Hi,
I would like to share some simple idea and find out similar interest. This is about the ldap replication using the existing xmpp network. Every server is considered as a single user entity. There is no modes like refresh or refreshonly or delete phase or current phase instead every servers acts as receiver or sender at the same time. Its also easily possible to make roles of the server to read only or master of that replica and changing them on the fly.
This idea of replicating ldap data over xmpp is inspired from Isode's sodium sync where the replication is done through series of mail exchange and XEP-0072 soap over xmpp protocol.
The rough idea is, Each server will have its own jid (Jabber id) and its password mentioned in slapd.conf. When the server comes if possible or if replication is required it logins to the jabber server like a normal user. The server becomes active.
In slapd.conf each database will mention its replicated or not. After server logins to the jabber server, during db_open the server will join the MUC (multi user chat). The room name is same as the suffix of the database. The other servers who has the same copy of the database will join the same MUC.
Then Each server will negotiate with their contextCSN? to find out the need to pull the data. (It needs a better way). The MUC can be used as a command stream to other servers. It would help to find out which servers are online right now which can do replication or which servers are busy right now and cant do replication. (I don't know yet on how to figure out the offline servers. We can have an attribute which holds the list of JID of the servers who are all holding the copy of the DIT and this attribute can be synced like any other attribute and the servers from the list that not appearing as online can be considered as offline servers).
Now we negotiated, we can send receive signals with the other server. Though its not technically very clear, its possible to achieve maximum things. The real data transfer can be done multiple ways. Like the sodium sync we can generate the ldif file and do a jingle file transfer to other servers. Or during the onreponse event catch the event and if its add/modify/delete/moddn generate the changes as xml elements for each entry and either send it through the MUC itself or each server opens a pubsub (publish-subscribe) node and publish their changes. The other remaining server who are all holding the copy will listen to the node get their updates. All the server plays the role of receiver and sender simultaneously. Once the offline servers are identified the updates can be sent over offline message so that when the server comes up they need not pull everything, its just has to process the offline messages.
(Only the required content of Modifications* strcuture orm_modlist or ora_modlist is sent)
MUC also has the role of Administrator, Owner, Participant, based on the server roles we can decide server holds master copy or read write copy but again this needs to be stored insome attribute. This helps regulating the changes from one server to another, for instance the updates from read only server can be denied. Change of the role on the fly might be possible.
Since its all either xml or ldif data the other directory server can talk to openldap as well. The next problem is schema, we could sync the entire cn=subschema as well. Or whenever the updates goes for an entry, the corresponding schema information also can be sent over for verification. Or simply the receiving server tries to update their DIT and ignore if there is a failure?
This is it for now.
There are lot of place it needs a decision. A XEP is needed to define the format of each command and data. I do have some working code (may be the worst code). I am writing it as a overlay per database basis. It logins to the xmpp server and join the MUC and creates the pubsub node and other server starts listening to the node. Right now I am trying to convert the data to xml and publish on the node.
I wanted to find out does this idea make any sense at all to someone. I hope someone finds it interesting. :)
I know I have missed a lot of technical points, its because I dont know them yet deep enough or I haven't thought about it. It would be nice if the discussion could help brushing those gray areas.
Thanks, -Kalyan
kalyan wrote:
Hi,
I would like to share some simple idea and find out similar interest. This is about the ldap replication using the existing xmpp network.
Why?
On Wed, Jul 21, 2010 at 02:50:27PM -0700, Howard Chu wrote:
kalyan wrote:
Hi,
I would like to share some simple idea and find out similar interest. This is about the ldap replication using the existing xmpp network.
Why?
To be frank, i did not think this because there is some serious problem in the existing replication mechanism. But the below might be considered for your question.
* The unchanged attribute is never sent to other server. Always the changed attribute is sent instantly. * The above delta sync does not maintain a changelog, because the changes will be sent immediatly as it happens on a server and unreachable server receives an offline message. Hence no need of a changelog. * N-Way multi-master + multi-salve combination is acheived. You could change the role of a server to master or to slave without the need to change the configuration file and restarting the server. * If its secure environment and if xmpp ports are opened this can be used as proxy as well. But I dont know such environment exist.
* I learn openldap and xmpp. * Its FUN.
Definitely this can't be a default replication method for openldap, but I am thinking what if I make another directory server to sync to openldap.
Thanks, -kalyan
On 7/22/10 8:23 AM, kalyan wrote:
On Wed, Jul 21, 2010 at 02:50:27PM -0700, Howard Chu wrote:
kalyan wrote:
Hi,
I would like to share some simple idea and find out similar interest. This is about the ldap replication using the existing xmpp network.
Why?
To be frank, i did not think this because there is some serious problem in the existing replication mechanism. But the below might be considered for your question.
<snip/>
Definitely this can't be a default replication method for openldap, but I am thinking what if I make another directory server to sync to openldap.
The best way is probably for this different server to implement RFC 4533. This is what we did at Apache Directory Server allowing us to sync with an OpenLDAP server. It works, it's not *that* complicated. Here is an exemple on how to leverage a Java API implementing this RFC :
http://fanf42.blogspot.com/2010/07/java-ldap-sdk-for-syncrepl-replication.ht...
--On Thursday, July 22, 2010 10:27 AM +0200 Emmanuel Lecharny elecharny@gmail.com wrote:
On 7/22/10 8:23 AM, kalyan wrote:
On Wed, Jul 21, 2010 at 02:50:27PM -0700, Howard Chu wrote:
kalyan wrote:
Hi,
I would like to share some simple idea and find out similar interest. This is about the ldap replication using the existing xmpp network.
Why?
To be frank, i did not think this because there is some serious problem in the existing replication mechanism. But the below might be considered for your question.
<snip/> > Definitely this can't be a default replication method for openldap, but > I am thinking what if I make another directory server to sync to > openldap. The best way is probably for this different server to implement RFC 4533. This is what we did at Apache Directory Server allowing us to sync with an OpenLDAP server. It works, it's not *that* complicated. Here is an exemple on how to leverage a Java API implementing this RFC :
http://fanf42.blogspot.com/2010/07/java-ldap-sdk-for-syncrepl-replication .html
Cool, does it support delta-syncrepl?
--Quanah
--
Quanah Gibson-Mount Principal Software Engineer Zimbra, Inc -------------------- Zimbra :: the leader in open source messaging and collaboration
Emmanuel Lecharny wrote:
On 7/22/10 8:23 AM, kalyan wrote:
On Wed, Jul 21, 2010 at 02:50:27PM -0700, Howard Chu wrote:
kalyan wrote:
Hi,
I would like to share some simple idea and find out similar interest. This is about the ldap replication using the existing xmpp network.
Why?
To be frank, i did not think this because there is some serious problem in the existing replication mechanism. But the below might be considered for your question.
<snip/> > Definitely this can't be a default replication method for openldap, but > I am thinking what if I make another directory server to sync to openldap. The best way is probably for this different server to implement RFC 4533. This is what we did at Apache Directory Server allowing us to sync with an OpenLDAP server. It works, it's not *that* complicated. Here is an exemple on how to leverage a Java API implementing this RFC :
http://fanf42.blogspot.com/2010/07/java-ldap-sdk-for-syncrepl-replication.ht...
I would never be one to tell someone not to do whatever they want to do for fun. (My first C programming project was Hack 1.0.2 - there's nothing more fun than hacking on a game...) But if you're going to do something with LDAP you might as well make it useful too. Two small projects that could be completed in a short amount of time: implement a DirSync module for OpenLDAP to replicate from M$AD, and implement a passwordSync module for OpenLDAP with AD.
Inventing new protocols can be fun, but IMO it's only worthwhile if the new protocols are more efficient than existing ones. New protocols need to be more than "twice as good" as existing ones in order to have any chance of adoption. Otherwise it's not worth the effort of transitioning the installed base.
To be frank, i did not think this because there is some serious problem in the existing replication mechanism. But the below might be considered for your question.
- The unchanged attribute is never sent to other server. Always the changed attribute is sent instantly.
Delta-syncrepl already does this.
- The above delta sync does not maintain a changelog, because the changes will be sent immediatly as it happens on a server and unreachable server receives an offline message. Hence no need of a changelog.
Your offline message store becomes a changelog anyway. It's incorrect to say there is no changelog in your scheme.
- N-Way multi-master + multi-salve combination is acheived. You could change the role of a server to master or to slave without the need to change the configuration file and restarting the server.
All of this is already supported using cn=config with no restarts required.
- If its secure environment and if xmpp ports are opened this can be used as proxy as well. But I dont know such environment exist.
It's quite hard to envision an environment where LDAP is needed but is being blocked by a firewall, while the much riskier XMPP protocol is not being blocked.
- I learn openldap and xmpp.
XMPP, and anything else based on XML, is just a gross misuse of SGML. Any network that actually deployed the solution you suggest would quickly be overwhelmed by the traffic, which would be far more heavyweight in carrying LDAP traffic than just plain LDAP.
- Its FUN.
Not everything that's FUN is GOOD.
Le 22/07/2010 21:27, Howard Chu a écrit :
Two small projects that could be completed in a short amount of time: implement a DirSync module for OpenLDAP to replicate from M$AD, and implement a passwordSync module for OpenLDAP with AD.
DirSync module: oh yes, that sounds interesting! :)
passwordSync module: do you mean the password synchronization mechanism described in: http://technet.microsoft.com/en-us/library/cc727636%28WS.10%29.aspx ? Also an idea that sounds great...
Speaking of such things, maybe http://www.openldap.org/devel/todo.html needs an update?
And, although it's a bit late for this year, would such projects not make good propositions for Google's summer of code?
Jonathan
Jonathan Clarke wrote:
Le 22/07/2010 21:27, Howard Chu a écrit :
Two small projects that could be completed in a short amount of time: implement a DirSync module for OpenLDAP to replicate from M$AD, and implement a passwordSync module for OpenLDAP with AD.
DirSync module: oh yes, that sounds interesting! :)
Yes, it would just be another Type for the syncrepl consumer.
passwordSync module: do you mean the password synchronization mechanism described in: http://technet.microsoft.com/en-us/library/cc727636%28WS.10%29.aspx ? Also an idea that sounds great...
Yes, exactly that. The Unix code that Microsoft provides is abominable. It could be done a lot more cleanly as a slapd module/overlay.
Speaking of such things, maybe http://www.openldap.org/devel/todo.html needs an update?
I suppose. But at this point there aren't a lot of burning issues, it's all pretty much up to individual developer interest.
Of course I would rather not see time wasted on something like XMPP if someone is actually interested in jumping in and learning; better to work on something that will be useful to others as well.
And, although it's a bit late for this year, would such projects not make good propositions for Google's summer of code?
Probably. Our last proposals to GSoC were ignored in 2009 so I didn't bother to mention it for this year. If someone else wants to try for 2011, go ahead.
Jonathan
Hi Howard,
Am 22.07.2010 21:27, schrieb Howard Chu:
But if you're going to do something with LDAP you might as well make it useful too. Two small projects that could be completed in a short amount of time: implement a DirSync module for OpenLDAP to replicate from M$AD, and implement a passwordSync module for OpenLDAP with AD.
Indeed two interesting projects. But is syncrepl the best way to do this? Let me ask you some questions on this:
DirSync: The DIT in AD is unlikely to be the same as on the OpenLDAP side. The same is true for the attributes. Thus we need things like we have in the rewrite overlay. Are you thinking about syncrepl with a CSN store on the AD side here? What about multi master (several ADs writing to one OpenLDAP)? A more general solution IMHO would be a flexible (with respect to DN massaging and attribute mapping) queue that send plain LDAP operations to the OpenLDAP consumer. What about SPML? Do you think that that is also a "gross misuse of SGML"?
passwordSync: What are you thinking here? DLL that recognizes password changes and creates apropriate hashes and syncs these into OpenLDAP, or just plain syncing of the NT hashes into OpenLDAP, which could be done via the DirSync
The requirement fur such things is there since a long time and there are a number of different solutions out there already. Something more standardized, that could be packaged with OpenLDAP would be a nice thing, thus I would be very happy, if this could be discussed here in more detail.
Cheers,
Peter
Peter Gietz wrote:
Hi Howard,
Am 22.07.2010 21:27, schrieb Howard Chu:
But if you're going to do something with LDAP you might as well make it useful too. Two small projects that could be completed in a short amount of time: implement a DirSync module for OpenLDAP to replicate from M$AD, and implement a passwordSync module for OpenLDAP with AD.
Indeed two interesting projects. But is syncrepl the best way to do this? Let me ask you some questions on this:
DirSync: The DIT in AD is unlikely to be the same as on the OpenLDAP side. The same is true for the attributes. Thus we need things like we have in the rewrite overlay. Are you thinking about syncrepl with a CSN store on the AD side here? What about multi master (several ADs writing to one OpenLDAP)? A more general solution IMHO would be a flexible (with respect to DN massaging and attribute mapping) queue that send plain LDAP operations to the OpenLDAP consumer. What about SPML? Do you think that that is also a "gross misuse of SGML"?
DirSync is only a master/slave replication mechanism. For more sophisticated replication, it's better to use Samba4 which implements the DRSUapi.
passwordSync: What are you thinking here? DLL that recognizes password changes and creates apropriate hashes and syncs these into OpenLDAP, or
Yes. Bi-directionally, of course - it should also intercept LDAP passwordModify requests and forward them to AD.
just plain syncing of the NT hashes into OpenLDAP, which could be done via the DirSync
No.
The requirement fur such things is there since a long time and there are a number of different solutions out there already. Something more standardized, that could be packaged with OpenLDAP would be a nice thing, thus I would be very happy, if this could be discussed here in more detail.
Frankly there's not much to discuss. The scope of functionality is pretty clear, the steps to implementation are also clear. The only time-consuming part is because the sample Microsoft code is so poor and would need to be completely rewritten from scratch as a slapd overlay.
On 7/23/2010 1:35 PM, Howard Chu wrote:
passwordSync: What are you thinking here? DLL that recognizes password changes and creates apropriate hashes and syncs these into OpenLDAP, or
Yes. Bi-directionally, of course - it should also intercept LDAP passwordModify requests and forward them to AD.
Can the FDS/389 password sync client be used or are there license issues with it (I presume it'll be GPL like the rest of FDS) ? If you can use it, then some or perhaps all of the work on the Windows end can be avoided. It talks to the DS via LDAP, I think with some minimal extensions (it's been a long time since I looked at the code so I'm not 100% sure).
There's also code in FDS to send changes to AD via LDAP (including password changes). Whether or not that code would be useful I'm not sure. It'd certainly be useful as a reference for how to talk to AD successfully. Possibly there's similar code in other projects too. There are a few hoops you need to jump through in order to get password changes into AD successfully, iirc.
David Boreham wrote:
On 7/23/2010 1:35 PM, Howard Chu wrote:
passwordSync: What are you thinking here? DLL that recognizes password changes and creates apropriate hashes and syncs these into OpenLDAP, or
Yes. Bi-directionally, of course - it should also intercept LDAP passwordModify requests and forward them to AD.
Can the FDS/389 password sync client be used or are there license issues with it (I presume it'll be GPL like the rest of FDS) ? If you can use it, then some or perhaps all of the work on the Windows end can be avoided. It talks to the DS via LDAP, I think with some minimal extensions (it's been a long time since I looked at the code so I'm not 100% sure).
There's also code in FDS to send changes to AD via LDAP (including password changes). Whether or not that code would be useful I'm not sure. It'd certainly be useful as a reference for how to talk to AD successfully. Possibly there's similar code in other projects too. There are a few hoops you need to jump through in order to get password changes into AD successfully, iirc.
Right, you can make password changes by encoding the password in UTF-16 and modifying the AD "unicodePwd" attribute, assuming you have the cleartext of the password. If your schema matches, sending updates to AD in general is not a big deal.
The only part that requires custom work is the agent that receives password updates from an AD DC, since that uses a special process on the AD DC and a dedicated protocol of its own.
-
David Boreham -
Emmanuel Lecharny -
Howard Chu -
Jonathan Clarke -
kalyan -
Peter Gietz -
Quanah Gibson-Mount