[Freeipa-devel] "Commit comments log" functionality in IPA

John Dennis jdennis at redhat.com
Thu Nov 6 17:39:55 UTC 2008


LDAP is not the right tool/technology for storing change log 
information. Directories are optimized for particular uses, this is not 
one of them. There is a reason why directories coexist with databases, 
they solve different problems.

Changelog entries of the type you envision are not bound to a single 
object in the directory, rather they are a logical unit of work which 
may affect multiple directory entries. Which entries in the directory 
are you going to tag with the comment?

This is really a problem which needs to be solved at a different level 
and a different place. It is closely related to an audit problem. The 
change needs to be given a transaction id which encapsulates the various 
component changes and binds it with a comment and other meta data (e.g. 
user id, timestamp, etc.). This is then logged somewhere (but not in the 
directory). Audit analysis should be able to correlate the changelog 
transaction with other auditable events (e.g. directory audit logs).

For now I would suggest the log destination be a file and to accommodate 
structured information it should be written in XML. This might be a 
reasonable feature for v2, anything beyond that should be postponed. 
Just this limited functionality (write the changelog in XML) would meet 
a lot of needs, get current v2 users used to providing changelog 
information, provide a reasonable way to view the changelog, and we get 
all this for not a lot of work (a heck of a lot less work than the other 
ideas).

-- 
John Dennis <jdennis at redhat.com>
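The design sketched in the message above (one transaction id binding the several directory changes of a logical unit of work together with a comment, user id and timestamp, logged to a flat XML file outside the directory, and later correlated by id or by DN), as an added example. This is illustration code written for this page, not FreeIPA code; the record layout (`<transaction>`/`<change>`/`<attr>`), the function names and the sample DNs and comments are all constructed here.

```python
"""Changelog transactions logged as XML outside the directory.

Added example, not FreeIPA code: one logical change touching several LDAP
entries gets a single transaction id, a comment and metadata (user, timestamp),
is appended to a flat XML log file, and can later be correlated by id or DN.
The <transaction>/<change>/<attr> layout is an assumption made for this example.
"""
import os
import tempfile
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone


def build_transaction(user, comment, changes, txn_id=None, timestamp=None):
    """Bind several directory changes into one <transaction> element.

    changes: list of {"dn": str, "op": "add"|"modify"|"delete",
                      "attrs": {name: [values]}}   (constructed shape)
    """
    txn = ET.Element("transaction", {
        "id": txn_id or str(uuid.uuid4()),
        "user": user,
        "timestamp": (timestamp or datetime.now(timezone.utc)).isoformat(),
    })
    ET.SubElement(txn, "comment").text = comment
    for change in changes:
        elem = ET.SubElement(txn, "change", {"dn": change["dn"], "op": change["op"]})
        for name, values in change.get("attrs", {}).items():
            for value in values:
                ET.SubElement(elem, "attr", {"name": name}).text = value
    return txn


def serialize(txn):
    """One transaction as an XML fragment; ElementTree escapes <, > and &."""
    return ET.tostring(txn, encoding="unicode") + "\n"


def append_transaction(path, txn):
    """Append-only write: the file is a sequence of fragments, not one document."""
    with open(path, "a", encoding="utf-8") as fh:
        fh.write(serialize(txn))


def parse_log_text(text):
    """Wrap the fragments in a synthetic root so a newline inside a comment
    cannot break record boundaries, then flatten each transaction to a dict."""
    root = ET.fromstring("<changelog>" + text + "</changelog>")
    records = []
    for txn in root.findall("transaction"):
        changes = []
        for c in txn.findall("change"):
            attrs = {}
            for a in c.findall("attr"):
                attrs.setdefault(a.get("name"), []).append(a.text)
            changes.append({"dn": c.get("dn"), "op": c.get("op"), "attrs": attrs})
        records.append({
            "id": txn.get("id"),
            "user": txn.get("user"),
            "timestamp": txn.get("timestamp"),
            "comment": txn.findtext("comment"),
            "changes": changes,
        })
    return records


def read_log(path):
    with open(path, encoding="utf-8") as fh:
        return parse_log_text(fh.read())


def transactions_touching(records, dn):
    """Correlation helper: which transaction ids changed a given entry?"""
    return [r["id"] for r in records if any(c["dn"] == dn for c in r["changes"])]


def demo(path=None):
    """Log two constructed transactions and read them back (sample data only)."""
    if path is None:
        fd, path = tempfile.mkstemp(suffix=".xml")
        os.close(fd)
    user_dn = "uid=alice,cn=users,cn=accounts,dc=example,dc=com"
    group_dn = "cn=admins,cn=groups,cn=accounts,dc=example,dc=com"
    when = datetime(2008, 11, 6, 17, 39, 55, tzinfo=timezone.utc)
    # One unit of work that spans two entries: create the user, add to a group.
    append_transaction(path, build_transaction(
        "admin", "Onboard alice\nand grant admin", [
            {"dn": user_dn, "op": "add", "attrs": {"uid": ["alice"], "sn": ["Example"]}},
            {"dn": group_dn, "op": "modify", "attrs": {"member": [user_dn]}},
        ], txn_id="txn-0001", timestamp=when))
    # A comment containing characters that must be escaped in XML.
    append_transaction(path, build_transaction(
        "admin", "Rotate alice's shell <tmp> & cleanup", [
            {"dn": user_dn, "op": "modify", "attrs": {"loginShell": ["/bin/zsh"]}},
        ], txn_id="txn-0002", timestamp=when))
    return read_log(path)
```

Because the file is append-only and lives outside the directory, the usual audit-log controls apply to it rather than to LDAP ACIs: restrict write access to the service account, and treat the transaction id as the key when joining these records against the directory server's own access or audit logs.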



