A few more things at the end of this mail ...
Emmanuel Lecharny wrote:
Hi guys,
as I'm trying to figure out a DiT based configuration for ADS, I'm now
questioning some choices that have been made long ago. I think we can
simplify the configuration a bit.
Let's start with some preliminary comments.
- the base for all the storage is a DirectoryService. This is the
heart of our system.
- we have built a lot of servers on top of it, like Kerberos, DHCP,
DNS, ChangePW and LDAP. Those servers rely on the DirectoryService
- we have one unique server, NTP, which is standalone - i.e., it does
not need any DirectoryService.
- the Ldap server is a bit special, as it is not named LdapServer, as
we would expect when we have a look at the other servers, but
ApacheDS, and it points to 2 LdapService (which in turn associate a
DirectoryService with a transport)
- a Transport is a protocol layer defining the host, port, protocol
and some other network related parameters. Each server has at least
one transport.
Ok, so far, we are lost now :)
I would suggest we clean up a bit all of this.
1) ApacheDS is a condensed name for ApacheDirectoryServer. It's a
server. we will keep the two services (Ldap and Ldaps), even if we
should treat them as transport, not service.
2) All the other servers (NTP, DHCP, Kerberos, DNS) are a combination
of one or more transports and an optional DirectoryService, if needed.
3) We will define only one DirectoryService for LDAP. We may want 2
DirectoryServices, one for LDAP and another one for LDAPS. But this is
not what we have in ApacheDS atm (looking at the code, the
DirectoryService is defined 3 times: in ApacheDS and in both
LdapServices).
4) The consequence is that some flags like AllowAnonymousAccess are now
useless in ApacheDS, as they are already present in the LdapService
instances.
5) The SyncOnWrite flag is defined in a Service class, instantiated in
ApacheDS. That's most certainly not what we want, as it defines a
worker thread in charge of calling directoryService.synch()
periodically. This thread is specific to ApacheDS, and won't be
available to someone who wants to use a DirectoryService as a server
backend. I suggest we move the Worker to DirectoryService.
6) LdapService should be renamed to LdapServer. Everything associated
with a Transport is a server, not a service.
7) We should be able to handle LDAP _and_ LDAPS in the LdapServer. Atm,
it's done by declaring two LdapServices, which is not a good idea, as it
duplicates a lot of configuration elements. There is no difference
between LDAP and LDAPS, except that we use SSL. Imo, it's just a matter
of defining some new transport (different port, SSL enabled).
8) The transport class should be extended to enable or disable SSL.
--
cordialement, regards,
Emmanuel Lécharny
www.iktek.com
directory.apache.org
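To make the proposed layout concrete, here is an added Java sketch (not ApacheDS code, and not part of the mail above) of points 2, 6, 7 and 8: one LdapServer owning one DirectoryService and a list of Transports, where LDAP and LDAPS differ only by the transport's SSL switch. The class names follow the mail; the fields, the validate() routine, the port numbers and the host value are assumptions constructed for the illustration. The validation is the kind of start-up check an operator would want on such a model: it rejects an endpoint declared twice (the duplication the mail criticises) and reports any plain-text transport, since simple binds over it would carry credentials in clear.

```java
// Added illustration of the configuration model proposed in the mail (not ApacheDS code).
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

public class ConfigSketch {

    /** Assumed: the storage core; only its name is needed for this sketch. */
    static final class DirectoryService {
        final String name;
        DirectoryService(String name) { this.name = name; }
    }

    /** Assumed: host, port and an SSL switch, as point 8 suggests. */
    static final class Transport {
        final String host;
        final int port;
        final boolean sslEnabled;
        Transport(String host, int port, boolean sslEnabled) {
            this.host = host;
            this.port = port;
            this.sslEnabled = sslEnabled;
        }
        String endpoint() { return host + ":" + port; }
    }

    /** Assumed: one server = one DirectoryService + one or more Transports (points 2, 6, 7). */
    static final class LdapServer {
        final DirectoryService directoryService;
        final List<Transport> transports = new ArrayList<>();
        LdapServer(DirectoryService ds) { this.directoryService = ds; }
        LdapServer addTransport(Transport t) { transports.add(t); return this; }
    }

    /** Start-up checks: at least one transport, no endpoint declared twice,
     *  and a warning for every transport that is not SSL-enabled. */
    static List<String> validate(LdapServer server) {
        List<String> findings = new ArrayList<>();
        if (server.transports.isEmpty()) {
            findings.add("ERROR: server has no transport");
        }
        Set<String> seen = new HashSet<>();
        for (Transport t : server.transports) {
            if (!seen.add(t.endpoint())) {
                findings.add("ERROR: endpoint declared twice: " + t.endpoint());
            }
            if (!t.sslEnabled) {
                findings.add("WARN: " + t.endpoint()
                    + " is plain-text; simple binds on it send credentials in clear");
            }
        }
        return findings;
    }

    public static void main(String[] args) {
        // Constructed sample values: one DirectoryService, defined once rather than three times.
        DirectoryService ds = new DirectoryService("default");

        // LDAP and LDAPS as two transports of the same server; only the SSL flag differs.
        LdapServer server = new LdapServer(ds)
            .addTransport(new Transport("0.0.0.0", 10389, false))
            .addTransport(new Transport("0.0.0.0", 10636, true));
        System.out.println(validate(server));

        // The duplicated layout the mail criticises: the same endpoint declared twice.
        LdapServer duplicated = new LdapServer(ds)
            .addTransport(new Transport("0.0.0.0", 10389, false))
            .addTransport(new Transport("0.0.0.0", 10389, false));
        System.out.println(validate(duplicated));
    }
}
```

Keeping the SSL decision on the Transport, as the mail proposes, means the AllowAnonymousAccess and SyncOnWrite kinds of setting have one owner each (the server and the DirectoryService), so a validator like the one above can reason about the whole configuration without reconciling three copies of the same object.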