[OpenAFS] Ldap & AFS

Derrick J Brashear shadow@dementia.org
Fri, 11 Oct 2002 21:40:56 -0400 (EDT)


On Fri, 11 Oct 2002, Tim C. wrote:

>   Unfortunately I was unable to attend the conference.  However, I do have some
> opinions on this. :^}  Having the pts information stored in an LDAP server
> would provide a significant benefit.  One is the ability to integrate with a
> larger system.  We have spent a significant amount of money building a
> replicated ldap server setup.  It would be great to be able to use that to
> control the AFS pts information.  Also it would be very helpful to have all the
> information in one place.

Yeah, whereas you can throw any tired old piece of crap into service as an
AFS dbserver and let it replicate pts, and it's almost free ;-)

>   You've already stated that it shouldn't be too difficult to make ldap be used
> for the pt database, but the pt database couldn't be used for account
> management.

i argued before and do still that it's not that simple, because the
ptserver is optimized to be used by the fileserver, particularly the CPS
operations, so unless you're very careful how you do this, you'll be sad.

i will confess to not having looked terribly hard at the effort needed to
do it, because i find ldap to be unnecessarily complex, and because i find
that it's just not easier to take a system that isn't simple (afs) and
involve in it a system which is more complicated and as it seems to me,
less stable (openldap as deployed at carnegie mellon). i may be being
unfair, or we may just have bad luck.

my opinion is that something which uses pt_util, ptclient, or some
combination of tools to manage the ptserver database based on operations
to the ldap server would be less painful than a ptserver ldap backend, but
again, my opinion.

> Just my two cents.  Anyone else agree, disagree, have other ideas on this?

how you run your systems is your business, so i'm not going to tell you
"you're wrong". if someone writes the necessary support it will 99.9%
likely be integrated, basically as long as it doesn't break non-ldap-pts
people.
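A sketch of the "tools driving the ptserver from LDAP" approach Derrick describes, as an added example that is neither OpenAFS code nor part of the thread: it parses a constructed LDIF dump and constructed `pts membership` output, then emits the `pts` commands that would bring the pts groups in line with LDAP, executing nothing. The group names, the LDAP schema (posixGroup with memberUid) and pts ownership conventions (the owner: prefix pts requires of non-admin group creators) are assumptions about site policy.

```python
"""One-way reconciliation LDAP -> pts, expressed as a plan of pts commands.

Added example, not OpenAFS code. The ptserver stays authoritative for the
fileservers; this only computes what an administrator's sync job would run.
"""

# Constructed LDIF, in the shape `ldapsearch -LLL` prints for posixGroup entries.
SAMPLE_LDIF = """\
dn: cn=sysadmins,ou=Groups,dc=example,dc=org
cn: sysadmins
memberUid: alice
memberUid: bob

dn: cn=web,ou=Groups,dc=example,dc=org
cn: web
memberUid: carol
"""

# Constructed `pts membership <group>` output; None stands for "group not found".
SAMPLE_PTS = {
    "sysadmins": "Members of sysadmins (id: -301) are:\n  alice\n  dave\n",
    "web": None,
}


def parse_ldif_groups(ldif):
    """Map each entry's cn to the set of its memberUid values."""
    groups = {}
    for entry in ldif.strip().split("\n\n"):
        attrs = {}
        for line in entry.splitlines():
            key, _, value = line.partition(": ")
            attrs.setdefault(key, []).append(value)
        groups[attrs["cn"][0]] = set(attrs.get("memberUid", []))
    return groups


def parse_pts_membership(output):
    """Members listed after the 'Members of ... are:' header; None if missing."""
    if output is None:
        return None
    return {line.strip() for line in output.splitlines()[1:] if line.strip()}


def plan_sync(ldap_groups, pts_outputs):
    """Ordered pts commands (as argv lists) that reconcile pts with LDAP."""
    cmds = []
    for group, wanted in sorted(ldap_groups.items()):
        current = parse_pts_membership(pts_outputs.get(group))
        if current is None:  # group absent in pts: create it, then populate it
            cmds.append(["pts", "creategroup", "-name", group])
            current = set()
        for user in sorted(wanted - current):
            cmds.append(["pts", "adduser", "-user", user, "-group", group])
        for user in sorted(current - wanted):  # in pts but no longer in LDAP
            cmds.append(["pts", "removeuser", "-user", user, "-group", group])
    return cmds
```

Printing each list with `" ".join(cmd)` gives a dry-run script to review before anything touches the ptserver.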