www-infrastructure-dev mailing list archives

From Tony Stevenson <t...@pc-tony.com>
Subject Re: LDAP - Next Steps
Date Tue, 26 May 2009 17:28:03 GMT

Can you give us some more detailed information?  i.e. how would we  
implement this, how would we ensure no changes are missed?

I assume this means setting up an ADS LDAP Server, which has this  
option enabled.  Replicating from OpenLDAP to ADS to then kick off the  


On 26 May 2009, at 16:45, Emmanuel Lécharny wrote:

> Tony Stevenson wrote:
>> Folks,
>> Now that we can look to move LDAP on a little more, I have a  
>> question that I'd appreciate some feedback on.
>> As you know, at the moment the SVN Authz file is in Subversion,  
>> when we move groups into LDAP, this will no longer be the case.
>> The SVN authz file will be dynamically rebuilt after every change  
>> to a group (or the template that creates the Authz file).
>> To achieve this we have 2 options:
>> 1)  Use OpenLDAP's  'accesslog overlay' to record all changes to  
>> the database.
>> 2)  Use a custom script that polls the groups and when it notices a  
>> change, it will force a rebuild.
>> Now each of these has its ups and downs.  1 for example logs all  
>> changes, and could be used as an audit log, but it produces shit  
>> loads of output.  2 on the other hand means that the rebuild won't  
>> be triggered as quickly, and it will rely upon building a  
>> reliable checkpoint from the previous poll to generate a diff, and  
>> ultimately a kick of the build of a new SVN Authz file.
>> Of course there is always a 3rd hidden option, and that is to do  
>> away with using the SVN Authz file completely, and use <location>  
>> stanzas in httpd, and use mod_authz_ldap to control access this  
>> way.  Based on some of my very simple testing, this option provides  
>> a slightly faster turn around in changes, but it would require  
>> someone with root privileges on eris/harmonia to be able to add new  
>> location tags, and add new groups to an existing one.
> I would suggest a fourth option : we have a syncrepl able java piece  
> of code which can be informed from every modification done on  
> openldap, which can be used to react when something has changed in  
> the server, and modify the authz file immediately. It's light, not  
> too verbose, and not intrusive (no modification needed on Openldap  
> configuration).
> That might be worth a try...
> Just let me know.
> -- 
> cordialement, regards,
> Emmanuel Lécharny
> www.iktek.com
> directory.apache.org


Tony Stevenson

tony@pc-tony.com - pctony@apache.org
pctony@freenode.net - tony@caret.cam.ac.uk


1024D/51047D66 ECAF DC55 C608 5E82 0B5E
3359 C9C7 924E 5104 7D66
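The following is an added example, not code from this thread or from the ASF infrastructure team. It sketches option 2 above (the polling script) in Python and concentrates on the part the thread worries about: building a checkpoint from one poll that the next poll can be diffed against, so that no change, and in particular no removal from a group, is missed before the authz file is rebuilt. Group names, repository paths, the path-to-group template and the `* = r` default are all hypothetical; the LDAP search is stubbed with constructed sample data so the script runs offline.

```python
"""Poll-and-diff rebuild of an SVN authz file from LDAP group membership.

Added example; not code from the thread or from ASF infrastructure.  It
models option 2 in Tony's mail: each poll takes a snapshot of group
membership, compares it with the checkpoint from the previous poll and
rebuilds the authz file only when something changed.  The LDAP search is
replaced by constructed sample entries so the script runs offline; in
practice fetch_groups() would query the directory (e.g. with python-ldap).
"""
import hashlib
import json
from typing import Dict, List, Optional, Set, Tuple

Groups = Dict[str, Set[str]]
Pairs = Set[Tuple[str, str]]

# Constructed sample data: what an LDAP search for groupOfNames entries
# might return, reduced to group name -> member uids.  Names are hypothetical.
SAMPLE_GROUPS: Groups = {
    "httpd": {"alice", "bob"},
    "infrastructure": {"bob", "carol"},
}

# Hypothetical stand-in for "the template that creates the Authz file":
# repository path -> groups granted read/write on it.
AUTHZ_TEMPLATE: Dict[str, List[str]] = {
    "/httpd/httpd": ["httpd"],
    "/infrastructure/trunk": ["infrastructure"],
}


def fetch_groups() -> Groups:
    """Stub for the LDAP poll.  Replace with a real search of the group subtree."""
    return {g: set(m) for g, m in SAMPLE_GROUPS.items()}


def canonical(groups: Groups) -> str:
    """Canonical JSON of the membership.  Sorting groups and members makes
    the checkpoint independent of the order in which LDAP returns entries."""
    return json.dumps({g: sorted(m) for g, m in sorted(groups.items())}, sort_keys=True)


def checkpoint(groups: Groups) -> str:
    """Digest of the canonical form, used to decide whether a rebuild is needed."""
    return hashlib.sha256(canonical(groups).encode()).hexdigest()


def diff_groups(old: Groups, new: Groups) -> Tuple[Pairs, Pairs]:
    """(added, removed) as sets of (group, member) pairs.  Removals are the ones
    a polling approach must never miss: a missed removal leaves access in place."""
    old_pairs = {(g, m) for g, ms in old.items() for m in ms}
    new_pairs = {(g, m) for g, ms in new.items() for m in ms}
    return new_pairs - old_pairs, old_pairs - new_pairs


def missing_groups(groups: Groups, template: Dict[str, List[str]]) -> List[str]:
    """Groups the template grants access to but which the directory no longer has.
    Rendering a dangling @group reference would silently change who gets access."""
    return sorted({g for gs in template.values() for g in gs if g not in groups})


def render_authz(groups: Groups, template: Dict[str, List[str]]) -> str:
    """Render the authz file: a [groups] section, then one section per template
    path granting rw to the listed groups and (example policy) read to everyone."""
    missing = missing_groups(groups, template)
    if missing:
        raise KeyError(f"template references groups absent from LDAP: {missing}")
    out = ["[groups]"]
    for g in sorted(groups):
        out.append(f"{g} = {', '.join(sorted(groups[g]))}")
    for path in sorted(template):
        out.append("")
        out.append(f"[{path}]")
        for g in template[path]:
            out.append(f"@{g} = rw")
        out.append("* = r")
    return "\n".join(out) + "\n"


def poll_once(previous: Groups, current: Groups) -> Tuple[bool, Optional[str], Pairs, Pairs]:
    """One poll cycle: (changed, authz_text_or_None, added, removed).
    The caller persists `current` as the next checkpoint when changed is True."""
    if checkpoint(previous) == checkpoint(current):
        return False, None, set(), set()
    added, removed = diff_groups(previous, current)
    return True, render_authz(current, AUTHZ_TEMPLATE), added, removed


if __name__ == "__main__":
    before = fetch_groups()
    after = fetch_groups()
    after["httpd"].discard("bob")  # simulate a removal between two polls
    changed, authz, added, removed = poll_once(before, after)
    print("changed:", changed, "added:", added, "removed:", removed)
    print(authz)
```

The poll interval bounds the window between a group change in LDAP and the rebuilt authz file, which is the latency downside Tony raises against option 2; the accesslog overlay or a syncrepl consumer (options 1 and 4) close that window but still need the same rendering step and the same check for groups the template names that LDAP no longer has.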
