[OpenAFS] Re: LDAP backend for PTS?

Andrew Deason adeason@sinenomine.net
Fri, 20 Nov 2009 10:25:19 -0600


On Fri, 20 Nov 2009 13:12:40 +0100
Holger Rauch <holger.rauch@empic.de> wrote:

> Hi Andrew,
> 
> thanks for your reply.
> 
> On Tue, 17 Nov 2009, Andrew Deason wrote:
> 
> > [...] 
> > Do you mean a way of storing ptserver data in an LDAP backend? Or a
> > way to query ptserver information via LDAP queries?
> 
> Both, actually.

These are mutually exclusive, though I didn't phrase them well. You have
two options: you either make the ptserver use LDAP as its backend
instead of the current OpenAFS-specific db format on disk, or you modify
the LDAP server to be a 'gateway' to the ptdb, and interpret certain
LDAP requests as ptdb requests, and forward the request to the ptdb.

The latter is probably easier, though there may be a couple of issues
with the proper authorization for modifying the ptdb data...

(Actually, there are at least 4 options, which Marcus described; but
those 2 options were the ones I was talking about)

> > [...] When I wanted something like this, I
> > just set up something to sync an LDAP subtree to match what was in
> > the ptdb every so often (and triggered by a 'pts' wrapper, as well).
> 
> Could you please be a bit more specific? Are you talking about
> shell/Perl/etc. scripts?

Yes, I'm talking about a Perl script that just reads ptdb information,
and modifies the LDAP data in a certain subtree to represent the same
data.

As Marcus said, this is rather "low-tech". A more efficient solution
would be modifying the ptserver to just send the specific modifications
for each RPC to the LDAP server, but that requires a bit more work.

Oh, and this is also 'one-way'. It only syncs from the ptdb to LDAP; not
the other way around.

> Would you be willing to share them?

If you _really_ want it, yeah. That particular script is not very well
written (by me), and is fragile and ugly. I wouldn't recommend just
running it blindly without at least reading through it to see if there are
ways you want to make it more robust.

I'll find it and get it to you sometime over the weekend.

-- 
Andrew Deason
adeason@sinenomine.net
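
The one-way ptdb-to-LDAP sync described in this message, sketched as an added example (in Python; it is not the Perl script from the thread and not OpenAFS code): given ptdb group data and the current contents of the mirror subtree, it plans the LDIF changes that make LDAP match, so anything edited only on the LDAP side is reverted. The posixGroup/memberUid/gidNumber mapping, the base DN and the sample data are assumptions; reading the ptdb and applying the LDIF are left to the caller.

```python
# Added example, not the script from this thread. The schema mapping (posixGroup,
# memberUid, gidNumber), BASE_DN and the sample data are assumptions.
BASE_DN = "ou=ptsmirror,dc=example,dc=org"  # hypothetical mirror subtree

def escape_rdn(value):
    """Escape an RDN value (RFC 4514) so a ptdb name cannot change the DN."""
    chars = ["\\" + c if c in ',+"\\<>;=' else c for c in value]
    if chars and chars[0] in ("#", " "):
        chars[0] = "\\" + chars[0]
    if chars and chars[-1] == " ":
        chars[-1] = "\\ "
    return "".join(chars)

def ldif_safe(value):
    """Reject values that need base64 in LDIF (RFC 2849) or could inject lines."""
    if (not value or value[0] in " :<" or value[-1] == " "
            or any(not 32 <= ord(c) < 127 for c in value)):
        raise ValueError(f"unsafe value for plain LDIF: {value!r}")
    return value

def plan_sync(ptdb, ldap):
    """ptdb: {group: (pts_id, {members})}; ldap: {cn: {memberUid values}}.
    Returns LDIF change records that make the subtree match ptdb (ptdb wins)."""
    records = []
    for name in sorted(ptdb):
        gid, members = ptdb[name]
        dn = f"dn: cn={escape_rdn(ldif_safe(name))},{BASE_DN}"
        if name not in ldap:  # group missing from the mirror: create it
            lines = [dn, "changetype: add", "objectClass: posixGroup",
                     f"cn: {name}", f"gidNumber: {gid}"]
            lines += [f"memberUid: {ldif_safe(m)}" for m in sorted(members)]
        else:  # group present: converge membership, dropping LDAP-only edits
            add, drop = sorted(members - ldap[name]), sorted(ldap[name] - members)
            if not (add or drop):
                continue
            lines = [dn, "changetype: modify"]
            for op, vals in (("add", add), ("delete", drop)):
                if vals:
                    lines += [f"{op}: memberUid", *(f"memberUid: {ldif_safe(v)}" for v in vals), "-"]
        records.append("\n".join(lines))
    for name in sorted(set(ldap) - set(ptdb)):  # exists only in LDAP: delete
        records.append(f"dn: cn={escape_rdn(ldif_safe(name))},{BASE_DN}\nchangetype: delete")
    return records

if __name__ == "__main__":
    # Constructed sample state, not real data.
    ptdb = {"staff": (-210, {"alice", "bob"}), "system:administrators": (-204, {"admin"})}
    ldap = {"staff": {"alice", "mallory"}, "oldgroup": {"carol"}}
    print("\n\n".join(plan_sync(ptdb, ldap)))
```

Because the plan deletes whatever the ptdb does not contain, the account that applies it needs write access to the mirror subtree only, and nothing else should be stored under that base DN.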