Posted to dev@directory.apache.org by George Stoianov <gs...@gmail.com> on 2006/11/21 16:07:15 UTC

Database information back end

Hi,

I read a thread on the possibility of having a database back end for
ADS and have tried to understand all the arguments pro and con and I
think I am at a crossroads regarding the philosophical and design
aspects of the whole idea :) (leaning towards an rdbms aren't you
using BerkeleyDB??), but still as a person that has/is using databases
for many other things I see some benefits to be had if you could
enable at least the presentation of database data in response to ldap
queries.

One major drawback of ldap compared to a relational storage architecture
is that it is not relational in database terms it is more of a network
type of database structure where the information for each node of data
is stored at the node level and the uniqueness is guaranteed by the
path i.e. if I have a person that belongs to two different
departments I would have to create two records for that person and
all the common data would be duplicated in order to have that person
access the different resources for the other department. I know that
if you could possibly put all the requirements down you could get a
good enough structure to account for that but flexibility in the long
term seems a lot harder to attain than with an rdbms engine, although
I like the trigger and view capabilities you are building they may be
the solution. I am completely new to ldap so please correct me if I am
wrong.

I am currently in the process of helping with the implementation of a
solution that uses ldap for user credentials, those credentials are
also used to form groups of people based on database records that
experience frequent updates and changes so I am looking for a
flexible and quick in respect of updates/deletes solution and was
really happy to find ADS as I thought that maybe/is the answer???

So let me get to my question: Is there a place in the ADS API where I
could plug in another representation of a storage structure which I
then will inadvertently tie to a rdbms back end. What I need is the
power and the standards compliance from ADS and the ability to serve
my own data from a different source. Can you please point me in the
right direction on this??

Thanks,
George

Re: Database information back end

Posted by Ersin Er <er...@gmail.com>.
On 11/22/06, George Stoianov <gs...@gmail.com> wrote:
> On 11/21/06, Alex Karasulu <ao...@bellsouth.net> wrote:
> > George Stoianov wrote:
> > >> > (leaning towards an rdbms aren't you
> > >> > using BerkeleyDB??),
> > >>
> > >> nope, because the BDB license prohibits it.
> > >
> > > Really so what kind of files are the .db files in var??
> >
> > They are JDBM files ...
> >
> >    http://jdbm.sourceforge.net/
>
> I see with the B-Tree instead of the H-Tree as I learned from the web site.
>
> >
> > > Is the license
> > > problem a problem in combination with the Apache license??
> >
> > Yep it's too viral.
> >
> > > Berkeley DB
> > > is dual licensed right?
> >
> > Yep it is.
> >
> > > Or did Oracle change all of that?
> >
> > No they kept the original licensing terms.
> >
> > >> > but still as a person that has/is using databases
> > >> > for many other things I see some benefits to be had if you could
> > >> > enable at least the presentation of database data in response to ldap
> > >> > queries.
> >
> > I see what you mean.  You want a virtual directory.
>
> I guess, I have no clue what virtual directories are. Are they a way
> to present an LDAP tree from a non-native datasource be it an rdbms, a
> file or another ldap server???
> If this is any indication
> http://developers.slashdot.org/article.pl?sid=05/06/06/1036204&from=rss
> then that is what I am looking for/need.
>
> > I think it is about
> > time we tried to build something like that here.  You interested in
> > working on that here?
>
> Am I interested - yes. I do not know what is involved though nor how
> you guys operate my availability is not very good but assume almost
> everyone else will have a day job as well...
>
> >
> > >>  There is no way to do that, because LDAP is a protocol which enforces the
> > >> response structure...
> > >
> > > Can you elaborate on this?? To me it seems that when I ask for Jane
> > > Smith from the HR department from the Oxford office in the UK I can do
> > > that same thing using sql selecting the country table then the office
> > > table with cities and then the people table and then Jane Smith. As
> > > far as the response structure I think that is true for every protocol
> > > and yet the end data storage for many of them is an rdbms. This is
> > > where the middle program/ldap server provides the proper
> > > representation of the response in my mind.
> >
> > I think I understand what you want to do.  You want to present a
> > specific RDBMS schema as a Directory Information Tree.  You want to
> > adapt one access model to another essentially.  This is what virtual
> > directories do.
> >
> > Is this what you want to do?
>
> Precisely I am not looking to force a specific structure that may be
> slow/inefficient or inappropriate but just add the capability to plug
> in another schema/directory tree as an information provider. I am
> looking for modularity that makes code and software reuse easier and
> also adds some capabilities that will be beneficial to a particular
> group or scenario like mine :).
>
> >
> > >> > if I have a person that belongs to two different
> > >> > departments I would have to create two records for that person and
> > >> > all the common data would be duplicated in order to have that person
> > >> > access the different resources for the other department.
> > >>
> > >> You could also use aliases, to avoid such a duplication. Basically, you
> > >> point to the unique entry by its path (DN)
> > >
> > > I do not think so as an alias would point to the same entity, which
> > > would not solve the problem of the same entity having different
> > > attributes or attribute values, depending on the location in the node
> > > structure.
> >
> > Sounds like you want different views/perspectives of the same entry in
> > different places.
> >
> > ...
>
> Yes
>
> >
> > > Yes X.500 is complex :) . Triplesec is not LDAP server right? I need
> > > an ldap server as that is what the application using the groups and
> > > people credentials uses natively.
> >
> > Triplesec builds on top of ApacheDS so yes it is an LDAP server with
> > some customizations.
> >
> > >> We also have two presentations done in ApacheCon EU last October :
> > >> http://people.apache.org/~ersiner/apachecon-us06/ac-us-06-FR20-ErsinEr-ApacheDS_Access_Control_Administration_The_X.500_Way.pdf
> > >>
> > >>
> > >> and
> > >>
> > >> http://people.apache.org/~ersiner/apachecon-us06/
> > >
> > > So with stored procedures I can store a Java object and have it called
> > > with a standard ldap query and it can return whatever text value I
> > > choose??? That seems like a really good way to do what I need the
> > > security concerns are kind of troublesome but if you can isolate the
> > > calls to just one secured process you may be OK doing it this way. Do
> > > you have a step by step example of doing this?
> >
> > Ersin's the man behind this great work.  Perhaps he can chime in.

LDAP Stored Procedures, as we have designed and implemented, are just
java bytecodes stored in the DIT and loaded via a special LDAP class
loader and run inside the server. An LDAP stored procedure can be
executed by in-server means or by an LDAP extended operation (which is
defined) invoked by an external client. LDAP stored procedures mainly
serve for LDAP Triggers but they can be used for various purposes
like server administration, dynamic schema etc.

Currently, the best resource for LDAP SP and Triggers is:

http://people.apache.org/~ersiner/apachecon-us06/ac-us-06-FR14-ErsinEr-Stored_Procedures_and_Triggers_Arrive_in_ApacheDS.pdf
(and http://people.apache.org/~ersiner/apachecon-us06/FR14.README)

> I see you are discussing documentation now ... I do not know if I am
> a correct representative of the groups most interested in open source
> projects but one thing I find difficult looking at a project at first is
> the lack or incomplete documentation the mailing list is usually the
> best place to learn things :) and I am perfectly OK with that. Here is
> a link I found to a book on X.500 on the web that may help with the
> documentation: http://sec.cs.kent.ac.uk/x500book/ I am not sure but I
> think linking to it may have to be cleared with the author.

I think we have mastered most of it.. :-) BTW, it is an excellent book.

> Thanks for your help, I am still learning about LDAP and ADS.

We are glad to help you and also we learn about user experiences/needs.

> George
>
> >
> > Regards,
> > Alex
> >
> >
>


-- 
Ersin

Re: Database information back end

Posted by George Stoianov <gs...@gmail.com>.
On 11/21/06, Alex Karasulu <ao...@bellsouth.net> wrote:
> George Stoianov wrote:
> >> > (leaning towards an rdbms aren't you
> >> > using BerkeleyDB??),
> >>
> >> nope, because the BDB license prohibits it.
> >
> > Really so what kind of files are the .db files in var??
>
> They are JDBM files ...
>
>    http://jdbm.sourceforge.net/

I see with the B-Tree instead of the H-Tree as I learned from the web site.

>
> > Is the license
> > problem a problem in combination with the Apache license??
>
> Yep it's too viral.
>
> > Berkeley DB
> > is dual licensed right?
>
> Yep it is.
>
> > Or did Oracle change all of that?
>
> No they kept the original licensing terms.
>
> >> > but still as a person that has/is using databases
> >> > for many other things I see some benefits to be had if you could
> >> > enable at least the presentation of database data in response to ldap
> >> > queries.
>
> I see what you mean.  You want a virtual directory.

I guess, I have no clue what virtual directories are. Are they a way
to present an LDAP tree from a non-native datasource be it an rdbms, a
file or another ldap server???
If this is any indication
http://developers.slashdot.org/article.pl?sid=05/06/06/1036204&from=rss
then that is what I am looking for/need.

> I think it is about
> time we tried to build something like that here.  You interested in
> working on that here?

Am I interested - yes. I do not know what is involved though nor how
you guys operate my availability is not very good but assume almost
everyone else will have a day job as well...

>
> >>  There is no way to do that, because LDAP is a protocol which enforces the
> >> response structure...
> >
> > Can you elaborate on this?? To me it seems that when I ask for Jane
> > Smith from the HR department from the Oxford office in the UK I can do
> > that same thing using sql selecting the country table then the office
> > table with cities and then the people table and then Jane Smith. As
> > far as the response structure I think that is true for every protocol
> > and yet the end data storage for many of them is an rdbms. This is
> > where the middle program/ldap server provides the proper
> > representation of the response in my mind.
>
> I think I understand what you want to do.  You want to present a
> specific RDBMS schema as a Directory Information Tree.  You want to
> adapt one access model to another essentially.  This is what virtual
> directories do.
>
> Is this what you want to do?

Precisely I am not looking to force a specific structure that may be
slow/inefficient or inappropriate but just add the capability to plug
in another schema/directory tree as an information provider. I am
looking for modularity that makes code and software reuse easier and
also adds some capabilities that will be beneficial to a particular
group or scenario like mine :).

>
> >> > if I have a person that belongs to two different
> >> > departments I would have to create two records for that person and
> >> > all the common data would be duplicated in order to have that person
> >> > access the different resources for the other department.
> >>
> >> You could also use aliases, to avoid such a duplication. Basically, you
> >> point to the unique entry by its path (DN)
> >
> > I do not think so as an alias would point to the same entity, which
> > would not solve the problem of the same entity having different
> > attributes or attribute values, depending on the location in the node
> > structure.
>
> Sounds like you want different views/perspectives of the same entry in
> different places.
>
> ...

Yes

>
> > Yes X.500 is complex :) . Triplesec is not LDAP server right? I need
> > an ldap server as that is what the application using the groups and
> > people credentials uses natively.
>
> Triplesec builds on top of ApacheDS so yes it is an LDAP server with
> some customizations.
>
> >> We also have two presentations done in ApacheCon EU last October :
> >> http://people.apache.org/~ersiner/apachecon-us06/ac-us-06-FR20-ErsinEr-ApacheDS_Access_Control_Administration_The_X.500_Way.pdf
> >>
> >>
> >> and
> >>
> >> http://people.apache.org/~ersiner/apachecon-us06/
> >
> > So with stored procedures I can store a Java object and have it called
> > with a standard ldap query and it can return whatever text value I
> > choose??? That seems like a really good way to do what I need the
> > security concerns are kind of troublesome but if you can isolate the
> > calls to just one secured process you may be OK doing it this way. Do
> > you have a step by step example of doing this?
>
> Ersin's the man behind this great work.  Perhaps he can chime in.

I see you are discussing documentation now ... I do not know if I am
a correct representative of the groups most interested in open source
projects but one thing I find difficult looking at a project at first is
the lack or incomplete documentation the mailing list is usually the
best place to learn things :) and I am perfectly OK with that. Here is
a link I found to a book on X.500 on the web that may help with the
documentation: http://sec.cs.kent.ac.uk/x500book/ I am not sure but I
think linking to it may have to be cleared with the author.

Thanks for your help, I am still learning about LDAP and ADS.
George

>
> Regards,
> Alex
>
>

Re: Database information back end

Posted by Alex Karasulu <ao...@bellsouth.net>.
George Stoianov wrote:
>> > (leaning towards an rdbms aren't you
>> > using BerkeleyDB??),
>>
>> nope, because the BDB license prohibits it.
> 
> Really so what kind of files are the .db files in var?? 

They are JDBM files ...

   http://jdbm.sourceforge.net/

> Is the license
> problem a problem in combination with the Apache license?? 

Yep it's too viral.

> Berkeley DB
> is dual licensed right? 

Yep it is.

> Or did Oracle change all of that?

No they kept the original licensing terms.

>> > but still as a person that has/is using databases
>> > for many other things I see some benefits to be had if you could
>> > enable at least the presentation of database data in response to ldap
>> > queries.

I see what you mean.  You want a virtual directory.  I think it is about 
time we tried to build something like that here.  You interested in 
working on that here?

>>  There is no way to do that, because LDAP is a protocol which enforces the
>> response structure...
> 
> Can you elaborate on this?? To me it seems that when I ask for Jane
> Smith from the HR department from the Oxford office in the UK I can do
> that same thing using sql selecting the country table then the office
> table with cities and then the people table and then Jane Smith. As
> far as the response structure I think that is true for every protocol
> and yet the end data storage for many of them is an rdbms. This is
> where the middle program/ldap server provides the proper
> representation of the response in my mind.

I think I understand what you want to do.  You want to present a 
specific RDBMS schema as a Directory Information Tree.  You want to 
adapt one access model to another essentially.  This is what virtual 
directories do.

Is this what you want to do?

>> > if I have a person that belongs to two different
>> > departments I would have to create two records for that person and
>> > all the common data would be duplicated in order to have that person
>> > access the different resources for the other department.
>>
>> You could also use aliases, to avoid such a duplication. Basically, you
>> point to the unique entry by its path (DN)
> 
> I do not think so as an alias would point to the same entity, which
> would not solve the problem of the same entity having different
> attributes or attribute values, depending on the location in the node
> structure.

Sounds like you want different views/perspectives of the same entry in 
different places.

...

> Yes X.500 is complex :) . Triplesec is not LDAP server right? I need
> an ldap server as that is what the application using the groups and
> people credentials uses natively.

Triplesec builds on top of ApacheDS so yes it is an LDAP server with 
some customizations.

>> We also have two presentations done in ApacheCon EU last October :
>> http://people.apache.org/~ersiner/apachecon-us06/ac-us-06-FR20-ErsinEr-ApacheDS_Access_Control_Administration_The_X.500_Way.pdf 
>>
>>
>> and
>>
>> http://people.apache.org/~ersiner/apachecon-us06/
> 
> So with stored procedures I can store a Java object and have it called
> with a standard ldap query and it can return whatever text value I
> choose??? That seems like a really good way to do what I need the
> security concerns are kind of troublesome but if you can isolate the
> calls to just one secured process you may be OK doing it this way. Do
> you have a step by step example of doing this?

Ersin's the man behind this great work.  Perhaps he can chime in.

Regards,
Alex


Re: Database information back end

Posted by George Stoianov <gs...@gmail.com>.
On 11/21/06, Emmanuel Lecharny <el...@gmail.com> wrote:
> Hi Georges,
>
> On 11/21/06, George Stoianov <gs...@gmail.com> wrote:
> > Hi,
> >
> > I read a thread on the possibility of having a database back end for
> > ADS and have tried to understand all the arguments pro and con and I
> > think I am at a crossroads regarding the philosophical and design
> > aspects of the whole idea :)
>
> Philosophical? We are not that smart ! ;)

I am not either but I was thinking so much it felt philosophical :)

>
> > (leaning towards an rdbms aren't you
> > using BerkeleyDB??),
>
> nope, because the BDB license prohibits it.

Really so what kind of files are the .db files in var?? Is the license
problem a problem in combination with the Apache license?? Berkeley DB
is dual licensed right? Or did Oracle change all of that? Actually
forget this question the open source license does not allow for third
party redistribution whereas the Apache one does
(http://www.oracle.com/technology/software/products/berkeley-db/htdocs/licensing.html)

> > but still as a person that has/is using databases
> > for many other things I see some benefits to be had if you could
> > enable at least the presentation of database data in response to ldap
> > queries.
>
>  There is no way to do that, because LDAP is a protocol which enforces the
> response structure...

Can you elaborate on this?? To me it seems that when I ask for Jane
Smith from the HR department from the Oxford office in the UK I can do
that same thing using sql selecting the country table then the office
table with cities and then the people table and then Jane Smith. As
far as the response structure I think that is true for every protocol
and yet the end data storage for many of them is an rdbms. This is
where the middle program/ldap server provides the proper
representation of the response in my mind.

>
> > One major drawback of ldap compared to a relational storage architecture
> > is that it is not relational in database terms it is more of a network
> > type of database structure
>
> Let's say it's pretty much more like a Hierarchical database. (as of 1970,
> where you had Hierarchical, network and relational database - which was the
> newcomer )

Agreed.

>
> > where the information for each node of data
> > is stored at the node level and the uniqueness is guaranteed by the
> > path i.e.
>
> Agreed.
>
> > if I have a person that belongs to two different
> > departments I would have to create two records for that person and
> > all the common data would be duplicated in order to have that person
> > access the different resources for the other department.
>
> You could also use aliases, to avoid such a duplication. Basically, you
> point to the unique entry by its path (DN)

I do not think so as an alias would point to the same entity, which
would not solve the problem of the same entity having different
attributes or attribute values, depending on the location in the node
structure.

What I mean is let's say there were two different schools in a
university and Jane was a professor delivering lectures at both
schools but was actually a member of the faculty in the first school
and not the second. Now let's say she had the privilege of a university
laptop and electronic library access on campus 1 but not on campus 2.
How would you solve this with an LDAP structure... I think create two
records under the different branches of the tree (campus1 and campus2)
and have the laptop and library access attributes set accordingly in
campus1 not the campus2. So in doing this you would possibly be
imposing a list of attributes in campus2 that may not even pertain to
that campus as they have no internet access and do not use laptops. If
you were to do this in a database you would create a table for the
campus and a table for faculty-campus-privileges etc. campus one will
have some stuff in it and campus 2 nothing. If later you needed to add
something you can easily do so for 1 and even 2 without storing
unnecessary information. I do not know if this makes any sense :).

>
> > I know that
> > if you could possibly put all the requirements down you could get a
> > good enough structure to account for that but flexibility in the long
> > term seems a lot harder to attain than with an rdbms engine,
>
>
> Not necessarily. Basically, what you should consider is whether you would
> benefit more from a hierarchical structure or from a relational one. Of
> course, everything can be done with a RDBMS (and when you look at IBM
> Directory Server, which is backed by a RDBMS - DB2
> -, you can see that, yes, this is possible :), but sometimes, a RDBMS is the
> best choice (maybe often ;)

I think the benefits are in the way storage is supposed to work (I
have seen many databases that are way worse than a hierarchical structure
ldap has) and that things naturally lend themselves to relations in
real life in my mind despite the fact that people hate rules and want
to eat and not pay for it :) so the requirements often make you design
yourself into a complete mess.

>
> > although
> > I like the trigger and view capabilities you are building they may be
> > the solution. I am completely new to ldap so please correct me if I am
> > wrong.
>
> I can't say you are wrong. You pointed out some of the elements that should
> help you to make the best choice :)
>
> > I am currently in the process of helping with the implementation of a
> > solution that uses ldap for user credentials, those credentials are
> > also used to form groups of people based on database records that
> > experience frequent updates and changes so I am looking for a
> > flexible and quick in respect of updates/deletes solution and was
> > really happy to find ADS as I thought that maybe/is the answer???
>
> Ahha... Well, hum, what I can say is that ADS has a full fledged ACI
> implementation, based on X500 specification, which is one of the most
> complete(complex?) . So, I think that it can fill your needs. Just check
> some doco :
>  http://docs.safehaus.org/display/TRIPLESEC/Home (Has been
> voted to be a part of Apache Directory Server one month ago)

Yes X.500 is complex :) . Triplesec is not LDAP server right? I need
an ldap server as that is what the application using the groups and
people credentials uses natively.

>
> We also have two presentations done in ApacheCon EU last October :
> http://people.apache.org/~ersiner/apachecon-us06/ac-us-06-FR20-ErsinEr-ApacheDS_Access_Control_Administration_The_X.500_Way.pdf
>
> and
>
> http://people.apache.org/~ersiner/apachecon-us06/

So with stored procedures I can store a Java object and have it called
with a standard ldap query and it can return whatever text value I
choose??? That seems like a really good way to do what I need the
security concerns are kind of troublesome but if you can isolate the
calls to just one secured process you may be OK doing it this way. Do
you have a step by step example of doing this?

>
> > So let me get to my question: Is there a place in the ADS API where I
> > could plug in another representation of a storage structure which I
> > then will inadvertently tie to a rdbms back end.
>
> yep, but this will need some work ...

From your reply I take it a lot of work ... ???

>
> > What I need is the
> > power and the standards compliance from ADS and the ability to serve
> > my own data from a different source. Can you please point me in the
> > right direction on this??
>
> I hope I did. Are you in a urge, or do you have time ?

Yes you did, thank you! I am in a urge but I would like to at least
look at that side of the problem before giving up ;) ...

TIA,
George

>
> > Thanks,
> > George
> >
>
> You are welcome !
>
> Emmanuel
>
> --
> Cordialement,
> Emmanuel Lécharny

Re: Database information back end

Posted by Emmanuel Lecharny <el...@gmail.com>.
Hi Georges,

On 11/21/06, George Stoianov <gs...@gmail.com> wrote:
>
> Hi,
>
> I read a thread on the possibility of having a database back end for
> ADS and have tried to understand all the arguments pro and con and I
> think I am at a crossroads regarding the philosophical and design
> aspects of the whole idea :)


Philosophical? We are not that smart ! ;)

> (leaning towards an rdbms aren't you
> using BerkeleyDB??),


nope, because the BDB license prohibits it.

> but still as a person that has/is using databases
> for many other things I see some benefits to be had if you could
> enable at least the presentation of database data in response to ldap
> queries.


There is no way to do that, because LDAP is a protocol which enforces the
response structure...


> One major drawback of ldap compared to a relational storage architecture
> is that it is not relational in database terms it is more of a network
> type of database structure


Let's say it's pretty much more like a Hierarchical database. (as of 1970,
where you had Hierarchical, network and relational database - which was the
newcomer )

> where the information for each node of data
> is stored at the node level and the uniqueness is guaranteed by the
> path i.e.


Agreed.

> if I have a person that belongs to two different
> departments I would have to create two records for that person and
> all the common data would be duplicated in order to have that person
> access the different resources for the other department.


You could also use aliases, to avoid such a duplication. Basically, you
point to the unique entry by its path (DN)


> I know that
> if you could possibly put all the requirements down you could get a
> good enough structure to account for that but flexibility in the long
> term seems a lot harder to attain than with an rdbms engine,


Not necessarily. Basically, what you should consider is whether you would
benefit more from a hierarchical structure or from a relational one. Of
course, everything can be done with a RDBMS (and when you look at IBM
Directory Server, which is backed by a RDBMS - DB2
-, you can see that, yes, this is possible :), but sometimes, a RDBMS is the
best choice (maybe often ;)

> although
> I like the trigger and view capabilities you are building they may be
> the solution. I am completely new to ldap so please correct me if I am
> wrong.


I can't say you are wrong. You pointed out some of the elements that should
help you to make the best choice :)

> I am currently in the process of helping with the implementation of a
> solution that uses ldap for user credentials, those credentials are
> also used to form groups of people based on database records that
> experience frequent updates and changes so I am looking for a
> flexible and quick in respect of updates/deletes solution and was
> really happy to find ADS as I thought that maybe/is the answer???


Ahha... Well, hum, what I can say is that ADS has a full fledged ACI
implementation, based on X500 specification, which is one of the most
complete(complex?) . So, I think that it can fill your needs. Just check
some doco :
 http://docs.safehaus.org/display/TRIPLESEC/Home (Has been voted to be a
part of Apache Directory Server one month ago)

We also have two presentations done in ApacheCon EU last October :
http://people.apache.org/~ersiner/apachecon-us06/ac-us-06-FR20-ErsinEr-ApacheDS_Access_Control_Administration_The_X.500_Way.pdf

and

http://people.apache.org/~ersiner/apachecon-us06/

> So let me get to my question: Is there a place in the ADS API where I
> could plug in another representation of a storage structure which I
> then will inadvertently tie to a rdbms back end.


yep, but this will need some work ...

> What I need is the
> power and the standards compliance from ADS and the ability to serve
> my own data from a different source. Can you please point me in the
> right direction on this??


I hope I did. Are you in a urge, or do you have time ?

> Thanks,
> George
>

You are welcome !

Emmanuel

-- 
Cordialement,
Emmanuel Lécharny

Re: Database information back end

Posted by Alex Karasulu <ao...@bellsouth.net>.
George Stoianov wrote:
> Hi,
> 
> I read a thread on the possibility of having a database back end for
> ADS and have tried to understand all the arguments pro and con and I
> think I am at a crossroads regarding the philosophical and design
> aspects of the whole idea :) (leaning towards an rdbms aren't you
> using BerkeleyDB??), but still as a person that has/is using databases
> for many other things I see some benefits to be had if you could
> enable at least the presentation of database data in response to ldap
> queries.
> 
> One major drawback of ldap compared to a relational storage architecture
> is that it is not relational in database terms it is more of a network
> type of database structure where the information for each node of data
> is stored at the node level and the uniqueness is guaranteed by the
> path i.e. if I have a person that belongs to two different
> departments I would have to create two records for that person and
> all the common data would be duplicated in order to have that person
> access the different resources for the other department. I know that
> if you could possibly put all the requirements down you could get a
> good enough structure to account for that but flexibility in the long
> term seems a lot harder to attain than with an rdbms engine, although
> I like the trigger and view capabilities you are building they may be
> the solution. I am completely new to ldap so please correct me if I am
> wrong.
> 
> I am currently in the process of helping with the implementation of a
> solution that uses ldap for user credentials, those credentials are
> also used to form groups of people based on database records that
> experience frequent updates and changes so I am looking for a
> flexible and quick in respect of updates/deletes solution and was
> really happy to find ADS as I thought that maybe/is the answer???
> 
> So let me get to my question: Is there a place in the ADS API where I
> could plug in another representation of a storage structure which I
> then will inadvertently tie to a rdbms back end. What I need is the
> power and the standards compliance from ADS and the ability to serve
> my own data from a different source. Can you please point me in the
> right direction on this??

Take a look at this interface which you may want to implement ...

http://svn.apache.org/repos/asf/directory/trunks/apacheds/core/src/main/java/org/apache/directory/server/core/partition/Partition.java

But to understand ADS architecture you might want to take a quick peek 
at this presentation here ...

https://svn.safehaus.org/repos/sandbox/workshop/

See Presentation.ppt

HTH,
Alex
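
An added example, not part of the thread and not ApacheDS code: a small Python sketch of the virtual-directory idea discussed above, serving the two-campus scenario from relational tables as LDAP-style entries so that one person row yields a different view under each campus. The table layout, the `dc=example,dc=com` suffix and the `laptopAccess`/`libraryAccess` attribute names are assumptions, and all rows are constructed sample data.

```python
import re
import sqlite3

SUFFIX = "dc=example,dc=com"                    # assumed naming context
VIEW_ATTRS = {"laptopAccess", "libraryAccess"}  # hypothetical per-campus attributes
SPECIALS = '"+,;<>\\'                           # characters RFC 4514 requires escaping
SELECT = ("SELECT p.id, c.id, p.cn, p.sn, p.mail, c.ou FROM person p "
          "JOIN membership m ON m.person_id = p.id JOIN campus c ON c.id = m.campus_id ")


def build_db():
    """Constructed sample data: each person is stored once, memberships are rows."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE person (id INTEGER PRIMARY KEY, cn TEXT UNIQUE, sn TEXT, mail TEXT);
        CREATE TABLE campus (id INTEGER PRIMARY KEY, ou TEXT UNIQUE);
        CREATE TABLE membership (person_id INTEGER, campus_id INTEGER);
        CREATE TABLE privilege (person_id INTEGER, campus_id INTEGER, attr TEXT, value TEXT);
        INSERT INTO person VALUES (1, 'Jane Smith', 'Smith', 'jane@example.com'),
                                  (2, 'Smith, John', 'Smith', 'john@example.com');
        INSERT INTO campus VALUES (1, 'campus1'), (2, 'campus2');
        INSERT INTO membership VALUES (1, 1), (1, 2), (2, 2);
        INSERT INTO privilege VALUES (1, 1, 'laptopAccess', 'TRUE'),
                                     (1, 1, 'libraryAccess', 'TRUE');
    """)
    return db


def escape_rdn(value):
    """Escape a database value before placing it in a DN string."""
    out = []
    for i, ch in enumerate(value):
        edge = (i == 0 and ch in " #") or (i == len(value) - 1 and ch == " ")
        out.append("\\" + ch if ch in SPECIALS or edge else ch)
    return "".join(out).replace("\x00", "\\00")


def unescape(val):
    """Undo backslash escapes (single character or hex pair) in an RDN value."""
    def repl(match):
        body = match.group(1)
        return bytes([int(body, 16)]) if len(body) == 2 else body
    return re.sub(rb"(?s)\\([0-9A-Fa-f]{2}|.)", repl, val.encode()).decode("utf-8")


def split_dn(dn):
    """Split a DN on unescaped commas into [(attr, value), ...].

    Multi-valued RDNs (a=b+c=d) are outside what this sketch parses.
    """
    parts, cur, i = [], "", 0
    while i < len(dn):
        step = 2 if dn[i] == "\\" else 1     # keep an escaped character with its backslash
        if dn[i] == ",":
            parts.append(cur)
            cur = ""
        else:
            cur += dn[i:i + step]
        i += step
    parts.append(cur)
    rdns = []
    for part in parts:
        attr, sep, val = part.partition("=")
        if not sep:
            raise ValueError("malformed RDN: %r" % part)
        rdns.append((attr.strip().lower(), unescape(val)))
    return rdns


def to_entry(db, row):
    """Merge the shared person row with the privileges of one campus."""
    pid, cid, cn, sn, mail, ou = row
    entry = {"dn": "cn=%s,ou=%s,%s" % (escape_rdn(cn), escape_rdn(ou), SUFFIX),
             "cn": [cn], "sn": [sn], "mail": [mail]}
    rows = db.execute("SELECT attr, value FROM privilege "
                      "WHERE person_id = ? AND campus_id = ?", (pid, cid))
    for attr, value in rows.fetchall():
        if attr in VIEW_ATTRS:               # only allowlisted names become attributes
            entry.setdefault(attr, []).append(value)
    return entry


def lookup(db, dn):
    """Base-object read of cn=<person>,ou=<campus>,SUFFIX; None if absent.

    DN values reach SQL only as bound parameters, never by concatenation.
    """
    rdns, suffix = split_dn(dn), split_dn(SUFFIX)
    if rdns[2:] != suffix or [a for a, _ in rdns[:2]] != ["cn", "ou"]:
        return None
    row = db.execute(SELECT + "WHERE p.cn = ? AND c.ou = ?",
                     (rdns[0][1], rdns[1][1])).fetchone()
    return to_entry(db, row) if row else None


def children(db, base_dn):
    """One-level search under ou=<campus>,SUFFIX."""
    rdns, suffix = split_dn(base_dn), split_dn(SUFFIX)
    if rdns[1:] != suffix or rdns[0][0] != "ou":
        return []
    rows = db.execute(SELECT + "WHERE c.ou = ? ORDER BY p.cn", (rdns[0][1],)).fetchall()
    return [to_entry(db, r) for r in rows]
```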