[Freeipa-devel] "Commit comments log" functionality in IPA

Dmitri Pal dpal at redhat.com
Thu Nov 6 18:58:56 UTC 2008


John Dennis wrote:
> LDAP is not the right tool/technology for storing change log 
> information. Directories are optimized for particular uses, this is 
> not one of them. There is a reason why directories coexist with 
> databases, they solve different problems.
>
> Changelog entries of the type you envision are not bound to a single 
> object in the directory, rather they are a logical unit of work which 
> may affect multiple directory entries. Which entries in the directory 
> are you going to tag with the comment?
>

The ones we decide.


> This is really a problem which needs to be solved at a different level 
> and a different place. It is closely related to an audit problem. The 
> change needs to be given a transaction id which encapsulates the 
> various component changes and binds it with a comment and other meta 
> data (e.g. user id, timestamp, etc.). This is then logged somewhere 
> (but not in the directory). Audit analysis should be able to correlate 
> the changelog transaction with other auditable events (e.g. directory 
> audit logs).
>

As I said in another response, I would have explored the audit path if the 
audit server had been available at the moment. Unfortunately it 
is not, and I doubt it will be capable of this kind of functionality in the 
reasonable future (v2, maybe even v3).

> For now I would suggest the log destination be a file and to 
> accommodate structured information it should be written in XML. This 
> might be a reasonable feature for v2, anything beyond that should be 
> postponed. 
If you store it in a file, how do you replicate it? If we reuse the DS to 
replicate it, we would still have to use a plugin and we will be 
replicating the whole file. If we do not replicate it, it won't be 
transparently available when it is needed by the UI.

> Just this limited functionality (write the changelog in xml) would 
> meet a lot of needs, 
I doubt it would in the form you suggest.

> get current v2 users used to providing changelog information, provides 
> a reasonable way to view the changelog, and we get all this for not a 
> lot of work (a heck of a lot less work than the other ideas).
>


Thanks
Dmitri
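
The transaction-scoped changelog record proposed in the quoted text above (one transaction id binding the affected entries to a comment, user id and timestamp, written as XML to a file and later correlated with audit events), as an added example that is not part of the original message or of FreeIPA. The element names, the one-record-per-line layout, the 30-second matching window and the already-parsed audit events are assumptions; the sample data is constructed.

```python
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Element and attribute names are hypothetical; the thread defines no schema.
def build_record(user, comment, dns, when, txn_id=None):
    """One <change> element binding a comment to every entry in the unit of work."""
    rec = ET.Element("change", {"txn": txn_id or str(uuid.uuid4()),
                                "user": user, "time": when.isoformat()})
    ET.SubElement(rec, "comment").text = comment  # markup is escaped on output
    for dn in dns:
        ET.SubElement(rec, "entry", {"dn": dn})
    return rec

def append_record(path, rec):
    """Append one record per line; raw CR/LF in the comment become char refs."""
    line = ET.tostring(rec, encoding="unicode")
    line = line.replace("\r", "&#13;").replace("\n", "&#10;")
    with open(path, "a", encoding="utf-8") as fh:
        fh.write(line + "\n")

def load_records(path):
    with open(path, encoding="utf-8") as fh:
        return [ET.fromstring(ln) for ln in fh if ln.strip()]

def correlate(rec, audit_events, window=timedelta(seconds=30)):
    """Audit events by the same user, on an entry in the record, near its time."""
    t0 = datetime.fromisoformat(rec.get("time"))
    dns = {e.get("dn").lower() for e in rec.findall("entry")}  # simplified DN match
    return [ev for ev in audit_events
            if ev["user"] == rec.get("user")
            and ev["dn"].lower() in dns
            and abs(ev["time"] - t0) <= window]

# Constructed sample: audit events assumed already parsed into dicts.
T0 = datetime(2008, 11, 6, 18, 0, 0, tzinfo=timezone.utc)
JDOE = "uid=jdoe,cn=users,dc=example,dc=com"
EDITORS = "cn=editors,cn=groups,dc=example,dc=com"
SAMPLE_AUDIT = [
    {"time": T0 + timedelta(seconds=1), "user": "admin", "dn": JDOE},
    {"time": T0 + timedelta(seconds=2), "user": "admin", "dn": EDITORS},
    {"time": T0 + timedelta(seconds=2), "user": "other", "dn": JDOE},  # wrong user
    {"time": T0 + timedelta(hours=1), "user": "admin", "dn": JDOE},    # too late
]
```

The audit events carry no transaction id here, so the match falls back to user, entry and time; a wider window catches more of the unit of work and also more unrelated changes.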



