The OpenLDAP FAQ http://www.openldap.org/faq/index.cgi?_highlightWords=structure&file=147...
and TODO file http://www.openldap.org/devel/cvsweb.cgi/doc/devel/todo?hideattic=1&sort...
indicate that OpenLDAP does not currently support DIT Structure Rules. Is this correct?
-james
James Lentini wrote:
The OpenLDAP FAQ http://www.openldap.org/faq/index.cgi?_highlightWords=structure&file=147...
and TODO file http://www.openldap.org/devel/cvsweb.cgi/doc/devel/todo?hideattic=1&sort...
indicate that OpenLDAP does not currently support DIT Structure Rules. Is this correct?
Yes, that's correct. What are your requirements?
Ciao, Michael.
On Tue, 2 Jun 2009, Michael Ströder wrote:
James Lentini wrote:
The OpenLDAP FAQ http://www.openldap.org/faq/index.cgi?_highlightWords=structure&file=147...
and TODO file http://www.openldap.org/devel/cvsweb.cgi/doc/devel/todo?hideattic=1&sort...
indicate that OpenLDAP does not currently support DIT Structure Rules. Is this correct?
Yes, that's correct. What are your requirements?
Ciao, Michael.
Thanks for confirming the current state.
I'm working on a proposal in the IETF that uses LDAP to store file system namespace information:
http://www.ietf.org/internet-drafts/draft-ietf-nfsv4-federated-fs-protocol-0...
Our schema is sprinkled throughout Section 6. In Section 6.3 we define two LDAP objects, the FSN and FSL (the exact schema definitions in the current draft have some typos that will be cleaned up in the next version).
An FSN is intended to be superior to its FSLs in a DIT. I was considering including DIT Structure Rules in the draft as a way to enforce this arrangement. However, I'm not inclined to do this if popular LDAP implementations, such as OpenLDAP, don't support them.
If there is a standard, well supported mechanism for enforcing DIT structure, I'd be interested to know about it.
-james
On Tue, Jun 02, 2009 at 11:39:04AM -0400, James Lentini wrote:
An FSN is intended to be superior to its FSLs in a DIT. I was considering including DIT Structure Rules in the draft as a way to enforce this arrangement. However, I'm not inclined to do this if popular LDAP implementations, such as OpenLDAP, don't support them.
If there is a standard, well supported mechanism for enforcing DIT structure, I'd be interested to know about it.
Standard - yes. Well supported - no. DIT Structure Rules along with DIT Content Rules are the "standard" way to do this, but hardly anyone implements them.
In fact very few LDAP servers can do what you describe by any means at all. OpenLDAP can do it, using a combination of ACLs and DIT Content Rules. Some of the other server products will partially enforce it using ACLs, but there are ways to subvert that.
See section 10.2 of my paper on Access Control for some examples:
http://www.skills-1st.co.uk/papers/ldap-acls-jan-2009/
Andrew
Andrew Findlay wrote:
On Tue, Jun 02, 2009 at 11:39:04AM -0400, James Lentini wrote:
An FSN is intended to be superior to its FSLs in a DIT. I was considering including DIT Structure Rules in the draft as a way to enforce this arrangement. However, I'm not inclined to do this if popular LDAP implementations, such as OpenLDAP, don't support them.
If there is a standard, well supported mechanism for enforcing DIT structure, I'd be interested to know about it.
Standard - yes. Well supported - no. DIT Structure Rules along with DIT Content Rules are the "standard" way to do this, but hardly anyone implements them.
ApacheDS and OpenDS do now; we'll probably add them in OpenLDAP 2.5. It's a bit late to add to 2.4. Up till now, hardly anyone ever needed them.
In fact very few LDAP servers can do what you describe by any means at all. OpenLDAP can do it, using a combination of ACLs and DIT Content Rules. Some of the other server products will partially enforce it using ACLs, but there are ways to subvert that.
See section 10.2 of my paper on Access Control for some examples:
http://www.skills-1st.co.uk/papers/ldap-acls-jan-2009/
Andrew
Howard Chu wrote:
Andrew Findlay wrote:
On Tue, Jun 02, 2009 at 11:39:04AM -0400, James Lentini wrote: Standard - yes. Well supported - no. DIT Structure Rules along with DIT Content Rules are the "standard" way to do this, but hardly anyone implements them.
[..] we'll probably add them in OpenLDAP 2.5. It's a bit late to add to 2.4. Up till now, hardly anyone ever needed them.
Well, I've requested them. ;-) Seriously: if a mechanism is there, people will start using it. Many people are not aware that these even exist in the LDAPv3 standard. They use what's implemented.
In my case one of my customers will use web2ldap for some rare use-cases conducted by admins adding administrative entries to an OpenLDAP DSA. web2ldap already obeys DIT structure/content rules and name forms and I'm even thinking about letting people specify supplemental LDAPv3 schema information within web2ldap's configuration (for host or name-space) to guide the admin to do the right thing in the UI.
Also with DIT structure/content rules and name forms you can specify directory layout and profiled use of object classes in a more formal way in an operational concept.
Ciao, Michael.
Michael Ströder wrote:
Howard Chu wrote:
Andrew Findlay wrote:
On Tue, Jun 02, 2009 at 11:39:04AM -0400, James Lentini wrote: Standard - yes. Well supported - no. DIT Structure Rules along with DIT Content Rules are the "standard" way to do this, but hardly anyone implements them.
[..] we'll probably add them in OpenLDAP 2.5. It's a bit late to add to 2.4. Up till now, hardly anyone ever needed them.
Well, I've requested them. ;-) Seriously: if a mechanism is there, people will start using it. Many people are not aware that these even exist in the LDAPv3 standard. They use what's implemented.
In my case one of my customers will use web2ldap for some rare use-cases conducted by admins adding administrative entries to an OpenLDAP DSA. web2ldap already obeys DIT structure/content rules and name forms and I'm even thinking about letting people specify supplemental LDAPv3 schema information within web2ldap's configuration (for host or name-space) to guide the admin to do the right thing in the UI.
Also with DIT structure/content rules and name forms you can specify directory layout and profiled use of object classes in a more formal way in an operational concept.
No need to convince me; I've wanted to finish aligning our code with X.500 for years. But this is one of many features that I've wanted that nobody else ever expressed any interest in. Yet another concept the LDAP designers tossed out without sufficient thought, making client writers' lives even harder...
As 2.4 goes into maintenance-only phase we can start playing with this in HEAD, anyway.
This is great feedback.
I'm coming away with 3 things:
(1) DIT Structure Rules are the standard way to enforce DIT organization.
(2) DIT Structure Rules are supported by few LDAP implementations today, but OpenLDAP and other implementations plan to add support for DIT Structure Rules in the future.
(3) For the FedFS standard, it would be useful to describe optional (but not required) DIT Structure Rules.
-james
Standard - yes. Well supported - no. DIT Structure Rules along with DIT Content Rules are the "standard" way to do this, but hardly anyone implements them.
ApacheDS and OpenDS do now;
Regarding ApacheDS, we don't support it atm, but it's in the server's DNA! We are waiting for the next evolution to have them working.
Andrew Findlay wrote:
On Tue, Jun 02, 2009 at 11:39:04AM -0400, James Lentini wrote:
An FSN is intended to be superior to its FSLs in a DIT. I was considering including DIT Structure Rules in the draft as a way to enforce this arrangement. However, I'm not inclined to do this if popular LDAP implementations, such as OpenLDAP, don't support them.
If there is a standard, well supported mechanism for enforcing DIT structure, I'd be interested to know about it.
Standard - yes. Well supported - no. DIT Structure Rules along with DIT Content Rules are the "standard" way to do this, but hardly anyone implements them.
This is somewhat true. There are various server implementations but AFAIK only one open source client. ;-)
I've tested support in web2ldap for DIT structure rules and name forms with three different commercial servers and one open source implementation. I still have to sort out some issues with determining the governing structure rule at the client side (in case the DSA does not return the operational attribute 'governingStructureRule').
OpenLDAP can do it, using a combination of ACLs and DIT Content Rules.
While this is a solution for enforcing DIT structure rules server-side, a client cannot determine the rules and guide the user to do the right thing.
Ciao, Michael.
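The client-side determination Michael describes, as an added example that is not web2ldap's or OpenLDAP's code: given name forms and DIT structure rules from the subschema (RFC 4512 section 4.1.7), decide which rule would govern a new entry beneath a parent whose governingStructureRule is known, so a UI can refuse an FSL outside an FSN before the DSA does. The fedfsFsn/fedfsFsl object classes, the fedfsUuid RDN attribute and the rule numbers are assumed placeholders, not the draft's actual schema.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class NameForm:                 # RFC 4512 name form: OC plus MUST/MAY RDN attributes
    structural_oc: str
    must: frozenset
    may: frozenset = frozenset()

@dataclass(frozen=True)
class StructureRule:            # RFC 4512 DIT structure rule: FORM plus SUP rule ids
    rule_id: int
    form: str
    sup: frozenset = frozenset()  # empty SUP means the rule may govern a subtree root

# Constructed subschema (assumption, not the draft's real schema): an FSN
# entry is a subtree root and only FSL entries may be created beneath it.
NAME_FORMS = {
    "fsnNameForm": NameForm("fedfsFsn", frozenset({"fedfsUuid"})),
    "fslNameForm": NameForm("fedfsFsl", frozenset({"fedfsUuid"})),
}
STRUCTURE_RULES = {
    1: StructureRule(1, "fsnNameForm"),
    2: StructureRule(2, "fslNameForm", frozenset({1})),
}

def governing_rule(structural_oc, rdn_attrs, parent_rule):
    """Return the id of the structure rule that would govern a new entry,
    or None if no rule permits it (the DSA would reject the add).

    structural_oc: the new entry's structural object class
    rdn_attrs:     attribute types used in the new entry's RDN
    parent_rule:   governingStructureRule of the parent, or None when the
                   new entry would be the root of the subtree
    """
    rdn_attrs = frozenset(rdn_attrs)
    for rule in STRUCTURE_RULES.values():
        form = NAME_FORMS[rule.form]
        # Name form check: right structural class, all MUST attributes present,
        # nothing in the RDN outside MUST + MAY.
        if form.structural_oc != structural_oc:
            continue
        if not form.must <= rdn_attrs or not rdn_attrs <= form.must | form.may:
            continue
        # Superior check: a root needs a rule with no SUP; otherwise the
        # parent's governing rule must be listed among this rule's SUPs.
        if (parent_rule is None and not rule.sup) or parent_rule in rule.sup:
            return rule.rule_id
    return None
```

When the DSA does not return governingStructureRule for the parent, the same function can be applied top-down from the subtree root to recover it.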
On Jun 2, 2009, at 1:24 PM, Andrew Findlay wrote:
On Tue, Jun 02, 2009 at 11:39:04AM -0400, James Lentini wrote:
Standard - yes. Well supported - no. DIT Structure Rules along with DIT Content Rules are the "standard" way to do this, but hardly anyone implements them.
Here's a fairly good explanation of DIT structure rules: http://tinyurl.com/rxxwgy
On Jun 2, 2009, at 8:39 AM, James Lentini wrote:
http://www.ietf.org/internet-drafts/draft-ietf-nfsv4-federated-fs-protocol-0...
Our schema is sprinkled throughout Section 6. In Section 6.3 we define two LDAP objects, the FSN and FSL (the exact schema definitions in the current draft have some typos that will be cleaned up in the next version).
An FSN is intended to be superior to its FSLs in a DIT. I was considering including DIT Structure Rules in the draft as a way to enforce this arrangement. However, I'm not inclined to do this if popular LDAP implementations, such as OpenLDAP, don't support them.
While it might be appropriate to suggest possible DIT structural rules and associated name forms in your I-D, I would recommend against stating a requirement or recommendation of any particular structure or naming as the specifics of these are generally best left to directory administrators not specification authors.
Regards, Kurt
openldap-technical@openldap.org