On Fri, Oct 15, 2010 at 3:42 PM, Stefan Seelmann <seelmann@apache.org> wrote:
Hi Pierre-Arnaud,

On Fri, Oct 15, 2010 at 2:12 PM, Pierre-Arnaud Marcelot <pa@marcelot.net> wrote:
> Hi Dev,
> I'm really wondering if we should not remove the 'System' partition.
> The only interesting piece of information we're taking from it is the admin user, especially its password.
> Wouldn't it be more interesting to store this information in the config partition?

The admin entry also contains the X.509 certificate and private/public
keys for LDAPS and StartTLS extended operation. But I think the config
partition is a better place for that information. And it should also be
possible to reference the certificate and keys to a file in

We should also probably disassociate the server certificate from the admin user.
> Except the Admin user the other entries of that partition look like crap and legacy from old versions.
> The following configuration entries are no longer used:
> - ou=configuration,ou=system
>  | - ou=interceptors,ou=configuration,ou=system
>  | - ou=partitions,ou=configuration,ou=system
>  | - ou=services,ou=configuration,ou=system

Yeah this never really got used. With the new configuration partition we no longer need this.
> I don't know the role of this entry 'prefNodeName=sysPrefRoot,ou=system', if it still has any role?

It was to provide a Preferences API implementation with storage in the server. Was at some point considering using it with user specific settings to store on the server when they log in and/or for various OSGi related matters. 

This is also dead wood.
> The following entries are not very useful either:
> - ou=groups,ou=system
>  | - cn=Administrators,ou=groups,ou=system
> - ou=users,ou=system

AFAIK they are still used from the "simplified" access control system,
this has to be checked.

Yes this actually is important. I think we can elevate someone to admin level status by putting them into the Administrator group regardless of which (ACI) access control system is being used. The idea is the admin user should not be used after the first configuration and if people need superpowers they should be doing it under their own DN once put into this group.

So this needs to stay.

> Isn't it better that the user creates their users in their own partition?
> Even our admin user is not in the 'ou=users' organizational unit...

Yeah this might be advantageous. The admin user does not need to be in "users"; that was just an empty container put in there to add users if you like without creating extra partitions.

Now we have the schema + config partition in addition to system by default. It's getting expensive memory wise as well.

In fact what I wanted to do is create a default (where DN="") centrally rooted partition as soon as we get nestable partitions working. However, I never got there. So this would allow us to have an AP at the root DN to govern the entire DIT and also allow us to manage the RootDSE better.

If we did away with the system partition we might have an issue with initialization. Have to check this out. There might be some chicken and egg problem to deal with but it might have gone away. Only way to see is to reread the code or just try the change :-).

> As you can see, the only valid information in the whole partition is the credentials of the admin (should we say default) user.

That and the Administrators group.
> I really think this information should be placed in the configuration (we could also allow the redefinition of the admin user DN).
> It would allow the user to edit these settings without having to start the server (at least) once.

I'm +1, but keep in mind that we use "ou=system" in many places,
especially in tests.

Yeah that will be ugly. I wish we had made this into a constant somewhere :-). That might be the first step.

Alex Karasulu
My Blog :: http://www.jroller.com/akarasulu/
Apache Directory Server :: http://directory.apache.org
Apache MINA :: http://mina.apache.org
To set up a meeting with me: http://tungle.me/AlexKarasulu