[Freeipa-devel] "Commit comments log" functionality in IPA

Rich Megginson rmeggins at redhat.com
Thu Nov 6 17:55:38 UTC 2008


John Dennis wrote:
> LDAP is not the right tool/technology for storing change log 
> information. Directories are optimized for particular uses, this is 
> not one of them. There is a reason why directories coexist with 
> databases, they solve different problems.
The directory is already used for storing "change log" information.  It 
can be configured to record every single operation, along with a 
globally unique identifier for that operation, the timestamp, and the 
identity who made that change.  Replication in essence just replays this 
"change log".  Maybe I am misunderstanding what you mean by "change log" 
- could you define what you mean by that term?
> Changelog entries of the type you envision are not bound to a single 
> object in the directory, rather they are a logical unit of work which 
> may affect multiple directory entries. Which entries in the directory 
> are you going to tag with the comment?
That is a big problem for DS.  We have no way to create a transaction 
that spans several operations/entries.  There is an internet draft for 
LDAP transactions, and the IBM Tivoli DS supports them.

I'm not sure how the DS could know which operations to group - the user 
would necessarily have to provide a "transaction ID" for the change set 
either explicitly (as a separate attribute) or implicitly (if we 
supported transactions).
>
> This is really a problem which needs to be solved at a different level 
> and a different place. It is closely related to an audit problem. The 
> change needs to be given a transaction id which encapsulates the 
> various component changes and binds it with a comment and other meta 
> data (e.g. user id, timestamp, etc.). This is then logged somewhere 
> (but not in the directory). Audit analysis should be able to correlate 
> the changelog transaction with other auditable events (e.g. directory 
> audit logs).
The directory server already logs the raw data - we just need some way 
to collect it and group it.
>
> For now I would suggest the log destination be a file and to 
> accommodate structured information it should be written in XML.
The changelog db is easily convertible to LDIF - the DS audit log is in 
LDIF - LDIF is convertible to XML (we already have ldif2dsml tools).
> This might be a reasonable feature for v2, anything beyond that should 
> be postponed. Just this limited functionality (write the changelog in 
> xml) would meet a lot of needs, get current v2 users used to providing 
> changelog information, provides a reasonable way to view the 
> changelog, and we get all this for not a lot of work (a heck of a lot 
> less work than the other ideas).
>
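The grouping step sketched in the reply above (the DS already records every operation with its timestamp and modifier; a client-supplied transaction ID ties several operations into one change set; the grouped result can be rendered as XML) can be illustrated with a small script. This is an added example, not code from the thread, FreeIPA or 389 DS. It assumes a hypothetical operational attribute `changeSetId` (and an optional `changeSetComment`) that the client writes on each operation of the set; both names are assumptions. The audit-log sample is constructed in the shape of a 389 DS audit log, and the XML it emits is a simple ad-hoc layout, not DSML.

```python
"""Group audit-log operations into logical change sets keyed by a client-supplied ID.

Added example, not FreeIPA or 389 DS code. Assumes a hypothetical attribute
`changeSetId` (and optional `changeSetComment`) set explicitly by the client
on every operation that belongs to one logical unit of work.
"""
from collections import OrderedDict
import xml.etree.ElementTree as ET

# Constructed sample in the shape of a 389 DS audit log: a "time:" line, the
# target dn, a changetype, then LDIF modification blocks terminated by "-".
# Records are separated by a blank line.
SAMPLE_AUDIT_LOG = """\
time: 20081106175538
dn: uid=jdoe,ou=People,dc=example,dc=com
changetype: modify
replace: mail
mail: jdoe@example.com
-
replace: changeSetId
changeSetId: cs-0001
-
replace: changeSetComment
changeSetComment: move jdoe to new mail domain
-
replace: modifiersname
modifiersname: uid=admin,ou=People,dc=example,dc=com
-

time: 20081106175539
dn: cn=mailusers,ou=Groups,dc=example,dc=com
changetype: modify
add: member
member: uid=jdoe,ou=People,dc=example,dc=com
-
replace: changeSetId
changeSetId: cs-0001
-
replace: modifiersname
modifiersname: uid=admin,ou=People,dc=example,dc=com
-

time: 20081106180102
dn: uid=asmith,ou=People,dc=example,dc=com
changetype: modify
replace: telephoneNumber
telephoneNumber: +1 555 0100
-
replace: modifiersname
modifiersname: uid=helpdesk,ou=People,dc=example,dc=com
-
"""

# Attributes that describe the change set itself rather than the entry.
META_ATTRS = ("changesetid", "changesetcomment", "modifiersname")


def parse_audit_log(text):
    """Return one dict per operation: time, dn, changetype and a list of
    (modop, attr, [values]) triples, in log order."""
    ops = []
    for block in text.strip().split("\n\n"):
        op = {"mods": []}
        cur = None
        for line in block.splitlines():
            if line == "-":                      # end of one modification block
                if cur:
                    op["mods"].append(cur)
                cur = None
                continue
            key, _, value = line.partition(": ")
            if key in ("time", "dn", "changetype"):
                op[key] = value
            elif key in ("add", "replace", "delete"):
                cur = (key, value, [])
            elif cur and key.lower() == cur[1].lower():
                cur[2].append(value)              # a value for the current attribute
        if cur:
            op["mods"].append(cur)
        ops.append(op)
    return ops


def attr_value(op, name):
    """First value the operation writes to attribute `name`, or None."""
    for _, attr, values in op["mods"]:
        if attr.lower() == name.lower() and values:
            return values[0]
    return None


def group_change_sets(ops):
    """Group operations by changeSetId. Operations that carry no ID become
    singleton change sets keyed by time and dn, so nothing drops out of the audit."""
    sets = OrderedDict()
    for op in ops:
        cs_id = attr_value(op, "changeSetId") or "single:%s:%s" % (op["time"], op["dn"])
        cs = sets.setdefault(cs_id, {"id": cs_id, "comment": None, "modifiers": set(), "ops": []})
        comment = attr_value(op, "changeSetComment")
        if comment:
            cs["comment"] = comment
        who = attr_value(op, "modifiersname")
        if who:
            cs["modifiers"].add(who)             # more than one modifier per set is worth flagging
        cs["ops"].append(op)
    return list(sets.values())


def change_sets_to_xml(change_sets):
    """Serialize grouped change sets to a simple XML document (not DSML)."""
    root = ET.Element("changeSets")
    for cs in change_sets:
        el = ET.SubElement(root, "changeSet", id=cs["id"])
        if cs["comment"]:
            ET.SubElement(el, "comment").text = cs["comment"]
        for op in cs["ops"]:
            oel = ET.SubElement(el, "operation", time=op["time"], dn=op["dn"],
                                changetype=op["changetype"])
            who = attr_value(op, "modifiersname")
            if who:
                oel.set("modifier", who)
            for modop, attr, values in op["mods"]:
                if attr.lower() in META_ATTRS:
                    continue                     # already represented on the parent elements
                mel = ET.SubElement(oel, "mod", op=modop, attr=attr)
                for v in values:
                    ET.SubElement(mel, "value").text = v
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(change_sets_to_xml(group_change_sets(parse_audit_log(SAMPLE_AUDIT_LOG))))
```

Operations without the ID are deliberately kept as singleton change sets rather than discarded, so an audit reviewer can still correlate every logged operation; the `modifiers` set makes it easy to spot a change set whose operations were performed under more than one identity.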