Posted to dev@directory.apache.org by Pierre-Arnaud Marcelot <pa...@marcelot.net> on 2010/10/15 14:12:16 UTC

[ApacheDS 2.0] Should we remove the 'System' partition?

Hi Dev,

I'm really wondering if we should not remove the 'System' partition.

The only interesting piece of information we're taking from it is the admin user, especially its password.
Wouldn't it be more interesting to store this information in the config partition?

Except for the Admin user, the other entries of that partition look like crap and legacy from old versions.

The following configuration entries are no longer used:
- ou=configuration,ou=system
  | - ou=interceptors,ou=configuration,ou=system
  | - ou=partitions,ou=configuration,ou=system
  | - ou=services,ou=configuration,ou=system

I don't know the role of this entry 'prefNodeName=sysPrefRoot,ou=system', if it still has any role?

The following entries are not very useful either:
- ou=groups,ou=system
  | - cn=Administrators,ou=groups,ou=system
- ou=users,ou=system

Isn't it better that the user creates their users in their own partition?
Even our admin user is not in the 'ou=users' organizational unit...

As you can see, the only valid information in the whole partition is the credentials of the admin (should we say default) user.

I really think this information should be placed in the configuration (we could also allow the redefinition of the admin user DN).
It would allow the user to edit these settings without having to start the server (at least) once.

WDYT?

Regards,
Pierre-Arnaud

Re: [ApacheDS 2.0] Should we remove the 'System' partition?

Posted by Alex Karasulu <ak...@apache.org>.
On Fri, Oct 15, 2010 at 9:21 PM, Emmanuel Lecharny <el...@gmail.com>wrote:

>  On 10/15/10 2:12 PM, Pierre-Arnaud Marcelot wrote:
>
>> Hi Dev,
>>
>> I'm really wondering if we should not remove the 'System' partition.
>>
> Good question ...
>
>
Been waiting for this for a while but always wanted a default partition with
nestable partitions underneath it. Spoke about this in another email on this
thread.

SNIP ..

>> I don't know the role of this entry 'prefNodeName=sysPrefRoot,ou=system', if
>> it still has any role?
>>
> No idea. The ou=configuration branch is probably dead wood.
>
>
+1

>> The following entries are not very useful either:
>> - ou=groups,ou=system
>>   | - cn=Administrators,ou=groups,ou=system
>> - ou=users,ou=system
>>
>> Isn't it better that the user creates their users in their own partition?
>> Even our admin user is not in the 'ou=users' organizational unit...
>>
> I *think* the ou=users,ou=system is useful for Kerberos and Triplesec.
>
>
Yeah, can't remember for sure. I know KRB defines the path to users based on the
realm name transformation to DN using the domain-to-DN mapping technique
(think there's a real skinny RFC for this).


>> As you can see, the only valid information in the whole partition is the
>> credentials of the admin (should we say default) user.
>>
> probably.
>
>
Again the groups matter.


>> I really think this information should be placed in the configuration (we
>> could also allow the redefinition of the admin user DN).
>> It would allow the user to edit these settings without having to start the
>> server (at least) once.
>>
>> WDYT?
>>
> I think we can remove the ou=system partition at this point, and use the
> ou=config to store the information related to the administrator.
>
>
That would be good but won't be trivial.


> So far, considering ou=system as a special partition is probably no
> longer necessary.
>
>
Hope not.


> Note that, as Kiran said, this partition is used by a hell lot of tests, so
> removing it will be costly.
>

> If we remove it, I would suggest we restore the automatic creation of the
> context entry: it's so painful to have to add it when we create a partition
> that we should find a way to do that automatically.
>
>
+1
-- 
Alex Karasulu
My Blog :: http://www.jroller.com/akarasulu/
Apache Directory Server :: http://directory.apache.org
Apache MINA :: http://mina.apache.org
To set up a meeting with me: http://tungle.me/AlexKarasulu
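The realm-to-DN mapping Alex mentions above is the domain-to-DN mapping of RFC 2247: each DNS label of the realm becomes one dc= RDN, so EXAMPLE.COM becomes dc=example,dc=com, and a principal's entry is then looked up under a users container below that DN. The following is an added example, not ApacheDS code; the ou=users container and the uid naming attribute are assumptions for the illustration, and the principal syntax and RDN escaping follow Kerberos principal syntax and RFC 4514 respectively.

```python
import re

# Characters that must be backslash-escaped inside an RDN attribute value (RFC 4514, section 2.4).
_RDN_SPECIALS = set(',+"\\<>;=')


def escape_rdn_value(value: str) -> str:
    """Escape an attribute value so it can be embedded in an RDN without altering DN structure."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        needs_escape = (
            ch in _RDN_SPECIALS
            or (ch == '#' and i == 0)                      # leading '#' would start a hex string
            or (ch == ' ' and (i == 0 or i == last))       # leading/trailing spaces are significant
        )
        out.append('\\' + ch if needs_escape else ch)
    return ''.join(out)


def domain_to_dn(domain: str) -> str:
    """RFC 2247 domain-to-DN mapping: EXAMPLE.COM -> dc=example,dc=com (labels lower-cased)."""
    labels = domain.strip().strip('.').split('.')
    if not all(re.fullmatch(r'[A-Za-z0-9-]+', label) for label in labels):
        raise ValueError(f"not a valid DNS domain / realm: {domain!r}")
    return ','.join(f"dc={label.lower()}" for label in labels)


# name part (with backslash escapes) '@' realm; the realm is validated by domain_to_dn later.
_PRINCIPAL = re.compile(r'^((?:\\.|[^@\\])+)@([^@]+)$')


def _unescape(s: str) -> str:
    return re.sub(r'\\(.)', r'\1', s)


def parse_principal(principal: str):
    """Split 'primary[/instance]@REALM' into (primary, instance, realm); instance is None if absent.
    A backslash escapes '/', '@' or '\\' inside the name part, as in Kerberos principal syntax."""
    m = _PRINCIPAL.match(principal)
    if not m:
        raise ValueError(f"malformed principal: {principal!r}")
    name, realm = m.group(1), m.group(2)
    parts = re.split(r'(?<!\\)/', name, maxsplit=1)
    primary = _unescape(parts[0])
    instance = _unescape(parts[1]) if len(parts) == 2 else None
    return primary, instance, realm


def principal_to_user_dn(principal: str, users_rdn: str = "ou=users") -> str:
    """Build the DN where a principal's entry would live: uid=<name>,<users_rdn>,<realm as dc=...>.
    The users container and the uid attribute are assumptions for this illustration.
    Escaping the name is what keeps a principal containing ',' or '=' from adding extra RDNs."""
    primary, instance, realm = parse_principal(principal)
    name = primary if instance is None else f"{primary}/{instance}"
    return f"uid={escape_rdn_value(name)},{users_rdn},{domain_to_dn(realm)}"


if __name__ == "__main__":
    for p in ("alice@EXAMPLE.COM", "alice/admin@EXAMPLE.COM", "smith,ou=admins@EXAMPLE.COM"):
        print(f"{p:32} -> {principal_to_user_dn(p)}")
```

The third sample principal shows why the escaping step matters: without it, the comma and equals sign in the name would be parsed as an additional RDN and the lookup would target a different entry than intended.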

Re: [ApacheDS 2.0] Should we remove the 'System' partition?

Posted by Emmanuel Lecharny <el...@gmail.com>.
  On 10/15/10 2:12 PM, Pierre-Arnaud Marcelot wrote:
> Hi Dev,
>
> I'm really wondering if we should not remove the 'System' partition.
Good question ...
> The only interesting piece of information we're taking from it is the admin user, especially its password.
> Wouldn't it be more interesting to store this information in the config partition?
> Except for the Admin user, the other entries of that partition look like crap and legacy from old versions.
>
> The following configuration entries are no longer used:
> - ou=configuration,ou=system
>    | - ou=interceptors,ou=configuration,ou=system
>    | - ou=partitions,ou=configuration,ou=system
>    | - ou=services,ou=configuration,ou=system
>
> I don't know the role of this entry 'prefNodeName=sysPrefRoot,ou=system', if it still has any role?
No idea. The ou=configuration branch is probably dead wood.
> The following entries are not very useful too:
> - ou=groups,ou=system
>    | - cn=Administrators,ou=groups,ou=system
> - ou=users,ou=system
>
> Isn't it better that the user creates their users in their own partition?
> Even our admin user is not in the 'ou=users' organizational unit...
I *think* the ou=users,ou=system is useful for Kerberos and Triplesec.
> As you can see, the only valid information in the whole partition is the credentials of the admin (should we say default) user.
probably.
> I really think this information should be placed in the configuration (we could also allow the redefinition of the admin user DN).
> It would allow the user to edit these settings without having to start the server (at least) once.
>
> WDYT?
I think we can remove the ou=system partition at this point, and use the 
ou=config to store the information related to the administrator.

So far, considering ou=system as a special partition is probably no 
longer necessary.

Note that, as Kiran said, this partition is used by a hell lot of tests, 
so removing it will be costly.

If we remove it, I would suggest we restore the automatic creation of 
the context entry: it's so painful to have to add it when we create a 
partition that we should find a way to do that automatically.



-- 
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com


Re: [ApacheDS 2.0] Should we remove the 'System' partition?

Posted by Alex Karasulu <ak...@apache.org>.
On Fri, Oct 15, 2010 at 3:12 PM, Pierre-Arnaud Marcelot <pa...@marcelot.net>wrote:

> Hi Dev,
>
> I really think this information should be placed in the configuration (we
> could also allow the redefinition of the admin user DN).
>

This might present some serious issues (both implementation wise and
security wise). We'd need to really think this through.

-- 
Alex Karasulu
My Blog :: http://www.jroller.com/akarasulu/
Apache Directory Server :: http://directory.apache.org
Apache MINA :: http://mina.apache.org
To set up a meeting with me: http://tungle.me/AlexKarasulu

Re: [ApacheDS 2.0] Should we remove the 'System' partition?

Posted by Alex Karasulu <ak...@apache.org>.
On Fri, Oct 15, 2010 at 3:42 PM, Stefan Seelmann <se...@apache.org>wrote:

> Hi Pierre-Arnaud,
>
> On Fri, Oct 15, 2010 at 2:12 PM, Pierre-Arnaud Marcelot <pa...@marcelot.net>
> wrote:
> > Hi Dev,
> >
> > I'm really wondering if we should not remove the 'System' partition.
> >
> > The only interesting piece of information we're taking from it is the
> > admin user, especially its password.
> > Wouldn't it be more interesting to store this information in the config
> > partition?
>
> The admin entry also contains the X.509 certificate and private/public
> keys for LDAPS and the StartTLS extended operation. But I think the config
> partition is a better place for that information. And it should also be
> possible to reference the certificate and keys from a file in the
> filesystem.
>
>
We should also probably disassociate the server certificate from the admin
user.


> > Except for the Admin user, the other entries of that partition look like crap
> > and legacy from old versions.
> >
> > The following configuration entries are no longer used:
> > - ou=configuration,ou=system
> >  | - ou=interceptors,ou=configuration,ou=system
> >  | - ou=partitions,ou=configuration,ou=system
> >  | - ou=services,ou=configuration,ou=system
>

Yeah this never really got used. With the new configuration partition we no
longer need this.


> > I don't know the role of this entry 'prefNodeName=sysPrefRoot,ou=system',
> > if it still has any role?
>
>
It was to provide a Preferences API implementation with storage in the
server. I was at some point considering using it for user-specific settings
to store on the server when they log in and/or for various OSGi related
matters.

This is also dead wood.


> > The following entries are not very useful too:
> > - ou=groups,ou=system
> >  | - cn=Administrators,ou=groups,ou=system
> > - ou=users,ou=system
>
> AFAIK they are still used by the "simplified" access control system;
> this has to be checked.
>

Yes this actually is important. I think we can elevate someone to admin
level status by putting them into the Administrator group regardless of
which (ACI) access control system is being used. The idea is the admin user
should not be used after the first configuration and if people need
superpowers they should be doing it under their own DN once put into this
group.

So this needs to stay.


> > Isn't it better that the user creates their users in their own partition?
> > Even our admin user is not in the 'ou=users' organizational unit...
>
>
Yeah, this might be advantageous. The admin user does not need to be in ou=users;
that was just an empty container put in there so you can add users, if you like,
without creating extra partitions.

Now we have the schema + config partition in addition to system by default.
It's getting expensive memory wise as well.

In fact what I wanted to do is create a default (where DN="") centrally
rooted partition as soon as we get nestable partitions working. However, I
never got there. This would allow us to have an AP at the root DN to
govern the entire DIT and also allow us to manage the RootDSE better.

If we did away with the system partition we might have an issue with
initialization. Have to check this out. There might be some chicken and egg
problem to deal with but it might have gone away. Only way to see is to
reread the code or just try the change :-).



> > As you can see, the only valid information in the whole partition is the
> > credentials of the admin (should we say default) user.
>
>
That and the Administrators group.


> > I really think this information should be placed in the configuration (we
> > could also allow the redefinition of the admin user DN).
> > It would allow the user to edit these settings without having to start
> > the server (at least) once.
>
> I'm +1, but keep in mind that we use "ou=system" in many places,
> especially in tests.
>
>
Yeah that will be ugly. I wish we made this into a constant somewhere :-).
That might be the first step.


-- 
Alex Karasulu
My Blog :: http://www.jroller.com/akarasulu/
Apache Directory Server :: http://directory.apache.org
Apache MINA :: http://mina.apache.org
To set up a meeting with me: http://tungle.me/AlexKarasulu
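Two points in this reply make the system partition worth auditing rather than just deleting: Alex's remark that membership in cn=Administrators,ou=groups,ou=system elevates a DN to admin level regardless of which ACI access control system is active, and Stefan's note that the admin entry also carries the X.509 certificate and key pair used for LDAPS/StartTLS. The following is an added example, not ApacheDS code: it reads a constructed LDIF sketch of ou=system, answers "is this bind DN an administrator?" by group membership, and reports the group's members together with any key material stored on the admin entry. The group is modelled as groupOfUniqueNames/uniqueMember and the attribute names for the certificate and keys are placeholders; both are assumptions for the illustration, and the DN normalization is deliberately simplified (no matching rules, no escape handling).

```python
import re
from collections import defaultdict

# Constructed LDIF sketch of the ou=system partition discussed in the thread. The attribute
# names used for the certificate/key material are assumptions, not ApacheDS's real schema.
SYSTEM_LDIF = """\
dn: ou=system
objectClass: organizationalUnit
ou: system

dn: uid=admin,ou=system
objectClass: inetOrgPerson
uid: admin
userPassword: {SSHA}constructed-placeholder
userCertificate;binary:: AAAA
privateKey;binary:: AAAA

dn: ou=groups,ou=system
objectClass: organizationalUnit
ou: groups

dn: cn=Administrators,ou=groups,ou=system
objectClass: groupOfUniqueNames
cn: Administrators
uniqueMember: uid=admin,ou=system
uniqueMember: UID=Alice, OU=Users, DC=Example, DC=Com

dn: ou=users,ou=system
objectClass: organizationalUnit
ou: users
"""

ADMIN_GROUP_DN = "cn=Administrators,ou=groups,ou=system"
ADMIN_USER_DN = "uid=admin,ou=system"
# Attribute names (lower-cased) that would mean the admin entry still carries TLS key material.
KEY_MATERIAL_ATTRS = {"usercertificate", "privatekey", "publickey"}


def normalize_dn(dn: str) -> str:
    """Simplified DN normalization: lower-case types and values, drop whitespace around separators.
    Real DN comparison applies the attributes' matching rules and handles RFC 4514 escapes."""
    rdns = []
    for rdn in re.split(r'(?<!\\),', dn):
        attr, _, value = rdn.partition('=')
        rdns.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return ','.join(rdns)


def parse_ldif(text: str) -> dict:
    """Minimal LDIF reader returning {normalized dn: {attr: [values]}} with lower-cased attribute
    names. Handles comments, folded lines and the ';binary' option / '::' base64 marker."""
    entries = {}
    unfolded = re.sub(r'\n ', '', text)            # a line starting with a space continues the previous one
    for block in re.split(r'\n\s*\n', unfolded.strip()):
        attrs, dn = defaultdict(list), None
        for line in block.splitlines():
            if not line or line.startswith('#'):
                continue
            name, _, value = line.partition(':')
            name = name.split(';')[0].strip().lower()   # strip attribute options such as ;binary
            value = value.lstrip(':').strip()            # '::' marks base64; the raw text is kept
            if name == 'dn':
                dn = normalize_dn(value)
            else:
                attrs[name].append(value)
        if dn is not None:
            entries[dn] = dict(attrs)
    return entries


def administrators(entries: dict) -> list:
    """Normalized DNs listed as uniqueMember of the Administrators group."""
    group = entries.get(normalize_dn(ADMIN_GROUP_DN), {})
    return sorted(normalize_dn(m) for m in group.get('uniquemember', []))


def is_administrator(bind_dn: str, entries: dict) -> bool:
    """True when the bind DN is elevated through group membership, independent of any ACI."""
    return normalize_dn(bind_dn) in administrators(entries)


def audit_system_partition(entries: dict) -> dict:
    """Findings a reviewer of this partition wants: who holds admin rights through the group,
    and whether the admin entry still stores certificate/key material next to its password."""
    admin_entry = entries.get(normalize_dn(ADMIN_USER_DN), {})
    key_attrs = sorted(a for a in admin_entry if a in KEY_MATERIAL_ATTRS)
    return {"administrators": administrators(entries), "admin_key_material": key_attrs}


if __name__ == "__main__":
    parsed = parse_ldif(SYSTEM_LDIF)
    print(audit_system_partition(parsed))
    print(is_administrator("UID=admin, OU=system", parsed))
```

Because the elevation is a plain membership test, the group's member list is the thing to review and alert on; the audit output also makes the case in Stefan's reply concrete, since a single entry holding both the password hash and the server's private key is what a move of the key material to the configuration partition (or a file reference) would undo.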

Re: [ApacheDS 2.0] Should we remove the 'System' partition?

Posted by Kiran Ayyagari <ka...@apache.org>.
On Fri, Oct 15, 2010 at 6:12 PM, Stefan Seelmann <se...@apache.org> wrote:
> Hi Pierre-Arnaud,
>
> On Fri, Oct 15, 2010 at 2:12 PM, Pierre-Arnaud Marcelot <pa...@marcelot.net> wrote:
>> Hi Dev,
>>
>> I'm really wondering if we should not remove the 'System' partition.
>>
>> The only interesting piece of information we're taking from it is the admin user, especially its password.
>> Wouldn't it be more interesting to store this information in the config partition?
>
> The admin entry also contains the X.509 certificate and private/public
> keys for LDAPS and the StartTLS extended operation. But I think the config
> partition is a better place for that information. And it should also be
> possible to reference the certificate and keys from a file in the
> filesystem.
>
>> Except for the Admin user, the other entries of that partition look like crap and legacy from old versions.
>>
>> The following configuration entries are no longer used:
>> - ou=configuration,ou=system
>>  | - ou=interceptors,ou=configuration,ou=system
>>  | - ou=partitions,ou=configuration,ou=system
>>  | - ou=services,ou=configuration,ou=system
>>
>> I don't know the role of this entry 'prefNodeName=sysPrefRoot,ou=system', if it still has any role?
>>
>> The following entries are not very useful either:
>> - ou=groups,ou=system
>>  | - cn=Administrators,ou=groups,ou=system
>> - ou=users,ou=system
>
> AFAIK they are still used by the "simplified" access control system;
> this has to be checked.
>
>> Isn't it better that the user creates their users in their own partition?
>> Even our admin user is not in the 'ou=users' organizational unit...
>>
>> As you can see, the only valid information in the whole partition is the credentials of the admin (should we say default) user.
>>
>> I really think this information should be placed in the configuration (we could also allow the redefinition of the admin user DN).
>> It would allow the user to edit these settings without having to start the server (at least) once.
>
> I'm +1, but keep in mind that we use "ou=system" in many places,
> especially in tests.
Yes, I have an idea: how about moving these required entries to
ou=config and treating that as the system
partition, or better yet, how about renaming it to ou=systemconfig or
just ou=system?

Kiran Ayyagari

Re: [ApacheDS 2.0] Should we remove the 'System' partition?

Posted by Stefan Seelmann <se...@apache.org>.
Hi Pierre-Arnaud,

On Fri, Oct 15, 2010 at 2:12 PM, Pierre-Arnaud Marcelot <pa...@marcelot.net> wrote:
> Hi Dev,
>
> I'm really wondering if we should not remove the 'System' partition.
>
> The only interesting piece of information we're taking from it is the admin user, especially its password.
> Wouldn't it be more interesting to store this information in the config partition?

The admin entry also contains the X.509 certificate and private/public
keys for LDAPS and the StartTLS extended operation. But I think the config
partition is a better place for that information. And it should also be
possible to reference the certificate and keys from a file in the
filesystem.

> Except for the Admin user, the other entries of that partition look like crap and legacy from old versions.
>
> The following configuration entries are no longer used:
> - ou=configuration,ou=system
>  | - ou=interceptors,ou=configuration,ou=system
>  | - ou=partitions,ou=configuration,ou=system
>  | - ou=services,ou=configuration,ou=system
>
> I don't know the role of this entry 'prefNodeName=sysPrefRoot,ou=system', if it still has any role?
>
> The following entries are not very useful either:
> - ou=groups,ou=system
>  | - cn=Administrators,ou=groups,ou=system
> - ou=users,ou=system

AFAIK they are still used by the "simplified" access control system;
this has to be checked.

> Isn't it better that the user creates their users in their own partition?
> Even our admin user is not in the 'ou=users' organizational unit...
>
> As you can see, the only valid information in the whole partition is the credentials of the admin (should we say default) user.
>
> I really think this information should be placed in the configuration (we could also allow the redefinition of the admin user DN).
> It would allow the user to edit these settings without having to start the server (at least) once.

I'm +1, but keep in mind that we use "ou=system" in many places,
especially in tests.

Kind Regards,
Stefan