On Tue, Jun 17, 2003 at 04:01:10PM -0700, Justin Mason wrote:
> One idea we've been thinking of for 2.70 or 3.0, was to use
> DBI for specifying database locations; in other words, just
> this.
> DBI uses URI-style strings to specify formats, access methods,
> etc. along with the db names; if there's a DBI/DBD module to
> access LDAP, that would be best.  And it looks like there is:

Don't. LDAP is not SQL compatible. You can map LDAP to SQL
partially, to make LDAP stores available to a relational system,
but you cannot work with LDAP through any SQL interface and
expect performance, maintainability or even full functionality

> But I'm not sure *writable* dbs like Bayes or AWL would ever
> be useful in LDAP; afaik, LDAP is very much read-frequently,
> write-seldom.

True. In any setup that does not replicate or where your
replication connections perform adequately, it may work, though.
I would discourage it, though.


(*1) I have a rant (a set of slides in german even for a lecture
     I held) on comparing and mapping SQL and LDAP. The bottom
line is, that you do not want it, unless you absolutely need to.

LDAP is a data store that is not even 1st normal form when seen
from a relational POV (multivalued attributes are arrays in the
relational model, not scalar values). Also, data storage within
the LDAP tree is not in 2nd or 3rd normal form even if you
disregard multivalued attributes.

Also, you cannot fix that, because LDAP only implements a very
limited subset of the relational algebra's operation. Relation
algebra defined five operations, projection (selection of
columns), selection (selection of rows), join (cross products
over tables), renaming (needed for self joins) and aggregation
(grouping operations). 

Of these, LDAP only implements selection fully using filter
expressions. Projection is also available, but only in a limited
way (no synthetic columns/attributes in LDAP). A join is
completely unavailable, forcing you to use precomputed joins in
LDAP by using DNs in (often multivalued) attributes to refer to
other entries within the tree and implementing the dereferencing
operation manually within the client. Renaming is not supported
at all in LDAP. Also, aggregation operations are unavailable,
forcing you to count and group manually.

The missing join forces one to use DNs to refer to other nodes
within the tree. For example, LDAPs groupOfUniqueNames
objectclass uses the DNs to members in a multivalued attribute
to refer to other groupOfUniqueNames or actual members (often
Persons or subclasses thereof). Thus, DNs have the role that
primary keys have in relational databases. 

Unfortunately, unlike true primary keys, DNs are not opaque.
Instead, they are an ordered collection of RDNs, which are also
attributes of the data. Thus, if you change values of attributes
that are also RDNs, the DN of your object changes and all
references to your object are invalidated (changing primary keys
is frowned upon in the relational model for exactly this
reason). Since you cannot select or define your DN freely as you
can with primary keys in relational databases, you cannot get
rid completely of this problem.

Some server vendors, such as Netscape/iPlanet/SunOne, offer
server plugins that try to "fix" this: If you change a DN, the
plugin traverses your _entire_ data store and changes all
references to that DN (causing a replication storm, of course).

You can rid yourself of the problem of changing DNs partially by
defining a attribute "pk" which you are using to enumerate all
objects within your store, and make it a RDN. Unfortunately, you
still cannot define flat structures, because LDAP defines
replication only over subtrees. That is, if you want to
partition your data store, you have to structure it treelike
(introducing new attributes as RDNs) in order to have subtrees
to replicate.

In relational databases, there is no need to do this: You can
selection any column (in fact, often any predicate) to partition
a table into a set of tables, then replicate any subset of
tables. There is no need for the partitioning column (or
predicate) to redefine the primary key, the functionality is

LDAP in fact maps much better to XML trees that it maps to SQL,
with nodes being elements and attributes being, well, attributes
- XML does not define multivalued attributes, though. Thus, the
LDAP query language can be compared to XPath or XQuery, exposing
even more flaws (well, opportunities for improvement) in the
definition of LDAP. For example, XPath defines a number of axes
along which a search can be performed - LDAP also defines axes,
but only three (called scopes: base, one, sub). Compare this to
the rich variety of axes that are available in XPath.

Also, the XPath query language allows you to form expressions
that take tree topology into consideration ("find me all <b/>
element directly below  <h1/> elements", "find me the title
attributes of all <answer/> elements anywhere below the
<chapter/> element that has a title attribute that contains the
literal text "about this FAQ"). There is no provision at all for
such queries within the LDAP query language.

The end result is that LDAP is a very limited data store that
maps to nothing properly. If you have to implement different
storage methods within an application, you cannot selection one
storage method and map all other onto that particular method and
expect it to work. Instead you'd have to model the storage
within your application in the terms of your application, and
then implement instances of that storage model using the
selected storage natively. This is in my experience from
projects generally less painful and produces much more robust

I am sorry for posting such a long and somewhat offtopic rant to
this list, but this is stuff that has cost me about a year of so
to learn, the hard way, in several projects involving SQL and
LDAP data stores. Being a database person more that an LDAP
person, I tried to map LDAP to a relational model, just like you
do, and it blew up in several ugly ways. An analysis of the
reasons resulted in the above rant as the short version of an

LDAP is a very limited and specialized data store, that is in
many ways inadequate, even for the things that it way "designed"
(*2) for. Don't force it do things it cannot be made to do.

(*2) Rant the second. LDAP was not designed at all. LDAP is the
     descendant of the parts of X.500 that could be salvaged.
X.500 is a 1970ies directory model that was designed by a
committee, and it was not even a committee of computer
scientists, but some working group composed of
telecommunications company executives and politicians working as
part of the CCITT/ITU. Like most CCITT/ITU/OSI inventions, it
lacks - read the soapboxes in Marshal T. Roses "The simple
book", if you want to know more about the ways in which
CCITT/ITU/OSI standards suck compared to RFCs, including the
abomination that is ASN.1 and BER/DER.

This SF.Net email is sponsored by: INetU
Attention Web Developers & Consultants: Become An INetU Hosting Partner.
Refer Dedicated Servers. We Manage Them. You Get 10% Monthly Commission!
INetU Dedicated Managed Hosting http://www.inetu.net/partner/index.php
Spamassassin-talk mailing list

Reply via email to