9:07 a.m.
On 09/12/2011 08:41 AM, Stephen Gallagher wrote:
I'm starting to implement the "multiple search bases"
feature requested
in https://fedorahosted.org/sssd/ticket/868
I want a bit of input on my design (Original text at
https://fedorahosted.org/sssd/wiki/DesignDocs/MultipleSearchBases
I don't expect there to be any disagreements about the individual lookup
case, but I'm not sure if there will be contention around the
enumeration decisions. Recommendations are welcome.
== Purpose ==
Some deployments use search bases to limit or extend the set of users
and groups visible to a system.
One common example is for applications granting access only to users in
a hard-coded group name. In this case, the group search base would
generally be set differently for each machine running this application.
Other machines running the same application providing access to other
users would receive a different "view" of LDAP through the use of search
bases.
== Expected Behavior ==
=== Individual Lookups ===
For targeted lookups (e.g. getpwuid(), getgrnam()) we should try each of
the search bases in order until one of them returns the entry we are
looking for, or we have exhausted all of the search bases. Each search
will be performed with the search scope provided.
=== Enumeration ===
For enumeration, we will need to iterate through ALL search bases to
retrieve users, groups, etc. For each search base, we need to examine
each entry retrieved and compare it against the entries received from
earlier search bases. If there are conflicts, we will discard the
conflicting value from the later search base. (Therefore the entry in
the earlier search bases will always win.
I am not sure we should pre-match anything and sort duplicates.
We should put fetched data into the cache right away as a result of one
search and then do the second search following the same logic and so on.
If we encounter a duplicate i.e. a full duplicate of a user we just
updated (same user) we should just skip it. If we find a collision
meaning we found a user with same id but different name or vice verse
(same with group) we should report and skip. This is a misconfiguration
and admin should sort his domain out.
== Implementation ==
We will extend the ldap_*_search_base options to support behavior
similar to that of nss_base_passwd and nss_base_group from nss-ldapd.
Is it a literal * or it is a placeholder?
In either case I do not like an approach. IMO the key names should be
predefined.
May be use:
ldap_search_base_multi = triplet, triplet, triplet
The standard search base (ldap_search_base will be left alone as a
single value with scope "subtree".
The new ldap_*_search_base options will include a new delimiter, '?'. If
this is present, we will divide the string up into triples as follows:
search_base?scope?filter[?search_base?scope?filter...]
Alternatively you can add sub sections to the ldap provider (we alread
yuse this approach with domains and providers, I do not see why we
should deviate in this case too)
ldap_search_base_multi = section1, section2, section3
[.../default/ldap_search/section1]
ldap_search_base = x
ldap_search_filter = y
ldap_search_scope = z
[.../default/ldap_search/section2]
ldap_search_base = x
ldap_search_filter = y
ldap_search_scope = z
It will be easier to parse, more structured and readable and with such
organization you can extend the current search filter leaving it (if
specified) to be the first search filter to use.
In addition if the grammar validation is ever implemented we would be
able to apply the rules to such config. If we go with the original
proposal the ini validation would not be usable.
=== Parsing ===
We will split the input string on the '?' delimiter. If the resulting
array is exactly one, or is a multiple of three, we will continue.
Otherwise it will fail validation.
That would not be needed in the approach above.
The scope must be one of 'subtree', 'onelevel' or
'base' (case-insensitive).
The filter will be optional and may be a zero-length string. The filter
must be pre-sanitized and must pass filter validation with
ldb_parse_tree()
_______________________________________________
sssd-devel mailing list
sssd-devel(a)lists.fedorahosted.org
https://fedorahosted.org/mailman/listinfo/sssd-devel
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IPA project,
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/