[Freeipa-devel] "Commit comments log" functionality in IPA

Simo Sorce ssorce at redhat.com
Thu Nov 6 18:15:46 UTC 2008


Let's not make confusion, the change log we are talking about in this
thread is not the low level change log in DS. It is a very high level
log about why a (set of) operation(s) has been performed in IPA (and I
say IPA and not DS, because I believe it could span more than just
modifications in the Directory Server).

On Thu, 2008-11-06 at 10:55 -0700, Rich Megginson wrote:
> John Dennis wrote:
> > LDAP is not the right tool/technology for storing change log 
> > information. Directories are optimized for particular uses, this is 
> > not one of them. There is a reason why directories coexist with 
> > databases, they solve different problems.
> The directory is already used for storing "change log" information.  It 
> can be configured to record every single operation, along with a 
> globally unique identifier for that operation, the timestamp, and the 
> identity who made that change.  Replication in essence just replays this 
> "change log".  Maybe I am misunderstanding what you mean by "change log" 
> - could you define what you mean by that term?

See the title, it is a comment set interactively by a human operator on
the reasons why he did some high level operation.

> > Changelog entries of the type you envision are not bound to a single 
> > object in the directory, rather they are a logical unit of work which 
> > may affect multiple directory entries. Which entries in the directory 
> > are you going to tag with the comment?
> That is a big problem for DS.  We have no way to create a transaction 
> that spans several operations/entries.  There is an internet draft for 
> LDAP transactions, and the IBM Tivoli DS supports them.

This really goes beyond transactions. If I change 2 policies because
they are somewhat related I really do not need an LDAP transaction to
bind the 2 operations together.

> I'm not sure how the DS could know which operations to group - the user 
> would necessarily have to provide a "transaction ID" for the change set 
> either explicitly (as a separate attribute) or implicitly (if we 
> supported transactions).
> >
> > This is really a problem which needs to be solved at a different level 
> > and a different place. It is closely related to an audit problem. The 
> > change needs to be given a transaction id which encapsulates the 
> > various component changes and binds it with a comment and other meta 
> > data (e.g. user id, timestamp, etc.). This is then logged somewhere 
> > (but not in the directory). Audit analysis should be able to correlate 
> > the changelog transaction with other auditable events (e.g. directory 
> > audit logs).
> The directory server already logs the raw data - we just need some way 
> to collect it and group it.

Yes but that's at a completely different level.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
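As an added illustration of the model John sketches above (this is not code from the thread or from FreeIPA): a high-level change set kept outside the directory, bound by a transaction id that each directory operation also carries as an explicit attribute, and the audit correlation run over constructed sample events. The record layout and field names are assumptions for the example, not 389 DS's real log syntax.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class ChangeSet:
    """High-level record kept outside the directory: who did a set of
    operations, when, and why, bound together by one transaction id."""
    txn_id: str
    operator: str
    timestamp: str
    comment: str


# Constructed sample change set (not real IPA data).
CHANGE_SETS = [
    ChangeSet("txn-7f3a", "uid=admin,cn=users,cn=accounts,dc=example,dc=com",
              "2008-11-06T18:00:00Z",
              "Tighten both password policies after the quarterly review"),
]

# Constructed per-operation audit events, modelled on what a directory
# server records for each write (operation id, time, type, target, bind
# identity). txn_id is the explicit "transaction ID" attribute proposed in
# the thread; op-103 lacks it and op-104 carries one nobody commented on.
AUDIT_EVENTS = [
    {"op_id": "op-101", "time": "2008-11-06T18:00:02Z", "type": "MOD",
     "dn": "cn=global_policy,cn=policies,dc=example,dc=com", "txn_id": "txn-7f3a"},
    {"op_id": "op-102", "time": "2008-11-06T18:00:03Z", "type": "MOD",
     "dn": "cn=admins,cn=policies,dc=example,dc=com", "txn_id": "txn-7f3a"},
    {"op_id": "op-103", "time": "2008-11-06T18:07:41Z", "type": "MOD",
     "dn": "uid=jdoe,cn=users,cn=accounts,dc=example,dc=com"},
    {"op_id": "op-104", "time": "2008-11-06T18:09:10Z", "type": "DEL",
     "dn": "cn=legacy,cn=policies,dc=example,dc=com", "txn_id": "txn-9c1e"},
]


def group_by_txn(events: List[dict]) -> Dict[str, List[dict]]:
    """Group low-level audit events by the transaction id they carry
    (events without one land under the empty key)."""
    groups: Dict[str, List[dict]] = {}
    for ev in events:
        groups.setdefault(ev.get("txn_id", ""), []).append(ev)
    return groups


def correlate(change_sets: List[ChangeSet], events: List[dict]) -> List[dict]:
    """Join each human-written comment to the directory entries it explains."""
    groups = group_by_txn(events)
    return [{"txn_id": cs.txn_id, "operator": cs.operator, "comment": cs.comment,
             "dns": [ev["dn"] for ev in groups.get(cs.txn_id, [])]}
            for cs in change_sets]


def unexplained(change_sets: List[ChangeSet], events: List[dict]) -> List[str]:
    """Operation ids whose txn_id matches no recorded comment: the case an
    auditor most wants flagged (a change with no reason on record)."""
    known = {cs.txn_id for cs in change_sets}
    return [ev["op_id"] for ev in events if ev.get("txn_id") not in known]
```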
