Hi Georges,

On 11/21/06, George Stoianov <[EMAIL PROTECTED]> wrote:
> Hi,
> I read a thread on the possibility of having a database back end for ADS and have tried to understand all the arguments pro and con and I think I am on crossroads regarding the philosophical and design aspects of the whole idea :)

Philosophical? We are not that smart ! ;)

> (leaning towards an rdbms aren't you using BerkeleyDB??),

nope, because the BDB license prohibits it.

> but still as a person that has/is using databases for many other things I see some benefits to be had if you could enable at least the presentation of database data in response to ldap queries.

There is no way to do that, because LDAP is a protocol which enforces the response structure...

> One major drawback of ldap compared to a relation storage architecture is that it is not relational in database terms it is more of a network type of database structure

Let's say it's pretty much more like a Hierarchical database. (as of 1970, where you had Hierarchical, network and relational database - which was the newcomer)

> where the information for each node of data is stored at the node level and the uniqueness is guaranteed by the path i.e.

Agreed.

> if I have a person that belongs to two different departments I would have to create two records for that person and all the common data would be duplicated in order to have that person access the different resources for the other department.

You could also use aliases, to avoid such a duplication. Basically, you point to the unique entry by its path (DN)

> I know that if you could possibly put all the requirements down you could get a good enough structure to account for that but flexibility in the long term seems a lot harder to attain that with an rdbms engine,

Not necessarily. Basically, what you should consider is whether you would benefit more from a hierarchical structure or from a relational one. Of course, everything can be done with a RDBMS (and when you look at IBM Directory Server, which is backed by a RDBMS - DB2 -, you can see that, yes, this is possible :), but sometimes, a RDBMS is the best choice (may be often ;)

> although I like the trigger and view capabilities you are building they may be the solution. I am completely new to ldap so please correct me if I am wrong.

I can't say you are wrong. You pointed out some of the elements that should help you to make the best choice :)

> I am currently in the process of helping with the implementation of a solution that uses ldap for user credentials, those credentials are also used to form groups of people based on database records that experience frequent updates and changes so I am looking for a flexible and quick in respect of updates/deletes solution and was really happy to find ADS as I thought that maybe/is the answer???

Ahha... Well, hum, what I can say is that ADS has a full fledged ACI implementation, based on X500 specification, which is one of the most complete (complex?). So, I think that it can fill your needs. Just check some doco:

http://docs.safehaus.org/display/TRIPLESEC/Home

(Has been voted to be a part of Apache Directory Server one month ago)

We also have two presentations done in ApacheCon EU last October:

http://people.apache.org/~ersiner/apachecon-us06/ac-us-06-FR20-ErsinEr-ApacheDS_Access_Control_Administration_The_X.500_Way.pdf

and

http://people.apache.org/~ersiner/apachecon-us06/

> So let me get to my question: Is there a place in the ADS API where I could plug in another representation of a storage structure which I then will inadvertently tie to a rdbms back end.

yep, but this will need some work ...

> What I need is the power and the standards compliance from ADS and the ability to serve my own data from a different source. Can you please point me in the right direction on this??

I hope I did. Are you in a urge, or do you have time ?

> Thanks,
> George

You are welcome !

Emmanuel

--
Regards,
Emmanuel Lécharny
