[Freeipa-devel] LDAP schema for DNSSEC keys

Jan Cholasta jcholast at redhat.com
Mon May 5 12:55:07 UTC 2014


On 5.5.2014 10:45, Ludwig Krispenz wrote:
> Hi Petr,
>
> On 05/02/2014 08:48 PM, Petr Spacek wrote:
>> On 1.5.2014 16:10, Rich Megginson wrote:
>>> On 04/30/2014 10:19 AM, Petr Spacek wrote:
>>>>  - We need to decide about object naming:
>>>>   - One obvious option for the RDN is to use uniqueID, but I don't like
>>>> it. It is hard to read for humans.
>>>>   - The other option is to use uniqueID+PKCS#11 label or other
>>>> attributes to make it more readable. Can we use a multi-valued RDN?
>>>> If not, why? What are the technical reasons behind it?
>>>
>>> I would encourage you not to use multi-valued RDNs.  There aren't any
>>> technical reasons - multi-valued RDNs are part of the LDAP standards
>>> and all
>>> conforming LDAP implementations must support them.  However, they are
>>> hard to
>>> deal with - you _must_ have some sort of DN class/api on the client
>>> side to
>>> handle them, and not all clients do - many clients expect to be able
>>> to just
>>> do dnstr.lower() == dnstr2.lower() or possibly do simple escaping.
>>>
>>> As far as being human readable - the whole goal is that humans
>>> _never_ have to
>>> look at a DN.  If humans have to look at and understand a DN to
>>> accomplish a
>>> task, then we have failed.
>> I agree, users should not see them. I want to make life easier for
>> administrators and developers *debugging* it.
>>
>> I have been facing UUID-only logs and a UUID-only database in oVirt for
>> more than a year now and I can tell you that it is horrible, horrible,
>> horrible. It is a PITA when I have to debug something in oVirt because I
>> have to search for UUIDs all the time. I want to scream and jump out of
>> the window when I see a single log line with 4 or more different UUIDs... :-)
>>
>>> Has the DogTag team reviewed this proposal?  Their data storage and
>>> workflows
>>> are similar.
>> That is a very good point! Nathan, could somebody from the DS team (maybe
>> somebody involved in the Password Vault) review this "vault without Vault"?
>>
>> Thank you!
>>
>>>> It is a question of whether we like:
>>>>  nsUniqID = 0b0b7e53-957d11e3-a51dc0e5-9a05ecda
>>>>  nsUniqID = 8ae4190d-957a11e3-a51dc0e5-9a05ecda
>>>> more than:
>>>>  ipk11Label=meaningful_label+ipk11Private=TRUE
>>>>  ipk11Label=meaningful_label+ipk11Private=FALSE
> There are two goals for choosing the naming attribute(s): they have to
> be unique in a level of the DIT and they should be meaningful/readable.
> I agree with Rich that technically nothing excludes multi-valued RDNs,
> but it could make things complicated for clients and in my opinion it does
> not increase readability.
> In your case:
> - are there really two entries with the same ipk11Label, one private, one
> not? Not all info has to be in the RDN, so you could use ipk11Label as
> the naming attribute
> - couldn't you just use another attribute as the naming attribute, where
> you are free to put in what you want, e.g. cn="<ipk11Label>(True)"
> - we did define an ipk11UniqueId to be used as the naming attribute for
> storage objects, but there are no definitions on its structure; you could
> use it as you like as long as it is unique (it could be unique and
> meaningful and readable)

+1 on the last suggestion

Honza

-- 
Jan Cholasta
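An added example (not code from the thread or from FreeIPA) illustrating Rich's point: the same multi-valued RDN from the proposal can be written with its components in either order, so the `dnstr.lower() == dnstr2.lower()` comparison many clients do gives a false negative, while a DN-aware comparison that sorts the attribute/value pairs within each RDN gets it right. The container DN below the RDN (`cn=keys,dc=example,dc=com`) is a constructed placeholder.

```python
# Added example, not code from the thread: why multi-valued RDNs need a
# DN-aware comparison instead of dnstr.lower() == dnstr2.lower().  Minimal
# normalizer for the cases that matter here, not a full RFC 4514 parser
# (no hex pairs or #-prefixed BER values).

def _split_unescaped(s: str, sep: str) -> list[str]:
    """Split s on sep, ignoring separators preceded by a backslash."""
    parts, cur, i = [], [], 0
    while i < len(s):
        c = s[i]
        if c == "\\" and i + 1 < len(s):     # keep the escape pair intact
            cur.append(c + s[i + 1])
            i += 2
            continue
        if c == sep:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(c)
        i += 1
    parts.append("".join(cur))
    return parts

def normalize_dn(dn: str) -> tuple:
    """Canonical form: each RDN becomes a sorted tuple of (type, value) pairs,
    so 'a=1+b=2' and 'b=2+a=1' compare equal, as the LDAP standards require."""
    rdns = []
    for rdn in _split_unescaped(dn, ","):
        avas = []
        for ava in _split_unescaped(rdn, "+"):
            typ, _, val = ava.partition("=")
            # attribute types are case-insensitive; the values used here are
            # compared case-insensitively too, so lower both for comparison
            avas.append((typ.strip().lower(), val.strip().lower()))
        rdns.append(tuple(sorted(avas)))
    return tuple(rdns)

def dn_equal(a: str, b: str) -> bool:
    return normalize_dn(a) == normalize_dn(b)

def naive_equal(a: str, b: str) -> bool:
    """What many clients do; gives a false negative for DN_A vs DN_B."""
    return a.lower() == b.lower()

# The thread's multi-valued RDN written in two component orders; the
# container DN below it is a constructed placeholder.
DN_A = "ipk11Label=meaningful_label+ipk11Private=TRUE,cn=keys,dc=example,dc=com"
DN_B = "ipk11Private=TRUE+ipk11Label=meaningful_label,cn=keys,dc=example,dc=com"

if __name__ == "__main__":
    print(naive_equal(DN_A, DN_B), dn_equal(DN_A, DN_B))  # False True
```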
