« Return to Thread: Questionning some parts of the configuration

Re: Questionning some parts of the configuration

by elecharny-2


A few more things at the end of this mail ...

Emmanuel Lecharny wrote:

> Hi guys,
>
> as I'm trying to figure out a DiT-based configuration for ADS, I'm now
> questioning some choices that have been made long ago. I think we can
> simplify the configuration a bit.
>
> Let's start with some preliminary comments.
>
> - the base for all the storage is a DirectoryService. This is the
> heart of our system.
> - we have built a lot of servers on top of it, like Kerberos, DHCP,
> DNS, ChangePW and LDAP. Those servers rely on the DirectoryService
> - we have one unique server, NTP, which is standalone, i.e. it does
> not need any DirectoryService.
> - the LDAP server is a bit special, as it is not named LdapServer, as
> we would expect when we have a look at the other servers, but
> ApacheDS, and it points to two LdapService instances (which in turn
> associate a DirectoryService with a transport)
> - a Transport is a protocol layer defining the host, port, protocol
> and some other network-related parameters. Each server has at least
> one transport.
>
> Ok, so far, we are lost now :)
>
> I would suggest we clean up a bit all of this.
>
> 1) ApacheDS is a condensed name for ApacheDirectoryServer. It's a
> server. We will keep the two services (Ldap and Ldaps), even if we
> should treat them as transports, not services.
> 2) All the other servers (NTP, DHCP, Kerberos, DNS) are a combination
> of one or more transports and an optional DirectoryService, if needed.
> 3) We will define only one DirectoryService for LDAP. We may want 2
> DirectoryServices, one for LDAP and another one for LDAPS. But this is
> not what we have in ApacheDS atm (looking at the code, the
> DirectoryService is defined 3 times: in ApacheDS and in both
> LdapService instances).
> 4) The consequence is that some flags like AllowAnonymousAccess is now
> useless in ApacheDS, as it's already present in the LdapService
> instances.
> 5) The SyncOnWrite flag is defined in a Service class, instantiated in
> ApacheDS. That's most certainly not what we want, as it defines a
> worker thread in charge of calling directoryService.synch()
> periodically. This thread is specific to ApacheDS, and won't be
> available to someone who wants to use a DirectoryService as a server
> backend. I suggest we move the Worker to DirectoryService.
6) LdapService should be renamed to LdapServer. Everything associated
with a Transport is a server, not a service.
7) We should be able to handle LDAP _and_ LDAPS in the LdapServer. Atm,
it's done by declaring two LdapService instances, which is not a good
idea, as it duplicates a lot of configuration elements. There is no
difference between LDAP and LDAPS, except that we use SSL. Imo, it's just
a matter of defining a new transport (different port, SSL enabled).
8) The Transport class should be extended to enable or disable SSL.

--
cordialement, regards,
Emmanuel Lécharny
www.iktek.com
directory.apache.org
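The layout proposed in points 1 to 8, sketched as an added Python model. This is not ApacheDS code and not the author's; the class names mirror the thread's vocabulary (DirectoryService, Transport, LdapServer) but their fields, the validate() function, the keystore path and the sync-worker tick method are assumptions made for illustration. It shows one DirectoryService owning the periodic sync worker, one LdapServer holding one Transport per endpoint (LDAP and LDAPS differing only by port and SSL flag), and the two checks a practitioner would want before such a configuration binds sockets: an SSL transport must carry a keystore, and no two transports may bind the same endpoint.

```python
"""Sketch of the configuration layout proposed in the thread (added example,
not ApacheDS code). All names and fields are assumptions chosen to mirror
the thread's vocabulary."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class DirectoryService:
    """The shared backend. Point 5: the periodic sync worker lives here, so
    anyone embedding a DirectoryService gets it, not only the ApacheDS server."""
    sync_on_write: bool = True
    sync_period_ms: int = 15_000
    sync_count: int = 0          # how many times synch() has run
    _last_sync_ms: int = 0       # clock value of the last sync

    def synch(self) -> None:
        self.sync_count += 1     # stand-in for flushing the backend to disk

    def sync_worker_tick(self, now_ms: int) -> bool:
        """One iteration of the worker loop, driven by an explicit clock so
        it can be exercised deterministically. Returns True if a sync ran."""
        if not self.sync_on_write or now_ms - self._last_sync_ms < self.sync_period_ms:
            return False
        self._last_sync_ms = now_ms
        self.synch()
        return True


@dataclass(frozen=True)
class Transport:
    """Points 7 and 8: LDAP and LDAPS differ only by port and the SSL flag."""
    host: str
    port: int
    protocol: str = "tcp"
    ssl_enabled: bool = False
    keystore: Optional[str] = None   # must be set when ssl_enabled is True


@dataclass
class LdapServer:
    """Point 6: one server, one DirectoryService, one Transport per endpoint.
    allow_anonymous_access is stated once, here, not per service (point 4)."""
    directory_service: DirectoryService
    transports: List[Transport] = field(default_factory=list)
    allow_anonymous_access: bool = False


def validate(server: LdapServer) -> List[str]:
    """Configuration checks to run before any socket is bound."""
    problems: List[str] = []
    if not server.transports:
        problems.append("LdapServer has no transport")
    seen = set()
    for t in server.transports:
        endpoint = f"{t.host}:{t.port}/{t.protocol}"
        if not 1 <= t.port <= 65535:
            problems.append(f"{endpoint}: port out of range")
        if (t.host, t.port, t.protocol) in seen:
            problems.append(f"{endpoint}: bound twice")
        seen.add((t.host, t.port, t.protocol))
        if t.ssl_enabled and not t.keystore:
            problems.append(f"{endpoint}: SSL enabled but no keystore configured")
    return problems


def example_server() -> LdapServer:
    """The LDAP + LDAPS layout of point 7 on ApacheDS's usual default ports
    (10389 and 10636). The keystore path is a made-up value."""
    ds = DirectoryService()
    return LdapServer(ds, [
        Transport("0.0.0.0", 10389),
        Transport("0.0.0.0", 10636, ssl_enabled=True, keystore="/etc/apacheds/server.jks"),
    ])


if __name__ == "__main__":
    srv = example_server()
    print("problems:", validate(srv))
    # Drive the sync worker through 35 s of simulated time in 5 s steps.
    for now in range(0, 40_000, 5_000):
        srv.directory_service.sync_worker_tick(now)
    print("syncs performed:", srv.directory_service.sync_count)
```

The worker is written as a tick driven by an explicit clock rather than a thread with a sleep so that its behaviour can be asserted; a real worker would call sync_worker_tick() in a loop from a daemon thread that the DirectoryService starts and stops. Keeping the keystore on the Transport rather than on the server is what makes the "one transport per port, SSL on or off" model of point 8 self-describing: a transport that claims SSL without a keystore is caught at configuration time instead of at the first failed handshake.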

