www-infrastructure-dev mailing list archives
From Tony Stevenson <t...@pc-tony.com>
Subject Re: LDAP - Next Steps
Date Tue, 26 May 2009 17:28:03 GMT
Emmanuel,

Can you give us some more detailed information?  i.e. how would we  
implement this, how would we ensure no changes are missed?

I assume this means setting up an ADS LDAP Server, which has this  
option enabled.  Replicating from OpenLDAP to ADS to then kick off the  
replication?



Cheers,
Tony


On 26 May 2009, at 16:45, Emmanuel Lécharny wrote:

> Tony Stevenson wrote:
>> Folks,
>>
>> Now that we can look to move LDAP on a little more, I have a  
>> question that I'd appreciate some feedback on.
>>
>> As you know, at the moment the SVN Authz file is in Subversion,  
>> when we move groups into LDAP, this will no longer be the case.
>> The SVN authz file will be dynamically rebuilt after every change  
>> to a group (or the template that creates the Authz file).
>>
>> To achieve this we have 2 options:
>>
>> 1)  Use OpenLDAP's  'accesslog overlay' to record all changes to  
>> the database.
>> 2)  Use a custom script that polls the groups and when it notices a  
>> change, it will force a rebuild.
>>
>> Now each of these has its ups and downs.  1 for example logs all  
>> changes, and could be used as an audit log, but it produces shit  
>> loads of output.  2 on the other hand means that the rebuild won't  
>> be triggered as quickly, and it will rely upon building a  
>> reliable checkpoint from the previous poll to generate a diff, and  
>> ultimately a kick of the build of a new SVN Authz file.
>>
>>
>> Of course there is always a 3rd hidden option, and that is to do  
>> away with using the SVN Authz file completely, and use <location>  
>> stanzas in httpd, and use mod_authz_ldap to control access this  
>> way.  Based on some of my very simple testing, this option provides  
>> a slightly faster turn around in changes, but it would require  
>> someone with root privileges on eris/harmonia to be able to add new  
>> location tags, and add new groups to an existing one.
> I would suggest a fourth option : we have a syncrepl able java piece  
> of code which can be informed from every modification done on  
> openldap, which can be used to react when something has changed in  
> the server, and modify the authz file immediately. It's light, not  
> too verbose, and not intrusive (no modification needed on Openldap  
> configuration).
>
> That might be worth a try...
>
> Just let me know.
>
> -- 
> --
> cordialement, regards,
> Emmanuel Lécharny
> www.iktek.com
> directory.apache.org
>
>
--------------------------------------------
Tony Stevenson

tony@pc-tony.com - pctony@apache.org
pctony@freenode.net - tony@caret.cam.ac.uk

http://blog.pc-tony.com

1024D/51047D66 ECAF DC55 C608 5E82 0B5E
3359 C9C7 924E 5104 7D66
--------------------------------------------
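Option 2 from the original question (poll the groups, keep a checkpoint from the previous poll, diff, and kick off an authz rebuild) as an added worked example; this is not code from the thread or from the ASF infrastructure team. The LDAP search is stood in for by a constructed list of entries so the module runs offline; the DNs, group names, repository paths and the authz template are assumptions, while `cn` and `memberUid` are the standard posixGroup attributes. It also carries the checks the concerns in the thread call for: the checkpoint is order-independent, so a poll that returns the same membership in a different order is not a "change"; a search that returns nothing (unreachable or broken server) refuses to rebuild rather than producing an authz file that locks everyone out; and the file is written through a temp file plus rename so httpd never reads a half-written authz.

```python
"""Poll LDAP groups, checkpoint them, and rebuild an SVN authz file on change.

Added example, not the ASF infrastructure project's own tooling. `fetch` is a
callable returning (dn, attributes) pairs; in a real deployment it would wrap
python-ldap or ldapsearch. Here it is replaced by constructed sample entries.
"""
import hashlib
import json
import os
import tempfile
from typing import Callable, Dict, List, Set, Tuple

Groups = Dict[str, Set[str]]

# Constructed sample of a search under ou=groups (DNs and names are assumed).
SAMPLE_ENTRIES = [
    ("cn=committers,ou=groups,dc=example,dc=org",
     {"cn": ["committers"], "memberUid": ["alice", "bob"]}),
    ("cn=pmc-httpd,ou=groups,dc=example,dc=org",
     {"cn": ["pmc-httpd"], "memberUid": ["bob"]}),
]


def entries_to_groups(entries) -> Groups:
    """Turn raw LDAP entries into {group name: set(member uids)}."""
    groups: Groups = {}
    for _dn, attrs in entries:
        groups[attrs["cn"][0]] = set(attrs.get("memberUid", []))
    return groups


def checkpoint(groups: Groups) -> str:
    """Stable digest of the group state: names and members sorted, so the
    same membership returned in a different order yields the same digest."""
    canonical = json.dumps({g: sorted(m) for g, m in sorted(groups.items())},
                           separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def diff_groups(old: Groups, new: Groups) -> Dict[str, Tuple[Set[str], Set[str]]]:
    """Per-group (added, removed) members. A group that vanished shows all its
    members as removed; a new group shows all of them as added."""
    changes = {}
    for g in set(old) | set(new):
        added = new.get(g, set()) - old.get(g, set())
        removed = old.get(g, set()) - new.get(g, set())
        if added or removed:
            changes[g] = (added, removed)
    return changes


def render_authz(groups: Groups, paths: Dict[str, List[Tuple[str, str]]]) -> str:
    """Render an SVN authz file. `paths` maps a repo path to (group, perm)
    rules; this template is assumed, the thread does not show the real one."""
    lines = ["[groups]"]
    for g, members in sorted(groups.items()):
        lines.append(f"{g} = {', '.join(sorted(members))}")
    for path, rules in sorted(paths.items()):
        lines += ["", f"[{path}]", "* ="]  # deny by default, then grant per group
        for g, perm in rules:
            if g in groups:  # never emit a rule for a group that no longer exists
                lines.append(f"@{g} = {perm}")
    return "\n".join(lines) + "\n"


def write_atomically(path: str, content: str) -> None:
    """Write to a temp file in the same directory, then rename over the target,
    so a concurrent reader (httpd) sees either the old or the new file."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".", prefix=".authz-")
    with os.fdopen(fd, "w") as f:
        f.write(content)
    os.chmod(tmp, 0o644)
    os.replace(tmp, path)


def poll_once(prev: Groups, fetch: Callable[[], list], paths, out_path=None):
    """One poll. Returns (changed, new_groups, changes). An empty result is
    treated as a failed search: refuse to rebuild rather than lock everyone out."""
    entries = fetch()
    if not entries:
        raise RuntimeError("group search returned nothing; refusing to rebuild")
    new = entries_to_groups(entries)
    if checkpoint(new) == checkpoint(prev):
        return False, new, {}
    if out_path:
        write_atomically(out_path, render_authz(new, paths))
    return True, new, diff_groups(prev, new)


if __name__ == "__main__":
    state = entries_to_groups(SAMPLE_ENTRIES)
    rules = {"/httpd": [("pmc-httpd", "rw"), ("committers", "r")]}
    print(render_authz(state, rules))
```

In a real deployment the previous poll's groups would be persisted (for instance as the JSON used by `checkpoint`) so a restart of the poller does not trigger a spurious full rebuild, and the diff returned by `poll_once` is what you would log as the audit trail that option 1's accesslog would otherwise give you.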
