We also have two presentations done in ApacheCon EU last October :
> http://people.apache.org/~ersiner/apachecon-us06/ac-us-06-FR20-ErsinEr-ApacheDS_Access_Control_Administration_The_X.500_Way.pdf
>
> and
>
> http://people.apache.org/~ersiner/apachecon-us06/

So with stored procedures I can store a Java object and have it called
with a standard ldap query and it can return whatever text value I
choose??? That seems like a really good way to do what I need. The
security concerns are kind of troublesome, but if you can isolate the
calls to just one secured process you may be OK doing it this way. Do
you have a step by step example of doing this?

>
> > So let me get to my question: Is there a place in the ADS API where I
> > could plug in another representation of a storage structure which I
> > then will inadvertently tie to a rdbms back end.
>
> yep, but this will need some work ...

From your reply I take it a lot of work ... ???

>
> > What I need is the
> > power and the standards compliance from ADS and the ability to serve
> > my own data from a different source. Can you please point me in the
> > right direction on this??
>
> I hope I did. Are you in a hurry, or do you have time ?

Yes you did, thank you! I am in a hurry but I would like to at least
look at that side of the problem before giving up ;) ...

TIA,
George

>
> > Thanks,
> > George
> >
>
> You are welcome !
>
> Emmanuel
>
> --
> Cordialement,
> Emmanuel Lécharny
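
The two ideas George raises above, resolving "Jane Smith, HR, Oxford, UK" by walking the country, office and people tables, and keeping per-campus privileges in a separate table so the London entry carries no laptop attribute at all, as an added Python example. This is not ApacheDS code and is not from anyone in this thread; the sqlite3 schema, the table and attribute names, the sample rows and the mapping from RDN types (cn, ou, l, c) to SQL columns are all assumptions constructed for illustration.

```python
import sqlite3

# Constructed sample schema (assumption, not ApacheDS): one row per person,
# with per-department privileges in a join table so that the same person can
# appear under several departments without duplicating the person record.
SCHEMA = """
CREATE TABLE country (id INTEGER PRIMARY KEY, code TEXT UNIQUE NOT NULL);
CREATE TABLE office  (id INTEGER PRIMARY KEY,
                      country_id INTEGER NOT NULL REFERENCES country(id),
                      city TEXT NOT NULL, UNIQUE (country_id, city));
CREATE TABLE department (id INTEGER PRIMARY KEY,
                      office_id INTEGER NOT NULL REFERENCES office(id),
                      name TEXT NOT NULL, UNIQUE (office_id, name));
CREATE TABLE person  (id INTEGER PRIMARY KEY, cn TEXT UNIQUE NOT NULL,
                      mail TEXT NOT NULL);
CREATE TABLE membership (person_id INTEGER NOT NULL REFERENCES person(id),
                      department_id INTEGER NOT NULL REFERENCES department(id),
                      laptop INTEGER, library INTEGER,
                      PRIMARY KEY (person_id, department_id));
"""

# Constructed sample data: Jane is in HR at both offices, but only the
# Oxford membership grants the laptop and library privileges.
SAMPLE_DATA = """
INSERT INTO country VALUES (1, 'UK');
INSERT INTO office VALUES (1, 1, 'Oxford'), (2, 1, 'London');
INSERT INTO department VALUES (1, 1, 'HR'), (2, 2, 'HR');
INSERT INTO person VALUES (1, 'Jane Smith', 'jane.smith@example.org');
INSERT INTO membership VALUES (1, 1, 1, 1), (1, 2, NULL, NULL);
"""

# Which SQL column each RDN type selects (assumed mapping). Anything not
# listed here is rejected rather than guessed at.
RDN_COLUMNS = {
    "cn": "person.cn",
    "ou": "department.name",
    "l": "office.city",
    "c": "country.code",
}


def parse_dn(dn):
    """Split 'cn=Jane Smith,ou=HR,l=Oxford,c=UK' into [(type, value), ...],
    leaf first. Simplified: escaped commas in RDN values are not handled."""
    rdns = []
    for part in dn.split(","):
        attr, _, value = part.partition("=")
        attr, value = attr.strip().lower(), value.strip()
        if attr not in RDN_COLUMNS or not value:
            raise ValueError(f"unsupported or malformed RDN: {part!r}")
        rdns.append((attr, value))
    return rdns


def dn_to_query(dn):
    """Build a parameterized SELECT for the DN. Only column names from
    RDN_COLUMNS reach the SQL text; every client-supplied value is bound
    as a parameter, so a crafted cn cannot alter the query."""
    rdns = parse_dn(dn)
    where = " AND ".join(f"{RDN_COLUMNS[attr]} = ?" for attr, _ in rdns)
    sql = (
        "SELECT person.cn, person.mail, membership.laptop, membership.library "
        "FROM person "
        "JOIN membership ON membership.person_id = person.id "
        "JOIN department ON department.id = membership.department_id "
        "JOIN office ON office.id = department.office_id "
        "JOIN country ON country.id = office.country_id "
        f"WHERE {where}"
    )
    return sql, [value for _, value in rdns]


def open_sample_db():
    """In-memory sqlite3 database loaded with the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA + SAMPLE_DATA)
    return conn


def lookup(conn, dn):
    """Resolve a DN to an LDAP-shaped entry (attribute -> list of values),
    or None when no row matches. This is the 'middle program' step: the
    relational row is reshaped into the structure the protocol expects."""
    sql, params = dn_to_query(dn)
    row = conn.execute(sql, params).fetchone()
    if row is None:
        return None
    cn, mail, laptop, library = row
    entry = {"dn": dn, "objectClass": ["person"], "cn": [cn], "mail": [mail]}
    # Privileges become attributes only where the membership row grants
    # them, so the London entry has no laptop/library attribute at all
    # instead of a duplicated record carrying placeholder values.
    if laptop:
        entry["laptop"] = ["TRUE"]
    if library:
        entry["library"] = ["TRUE"]
    return entry


if __name__ == "__main__":
    db = open_sample_db()
    print(lookup(db, "cn=Jane Smith,ou=HR,l=Oxford,c=UK"))
    print(lookup(db, "cn=Jane Smith,ou=HR,l=London,c=UK"))
```

The point a practitioner would check first is in `dn_to_query`: the RDN values, which come from the client, are bound as parameters and never spliced into the SQL string, and RDN types outside the fixed mapping raise instead of being interpolated as column names. The privilege handling answers the duplication worry from the message: one person row, one membership row per department, and the attribute simply absent where the privilege is not granted.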
