Hello,
It is my understanding that OpenLDAP keys its entries on UUIDs under the hood. I have a system that makes extensive use of UUIDs as canonical (and sometimes public-facing) identifiers, and would like to tap into the UUIDs generated for the objects in the LDAP directory for certain operations over those objects. The problem is I'm using type 4 (random) UUIDs [1] everywhere, and OpenLDAP uses type 1 (time-based).
It is important to the system to some extent that these identifiers be resistant to sequencing. As such, they really ought to be random. Since it hasn't been deployed in production yet, the sanest course of action seems to be to bend OpenLDAP to comply. (The alternative would be to maintain a dictionary of some kind, which I'm not keen about.)
A survey of the code is as such: OpenLDAP doesn't appear to care which version of UUID it uses save for the generator function itself. The util library is hardcoded [2] to use type 1, and the entryUUID attribute itself is constrained in the schema [3] to not permit modification (where "modification" ostensibly also extends to adding new records). I'm not too familiar with the source but at a glance it appears to accommodate an entryUUID attribute as input [4].
I guess my question is: what's the best strategy?
* Relax NO-USER-MODIFY on the entryUUID schema entry and set it at the application layer (easiest but most prone to problems)
* Hack uuid.c to use uuid_generate_random instead of uuid_generate (easy, but introduces a maintenance problem)
* Create an overlay (no idea where to start but can figure it out)
* Figure out some way to make the UUID version configurable and send a patch upstream (most work and would it even be desirable?)
Links:
1) http://tools.ietf.org/html/rfc4122#section-4.4
2) http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=blob;f=libraries/l...
3) http://tools.ietf.org/html/rfc4530#section-2.4
4) http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=blob;f=servers/sla...
--
Dorian Taylor
http://doriantaylor.com/
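The post's concern is that a time-based (version 1) entryUUID is not "resistant to sequencing": its 60-bit timestamp and 48-bit node field can be read straight back out of the value, so anyone who sees one identifier can tell when it was created and on which host, and can order entries by creation time. The following script is an added example, not part of the original message or of OpenLDAP, that decodes those fields from a version-1 UUID and flags entryUUID values that are not version 4. It relies only on Python's standard `uuid` module; the sample entryUUID values are constructed for the example (the v1 sample is the RFC 4122 DNS namespace UUID, which happens to be a version-1 value), and `audit_entry_uuids` is a hypothetical helper name, not anything in OpenLDAP.

```python
import uuid
from datetime import datetime, timedelta, timezone

# Ticks (100 ns) between the RFC 4122 epoch (1582-10-15) and the Unix epoch.
GREGORIAN_TO_UNIX_TICKS = 0x01B21DD213814000

# Constructed sample entryUUID values as they might be read back from a directory.
# The first is a version-1 (time-based) value, the second a version-4 (random) one.
SAMPLE_ENTRY_UUIDS = [
    "6ba7b810-9dad-11d1-80b4-00c04fd430c8",  # v1: RFC 4122 DNS namespace UUID
    "9f6e0c1a-3b2d-4e7f-8a1b-2c3d4e5f6a7b",  # v4: constructed random-style value
]


def uuid_version(value: str) -> int:
    """Return the RFC 4122 version nibble of a UUID given in string form."""
    return uuid.UUID(value).version


def v1_timestamp(value: str) -> datetime:
    """Decode the 60-bit creation timestamp embedded in a version-1 UUID.

    Only version 1 carries a timestamp, so any other version is rejected.
    """
    u = uuid.UUID(value)
    if u.version != 1:
        raise ValueError(f"not a version-1 UUID: {value}")
    unix_ticks = u.time - GREGORIAN_TO_UNIX_TICKS
    return datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(
        microseconds=unix_ticks // 10
    )


def v1_node(value: str) -> int:
    """Return the 48-bit node field of a version-1 UUID (normally the host's MAC address)."""
    u = uuid.UUID(value)
    if u.version != 1:
        raise ValueError(f"not a version-1 UUID: {value}")
    return u.node


def v1_is_orderable(node: int = 0x001122334455) -> bool:
    """Show that consecutive v1 UUIDs from one generator are strictly ordered.

    Two values generated back to back with a fixed (constructed) node share that
    node and carry increasing timestamps, which is exactly the sequencing the
    post wants to avoid. Returns True when both properties hold.
    """
    first = uuid.uuid1(node=node)
    second = uuid.uuid1(node=node)
    return first.node == second.node and second.time > first.time


def audit_entry_uuids(entry_uuids) -> list:
    """Return (value, version) pairs for every entryUUID that is not version 4.

    A deployment that expects random identifiers can run this over the
    entryUUID attribute of all entries and treat a non-empty result as a finding.
    """
    return [(v, uuid_version(v)) for v in entry_uuids if uuid_version(v) != 4]


if __name__ == "__main__":
    for value, version in audit_entry_uuids(SAMPLE_ENTRY_UUIDS):
        print(f"{value}: version {version}, not random")
        if version == 1:
            print(f"  created {v1_timestamp(value).isoformat()}")
            print(f"  node    {v1_node(value):012x}")
    print("consecutive v1 values are orderable:", v1_is_orderable())
```

Running the audit over a real directory would replace `SAMPLE_ENTRY_UUIDS` with the entryUUID values returned by an LDAP search; the decoding functions are the reason to prefer one of the post's options that yields version-4 values, since a version-1 entryUUID exposed as a public identifier gives away creation time and host.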