[glue-wg] LDAP rendering document: new version as an outcome of Lund review
Laurence Field
Laurence.Field at cern.ch
Mon Jun 18 03:46:50 EDT 2012
On 06/17/2012 12:43 PM, stephen.burke at stfc.ac.uk wrote:
>
> 2) Queries do of course need to know the base DN, but there is no need for it to be hard-coded, it can e.g. be passed in an environment variable or derived from the information system itself. Hence for example we can have code which can query either a site BDII or a top BDII simply by passing a different base DN.
>
This is a key aspect for the current information system. The base DN is
difficult to change. What we have so far deployed is:
Top: GLUE2GroupID=grid,o=glue
Site: GLUE2DomainID=CERN-PROD,o=glue
Resource: GLUE2GroupID=resource,o=glue
There is also the concatenation rule on how we go from distributed trees
to a single tree.
GLUE2GroupID=resource,GLUE2DomainID=CERN-PROD,GLUE2GroupID=grid,o=glue
Once these are deployed, it almost becomes impossible to change. It is
for this reason we have been using mds-vo-name=local,o=grid for the past
10 years in GLUE 1.3! With OpenLDAP 2.4 it may be possible to migrate, as
we can configure LDAP redirects.
The bind points and concatenation rule were discussed over 2 years ago
as part of the implementation. At the time it was agreed that client
queries should not rely on the DIT. In the current implementation we do
not care about the DIT below the bind point, as it is irrelevant for
client queries. However, as you can see the base DN and concatenation
rule are integral to the infrastructure.
Laurence
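
The concatenation rule and the non-hard-coded base DN from the quoted point, as an added example that is not part of the original message or of the BDII code. It assumes the rule is to replace the shared o=glue suffix with the parent's bind point, which is what the concatenated DN in the message shows; the environment variable GLUE2_BASE_DN and the helper names are hypothetical.

```python
import os

SUFFIX = "o=glue"  # root shared by every tree quoted in the message
TOP = "GLUE2GroupID=grid,o=glue"
SITE = "GLUE2DomainID=CERN-PROD,o=glue"
RESOURCE = "GLUE2GroupID=resource,o=glue"


def split_dn(dn):
    """Split a DN into RDNs, honouring backslash-escaped commas."""
    rdns, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(cur).lstrip())
            cur = []
        else:
            cur.append(ch)
    rdns.append("".join(cur).lstrip())
    return rdns


def rebase(dn, parent_base):
    """Move a DN from a lower-level tree under the parent's bind point."""
    rdns = split_dn(dn)
    if rdns[-1].lower() != SUFFIX:
        raise ValueError("DN is not rooted at %s: %r" % (SUFFIX, dn))
    return ",".join(rdns[:-1] + split_dn(parent_base))


def is_under(dn, base):
    """True if dn lies at or below base (case-insensitive simplification)."""
    d = [r.lower() for r in split_dn(dn)]
    b = [r.lower() for r in split_dn(base)]
    return len(d) >= len(b) and d[len(d) - len(b):] == b


def base_dn(env=os.environ):
    """Base DN for client queries; GLUE2_BASE_DN is a hypothetical variable."""
    return env.get("GLUE2_BASE_DN", TOP)


if __name__ == "__main__":
    print(rebase(rebase(RESOURCE, SITE), TOP))
```

A client that checks returned DNs with is_under against the base DN it was given, rather than against a fixed string, keeps working whether it is pointed at a site or a top BDII.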