directory-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Pierre-Arnaud Marcelot ...@marcelot.net>
Subject Re: System partition removal was Re: [ApacheDS] adding a global trust manager
Date Tue, 23 Oct 2012 11:06:16 GMT

On 23 oct. 2012, at 11:50, Emmanuel Lécharny <elecharny@gmail.com> wrote:

> I renamed the thread to avoid any confusion.
> 
> Le 10/23/12 11:26 AM, Kiran Ayyagari a écrit :
>> On Tue, Oct 23, 2012 at 1:44 PM, Pierre-Arnaud Marcelot <pa@marcelot.net> wrote:
>>> Hi Kiran,
>>> 
>>> On 23 oct. 2012, at 08:09, Kiran Ayyagari <kayyagari@apache.org> wrote:
>>> 
>>> Hi All,
>>> 
>>>    I am currently implementing an X509 trust manager that is used for
>>> checking client certificates while using TLS for replication.
>>> 
>>>    This trust manager can work in any one of the two modes
>>>            1. trust all (default mode)
>>>            2. trust only the specified certificates
>>> 
>>> 
>>> Sounds cool. :)
>>> 
>>>    In the 2 mode trust manager loads a set of certificates stored in
>>> DiT under ou=certificates,ou=system (a new branch) [1]
>>> 
>>> 
>>> Sorry to hijack a little the original topic here, but I think its related.
>>> I really think we should get rid of the system partition, it has no use and
>>> the only interesting thing it still holds is the default/admin user.
>>> 
>> we discussed about this several times, but later I started to think
>> that we should keep it
>> 
>> let me state the reasons that support this in my view:
>> 
>>   o this serves as a play ground for users without having to go
>> through the creation of a partition
>>      and multiple restarts before he can actually inject an entry and use it
> 
> I do agree. If we remove the ou=system partition, then we will have to create a new partition
for users who want to play with the server, without having to create a specific new partition.

We already have it, "dc=example,dc=com". It's already included in the default config file.

>>   o parts of the system partition comes with default protection using
>> ACI and this is also a nice to
>>      have in out of the box installation

We could probably apply the same ACIs to "dc=example,dc=com".

>>   o the system partition is very tightly coupled with the internals
>> (though _can_ be changed it requires substantial
>>      amount of effort)

Probably.
Should it forbid us to make any change to it or remove it, maybe not.

> Especially when it comes to change the many tests depending on it...
> 
> But I don't think those two last points are valid : just because we depend on a partition
which should not have existed at the beginning, we should not refrain of thinking about removing
it.
> 
> Now, the ou=system not only contains the configuration - which could (should ?) be in
a separate partition - it also stores the ou=groups and ou=users branches. I guess many users
are storing entries in those branches, removing it can impact severely those existing users.

I'm not really sure it's used by our users, as most of the docs refer to "dc=example,dc=com"
when it comes to populate the DIT.

> One other thing : the prefNodeName=sysPrefRoot branch can probably be removed (see http://osdir.com/ml/dev-directory-apache/2010-05/msg00190.html)
>> 
>>> Everything that is configurable (including the default/admin user) has its
>>> place in the configuration partition.
>>> That includes the certificates you're talking about.
> Certficates are not part of the server configuration, if you except the admin user. And
here, if the admin user contains its own certificate, that's fine.

We are not talking about users certificates here, but certificates that are used by the server
itself to communicate with other servers.
That's a really server-level configuration to me.

> Maybe we need to have a server certificate, which is not asociated with the admin user
though...
> 
>> other than the feature that it can be edited using a text editor am
>> really not comfortable with this
>> config LDIF partition, cause it is quite inefficient in the way it
>> handles updates, a complete re-write
>> after each modification is making it vulnerable to corruption (when I
>> try applying an ACI it takes way too long to
>> complete and leaves the partition corrupted if the process is killed
>> in the middle)
> We can differ the update on disk. Before using a LDIF partition, it was a JDBM partition.
Having a corrupted JDBM partition was even worse := we weren't able to fix it at all ! With
a LDIF partition, we can still use a text editor and fix what has been broken...
> 
> Morever, I do think that the performances is not really an issue : we don't modify the
configuration frequently, and this is not an operation you want to do on production before
bing sure that you won't break the server, I don't really mind if we are at risk to break
the server.
> 
> In other words : this is an admin task, and the admin must me cautious before changing
anything... Including backups !
>> The point am trying to make is adding certificates to this partition
>> makes the backing LDIF file grow in large size
>> making any modify operation even more slow.
> I agree with that.

Indeed, I agree too, but as Emmanuel said, this isn't something that's going change every
minute.

>>> ATM, the default password is not included in the configuration and it makes
>>> it uncomfortable having to first launch the server to be able to edit this
>>> value.
>> currently the config.ldif is not written to disk unless the server is
>> started for the very first time
> 
> We can discuss this specific problem in another thread. It would be way better if the
admin password was not stored in clear anywhere... (currently it *is* stored as PLAINTEXT
: it would be way better to _at least_ stored the hash value of it...)
> 
>>> It would be the same thing for those certificates.
>>> 
>> adding a certificate content in an LDIF entry is quite involved, I
>> would personally prefer the server to take care
>> of it instead of manually encoding and adding in config.ldif

I see no difference between adding it to an LDIF partition or to a JDBM partition.
In the end, to be user friendly, an application with an nice UI is required.

> Agreed. Certificates are stored as a byte[], and in LDIF, it's a base64 value. Note that
it's note *taht* complicated to create the LDIF file : Studio can do it for you :)

Exactly. ;)

Having the certificates out of the configuration makes them totally not configurable with
the ApacheDS Configuration plugin or the user editing the config.ldif file, and it adds two
locations for configuration elements which will probably confuse most of our users...
To me, it looks bad from a user POV.

Regards,
Pierre-Arnaud

>>> I think the configuration partition should really be the place where we
>>> store everything that can be configured.
>>> Once that's done, the system partition has no reason to exist anymore
>>> 
>>> WDYT?
>>> 
>> hope I have made my view clear in the above lines about keeping the
>> system partition :)
> 
> I would keep the ou=system partition around atm. It's not a big deal to have it, it's
convenient for tests, and for users.
> 
> I would rather suggest that we remove the ou=configuration,ou=system branch, it's most
certainly useless.
> 
> 
> -- 
> Regards,
> Cordialement,
> Emmanuel Lécharny
> www.iktek.com
> 


Mime
View raw message