LDAP vs Dbase semantics - Ivan Gyurdiev

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Ivan Gyurdiev <ivg2@cornell.edu>
To: SELinux List <SELinux@tycho.nsa.gov>
Cc: Joshua Brindle <jbrindle@tresys.com>, Daniel J Walsh <dwalsh@redhat.com>
Subject: LDAP vs Dbase semantics
Date: Fri, 20 Jan 2006 05:00:00 -0700	[thread overview]
Message-ID: <43D0D0C0.7030603@cornell.edu> (raw)
In-Reply-To: <43CE880B.3020908@cornell.edu>

I am looking at LDAP, and I don't like it so far...

Apparently it doesn't support transactions, one of the things expected 
and assumed of a semanage dbase backend. According to the OpenLDAP 
roadmap, they will support LDAPv3 extensions, including "LDAP 
transactions" in 2006 Q1. Please correct me if this is wrong, and I've 
missed transactions somewhere...

So.... that creates lots of problems. How do we handle modifications?
We can fetch all the data in a local copy, work on it, then send it back 
(ignoring the fact that the flush() operation might fail in an 
irreversable way). That seems like a bad idea, because it eliminates our 
ability to use the LDAP read optimizations. We're replacing a server 
with some dumb local-store solution, like the linked list thing, which 
is the worst data structure possible.

Alternatively we can store deltas (user requests for change), and then 
on flush() we can try to apply them all. That creates its own set of 
problems, because current semantics are that semanage changes are 
immediately visible in the dbase they're applied to (not so in the case 
of storing deltas, not unless we apply them on every read request). 
Furthermore, this increases the possibility of failure, since the client 
can easily generate an invalid sequence of requests, and none of them 
will get verified until flush(), not even something simple like "does 
the user exist"). I.E. rquests 1-55 passed, 56 failed, because the 
client did something wrong, now we have to _try_ to reverse the other 55 
(if we have enough info to do so).

Hmm....

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

next prev parent reply	other threads:[~2006-01-20 12:00 UTC|newest]

Thread overview: 8+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2006-01-18 18:25 Seusers vs ldap Ivan Gyurdiev
2006-01-18 18:37 ` Daniel J Walsh
2006-01-18 21:13   ` Joshua Brindle
2006-01-20  8:52     ` Ivan Gyurdiev
2006-01-20 13:10       ` Joshua Brindle
2006-01-20 13:25         ` Ivan Gyurdiev
2006-01-20 12:00 ` Ivan Gyurdiev [this message]
2006-01-20 12:13   ` LDAP vs Dbase semantics Ivan Gyurdiev

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=43D0D0C0.7030603@cornell.edu \
    --to=ivg2@cornell.edu \
    --cc=SELinux@tycho.nsa.gov \
    --cc=dwalsh@redhat.com \
    --cc=jbrindle@tresys.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.