[Freeipa-devel] "Commit comments log" functionality in IPA
John Dennis
jdennis at redhat.com
Thu Nov 6 17:39:55 UTC 2008
LDAP is not the right tool/technology for storing change log
information. Directories are optimized for particular uses, this is not
one of them. There is a reason why directories coexist with databases,
they solve different problems.

Changelog entries of the type you envision are not bound to a single
object in the directory, rather they are a logical unit of work which
may affect multiple directory entries. Which entries in the directory
are you going to tag with the comment?

This is really a problem which needs to be solved at a different level
and a different place. It is closely related to an audit problem. The
change needs to be given a transaction id which encapsulates the various
component changes and binds it with a comment and other meta data (e.g.
user id, timestamp, etc.). This is then logged somewhere (but not in the
directory). Audit analysis should be able to correlate the changelog
transaction with other auditable events (e.g. directory audit logs).

For now I would suggest the log destination be a file and to accommodate
structured information it should be written in XML. This might be a
reasonable feature for v2, anything beyond that should be postponed.
Just this limited functionality (write the changelog in xml) would meet
a lot of needs, get current v2 users used to providing changelog
information, provides a reasonable way to view the changelog, and we get
all this for not a lot of work (a heck of a lot less work than the other
ideas).

--
John Dennis <jdennis at redhat.com>
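
The proposal in the message above, sketched as an added example (not part of the original message and not FreeIPA code): one XML record per transaction id binding the changed entries to a comment, user id and timestamp, plus a correlation pass against directory audit events. The element names, the `build_entry` and `correlate` helpers, the pre-parsed audit event dicts and the 5-second window are all assumptions made for illustration.

```python
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

def build_entry(user, comment, changes, when, txn_id=None):
    """Bind every component change of one unit of work to a single transaction id."""
    txn = ET.Element("transaction", {          # element/attribute names are hypothetical
        "id": txn_id or str(uuid.uuid4()),
        "user": user,
        "timestamp": when.isoformat(),
    })
    # The comment is free text typed by an admin: let the serializer escape it
    # rather than concatenating strings, so it cannot forge extra records.
    ET.SubElement(txn, "comment").text = comment
    for dn, op in changes:
        ET.SubElement(txn, "change", {"dn": dn, "op": op})
    return ET.tostring(txn, encoding="unicode")

def correlate(entry_xml, audit_events, window=timedelta(seconds=5)):
    """Return audit events by the same user, on a changed DN, close in time."""
    txn = ET.fromstring(entry_xml)
    when = datetime.fromisoformat(txn.get("timestamp"))
    # Lower-casing is a simplified DN comparison, good enough for this sketch.
    dns = {c.get("dn").lower() for c in txn.findall("change")}
    return [e for e in audit_events
            if e["user"] == txn.get("user")
            and e["dn"].lower() in dns
            and abs(e["time"] - when) <= window]

# Constructed sample data (not real FreeIPA or directory server output).
T = datetime(2008, 11, 6, 17, 39, 55, tzinfo=timezone.utc)
USER_DN = "uid=jsmith,cn=users,dc=example,dc=com"
GROUP_DN = "cn=admins,cn=groups,dc=example,dc=com"
COMMENT = "Add jsmith to admins </transaction><transaction id='forged'> & approve"
ENTRY = build_entry("admin", COMMENT,
                    [(USER_DN, "modify"), (GROUP_DN, "modify")], T, txn_id="txn-0001")
AUDIT = [
    {"time": T + timedelta(seconds=1), "user": "admin", "dn": USER_DN},
    {"time": T + timedelta(seconds=2), "user": "admin", "dn": GROUP_DN.upper()},
    {"time": T + timedelta(seconds=2), "user": "other", "dn": USER_DN},
    {"time": T + timedelta(seconds=60), "user": "admin", "dn": USER_DN},
]

if __name__ == "__main__":
    print(ENTRY)
    for event in correlate(ENTRY, AUDIT):
        print("correlated:", event["time"].isoformat(), event["dn"])
```

The record lives outside the directory, so a single comment can cover changes to several entries, and the transaction id is the join key an audit review would use.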