cn=Directory Manager
All about Directory Server
All | Personal | Sun

« Understanding Schema... | Main | Data Distribution in... »
20070212 Monday February 12, 2007

LDAP, Transactions, and OpenDS

A few days ago, Trey (who, by the way, is doing a tremendous job in his new role as the OpenDS community liaison) wrote about LDAP directory servers versus relational databases. He neglected to mention one of my favorite benefits, which is the standardized protocol (which means that you don't have to rewrite your applications or at the very least change drivers if you switch from one server implementation to another, and you don't really have to worry about what exactly "varchar" means in the particular flavor you're using). But ignoring that, some of the comments were interesting. In this post, I want to focus on the ones regarding the ACID properties of the protocol and the server.

First, I do think that it's important to point out that both the Sun Java System Directory Server (through the Berkeley DB) and OpenDS (through the Berkeley DB Java Edition) use an underlying data store that fully supports ACID semantics, and we do make extensive use of transactions when interacting with it. In particular, any time that you need to perform a write operation the server will need to update multiple databases (in particular, the main id2entry DB and any associated indexes), and that is protected with a transaction to ensure that they will all be updated together as a single atomic unit, or if some problem occurs that none of them get updated. We also rely on the transactional nature for recovery in the event that the server isn't stopped gracefully (e.g., if the server should happen to crash or get forcefully killed, or if there's a hardware failure or underlying system crash) so that it comes back to a consistent state. The Directory Server is able to operate in a fully ACID-compliant manner so that any acknowledged change will be guaranteed on stable storage before returning the result to the client (although administrators can also configure the server to relax these restrictions if they can accept the trade-offs for better performance).

However, when most people are talking about the ACID-compliant nature (or potential lack thereof) of LDAP directories, they probably aren't talking about the underlying data store. They're talking about what is exposed through LDAP itself. It's true that the core protocol specification doesn't have much in the way of atomicity other than to say that multiple changes included in a single modification should all be applied atomically. However, there are a number of extensions to the protocol that can provide various forms of atomicity. They include:

  • Modify DN Operation -- In its simplest form, this operation simply changes the RDN of a leaf entry. However, it also provides the ability to move the entry below a new parent, and it doesn't necessarily need to be performed on a leaf entry. In fact, the modify DN operation can be used to rename an entire subtree (in which case all entries in that subtree will be renamed as a single atomic unit), although we do recommend that it be restricted to small subtrees to avoid locking huge portions of the tree while the operation is in progress. This capability is currently available in OpenDS, and will also be available in the imminent release of the Sun Java System Directory Server 6.0.

  • Subtree Delete Operation -- draft-armijo-ldap-treedelete defines a control which can be used to delete an entire subtree of entries as a single atomic operation. OpenDS currently supports this capability.

  • LDAP Increment Modify Extension -- RFC 4525 defines a new "increment" attribute modification type which can be used to atomically increment or decrement the integer value of an attribute, without the need to know its current value. This can be particularly useful in conjunction with the LDAP read entry controls as described below. OpenDS currently supports this capability.

  • LDAP Read Entry Controls -- RFC 4527 defines a pair of controls which can be used to atomically retrieve an entry as it appeared either immediately before or immediately after applying some change. This can be used to obtain an atomic "set and check" type of behavior, especially when combined with the increment extension. OpenDS currently supports this capability.

  • LDAP Assertion Control -- RFC 4528 defines a control which can be used to perform an operation only if a given assertion is satisfied. This can be used to obtain an atomic "check and set" type of behavior. OpenDS currently supports this capability.

  • LDAP Transactions -- draft-zeilenga-ldap-txn defines a set of extended operations and controls that can be used to perform multiple write operations as a single atomic entity. This draft currently isn't quite far enough along yet to have official OIDs assigned for these components, but we do intend to provide support for it in OpenDS.

With the capabilities that we already have and what we intend to provide in the future, hopefully we can put concerns about the ACID and transactional nature of directory servers to rest.

Posted by cn_equals_directory_manager ( Feb 12 2007, 10:32:26 PM CST ) Permalink Comments [3]

Comments:

While it's true that the need to switch client libraries to match server implementations is rare (though I have had to do that to cover LDAP controls and extensions), I wouldn't oversell the standardization between implementations. I've encountered applications that started with a "put it in the LDAP, it is standard" assumption, and ended up with long, meandering "if (dirtype == ACTIVE_DIRECTORY) {...} else if (dirtype == DOMINO) {...} else {...}" code that made you want to throw the mouse against the wall. As for transactions, I haven't really encountered that many LDAP-based applications that truly needed them, and in other cases, the area where you would want them was handled 'under the covers' by the LDAP server (e.g., when you delete a user from Active Directory, the 'member' attributes of any groups of which that user was previously a member are automatically updated for you). If you application will need to deal seamlessly with multiple flavors of LDAP implementation, you'd be well served to take the same model-view-controller approach that you'd take if you had to deal with swapping out MySQL for Oracle.

Posted by nate moser on February 14, 2007 at 12:37 PM CST #

I apologize for the problem in which your comments didn't show up right away. For some reason, it got flagged as SPAM and I had to manually approve it.

Checks like "if (dirtype == ACTIVE_DIRECTORY) ..." are generally a very bad idea. The set of features supported by a directory type can change over time, and in some cases you can't even do a simple version check because features may be backported. It also doesn't work well for directories that you don't explicitly code to handle, and it puts far too much onus on the developer to know all of the quirks of each directory implementation.

Fortunately, though, there is a standard way of determining the capabilities that a given server supports. This is exposed through attributes like supportedControls, supportedExtensions, and supportedFeatures in the root DSE. If you're wondering whether a particular server supports a given control, then just check for the OID of that control in the supportedControls attribute.

Also, note that the feature you mentioned about automatically cleaning up groups when a user is deleted (or renamed with a modify DN operation) is handled by referential integrity and clients generally shouldn't worry about that. Certainly the Sun Java System Directory Server supports this capability, and most other implementations do as well.

Posted by Neil A. Wilson on February 14, 2007 at 10:57 PM CST #

By the way, the reason your comment was marked as SPAM was that it contained more than 1000 characters. It doesn't appear that I have any control over that setting, but I do apologize for the inconvenience. For what it's worth, my response was also marked as SPAM for the same reason.

Posted by Neil A. Wilson on February 14, 2007 at 11:03 PM CST #

Post a Comment:

Comments are closed for this entry.
Archives
« August 2008
SunMonTueWedThuFriSat
     
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
      
Today

XML


Language

Links


blogs.sun.com
Weblog
Login


Referrers

Today's Page Hits: 298