[Freeipa-devel] [PATCH] Add group plugin port to new LDAP backend.
Pavel Zuna
pzuna at redhat.com
Fri May 15 10:35:23 UTC 2009
Jason Gerard DeRose wrote:
> On Thu, 2009-05-14 at 19:06 -0400, Simo Sorce wrote:
>> On Thu, 2009-05-14 at 13:59 -0600, Jason Gerard DeRose wrote:
>>>> When no attributes to retrieve are specified, python-ldap retrieves
>>> them all in
>>>> the original form - camel case. If we specify them, then it returns
>>> them in the
>>>> same form as we requested them. The new LDAP backend doesn't use
>>> CIDicts
>>>> anymore, but only the normal python dict type, so everything is case
>>> sensitive.
>>>> Of course I can make it return attribute names always as lowercase
>>> if that's
>>>> what we want.
>>> +1. I personally think this is the best approach.
>>
>> I would seriously prefer case-insensitive dictionaries unless there is
>> some strong technical/performance reason not to.
>
> Yes, there is. We want the processing pipeline to use
> least-common-denominator data types so that it's easy glue in existing
> tools, libraries, extension modules, etc. Some libraries/extensions
> that expect a dict might fail if passed a CIDict. And they certainly
> wont know to return our special CIDict.
>
> I also use the (*args, **kw) calling semantics often in the pipeline,
> which will cause our CIDict to disappear the first time it's passed as
> **keyword arguments.
>
> And there will be a performance hit in the Python code as I used/abused
> the dict type extensively in order to keep the processing pipeline
> generic and flexible. The builtin dict type is implemented in C and is
> very fast... but as soon as we subclass it and start overriding methods,
> that performance gets blown out the window big time. I'd have to do
> some benchmarks, but my shoot from the hip guess is that operations on
> the CIDict are probably in the ballpark of 50 times slower than
> operations on the builtin dict. Although I personally feel the above
> least-common-denominator issue is a more important reason not to use the
> CIDict.
>
>> The point is that LDAP *is* case insensitive for attribute names, and we
>> are going to hit bugs (like we did before we had CIDIcts) if we do not
>> acknowledge this fact and try to ignore it or dumb it down.
>
> There is no reason using lowercase keys will cause bugs. In fact, it
> will reduce the chances for them. Direct interaction with LDAP only
> occurs within the Backend.ldap plugin. All the ldap plugin has to do is
> lowercase the keys of entries it pulls. By putting this small amount of
> babysitting in the ldap plugin, we prevent unexpected corner cases from
> exploding out into the other 95% of the code. And we make it much
> easier for existing code-bases to integrate with IPA. IHMO, this is
> without a doubt the simplest and most maintainable approach.
>
>> If we are ever going to provide an ldap browser for example it would be
>> strongly desirable to show attributes and values in the same case they
>> were returned by the LDAP server.
>
> This use case, while interesting, is also an odd ball... IPA, correct me
> if I'm wrong, is largely designed to hide the LDAP details.
>
> We could always change the Backend.ldap methods to accept a flag to
> preserve the case for special consumers like an LDAP browser. But
> there's no reason to complicate the rest of the code (which is also the
> great majority of the code) by making this the default, IHMO.
Take a look at the Encoder class I posted on freeipa-devel yesterday.
It's far from perfect, but it could solves some of these issues. By
default, 'decode_postprocessor' will be set to 'string.lower()' in the
LDAP backend and postprocessing will be active for keys only (case of
values will remain untouched). If a consumer wants to switch
postprocessing off and get the original case, it can do so before making
the backend call. The only possible problem I can see at the moment is
that these settings are effective for the whole backend and probably not
thread-safe (one plugin changing the setting for all other plugins using
the backend at the same time).
>> So do we have a strong technical case for why we can't keep using
>> CIDicts ?
>
> By the way, as far as I know, CIDicts aren't being used at all in the v2
> codebase. They've never been part of the plugin architecture and I
> don't think they've been used in any of the plugins.
>
>> Simo.
>
> So there's my two cents. Now the question is, did I convenience
> you? ;)
>
> -Jason
>
Pavel
More information about the Freeipa-devel
mailing list