directory-dev mailing list archives

From: Alex Karasulu <akaras...@apache.org>
Subject: Re: [ApacheDS 2.0] Should we remove the 'System' partition?
Date: Fri, 15 Oct 2010 20:22:12 GMT

On Fri, Oct 15, 2010 at 3:42 PM, Stefan Seelmann <seelmann@apache.org> wrote:

> Hi Pierre-Arnaud,
>
> On Fri, Oct 15, 2010 at 2:12 PM, Pierre-Arnaud Marcelot <pa@marcelot.net>
> wrote:
> > Hi Dev,
> >
> > I'm really wondering if we should not remove the 'System' partition.
> >
> > The only interesting piece of information we're taking from it is the
> admin user, especially its password.
> > Wouldn't it be more interesting to store this information in the config
> partition?
>
> The admin entry also contains the X.509 certificate and private/public
> keys for LDAPS and StartTLS extended operation. But I think the config
> partition is a better place for that information. And it should also be
> possible to reference the certificate and keys in a file in the
> filesystem.
>
>
We should also probably disassociate the server certificate from the admin
user.


> > Except the Admin user the other entries of that partition look like crap
> and legacy from old versions.
> >
> > The following configuration entries are no longer used:
> > - ou=configuration,ou=system
> >  | - ou=interceptors,ou=configuration,ou=system
> >  | - ou=partitions,ou=configuration,ou=system
> >  | - ou=services,ou=configuration,ou=system
>

Yeah this never really got used. With the new configuration partition we no
longer need this.


> > I don't know the role of this entry 'prefNodeName=sysPrefRoot,ou=system',
> if it still has any role?
>
>
It was to provide a Preferences API implementation with storage in the
server. Was at some point considering using it with user specific settings
to store on the server when they log in and/or for various OSGi related
matters.

This is also dead wood.


> > The following entries are not very useful too:
> > - ou=groups,ou=system
> >  | - cn=Administrators,ou=groups,ou=system
> > - ou=users,ou=system
>
> AFAIK they are still used from the "simplified" access control system,
> has to be checked.
>

Yes this actually is important. I think we can elevate someone to admin
level status by putting them into the Administrator group regardless of
which (ACI) access control system is being used. The idea is the admin user
should not be used after the first configuration and if people need
superpowers they should be doing it under their own DN once put into this
group.

So this needs to stay.


> > Isn't it better that the user creates its users in its own partition?
> > Even our admin user is not in the 'ou=users' organizational unit...
>
>
Yeah, this might be advantageous. The admin user does not need to be in users;
that was just an empty container put in there to add users if you like
without creating extra partitions.

Now we have the schema + config partition in addition to system by default.
It's getting expensive memory wise as well.

In fact what I wanted to do is create a default (where DN="") centrally
rooted partition as soon as we get nestable partitions working. However I
never got there. This would allow us to have an AP at the root DN to
govern the entire DIT and also allow us to manage the RootDSE better.

If we did away with the system partition we might have an issue with
initialization. Have to check this out. There might be some chicken and egg
problem to deal with but it might have gone away. Only way to see is to
reread the code or just try the change :-).



> > As you can see, the only valid information in the whole partition is the
> credentials of the admin (should we say default) user.
>
>
That and the Administrators group.


> > I really think this information should be placed in the configuration (we
> could also allow the redefinition of the admin user DN).
> > It would allow the user to edit these settings without having to start
> the server (at least) once.
>
> I'm +1, but keep in mind that we use "ou=system" in many places,
> especially in tests.
>
>
Yeah that will be ugly. I wish we made this into a constant somewhere :-).
That might be the first step.


-- 
Alex Karasulu
My Blog :: http://www.jroller.com/akarasulu/
Apache Directory Server :: http://directory.apache.org
Apache MINA :: http://mina.apache.org
To set up a meeting with me: http://tungle.me/AlexKarasulu
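The elevation mechanism Alex describes above (put a user's own DN into the Administrators group under ou=system, then stop binding as the admin user) as an added example; this is not code from the thread or from the ApacheDS project. It assumes, as the thread does not state, that cn=Administrators,ou=groups,ou=system is a groupOfUniqueNames whose membership attribute is uniqueMember, and that the user entry uid=jdoe,ou=people,dc=example,dc=com already exists in its own partition; both names are hypothetical.

```ldif
# Added example (assumed names): grant jdoe admin-level rights by adding the
# user's DN to the Administrators group in the system partition.
# Assumes the group is a groupOfUniqueNames with a uniqueMember attribute.
dn: cn=Administrators,ou=groups,ou=system
changetype: modify
add: uniqueMember
uniqueMember: uid=jdoe,ou=people,dc=example,dc=com
```

Apply it once as the built-in admin (for example `ldapmodify -H ldap://localhost:10389 -D uid=admin,ou=system -W -f admins.ldif`, assuming the default ApacheDS port), then verify by binding as uid=jdoe,ou=people,dc=example,dc=com and performing an operation that an ordinary user is denied. After that the uid=admin,ou=system credentials can be retired from day-to-day use, which is the point Alex makes: privileged work should be done under an individual, auditable DN rather than the shared default account.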
