![[BACK]](/cvsweb/icons/back.gif){kind=icon}
Return to q-dsa.tex CVS log ![[TXT]](/cvsweb/icons/text.gif){kind=icon}
![[DIR]](/cvsweb/icons/dir.gif){kind=icon}
Up to [CSRG BSD Unix] / 43BSDReno / contrib / isode-beta / doc / manual|
Return to q-dsa.tex CVS log | Up to [CSRG BSD Unix] / 43BSDReno / contrib / isode-beta / doc / manual |
1.1 ! root 1: %run this through LaTeX with the appropriate wrapper ! 2: ! 3: \chapter {Installing QUIPU} ! 4: ! 5: \label{quipu:install} ! 6: ! 7: This section describes how to install QUIPU, and make it operate in a basic ! 8: fashion. This is reasonably prescriptive, as it should be possible to ! 9: install and operate a QUIPU DUA and/or DSA without too much ! 10: knowledge about how it functions. ! 11: ! 12: QUIPU comes in 4 separate parts of the ISODE tree, none of which are ! 13: ``made'' as part of the default installation of ISODE. ! 14: This section assumes you have installed ISODE. ! 15: You should consult the \file{READ-ME} file in the ! 16: top level of the source tree, and \volone/ to \volfour/ of this Manual ! 17: if you have not installed ISODE. ! 18: ! 19: There are various options you can set which control ! 20: the operation of QUIPU. These are set in the file \file{h/quipu/config.h} ! 21: but are probably best left to their default values, unless you qualify ! 22: as a ``large'' site. Larger sites may want to consider enabling ! 23: the TURBO options described in the next section. ! 24: ! 25: To generate QUIPU type \verb"make all-quipu" in the top-level ISODE ! 26: directory. ! 27: ! 28: A version of \pgm{dish} that runs directly ! 29: from a \unix/ shell, ! 30: \pgm{dishinit}: ! 31: a script to create a default \file{.quipurc} file for new users, and ! 32: \pgm{sid}: a set of scripts that utilise the shell version of dish, are all ! 33: installed from the \file{others/quipu/uips/dish} directory. ! 34: The \pgm{fred}, \pgm{widget} and \pgm{sunint} interfaces ! 35: can be installed by looking at ! 36: \file{others/quipu/uips/READ-ME}. ! 37: ! 38: Each of these interfaces knows about the ``photo'' attribute that an entry ! 39: in the DIT can have. In order to display the photographs, the photo ! 40: handling code must be compiled, instructions on this can be found in ! 41: Section~\ref{dua:photo} of this Manual and the file ! 42: \file{others/quipu/photo/READ-ME}. ! 43: ! 44: \section{TURBO Options for Large Sites} ! 45: This section describes two options (TURBO\_LOAD and TURBO\_DISK) that ! 46: can be set in the file \file{h/quipu/config.h}. Both options are ! 47: most useful for sites with a large amount of data (e.g. hundreds of ! 48: entries per EDB file). The first option, TURBO\_LOAD, can be used to speed ! 49: the process of loading data from disk during startup. ! 50: When QUIPU starts, it must check each entry that it loads ! 51: against those sibling entries already loaded ! 52: to ensure that the data in each EDB ! 53: file contains no duplicate entries. Normally, this is done by ! 54: searching a linked list of loaded entries. The TURBO\_LOAD option ! 55: works by building and searching an AVL (height-balanced) ! 56: tree instead of the linked list. Also, it allocates space for this ! 57: tree in large chunks to help reduce paging. The AVL tree is only ! 58: used during the loading process and does not affect operation of the ! 59: DSA once the database is loaded. There is some extra ! 60: overhead involved in buildng the AVL tree, and the point at which ! 61: the TURBO\_LOAD option starts improving things seems to be about ! 62: 100+ entries per EDB file. If you have EDB files containing ! 63: significantly more ! 64: than 100 entries, you may want to consider enabling the TURBO\_LOAD ! 65: option. ! 66: ! 67: To use the TURBO\_LOAD option, add a line like this to the ! 68: \file{h/quipu/config.h} file: ! 69: \begin{verbatim} ! 70: #define TURBO_LOAD /* enable fast loading of big EDB files */ ! 71: \end{verbatim} ! 72: There are two run time tailor options you should be aware if the ! 73: TURBO\_LOAD option has been enabled ({\it turbo\_size} ! 74: and {\it turbo\_namelen}). These options are set in the ! 75: \file{quiputailor} file and should be left to their default values ! 76: unless the loading process fails with a message indicating that ! 77: these parameters should be changed. ! 78: ! 79: The second option, TURBO\_DISK, can be used to make modify operations ! 80: run much faster, especially on large data sets. It requires the use ! 81: of the \pgm{gdbm} library. \pgm{Gdbm} is a library of simple database routines ! 82: providing functionality similar to \pgm{dbm} and \pgm{ndbm}, but without the ! 83: filesystem page size limitations of those systems. \pgm{Gdbm} is GNU ! 84: software and is available from the Free Software Foundation. It is ! 85: not a part of the ISODE. ! 86: Normally, when an ! 87: entry is modified, QUIPU writes the entire EDB file the entry lives ! 88: in synchronously out to disk. If the EDB file is very large, this can ! 89: take some time, especially on a heavily loaded system. The TURBO\_DISK ! 90: option works by keeping the disk data in \pgm{gdbm} files instead of the ! 91: regular EDB files. This way, when an update is made, only the ! 92: affected entry need be written to disk. The performance increase ! 93: is directly proportional to the size of the EDB file. ! 94: Whereas a normal update operation takes time proportional to the size ! 95: of the EDB file, with the TURBO\_DISK option it takes a small constant ! 96: amount of time. As for TURBO\_LOAD, if you don't have EDB files with ! 97: at least a hundred or so entries, it's probably not worth enabling ! 98: the TURBO\_DISK option. ! 99: ! 100: To use the TURBO\_DISK option, add a line like this to the ! 101: \file{h/quipu/config.h} file: ! 102: \begin{verbatim} ! 103: #define TURBO_DISK /* enable fast EDB update operations */ ! 104: \end{verbatim} ! 105: Next, if you have enabled the TURBO\_LOAD option as described above, you ! 106: will need to edit the file \file{quipu/turbo\_disk.c} and make a small ! 107: change. The line: ! 108: \begin{verbatim} ! 109: #include "/u/up/tim/src/gdbm-1.3/gdbmdefs.h" ! 110: \end{verbatim} ! 111: should be changed to reflect the actual location of the \file{gdbmdefs.h} ! 112: include file on your system. Note that this file is not installed in ! 113: the normal process of installing \pgm{gdbm}. It is in the \pgm{gdbm} source ! 114: directory. Disgustingly enough, the {\it turbo\_start} routine needs ! 115: to be able to {\it stat} the \pgm{gdbm} file, and needs the definitions ! 116: in \file{gdbmdefs.h} to do so. If you are not using the TURBO\_LOAD ! 117: option, this step is not necessary. ! 118: ! 119: Now make and install QUIPU as usual. ! 120: Before running QUIPU, you will have to ! 121: convert your EDB file hierarchy into a gdbm file hierarchy. This step ! 122: is only necessary once. The \file{quipu/turbo} directory contains some ! 123: tools to help in this process. The shell script \pgm{tree2dbm} will ! 124: convert an EDB file hierarchy to a gdbm file hierarchy. To use it, ! 125: type ``\verb+tree2dbm database-directory+'' where database-directory is the ! 126: directory where the EDB file hierarchy begins. This script does a ! 127: find starting in that directory for files named EDB and runs them through the ! 128: \pgm{edb2dbm} program which creates a file called \file{EDB.gdbm}. ! 129: The original EDB file is neither removed nor ! 130: molested, so you'll need roughly twice the disk space. Alternatively, you ! 131: can run \pgm{edb2dbm} by hand on each EDB file. The reverse operation ! 132: (converting from a \pgm{gdbm} hierarchy to an EDB hierarchy) is done ! 133: by the \pgm{synctree} shell script. It is a good idea to run ! 134: \pgm{synctree} out of \file{crontab} once in a while to update the ! 135: EDB file hierarchy. ! 136: ! 137: Finally, it should be noted that parse errors will be reported ! 138: somewhat differently in the \file{dsap.log} file with the ! 139: TURBO\_DISK option enabled. Since line numbers don't make much ! 140: sense in a \pgm{gdbm} file, errors will be reported based on the ! 141: Relative Distinguished Name of the offending entry. If you get ! 142: a parse error (because of a non-printable character, for example), ! 143: the best approach is to do something like this: ! 144: \begin{verbatim} ! 145: edbcat EDB >bob ! 146: edit the file bob, locate the entry, and fix the problem ! 147: edb2dbm bob ! 148: mv bob.gdbm EDB.gdbm ! 149: \end{verbatim} ! 150: where this procedure assumes you are in the directory containing ! 151: the bad EDB.gdbm file. The edbcat program can be found in the ! 152: \file{quipu/turbo} directory and is used to convert from \pgm{gdbm} ! 153: back to plain text EDB format. ! 154: ! 155: \section{Files} ! 156: Regardless of how you install QUIPU and the ISODE, ! 157: the number of files needed to run QUIPU are quite small. ! 158: ! 159: In ISODE's \verb"BINDIR" directory, ! 160: typically \file{/usr/local/bin/}, ! 161: there are a few programs of interest: ! 162: \begin{describe} ! 163: \item[dish:] The DIrectory SHell\\ ! 164: This is discussed in Chapter~\ref{dish}. ! 165: ! 166: \item[bind:] Shell interface to \pgm{dish}\\ ! 167: There are actually several links (listed below) to a program called ! 168: \pgm{bind}. ! 169: These act to export the \pgm{dish} interface to the \unix/ ! 170: shell. ! 171: As such, ! 172: you can issue commands to \pgm{dish} from the shell, ! 173: rather than running \pgm{dish} directly. ! 174: \begin{quote} ! 175: \begin{tabular}{l} ! 176: add\\ ! 177: compare\\ ! 178: delete\\ ! 179: dsacontrol\\ ! 180: list\\ ! 181: modify\\ ! 182: modifyrdn\\ ! 183: moveto\\ ! 184: search\\ ! 185: showentry\\ ! 186: showname\\ ! 187: squid ! 188: \end{tabular} ! 189: \end{quote} ! 190: ! 191: \item[fred:] A white pages user interface\\ ! 192: See Chapter~\ref{DUA:fred}. ! 193: ! 194: \item[editentry:] Edit a Directory entry\\ ! 195: This is a simple shell script that \pgm{dish} invokes when you ! 196: ask \pgm{dish} to edit an entry in the Directory. ! 197: ! 198: \item[unbind:] Unbind from \pgm{dish}\\ ! 199: This command is used to terminate \pgm{dish}. ! 200: \end{describe} ! 201: In ISODE's \verb"SBINDIR" directory, ! 202: typically \file{/usr/etc/}, ! 203: the DSA resides: ! 204: \begin{describe} ! 205: \item[ros.quipu:] The QUIPU DSA\\ ! 206: This program will be started once, for each DSA you ! 207: are running, from rc.local. ! 208: A script is provided to invoke this program, ! 209: in case you need to restart it. ! 210: ! 211: %%%\item[dsaconfig:] a configurator for Level-1 DSAs. ! 212: \end{describe} ! 213: In ISODE's \verb"ETCDIR" directory, ! 214: also typically \file{/usr/etc/}, ! 215: there are a few programs and files of interest: ! 216: \begin{describe}\sloppy ! 217: \item[oidtable.at, oidtable.gen, oidtable.oc:] ! 218: These define the attribute types, ! 219: generic object identifiers, ! 220: and object classes known to the system. ! 221: (An object identifier is a method used to unambiguously ! 222: encode, among other things, ! 223: the names of attributes and object classes.) ! 224: These files you never deal with unless they are ! 225: accidently corrupted. ! 226: ! 227: \item[dsaptailor:] This is the run-time tailor file for the DUAs. ! 228: You will configure this file initially and then ! 229: probably leave it alone. ! 230: ! 231: ! 232: \item[isoaliases, isobjects, isoentities, isomacros, isoservices:] ! 233: These are \\ %%% ! 234: various databases used by the ISODE. ! 235: These files you never deal with unless they are ! 236: accidently corrupted. ! 237: ! 238: \item[isologs:] This script runs nightly under \man cron(8) to ! 239: trim the ISODE log files, kept in ISODE's \verb"LOGDIR" ! 240: directory, ! 241: typically \file{/usr/tmp/}. ! 242: This file you never deal with unless it is ! 243: accidently corrupted. ! 244: ! 245: \item[isotailor:] This is the run-time tailor file for the ISODE. ! 246: You will configure this file initially and then ! 247: probably leave it alone. ! 248: \end{describe} ! 249: ! 250: \chapter {Configuring a DUA} ! 251: ! 252: It is suggested that you try to get a DUA operational by connecting to ! 253: a ``well known'' DSA before you attempt ! 254: to operate a local DSA. ! 255: Or, if you have a DSA from a previous release of QUIPU - try an connect to ! 256: that. ! 257: ! 258: \section {Connecting to a DSA} ! 259: \label{dua:connect} ! 260: ! 261: A DUA essentially only needs to know one thing to be able to contact a ! 262: DSA, that is the network address of the DSA. ! 263: This parameter is defined in the file \file{dsaptailor}, ! 264: together with some other parameters. ! 265: The full set of parameters are described in Section \ref{dua:tailor}. ! 266: ! 267: The \verb"dsa_address" parameter defines the name and address of the DSA to ! 268: initially contact. For example, ! 269: \begin{quote}\begin{verbatim} ! 270: dsa_address vicuna Internet=bells.cs.ucl.ac.uk+50987 ! 271: \end{verbatim}\end{quote} ! 272: ! 273: declares the DSA \verb"vicuna" at the indicated presentation ! 274: address\footnote{The syntax of presentation addresses is discussed in ! 275: \volone/ of this manual and \cite{String.Addresses}.} ! 276: \index{presentation addresses} ! 277: to be the ! 278: default DSA for the DUA to contact. ! 279: As shown above, the address is preceded by a private key. This can ! 280: be used in some DUAs (including DISH) to specifying the address of the DSA ! 281: to contact. ! 282: If there are more than one \verb"dsa_address" entries, the first ! 283: entry will be used to supply the default DSA address. ! 284: ! 285: A default dsaptailor file ! 286: (taken from \file{dsap/dsaptailor}) is installed as ! 287: \file{dsaptailor} in the ISODE \verb"ETCDIR" directory ! 288: (usually \file{/usr/etc/}) when ! 289: the dsap library is installed, this supplies the addresses ! 290: of various DSAs that you ! 291: may be able to access. ! 292: ! 293: To try to connect to one of the DSAs listed in dsaptailor, ! 294: invoke \pgm{dish}, with a \verb"-call" ! 295: flag, e.g. ``\verb"dish -call giant"'' will try to contact the DSA ``giant'' ! 296: running at UCL. ! 297: If the connection is successful, then the prompt ``\verb"dish ->"'' will be returned. ! 298: If the connection fails, the ! 299: program will exit with an appropriate error ! 300: message. ! 301: ! 302: If this fails ! 303: you might want to ! 304: try connecting to some of the other registered DSAs, ! 305: for example, try ``\verb"dish -call alpaca"'', ``\verb"dish -call eel"'' ! 306: or ``\verb"dish -call anaconda"''. ! 307: A list of registered DSAs is given in Appendix~\ref{dsa:sites}. ! 308: ! 309: If you fail to contact a DSA at this point, there are likely to be lower ! 310: level problems. You should turn up the ISODE logging ! 311: (see \voltwo/ of this manual) to see what is happening to the ! 312: network calls. ! 313: ! 314: If you invoke \pgm{dish} without a \verb"-c" flag (using the default \file{dsaptailor}), it will ! 315: try to connect to the DSA defined by the first ! 316: \verb"dsa_address" entry. ! 317: ! 318: \pgm{dish} is described in full in Chapter~\ref{dish} ! 319: of this Manual. ! 320: ! 321: \section{Tailoring} ! 322: \label{dua:tailor} ! 323: \index{dsaptailor} ! 324: ! 325: The program configuration is tailored to ! 326: allow you to change logging levels, and other parameters at ! 327: run time. ! 328: It is used by the QUIPU DUA procedures, and by the QUIPU User Interfaces. ! 329: ! 330: The file \file{dsaptailor} is used for this purpose and ! 331: consists of single value entries (e.g. oidtable), unless otherwise ! 332: stated (e.g dsaplog). ! 333: Each entry has a parameter followed by its ! 334: value. ! 335: The various options are: ! 336: \begin{describe} ! 337: \item [\verb"oidtable":] ! 338: The path for the OID definition tables. ! 339: NOTE: It is best to have this appear as the first entry of the tailor file, as ! 340: other entries may contain attributes that need to be looked up in these ! 341: tables ! 342: There are three: ! 343: \begin{itemize} ! 344: \item \file{file.gen}, ! 345: which contains generic names for building OIDs; ! 346: \item \file{file.at}, ! 347: which contains the OIDs for attributes; and, ! 348: \item \file{file}.oc, ! 349: which contains the OIDs for object classes. ! 350: \end{itemize} ! 351: For example, ! 352: \begin{quote}\small\begin{verbatim} ! 353: oidtable /usr/lib/quipu/OIDTable ! 354: \end{verbatim}\end{quote} ! 355: will direct the DSA to consult: ! 356: \begin{quote}\begin{verbatim} ! 357: /usr/lib/quipu/OIDTable.gen ! 358: /usr/lib/quipu/OIDTable.at ! 359: /usr/lib/quipu/OIDTable.oc ! 360: \end{verbatim}\end{quote} ! 361: By default this is set to \verb"oidtable" which refers to the tables ! 362: \file{oidtable.*} in the ISODE \verb"ETCDIR" directory. ! 363: ! 364: \item [\verb"dsa\_address":] ! 365: This parameter is described in Section~\ref{dua:connect}. ! 366: ! 367: \item [\verb"dsaplog":] ! 368: Tailoring for the normal logging file. ! 369: Each entry consists of one or more key/value pairs expressed as: ! 370: \begin{quote}\small\begin{verbatim} ! 371: key=value ! 372: \end{verbatim}\end{quote} ! 373: The keys are: ! 374: \begin{describe} ! 375: \item [\verb"file":] ! 376: The name of the logfile. ! 377: \item [\verb"size":] ! 378: The size in KBytes to which the logfile should be allowed to grow. ! 379: When the log has reached this size, if the ``zero'' option ! 380: below is set, then the log will be truncated, otherwise, no further ! 381: logging will take place. ! 382: \item [\verb"level":] ! 383: The levels of logging to be written to this log file. ! 384: This can be any of the following levels: ! 385: \begin{describe} ! 386: \item [\verb"fatal":] ! 387: fatal errors only ! 388: \item [\verb"exceptions":] ! 389: serious, but hopefully temporary, errors ! 390: \item [\verb"notice":] ! 391: general logging information ! 392: \item [\verb"trace":] ! 393: program tracing ! 394: \item [\verb"pdus":] ! 395: pdu tracing ! 396: \item [\verb"debug":] ! 397: full tracing of events ! 398: \item [\verb"all":] ! 399: log all events ! 400: \end{describe} ! 401: For example to have all errors written to the file you will need ! 402: \begin{quote}\footnotesize\begin{verbatim} ! 403: dsaplog level=fatal level=exceptions ! 404: \end{verbatim}\end{quote} ! 405: \item [\verb"dlevel":] ! 406: Do not log the specified log level, this is the opposite of the above ! 407: entry. ! 408: \item [\verb"dflags"/\verb"sflags":] ! 409: The flags associated with the log may be set (with \verb"sflag") ! 410: or unset (with \verb"dflag"). The allowable options are: ! 411: \begin{describe} ! 412: \item [\verb"close":] ! 413: close the log after each entry ! 414: \item [\verb"create":] ! 415: create the log file if it doesn't exist ! 416: \item [\verb"zero":] ! 417: truncate the file when it gets too big ! 418: \item [\verb"tty":] ! 419: copy the logging information to the users tty ! 420: \end{describe} ! 421: \end{describe} ! 422: An example might be: ! 423: \begin{quote}\footnotesize\begin{verbatim} ! 424: dsaplog level=notice size=30 file=quipulog dflags=close ! 425: \end{verbatim}\end{quote} ! 426: This says log events at ``notice'' level, into the file ``quipulog'', do not ! 427: let the file grow larger than 30Kbytes, and do not close the file ! 428: after each logging message. ! 429: ! 430: \item [\verb"stats":] Used to control the level of statistical logging ! 431: (parameters as for \verb+dsaplog+ above). ! 432: ! 433: \item [\verb"local\_DIT":] ! 434: The argument is a distinguished name. When some User Interfaces start, you ! 435: will be automatically moved to this position in the DIT. ! 436: ! 437: \item [\verb"oidformat":] ! 438: Defines how object identifiers should be printed. ! 439: Use one of: ! 440: \begin{quote}\small\begin{verbatim} ! 441: oidformat short ! 442: \end{verbatim} ! 443: \end{quote} ! 444: to print in short local key form, e.g., ! 445: \begin{quote}\small\begin{verbatim} ! 446: Country ! 447: \end{verbatim}\end{quote} ! 448: or, ! 449: \begin{quote}\small\begin{verbatim} ! 450: oidformat long ! 451: \end{verbatim} ! 452: \end{quote} ! 453: to print in long object identifier form, e.g., ! 454: \begin{quote}\small\begin{verbatim} ! 455: joint.ds.attributeType.country ! 456: \end{verbatim}\end{quote} ! 457: or, ! 458: \begin{quote}\small\begin{verbatim} ! 459: oidformat numeric ! 460: \end{verbatim} ! 461: \end{quote} ! 462: to print in numeric form, e.g., ! 463: \begin{quote}\small\begin{verbatim} ! 464: 2.5.4.6 ! 465: \end{verbatim}\end{quote} ! 466: ! 467: \item [\verb"photo":] ! 468: The argument is has two parts, a ``terminal type'' such as ! 469: ``sun'' or ``xterm'', the second is the name of the process that should ! 470: handle displaying of photographs, for example ! 471: \begin{quote} ! 472: photo xterm Xphoto ! 473: \end{quote} ! 474: tells the DUA to call the process Xphoto to handle photograph attributes if ! 475: the user is on a terminal of type ``xterm''. ! 476: Handling photographs is described more fully in Section~\ref{dua:photo}. ! 477: ! 478: \item [\verb"quipurc":] ! 479: If the argument has the value \verb"on", then a program called ! 480: \pgm{dishinit} will be run every time a user without a ``.quipurc'' ! 481: file tries to access the directory. \pgm{dishinit} is discussed ! 482: in Section~\ref{dishinit}. ! 483: ! 484: \item [\verb"sizelimit":] ! 485: Defines the maximum number of entries a successful list or search should ! 486: return. ! 487: For example, ! 488: \begin{quote}\small\begin{verbatim} ! 489: sizelimit 20 ! 490: \end{verbatim}\end{quote} ! 491: sets the DAP default service control ``sizelimit'' to be 20 entries. ! 492: \end{describe} ! 493: ! 494: \chapter {Configuring a DSA} ! 495: ! 496: This Chapter discusses how to configure a QUIPU DSA. ! 497: We recommend that you get a DUA running before you try to ! 498: get a DSA working. ! 499: ! 500: \section{Basic Formats and Structures} ! 501: ! 502: All of the information a DSA requires is ! 503: stored on disk and is text structured. This includes ! 504: various files (described later), and the local DIT database itself. ! 505: A complete BNF description of the files ! 506: is given in Appendix~\ref{bnf} on page~\pageref{bnf}. ! 507: ! 508: \subsection {Entry Data Block} ! 509: \label{edb} ! 510: A key component of the Directory database is the Entry Data Block, which is ! 511: described fully in \cite{QUIPU.Design}. ! 512: Figure \ref{example_edb} shows an example EDB \index{EDB} file containing two ``person'' ! 513: entries. ! 514: ! 515: \begin{figure} ! 516: \smaller ! 517: \begin{verbatim} ! 518: MASTER ! 519: 19891025113003Z ! 520: CN= Colin Robbins ! 521: CN= Colin John Robbins ! 522: Phone= +44-1-387-7050 ext 3683 ! 523: Surname= Robbins ! 524: Room= G10 ! 525: Userid= crobbins ! 526: userClass= csstaff ! 527: rfc822Mailbox= [email protected] ! 528: Photo= {FILE}crobbins.photo ! 529: objectClass =thornPerson & quipuObject ! 530: acl=others # none # attribute # photo ! 531: acl=self # read # attribute # photo ! 532: ! 533: CN= Steve Kille ! 534: CN= Steve E. Kille & Stephen Kille ! 535: Phone= +44-1-387-7050 ext 7294 ! 536: Surname= Kille ! 537: objectClass = thornPerson & quipuObject ! 538: Room= G24 ! 539: Userid= steve ! 540: userClass= csstaff ! 541: rfc822Mailbox= [email protected] ! 542: \end{verbatim} ! 543: \caption{Example EDB File} ! 544: \label{example_edb} ! 545: \end{figure} ! 546: ! 547: ! 548: An EDB file contains a header, followed by a sequence of entries. ! 549: ! 550: The header consists of two lines of text, the first must contain the string ! 551: ``\verb"MASTER"'', ``\verb"SLAVE"'' or ``\verb"CACHE"'', ! 552: which indicates whether the data in the EDB ! 553: file represents the authoritative \verb"MASTER" data, a \verb"SLAVE" ! 554: copy of the data, or \verb"CACHE"d entries. ! 555: The next line is a string that describes the version of the EDB. Every ! 556: time the EDB is altered, the version\index{version - of an EDB} number ! 557: should be changed, so that ! 558: \verb"SLAVE" EDBs elsewhere will be automatically updated. ! 559: When a DSA alters an EDB file, it writes the current (UTC) time in string ! 560: format as the version string. ! 561: ! 562: Following the header are a sequence of blank line separated entries. ! 563: An entry consists of a set of attributes. The first line is ! 564: the Relative Distinguished Name ! 565: \index{RDN} (RDN) of the entry. ! 566: ! 567: \subsection{Object Class attribute} ! 568: Of the attributes an entry may have, the ``objectClass''\index{objectClass attribute} ! 569: attribute is one of the most important from the configuration point of view. ! 570: It defines the set of mandatory and optional attributes that must and may be ! 571: present in the entry. ! 572: For example, the object class ``person'' insists that there is a ``surname'' ! 573: attribute, and there may optionally be a ``telephone number'' attribute. ! 574: ! 575: QUIPU knows about all the standard object classes and attributes, some of ! 576: those defined by the THORN\index{thorn} project (see Section~\ref{thorn:na}) and ! 577: those defined by QUIPU itself (see Appendix~\ref{naming}). ! 578: The full set of object classes and attributes a DSA knows about is ! 579: defined by the ``oidtables'' which are explained in Section~\ref{oidtables}. ! 580: ! 581: An entry can belong to more that one object class. ! 582: For example, an entry representing an organisation might have the following ! 583: object class attribute:- ! 584: \begin{quote}\small\begin{verbatim} ! 585: objectClass = organization & quipuNonLeafObject ! 586: \end{verbatim}\end{quote} ! 587: And a person within that organisation might use the following object class ! 588: definition:- ! 589: \begin{quote}\small\begin{verbatim} ! 590: objectClass = organizationalPerson & quipuObject & thornPerson ! 591: \end{verbatim}\end{quote} ! 592: Every entry in a QUIPU DSA should belong to either the ``\verb"quipuObject"'' ! 593: or ``\verb"quipuNonLeafObject"'' object classes, as this allows ! 594: attributes the DSA needs to be added to an entry. ! 595: ! 596: Further, object classes posses the notion of ! 597: \verb"class inheritance". ! 598: This means that an object class can be defined as a ``subclass'' of ! 599: a previously defined object class with additional refinements. ! 600: As a subclass, ! 601: the newly defined object ``inherits'' all the semantics of its ! 602: superclass, ! 603: in addition to having additional semantics. ! 604: ! 605: For example, ! 606: the Directory defines an object class called \verb"person". ! 607: This object class defines the attributes which a person in ! 608: the real world might have. ! 609: It may be useful to refine this somewhat to talk about persons ! 610: who have network access. ! 611: So, we need a new object class, e.g., \verb"netPerson". ! 612: This can be defined in a straight-forward fashion: ! 613: \begin{quote} ! 614: The object class \verb"netPerson" is a subclass of the object class ! 615: \verb"person" which {\em may\/} contain an additional attribute, ! 616: \verb"netMailbox". ! 617: ! 618: The syntax of an \verb"netMailbox" is a simple string of printable ! 619: characters which is not case sensitive when performing comparisons. ! 620: \end{quote} ! 621: ! 622: It is a Quipu requirement that every entry that is not a leaf of the DIT ! 623: should belong to the object class ! 624: ``\verb"quipuNonLeafObject"''. ! 625: ! 626: This class has one mandatory attribute: ! 627: \begin{describe} ! 628: \item[masterDSA:]\index{masterDSA attribute} ! 629: identifies the Directory entity which is responsible ! 630: for maintaining the MASTER EDB for the children of ! 631: this entry. ! 632: The value is a Distinguished Name. ! 633: \end{describe} ! 634: There is typically a single MASTER for a particular entry in the tree. ! 635: Hence, this value is usually single-valued. ! 636: When an entry is to be modified, ! 637: the Directory must contact the entity responsible for the MASTER EDB for ! 638: that entry in order to perform the modification. ! 639: ! 640: This class has two optional attributes: ! 641: \begin{describe} ! 642: \item[slaveDSA:]\index{slaveDSA attribute} ! 643: identifies any Directory entities which have ! 644: authoritative copies of the EDB for the children ! 645: of this entry. ! 646: The value is one or more Distinguished Names. ! 647: ! 648: \item[treeStructure:]\index{treeStructure attribute} ! 649: identifies the object classes which may exist ! 650: immediately below this entry. ! 651: The value is one or more object classes. ! 652: See Section~\ref{quipu:schema} for full details ! 653: of how to set this attribute. ! 654: \end{describe} ! 655: Since a fundamental assumption of the Directory is that reads (queries) ! 656: occur much more frequently than writes (updates), ! 657: it is common to have several entities containing authoritative copies of an ! 658: EDB. ! 659: By keeping copies locally, ! 660: queries can be answered with less latency. ! 661: ! 662: \subsection {Database Structure} ! 663: ! 664: All the information held by the Directory in its in-core database, is loaded ! 665: from disk when the Directory starts. ! 666: The data on disk is held in a \unix/ tree of EDB files that map ! 667: the DIT. ! 668: At every level in the DIT for which the DSA holds data, there is a single ! 669: file called \file{EDB}\index{EDB file}. ! 670: If an entry defined in an \file{EDB} file has ! 671: children, the \file{EDB} file for the children will be found in a ! 672: sub-directory whose name is the string encoded Relative ! 673: Distinguished Name of the entry. ! 674: For example, if an \file{EDB} file has an entry whose RDN is ! 675: ``ou= Computer Science'', then if the entry ``ou= Computer Science'' has children and is stored locally, ! 676: it can be found in the file \file{ou=Computer Science/EDB} relative to the current directory. ! 677: NOTE that the case sensitivity of the sub-directory naming is one of the ! 678: few areas within QUIPU where string matching is case sensitive. ! 679: The case of the attribute type is taken from the definition of the attribute ! 680: in the oid tables, whereas the case of the attribute value is the same as ! 681: that found in the EDB file. ! 682: ! 683: When an entry is modified, the modified \file{EDB} file is re-written to ! 684: disk. The old \file{EDB} is renamed \file{EDB.bak} to provide ! 685: a back-up. ! 686: ! 687: \subsection{Long Distinguished Names} ! 688: \label{EDB:mapped} ! 689: There is a problem with the above method for naming \unix/ sub directories ! 690: with some versions of \unix/ --- particularly System~V. ! 691: In these systems directory names are limited in length. ! 692: ! 693: To allow for this, \verb"any" distinguished name can be given a mapping ! 694: name, which will be used as the \unix/ sub-directory name. ! 695: For example the entry for ``o=University College London'', may be mapped and ! 696: stored in the file \file{UCL/EDB}. ! 697: The mapped names are specified in a file \file{EDB.map}\index{EDB.map file}, ! 698: the syntax of which is: ! 699: \begin{quote}\begin{verbatim} ! 700: <Distinguished Name> `#' <Mapped name> ! 701: \end{verbatim}\end{quote} ! 702: so for the example used above the file will contain: ! 703: \begin{quote}\begin{verbatim} ! 704: o=University College London#UCL ! 705: \end{verbatim}\end{quote} ! 706: ! 707: If a name is not found in the mapping file, then the long directory name will ! 708: be used. ! 709: ! 710: When a DSA needs to create a sub-directory (e.g after an add operation) ! 711: it will use the relative distinguished name for each subdirectory, ! 712: unless the name is longer than the maximum number of allowed characters ! 713: (usually 15), in which case it will generate a shorter mapped name. ! 714: ! 715: \section {Setting up an Initial DSA} ! 716: ! 717: These instructions are assuming that you are trying to set up a DSA with the ! 718: following characteristics:- ! 719: \begin{itemize} ! 720: \item It is the first DSA in an Organisation ! 721: \item It is not the first DSA in the Country ! 722: \item It holds a copy of the root EDB ! 723: \end{itemize} ! 724: ! 725: This is found in the example:- ! 726: \begin{quote} ! 727: \file{others/quipu/quipu-db/organisation} ! 728: \end{quote} ! 729: ! 730: There are two other examples which might also be used as illustrations for ! 731: national DSAs and organisational DSAs not holding a copy of the root EDB. ! 732: These are in :- ! 733: \begin{quote} ! 734: \file{others/quipu/quipu-db/national} ! 735: \end{quote} ! 736: and ! 737: \begin{quote} ! 738: \file{others/quipu/quipu-db/non-root} ! 739: \end{quote} ! 740: ! 741: Note that if you are going to be running a DSA in the United States, ! 742: then you should skip this section and refer to the document ! 743: \cite{NYSER.Admin}, ! 744: which is provided in the ISODE documentation set ! 745: (look in the source tree area for the directory \file{doc/whitepages/admin/}). ! 746: This document describes turn-key installation mechanisms for DSAs in the ! 747: United States. ! 748: ! 749: To start a DSA with one of these example databases ! 750: go into the relevant database directory and type:- ! 751: \begin{quote}\begin{verbatim} ! 752: $(SBINDIR)ros.quipu -t ./quiputailor ! 753: \end{verbatim}\end{quote} ! 754: ! 755: The \tt -t\rm \ flag tells Quipu to use the tailor file \file{./quiputailor} ! 756: rather than the default file (\file{quiputailor} in the ISODE \verb"ETCDIR" ! 757: directory). ! 758: ! 759: This will cause the DSA to print some logging information onto the screen, ! 760: followed by the message ! 761: \begin{quote}\begin{verbatim} ! 762: DSA c=GB@cn=toucan has started on localHost=17003 ! 763: \end{verbatim}\end{quote} ! 764: ! 765: \begin{figure} ! 766: \smaller ! 767: \begin{verbatim} ! 768: cn=Toucan ! 769: presentationAddress= localHost=17003 ! 770: edbinfo= #cn=giant tortoise## ! 771: description= Demonstration slave-root DSA ! 772: description= Bird with large colourful bill. ! 773: objectClass= quipuDSA & quipuObject ! 774: manager= c=GB@o=University College London@ou=Computer Science@cn=Colin Robbins ! 775: acl= self # write # attributes # acl $ userPassword ! 776: acl= others # compare # attributes # acl $ userPassword ! 777: userPassword = toucan ! 778: quipuVersion= 6.0 Distribution ! 779: supportedApplicationContext= QuipuDSP & X500DSP & X500DAP ! 780: \end{verbatim} ! 781: \caption{Example DSA Entry} ! 782: \label{DSA:Toucan} ! 783: \end{figure} ! 784: ! 785: The default setup assumes you have TCP/IP access and starts a DSA on the IP ! 786: address of the local machine (127.0.0.1). If you do not have TCP/IP, you ! 787: will need to change the address the DSA will attempt to listen on. ! 788: This is done by editing the file ! 789: \begin{quote} ! 790: \file{others/quipu/quipu-db/organisation/c=GB/EDB} ! 791: \end{quote} ! 792: The first entry in this file is the entry for a DSA called ! 793: ``c=GB@cn=Toucan'', which is the name of the DSA we are trying to start (as ! 794: defined by the ``mydsaname'' entry in quiputailor). ! 795: The entry is shown in Figure~\ref{DSA:Toucan}. ! 796: The attribute \verb"presentationAddress" defines the address that the DSA is ! 797: going to listen to the network on. ! 798: If you need to listen on a different address, you should change the value of ! 799: the attribute to the address you want to listen on. ! 800: For more details of address see \volone/ of this manual and ! 801: \cite{String.Addresses}, an example of an X.25 address is given below: ! 802: \begin{quote}\begin{verbatim} ! 803: presentationAddress= Int-X25(80)=23421920030045 ! 804: \end{verbatim}\end{quote} ! 805: ! 806: Having started your DSAs you should be able to connect to it by ! 807: invoking \pgm{dish}. If you are using the default DSA address, and are ! 808: using the default \file{dsaptailor} file, then invoking \pgm{dish} ! 809: without arguments is sufficient. ! 810: If you are not using the default address or ``dsaptailor'' file, then you ! 811: will need to edit \file{dsaptailor} in the ISODE \verb"ETCDIR" directory. ! 812: You should add an entry ! 813: \begin{quote}\begin{verbatim} ! 814: dsa_address toucan <presentation address> ! 815: \end{verbatim}\end{quote} ! 816: Note that \verb+<presentation address>+ should have {\em exactly} the same ! 817: value as ! 818: the \verb+presentationAddress+ attribute in the DSAs entry in the EDB file. ! 819: Now to contact the DSA use ! 820: \begin{quote}\begin{verbatim} ! 821: dish -c toucan ! 822: \end{verbatim}\end{quote} ! 823: ! 824: ! 825: Once connected to the DSA, try issuing the ! 826: command:- ! 827: \begin{quote}\small\begin{verbatim} ! 828: list "@c=GB@o=University College London@ou=Computer Science" ! 829: \end{verbatim}\end{quote} ! 830: You should get a list of four names ! 831: back:- ! 832: \begin{quote}\begin{verbatim} ! 833: 1 commonName=Colin Robbins ! 834: 2 userid=quipu%commonName=Colin Robbins ! 835: 3 commonName=Steve Kille ! 836: 4 commonName=Michael Roe ! 837: \end{verbatim}\end{quote} ! 838: If this happens you have a working DSA. ! 839: (The entry numbered 2, is an example of an RDN with multiple values !) ! 840: ! 841: \subsection{Setting up YOUR DSA} ! 842: The examples are tailored to start a DSA called ``toucan'', ! 843: and will be sufficient to get an example DSA started, ! 844: but this will not be of much use when you want to start adding you own data. ! 845: To allow other DSA to connect to you, you will need a new unique ! 846: distinguished name for ! 847: your own DSA. ! 848: Section~\ref{dsa:connect} describes how to choose a name for your DSA and set ! 849: up the connections. ! 850: ! 851: A DSA needs to find the entry associated with its own name, it will generally ! 852: be able to find this in the local database (the entry ``cn=toucan'' ! 853: in the file \file{quipu-db/organisation/c=GB/EDB} for example). ! 854: ! 855: Having located its own entry, a DSA will know its network ! 856: address by looking at the \verb+presentionAddress+ attribute, ! 857: hence it can start listening for operations. ! 858: ! 859: But first it must load the database. ! 860: In its own entry it will have a \verb"edbInfo" attribute, this ! 861: describes which EDBs the DSA is expected to hold. ! 862: The format of the \verb"edbInfo" \index{edbInfo attribute} attribute is described fully in ! 863: Section~\ref{slave_update}, but essentially the first parameter ! 864: supplied says ``load this EDB''. Thus the attribute ! 865: \begin{quote}\begin{verbatim} ! 866: edbInfo = ## ! 867: edbInfo = c=US@o=The Wollongong Group ## ! 868: edbInfo = c=GB ## ! 869: \end{verbatim}\end{quote} ! 870: requests that the EDB files ! 871: \begin{quote} ! 872: \file{quipu-db/EDB} ! 873: \end{quote} ! 874: (signified by no data before the first `\verb+#+' sign), ! 875: \begin{quote} ! 876: \file{quipu-db/c=US/o=The Wollongong Group/EDB} ! 877: \end{quote} ! 878: and ! 879: \begin{quote} ! 880: \file{quipu-db/c=GB/EDB} ! 881: \end{quote} ! 882: are loaded. ! 883: ! 884: There are a few other important attributes your DSAs entry should have, the ``toucan'' ! 885: entry in Figure~\ref{DSA:Toucan} gives examples of the other attributes. ! 886: They are briefly described below. ! 887: \begin{describe} ! 888: \item[description] A Textual message describing the DSA, and the wildlife! ! 889: \item[quipuVersion] This should contain the version number of the ! 890: Quipu software you are using. This can be found by using the dish ! 891: command \verb+squid -version+. ! 892: \item[manager] The DN of the manager of the DSA, this user will not be blocked by ! 893: access control when modifying the local database over DAP. ! 894: \item[supportedApplicationContext] This should always have the value ! 895: \begin{quote}\begin{verbatim} ! 896: QuipuDSP \& X500DSP \& X500DAP ! 897: \end{verbatim}\end{quote} ! 898: for this version of Quipu. ! 899: It is used by remote DSAs to decide which protocols your ! 900: DSA supports, and ! 901: thus how best to contact it. ! 902: \end{describe} ! 903: ! 904: To connect a DUA to this DSA, ! 905: try typing \verb"dish", the DUA will try to contact the default DSA. ! 906: ! 907: If you have changed the address of the default DSA ! 908: (by modifying the ``presentationAddress'' attribute of the DSAs entry) ! 909: you will need to modify the ! 910: \verb"dsa_address" variable in the file \file{dsaptailor} to tell the DUAs ! 911: your DSAs address. ! 912: If you add ! 913: \begin{quote}\begin{verbatim} ! 914: dsa_address mydsa <the presentation address> ! 915: \end{verbatim}\end{quote} ! 916: to your \file{dsaptailor} file, then ! 917: \begin{quote}\begin{verbatim} ! 918: dish -c mydsa ! 919: \end{verbatim}\end{quote} ! 920: should connect you to your new DSA. ! 921: ! 922: Section~\ref{adding_data} describes how you can add data to you DSA by ! 923: extending the supplied textual database to include your ! 924: own data ! 925: or by sending data to the Directory via the DUA modify operations. ! 926: This may be done independently from connecting to the global directory. ! 927: ! 928: \section {Tailoring}\label{dsa:tailor} ! 929: ! 930: On start up the DSA first consults a run time tailor file \index{quiputailor} ! 931: (the default DSA tailor file is called \file{quiputailor} in the ISODE ! 932: \verb"ETCDIR" directory, but can be ! 933: changed with a \verb"-t" parameter to \pgm{ros.quipu}; ! 934: consult \man quipu(8c) for details), ! 935: which indicates such things as: ! 936: ! 937: \begin{itemize} ! 938: \item ! 939: name of the DSA ! 940: \item ! 941: location of the database ! 942: \item ! 943: location and level of the logs that the DSA will produce. ! 944: \item ! 945: location of any other DSAs for initial bootstrap ! 946: \end{itemize} ! 947: ! 948: ! 949: The format is identical to the DUA tailor file ! 950: described in Section~\ref{dua:tailor}, with the addition of the ! 951: following options: ! 952: \begin{describe} ! 953: \item [\verb"mydsaname":] ! 954: The distinguished name of the DSA. ! 955: For example, ! 956: \begin{quote}\small\begin{verbatim} ! 957: mydsaname CN=axolotl ! 958: \end{verbatim}\end{quote} ! 959: declares this DSA to have the common name of \verb"axolotl". ! 960: ! 961: \item [\verb"parent":] ! 962: This entry consists of a name/address pair of a parent DSA, ! 963: and is needed only for DSAs not holding the root EDB. ! 964: The DSA referenced needs to hold a Master or Slave copy of an EDB ! 965: higher up in the DIT than the highest locally held EDB. ! 966: If more than one \verb"parent" tailor entries are found, the DSA ! 967: will chose which DSA to contact. The algorithm for making this ! 968: choice has not been fully explored yet ! 969: (currently, the first entry is always used, if this fails the second\ldots). ! 970: For example, ! 971: \begin{quote}\small\begin{verbatim} ! 972: parent C=GB@CN=vicuna Internet=vs1.ucl.cs.ac.uk+50987 ! 973: \end{verbatim}\end{quote} ! 974: \index{presentation addresses} ! 975: declares the parent DSA to be ``C=GB@CN=vicuna'' at the ! 976: indicated address. ! 977: ! 978: \item [\verb"stats":] ! 979: The value has the same format as the \verb"dsaplog" entry described in ! 980: Section~\ref{dua:tailor}, and is used to control the level of ! 981: DSA statistical logging. ! 982: ! 983: \item [\verb"treedir":] ! 984: Defines the directory in which the textual database is stored. ! 985: For example, ! 986: \begin{quote}\small\begin{verbatim} ! 987: treedir /usr/etc/quipu-db/ ! 988: \end{verbatim}\end{quote} ! 989: declares the directory \file{/usr/etc/quipu-db/} to contain the local ! 990: part of the Directory Information Tree. ! 991: ! 992: \item [\verb"update":] ! 993: The value ``on'' tells the DSA to update SLAVE EDB files when it starts up. ! 994: See section \ref{slave_update} for further details, by default ! 995: this parameter is ``off''. ! 996: ! 997: \item [\verb"searchlevel":] Defines the level from which users will be able ! 998: to search the DIT --- default 2 (e.g organisations). ! 999: If they try to search from higher up, a ``unwilling to perform'' service ! 1000: error will result. ! 1001: ! 1002: \item [\verb"lastmodified":] If `\verb"off"', `\verb+lastmodifiedby+' ! 1003: attributes will not be added by the DSA when an entry is altered. ! 1004: ! 1005: \item[\verb"readonly":] Bring the DSA up in ``read only'' mode --- that is ! 1006: prevent user modification. Slave updates are still allowed. ! 1007: ! 1008: \item [\verb"dspchaining":] ! 1009: The value ``on'' tells the DSA to chain DSP requests to other DSAs ! 1010: if necessary. ! 1011: The default mode of operation is to return a DSA referral. ! 1012: The full set of issues deciding whether to use chaining or referrals ! 1013: is discussed in the QUIPU design document (\cite{QUIPU.Design}), and ! 1014: \cite{QUIPU.Navigate}. ! 1015: ! 1016: \item [\verb"adminsize":] The administrative size limit for use on search ! 1017: and list operations. ! 1018: ! 1019: \item[\verb"admintime":] The maximum time allow to spend on a user query. ! 1020: ! 1021: \item[\verb"cachetime":] The length of time to keep / use ``cached'' ! 1022: information. ! 1023: ! 1024: \item[\verb"conntime":] The length of time to hold a unused connection open. ! 1025: ! 1026: \item[\verb"nsaptime":] The length of time to wait before deciding a ! 1027: connection can not be established for a given NSAP. ! 1028: ! 1029: \item[\verb"retrytime":] The length of time before deciding it is worth ! 1030: attempting to connect to a DSA that could not be contacted earlier. ! 1031: ! 1032: \item[\verb"slavetime":] The length of time between attempting to update ! 1033: slave EDB files. ! 1034: ! 1035: \item[\verb"preferdsa":] When a DSA has creates a reference to other DSAs it ! 1036: tries to discriminate between and chose the "best" DSA to contact. ! 1037: This variable gives you a handle on controlling the choice. For example the ! 1038: lines ! 1039: \begin{verbatim} ! 1040: preferDSA c=GB@cn=Vicuna ! 1041: preferDSA cn=Giant Tortoise ! 1042: \end{verbatim} ! 1043: tells the DSA to use either ``c=GB@cn=Vicuna'' or ``cn=Giant Tortoise'' in ! 1044: preference to any other DSA. Further, use the DSA ``c=GB@cn=Vicuna'' rather than ! 1045: ``cn=Giant Tortoise'' if possible. ! 1046: ! 1047: \item[\verb"cainfo":] For authentication. ! 1048: ! 1049: \item[\verb"secretkey":] For authentication. ! 1050: ! 1051: \item[\verb"bindwindow":] For authentication. ! 1052: ! 1053: \item [\verb"isode":] ! 1054: The argument is an \verb"isodevariable" \verb"isodevalue" pair as would ! 1055: be found in \file{isotailor}. This is used to ``override'' isotailor ! 1056: settings. ! 1057: \end{describe} ! 1058: ! 1059: \subsection {Tailoring a Running DSA} ! 1060: \label{dsa:mgmt} ! 1061: ! 1062: The tailoring described above is performed when the DSA is ! 1063: booted. It is sometimes useful to alter the tailor settings ! 1064: after the DSA has started without having to bring ! 1065: the DSA down and rebooting. This can be done by via ! 1066: the special ``{\bf dsacontrol}'' command in the \man dish(1c) program ! 1067: as described in Section~\ref{dua:mgmt} on page~\pageref{dua:mgmt}. ! 1068: ! 1069: The DUA invokes a modify operation, with a ! 1070: single special attribute ``dSAControl'' defined in \cite{QUIPU.Design}. ! 1071: The DSA recognises the special attribute, and provided you are ! 1072: bound as the manager of the DSA, passes the attribute value to the ! 1073: appropriate routine. ! 1074: ! 1075: \cite{QUIPU.Design} describes this process in full. ! 1076: ! 1077: \section {Connection to Other DSAs} ! 1078: \label{dsa:connect} ! 1079: ! 1080: All QUIPU DSAs should be connected. This section describes how you should ! 1081: configure your DSA to connect to other DSAs in order ! 1082: to read the data not held locally. ! 1083: Section \ref{dsa:global} describes how to make sure that other DSAs can access your DSA ! 1084: (See Appendix~\ref{dsa:sites} on page~\pageref{dsa:sites} for a partial list ! 1085: of registered QUIPU DSAs.) ! 1086: ! 1087: A dynamic approach is used to bootstrap a new DSA. ! 1088: The ``global master'' DSA is administered at UCL, ! 1089: and other DSAs should be configured in relation to this one. ! 1090: ! 1091: Every DSA needs to know the distinguished name and ! 1092: presentation address of one ! 1093: or more DSA's nearer to, or actually holding, the root EDB. This parameter ! 1094: is supplied in the tailor file (see Section~\ref{dsa:tailor}) ! 1095: under the name \verb"parent". ! 1096: This information is used by the QUIPU DSA when it can not find a DSAs entry ! 1097: in the local database, or can find no pointers in the local database to the ! 1098: whereabouts of the data. ! 1099: If you hold a \verb"SLAVE" copy of the root EDB, then your ! 1100: parent should be a DSA that is ``closer'' to the MASTER copy of the root ! 1101: EDB. ! 1102: ! 1103: The example databases are set up with default parents (defined in the file ! 1104: \file{quipu-db/organisation/quiputailor}) ! 1105: To see if your DSA can contact the ``parent'', connect to ! 1106: the local test (root holding) DSA using \verb"dish", and type ! 1107: ! 1108: \begin{quote}\begin{verbatim} ! 1109: list @ ! 1110: \end{verbatim}\end{quote} ! 1111: ! 1112: This will list the locally held root, now try ! 1113: ! 1114: \begin{quote}\begin{verbatim} ! 1115: list @ -dontusecopy ! 1116: \end{verbatim}\end{quote} ! 1117: ! 1118: This will try to connect to the parent DSA. ! 1119: If it is successful, there should be a lot more data returned. ! 1120: ! 1121: Care should be taken in choosing the parent ! 1122: DSA. If all DSAs have the same parent ! 1123: DSA then that DSA will become overloaded. ! 1124: Typically each site will have several DSAs. One of these should ! 1125: be the default parent for all the other DSAs, with only one DSA having a ! 1126: default parent outside the site. ! 1127: ! 1128: ! 1129: When ``walking down'' the DIT, QUIPU needs access to information to tell it ! 1130: on which DSA the next level of the DIT is stored. ! 1131: To do this each non-leaf entry MUST have a ``masterDSA''\index{masterDSA attribute} ! 1132: or ``slaveDSA'' ! 1133: attribute. The value of the attribute is the distinguished name of the DSA ! 1134: holding the next level of the DIT (it may be your own DSA name, if you hold ! 1135: the next level as well). If there is no such attribute, QUIPU assumes the ! 1136: entry is a leaf. ! 1137: If the information required is not held in the local DSA then QUIPU ! 1138: chains the request to the named DSA or returns a referral ! 1139: --- depending upon the mode of operation ! 1140: (The named DSAs entry is read to establish the ! 1141: address --- this may mean a connection to another DSA ! 1142: in-order to read the entry). ! 1143: ! 1144: Once you have started your DSA, you should try to connect to other DSAs ! 1145: using the \verb"DISH" program (this connects to the local DSA, which will ! 1146: chain requests to other DSAs). Try listing the children of ! 1147: organisations other than yourself, to find which organisations are connected, ! 1148: try listing your countries children. ! 1149: ! 1150: \subsection {Choosing a Name for Your DSA} ! 1151: \label{dsa:naming} ! 1152: Every QUIPU DSA MUST have an entry in the DIT, hence ! 1153: your DSA will need a unique distinguished name. ! 1154: The name ``cn=Toucan'' ! 1155: given in the example databases is not unique. ! 1156: There are two aspects to consider in choosing a name for you DSA. ! 1157: ! 1158: This entry is used by other DSAs to identify you DSA, and so is needed if ! 1159: other DSAs are going to be able to see your DSA. ! 1160: ! 1161: Firstly, it is a QUIPU convention that DSAs should be named ! 1162: after endangered South ! 1163: American wildlife, and that the entry for the DSA should contain a ! 1164: description of the animal or plant in question. ! 1165: Some examples are shown in Table~\ref{wildlife}. ! 1166: A more comprehensive list can be found in the IUCN's ``Red Book'' ! 1167: \cite{IUCN.Mammal}. ! 1168: ! 1169: Secondly, the entry for your DSA must be visible to other DSAs who do not know ! 1170: how to contact your DSA. ! 1171: So, the MASTER copy of your DSAs own entry must be held at least one level higher up ! 1172: in the DIT than the part of the DIT it holds as \verb"MASTER" data. ! 1173: For example the DSA which holds ! 1174: ``c=GB @ o=University College London @ ou=Computer Science'', ! 1175: must be held at the ! 1176: ``c=GB @ o=University College London'' level ! 1177: (e.g. ``c=GB @ o=University College London @ cn=wombat'') or above. ! 1178: Such naming also helps prevent loops as described more fully in ! 1179: \cite{QUIPU.Design}. ! 1180: ! 1181: In practice DSAs should be named fairly high up the tree. ! 1182: Each country should have at least two DSAs named at the root level. ! 1183: Each Organisation should have at least two DSA named at the national level. ! 1184: ! 1185: \tagtable[tp]{q-1}{Endangered South American Wildlife}{wildlife} ! 1186: ! 1187: You should use \pgm{dish} to find out if the name you want is already taken. ! 1188: For example, ! 1189: if you are creating a DSA for an organization in Great Britain, ! 1190: you might use: ! 1191: \begin{quote}\small\begin{verbatim} ! 1192: % dish -c "Giant Tortoise" ! 1193: Welcome to Dish (DIrectory SHell) ! 1194: Dish -> search @c=GB -filter objectClass=dsa ! 1195: \end{verbatim}\end{quote} ! 1196: This will print out the list of names already in use. ! 1197: ! 1198: Having chosen a name, you will need to tell your DSA its name, and ! 1199: make sure it can find an EDB file for its own entry. ! 1200: ! 1201: A DSA finds it own name from the ``mydsaname'' variable defined in the file ! 1202: \file{quiputailor} (see Section~\ref{dsa:tailor} for details). ! 1203: An example \verb"quiputailor" entry would be:- ! 1204: \begin{quote}\small\begin{verbatim} ! 1205: mydsaname: "c=GB@cn=a dsa name" ! 1206: \end{verbatim}\end{quote} ! 1207: Having read this name from \verb"quiputailor", a DSA will try to find ! 1208: the corresponding entry. ! 1209: The process for doing this is complex, and is ! 1210: described in full in Section~\ref{dsa:starting}. Essentially the ! 1211: DSA needs to find the EDB file holding the entry, and hence you MUST ! 1212: supply it, if supplied correctly it will be found. ! 1213: ! 1214: If you hold the EDB that the entry should be in, simply ! 1215: make sure the entry is in that EDB and then it will be found. ! 1216: If you do not hold, and do not want to hold the EDB in which your ! 1217: DSA is named (e.g., your DSA is called \verb"c=GB@cn=toucan" but ! 1218: you do not hold the EDB \verb"c=GB"), then you should (normally) ! 1219: supply a cached copy of the EDB which contains only the ! 1220: entry for the DSA, and not all the others entries the full EDB would have. ! 1221: If you do not supply it, your DSA will have to rely on others DSAs before it ! 1222: can start. ! 1223: ! 1224: \subsection {Connection to the Global Directory}\label{dsa:global} ! 1225: ! 1226: ! 1227: To enable the global directory to connect to you, you must contact the ! 1228: manager of the DSA immediately above the node you want to added under. ! 1229: Supply them with the entry for your DSA, and the top level ! 1230: entry of the sub-tree ! 1231: you want to hold. ! 1232: For example, to add the organisation ``o=foobar'' below ``c=US'', ! 1233: contact the manager of the DSA holding ``c=US'' as a MASTER, giving them the ! 1234: entry for ``c=US@o=foobar'' and ``c=US@cn=foobar\_dsa'', assuming ! 1235: ``c=US@cn=foobar\_dsa'' is the name of your DSA (see Section~\ref{dsa:naming} ! 1236: on naming a DSA). ! 1237: ! 1238: By convention, ! 1239: to find out who administers the master EDB for a particular node, ! 1240: run the \man dish(1c) program and retrieve the \verb"manager" attribute ! 1241: from the entry for the DSA holding that node. ! 1242: ! 1243: You can then find a mail address by looking that person up in the directory. ! 1244: ! 1245: The following example shows you how to get the mail address of the ! 1246: manager of the c=GB subtree. ! 1247: ! 1248: \begin{verbatim} ! 1249: % dish ! 1250: Welcome to Dish (DIrectory SHell) ! 1251: Dish -> showentry @c=GB -type masterDSA ! 1252: masterDSA - cn = Giant Tortoise ! 1253: Dish -> showentry "@cn=Giant Tortoise" -type manager ! 1254: manager - countryName=GB ! 1255: organization=University College London ! 1256: organizationalUnit=Computer Science ! 1257: commonName=Colin Robbins ! 1258: Dish -> moveto "@c=gb@o=University College London @ ! 1259: ou=Computer Science @ cn=Colin Robbins" ! 1260: Dish -> showentry -type rfc822Mailbox ! 1261: rfc822Mailbox - [email protected] ! 1262: Dish -> quit ! 1263: % ! 1264: \end{verbatim} ! 1265: ! 1266: If you want to add data to the root node of the ``global tree'' ! 1267: (e.g., a new country) then you will probably want a copy of the ! 1268: ROOT EDB (or you might want a copy for other reasons). ! 1269: The master can be accessed via the FTAM service at UCL as ! 1270: file \file{$<$PUB$>$/masterEDB}. ! 1271: (The address of this service is found in the {\bf Preface\/} of this volume.) ! 1272: If you are unable to access the FTAM service, ! 1273: a copy of the master can also be obtained from the {\em quipu-support} ! 1274: address given in Section~\ref{quipu:support}. ! 1275: Having obtained the root EDB, add the new entries, and mail the new ! 1276: information to the {\em quipu-support} address given in ! 1277: Section~\ref{quipu:support}. ! 1278: ! 1279: To keep this EDB upto date you should use the ``getEDB'' ! 1280: operation discussed in Section~\ref{slave_update} (this can also be used to ! 1281: get the EDB in the first place). ! 1282: ! 1283: When you think you are connected to the ``global DIT'', ! 1284: you should test that you are. To do this use \verb"dish" to connect ! 1285: to a DSA higher than you in the DIT (using the \verb"-call" flag as described ! 1286: in Section~\ref{dua:tailor}, then see if you can navigate to your ! 1287: own part of the DIT, and look at your data --- if so ! 1288: then the DSA is connected. ! 1289: ! 1290: \section {Adding more Data} ! 1291: \label{adding_data} ! 1292: ! 1293: Having got a DSA started, and connected to the global DIT, you should start ! 1294: to add lots of data. ! 1295: There are many sources of such data, and with just a relatively small amount ! 1296: of effort this data can be added to the directory. ! 1297: ! 1298: There are two ways such data can be added. ! 1299: First of all you can use one of the DUA programs to bind to the DSA as the ! 1300: DSA manager, and send data to the directory via the ``add'' and ``modify'' ! 1301: operations (see Sections~\ref{dish:add} and \ref{dish:modify}). ! 1302: This is probably the best way to add relatively small amounts of data, ! 1303: or make minor changes to the data. ! 1304: ! 1305: To add a large amount of data (i.e., the initial creation of a ! 1306: large database) if is probably easiest to write a shell script using \unix/ ! 1307: tools such as \verb"awk" and \verb"grep" to create the EDB files directly. ! 1308: In the next version of the software there will be tools to facilitate this. ! 1309: ! 1310: When adding data for users it is advisable to allocate a ``userPassword''. ! 1311: \index{user password attribute} ! 1312: Chapter~\ref{Security} describes how to do this. ! 1313: ! 1314: \subsection {More on Object Classes} ! 1315: The only object class discussed so far is the ``quipuDSA'' objectclass. ! 1316: When you start to add data, you will probably want to add information about ! 1317: people, sub-divisions of your organisation, and other application entities. ! 1318: This Section introduces some of the more important object classes, and the ! 1319: attributes they may contain. ! 1320: In many cases, only the attribute type is specified, for details of typical ! 1321: values and the value syntax you should read Chapter~\ref{syntaxes}. ! 1322: ! 1323: As already discribed, every entry in the DIT must belong to the object ! 1324: class \verb+top+, which means every entry must have an \verb+objectClass+ ! 1325: attribute. ! 1326: Also, every entry in the Quipu DIT should belong to either the ! 1327: \verb+quipuNonLeafObject+ or \verb+quipuObject+. ! 1328: ! 1329: \subsubsection{Person} ! 1330: This is a base object class used to represent a person. ! 1331: ! 1332: There are two mandatory attributes: ! 1333: \begin{describe} ! 1334: \item[commonName:] ! 1335: which gives a (potentially ambiguous) name for ! 1336: the person. ! 1337: The value of this attribute is a string usually ! 1338: containing the person's first and last names; e.g., ! 1339: \begin{quote}\small\begin{verbatim} ! 1340: Marshall Rose ! 1341: \end{verbatim}\end{quote} ! 1342: This attribute is usually multi-valued, containing ! 1343: variations on the first, middle, and last names; e.g., ! 1344: \begin{quote}\small\begin{verbatim} ! 1345: Colin Robbins ! 1346: Colin John Robbins ! 1347: Colin J. Robbins ! 1348: \end{verbatim}\end{quote} ! 1349: Generally this attribute will supply the ! 1350: distinguished attribute of the entry. ! 1351: \item[surName:] ! 1352: which gives the person's last name. ! 1353: \end{describe} ! 1354: ! 1355: The optional attributes are:- ! 1356: \begin{quote}\small\begin{verbatim} ! 1357: userPassword ! 1358: seeAlso ! 1359: telephoneNumber ! 1360: description ! 1361: \end{verbatim}\end{quote} ! 1362: ! 1363: \subsubsection{OrganizationalPerson} ! 1364: This is a sub-class of \verb+person+ and introduces the following optional ! 1365: attributes:- ! 1366: \begin{quote}\small\begin{verbatim} ! 1367: preferredDeliveryMethod ! 1368: destinationIndicator ! 1369: registeredAddress ! 1370: internationaliSDNNumber ! 1371: x121Address ! 1372: facsimileTelephoneNumber ! 1373: teletexTerminalIdentifier ! 1374: telexNumber ! 1375: physicalDeliveryOfficeName ! 1376: postOfficeBox ! 1377: postalCode ! 1378: postalAddress ! 1379: title ! 1380: organizationalUnitName ! 1381: streetAddress ! 1382: stateOrProvinceName ! 1383: locality ! 1384: \end{verbatim}\end{quote} ! 1385: ! 1386: \subsubsection{ThornPerson} ! 1387: like \verb+OrganizationalPerson+, this is also a sub-class of \verb+person+ ! 1388: and introduces the following optional ! 1389: attributes:- ! 1390: \begin{quote}\small\begin{verbatim} ! 1391: homePostalAddress ! 1392: lastModifiedBy ! 1393: lastModifiedTime ! 1394: secretary ! 1395: homePhone ! 1396: userClass ! 1397: photo ! 1398: roomNumber ! 1399: favouriteDrink ! 1400: info ! 1401: rfc822Mailbox ! 1402: textEncodedORaddress ! 1403: userid ! 1404: \end{verbatim}\end{quote} ! 1405: ! 1406: Two example \verb+ThornPerson+ entries are given in Figure~\ref{example_edb} on ! 1407: page~\pageref{example_edb}. ! 1408: ! 1409: \subsubsection{OrganizationalRole} ! 1410: Entries of this class are used to represent a position or role within an ! 1411: organization. ! 1412: ! 1413: There is one mandatory attribute: ! 1414: \begin{describe} ! 1415: \item[commonName:] which gives the name of the role. ! 1416: The value of this attribute is a string; e.g., ! 1417: \begin{quote}\small\begin{verbatim} ! 1418: PostMaster ! 1419: \end{verbatim}\end{quote} ! 1420: \end{describe} ! 1421: ! 1422: There are many optional attributes including: ! 1423: \begin{describe} ! 1424: \item[roleOccupant:] which is the Distinguished Name of the person ! 1425: who fulfills the role e.g., ! 1426: \begin{quote}\small\begin{verbatim} ! 1427: c=US@o=NYSERNet Inc.@ou=Operations@cn=Chris Kolb ! 1428: \end{verbatim}\end{quote} ! 1429: \end{describe} ! 1430: ! 1431: The other optional attributes are: ! 1432: \begin{quote}\small\begin{verbatim} ! 1433: seeAlso ! 1434: preferredDeliveryMethod ! 1435: destinationIndicator ! 1436: registeredAddress ! 1437: internationaliSDNNumber ! 1438: x121Address ! 1439: facsimileTelephoneNumber ! 1440: teletexTerminalIdentifier ! 1441: telexNumber ! 1442: telephoneNumber ! 1443: physicalDeliveryOfficeName ! 1444: postOfficeBox ! 1445: postalCode ! 1446: postalAddress ! 1447: description ! 1448: organizationalUnitName ! 1449: streetAddress ! 1450: stateOrProvinceName ! 1451: locality ! 1452: \end{verbatim}\end{quote} ! 1453: ! 1454: ! 1455: \subsubsection{Alias} ! 1456: Objects of this class represent an alias to some other entry in the ! 1457: DIT. It is generaly used when an entity belongs in one or more subtrees of ! 1458: the DIT, and is used to ``point'' one entry at the other. ! 1459: ! 1460: There are two mandatory attributes: ! 1461: \begin{describe} ! 1462: \item[commonName:] which gives the name of the alias. ! 1463: The value of this attribute is a string; e.g., ! 1464: \begin{quote}\small\begin{verbatim} ! 1465: Colin Robbins ! 1466: \end{verbatim}\end{quote} ! 1467: ! 1468: \item[aliasedObjectName:] which is a pointer to another object in the Directory; ! 1469: e.g., ! 1470: \begin{quote}\small\begin{verbatim} ! 1471: c=GB@o=University College London@ou=Computer Science@cn=Colin Robbins ! 1472: \end{verbatim}\end{quote} ! 1473: \end{describe} ! 1474: There are no optional attributes for this object class. ! 1475: ! 1476: An example of an Alias entry is given below:- ! 1477: \begin{quote}\small\begin{verbatim} ! 1478: cn= Quipu-support ! 1479: aliasedObjectName= c=GB@o=University College London@ou=Computer ! 1480: Science@cn=Incads ! 1481: objectClass= quipuObject & alias & top ! 1482: \end{verbatim}\end{quote} ! 1483: ! 1484: \subsubsection{OrganizationalUnit} ! 1485: The \verb+OrganisationalUnit+ object class is used to represent a unit within ! 1486: your organisation. ! 1487: There is one mandatory attribute ! 1488: \begin{describe} ! 1489: \item[organizationalUnitName:] ! 1490: which gives the name of the organizational unit. ! 1491: The value of this attribute is a string; e.g., ! 1492: \begin{quote}\small\begin{verbatim} ! 1493: Research and Development ! 1494: \end{verbatim}\end{quote} ! 1495: \end{describe} ! 1496: ! 1497: The optional attributes are:- ! 1498: \begin{quote}\small\begin{verbatim} ! 1499: userPassword ! 1500: seeAlso ! 1501: preferredDeliveryMethod ! 1502: destinationIndicator ! 1503: registeredAddress ! 1504: internationaliSDNNumber ! 1505: x121Address ! 1506: facsimileTelephoneNumber ! 1507: teletexTerminalIdentifier ! 1508: telexNumber ! 1509: telephoneNumber ! 1510: physicalDeliveryOfficeName ! 1511: postOfficeBox ! 1512: postalCode ! 1513: postalAddress ! 1514: businessCategory ! 1515: searchGuide ! 1516: description ! 1517: streetAddress ! 1518: stateOrProvinceName ! 1519: locality ! 1520: \end{verbatim}\end{quote} ! 1521: ! 1522: \subsubsection{Organization} ! 1523: Objects of this class represent a top-level organizational entity, ! 1524: such as a corporation, university, government entity, and so on. ! 1525: ! 1526: There is one mandatory attribute: ! 1527: \begin{describe} ! 1528: \item[organizationName:] ! 1529: which gives the name of the organization. ! 1530: The value of this attribute is a string; e.g., ! 1531: \begin{quote}\small\begin{verbatim} ! 1532: NYSERNet Inc. ! 1533: \end{verbatim}\end{quote} ! 1534: \end{describe} ! 1535: ! 1536: The optional attributes are:- ! 1537: \begin{quote}\small\begin{verbatim} ! 1538: userPassword ! 1539: seeAlso ! 1540: preferredDeliveryMethod ! 1541: destinationIndicator ! 1542: registeredAddress ! 1543: internationaliSDNNumber ! 1544: x121Address ! 1545: facsimileTelephoneNumber ! 1546: teletexTerminalIdentifier ! 1547: telexNumber ! 1548: telephoneNumber ! 1549: physicalDeliveryOfficeName ! 1550: postOfficeBox ! 1551: postalCode ! 1552: postalAddress ! 1553: businessCategory ! 1554: searchGuide ! 1555: description ! 1556: streetAddress ! 1557: stateOrProvinceName ! 1558: locality ! 1559: \end{verbatim}\end{quote} ! 1560: ! 1561: \subsubsection {domainRelatedObject} ! 1562: If an object has some relationship to the Internet Domain Name System (DNS), ! 1563: then this can be represented in the DIT using this objectclass. ! 1564: ! 1565: This class has one mandatory attribute: ! 1566: \begin{describe} ! 1567: \item[associatedDomain:] ! 1568: identifies the domain which corresponds to this object. ! 1569: The value is a domain string, e.g., ! 1570: \begin{quote}\small\begin{verbatim} ! 1571: nyser.net ! 1572: cs.ucl.ac.uk ! 1573: \end{verbatim}\end{quote} ! 1574: \end{describe} ! 1575: ! 1576: \subsection {Schemas} ! 1577: \label{quipu:schema} ! 1578: ! 1579: Directories should provide a very flexible tool ! 1580: which enables any information to be stored. There is a danger that Schemas, ! 1581: as specified in the OSI Directory, will lead to procrustean directory implementations ! 1582: which impose unreasonable restrictions. The QUIPU Directory does not, per ! 1583: se, place restrictions on what can be placed in a DSA. ! 1584: It does however give control so that managers may control what is stored in the ! 1585: directory. ! 1586: ! 1587: The first aspect of structure is with respect to attributes which may be ! 1588: present in an entry. A QUIPU DSA will allow an entry to belong to one or ! 1589: more object classes which are known to the DSA (stored in a table). An ! 1590: entry will typically have a small number of object classes (e.g., TOP ! 1591: (implicit) + Person + Organisational Person + QUIPU Object). The DSA will ! 1592: maintain a table of mandatory and optional attributes for each object class ! 1593: supported. This will be follow the guidelines of the standard or ! 1594: specification identifying the object class in question. From this ! 1595: information, the DSA can determine the permitted and mandatory attributes for a ! 1596: given entry, by calculating the union of all the object classes of that ! 1597: entry. Free extension (i.e., the ability to store any attribute) was ! 1598: rejected, as there does not appear to be a reasonable mechanism to manage ! 1599: this. However, it is straightforward for managers to create new object ! 1600: classes as desired. ! 1601: ! 1602: \tagrind[htb]{schema}{Schema definition}{schema-py} ! 1603: ! 1604: It is important ! 1605: to allow management control of what is permitted at a given level. ! 1606: Therefore a ``tree structure'' ! 1607: attribute may be created. ! 1608: This attribute is defined in Figure~\ref{schema-py}, with the string syntax ! 1609: discussed in ~\ref{tree_struct}. ! 1610: This specifies for the level below, ! 1611: what types of object are permitted. ! 1612: Each attribute value identifies a class of object which can exist at the level ! 1613: below, and ! 1614: defines a set of mandatory and optional object classes. ! 1615: This can be considered as defining a (private) object class implied by the ! 1616: combination of these classes. ! 1617: For each type of object, the attribute types permitted in the RDN are also ! 1618: listed. This is not checked in QUIPU-6.0 ! 1619: The directory knows about the tree structure attribute, and will ! 1620: ensure consistency. ! 1621: When creating an entry, the DSA must check that it conforms to the ! 1622: treeStructure attribute of the parent entry. ! 1623: When removing information from a treeStructure attribute, the ! 1624: Directory will check that all of the children conform to the ! 1625: modified attribute. ! 1626: ! 1627: \subsection {Photograph Attributes} ! 1628: \label{dua:photo} ! 1629: ! 1630: The data that a DSA can hold does not have to be limited to data that can be ! 1631: represented by printable strings. ! 1632: Any attribute a QUIPU DSA does not know a string syntax for, it will hold as ! 1633: a block of ASN.1. ! 1634: One such attribute is the ``photo'' attribute. ! 1635: Photographs of people and objects are stored in the directory as a ! 1636: g3fax encoded block of ASN.1, and are best stored as ``file'' attributes ! 1637: described in the next Section. ! 1638: There is an example of a photograph attribute in the example database. ! 1639: This can be looked at by connecting to the directory with \verb"dish" ! 1640: and looking at the entry ! 1641: ``c= GB @ o= University College London @ ou= Computer Science @ cn= Steve Kille" ! 1642: ! 1643: ! 1644: Unless you you have compiled and installed the ``photo'' code as ! 1645: described in Section~\ref{quipu:install} you will see the message ! 1646: \begin{quote}\begin{verbatim} ! 1647: ``No display process defined'' ! 1648: \end{verbatim}\end{quote} ! 1649: ! 1650: Having compiled the ``photo'' code, you will need to add a line such ! 1651: as ! 1652: \begin{quote}\small\begin{verbatim} ! 1653: photo xterm Xphoto ! 1654: \end{verbatim}\end{quote} ! 1655: to your dsaptailor file (see Section~\ref{dua:tailor}) ! 1656: This says that if the user in logged on to a terminal ! 1657: of the type \verb"xterm" then use the process \file{g3fax/Xphoto} ! 1658: in the ISODE \verb"ETCDIR" directory to display the photograph. ! 1659: ! 1660: There are display routines provided for the X~window system, SunView, ! 1661: Tektronix~4014, and ``dumb'' terminals. ! 1662: ! 1663: \subsection {File Attributes} ! 1664: \label{file_attr} ! 1665: Attributes values are generally stored in the EDB file, and loaded ! 1666: into memory when the DSA starts. ! 1667: For some large attributes such a photos, this is not a sensible approach, so the ! 1668: concept of a ``file'' attribute is introduced. ! 1669: ! 1670: If an attribute value is prefixed by \verb"FILE", then the value is assumed ! 1671: to be stored on disk. ! 1672: For example if the following were found in an EDB file:- ! 1673: \begin{quote}\small\begin{verbatim} ! 1674: photo = {FILE} /usr/local/pictures/steve ! 1675: \end{verbatim}\end{quote} ! 1676: then the value for the photo attribute would be read from the file ! 1677: \begin{quote} ! 1678: \verb"/usr/local/pictures/steve". ! 1679: \end{quote} ! 1680: ! 1681: The syntax of the data in the file is expected to be the same as ! 1682: the string syntax, except in the case of ASN and PHOTO attributes which ! 1683: are expected to be in raw ASN.1. ! 1684: ! 1685: If there is not a file name supplied, then a default name is allocated. ! 1686: The default file name is the RDN of the entry the attribute belongs to ! 1687: followed by a dot ``.'', followed by the attributeType. This file is expected ! 1688: to be in the same directory as the EDB file for the entry. ! 1689: For example the default file for photo attribute, representing the entry ! 1690: for ! 1691: ``c= GB @ o= University College London @ ! 1692: ou= Computer Science @ cn= Colin Robbins'' ! 1693: would be:- ! 1694: \begin{quote}\small\begin{verbatim} ! 1695: cn=Colin Robbins.photo ! 1696: \end{verbatim}\end{quote} ! 1697: in the directory ! 1698: \begin{quote}\small\begin{verbatim} ! 1699: quipu-db/c=GB/o=University College London/ou=Computer Science ! 1700: \end{verbatim}\end{quote} ! 1701: or equivalent mapped file as described in Section~\ref{EDB:mapped}. ! 1702: ! 1703: The process defined so far allows for attribute stored in a EDB in file ! 1704: format to be read by a DSA. ! 1705: Writing the attributes back to files if modified/added by a DUA requires ! 1706: a little more. ! 1707: The DSA needs to know which attributes should be stored on disk. ! 1708: This information is supplied in the attribute oidtables which are ! 1709: defined in Section~\ref{oidtables}. ! 1710: For example if the following entry was found in the file ! 1711: \file{oidtable.at} in the ISODE \verb"ETCDIR" directory ! 1712: then a ``photo'' attributed would always be written ! 1713: back to disk. ! 1714: \begin{quote}\small\begin{verbatim} ! 1715: photo: thornAttribute.7: photo : file ! 1716: \end{verbatim}\end{quote} ! 1717: ! 1718: ! 1719: \section {How a DSA Starts} ! 1720: \label{dsa:starting} ! 1721: ! 1722: The Section gives a brief description of how a QUIPU DSA starts. ! 1723: This is intended to help people who have experienced problems in getting ! 1724: their DSAs started. ! 1725: ! 1726: First of all the tailor file \file{quiputailor} in the ISODE \verb"ETCDIR" directory ! 1727: is read (unless you ! 1728: specify a different tailor file using the \verb"-t" option to ! 1729: \pgm{ros.quipu}). ! 1730: This tells the DSA, amongst other things, its own name, and its parent ! 1731: DSA(s). ! 1732: ! 1733: The first thing a DSA need to do if find its own entry, thus it tries to ! 1734: load the EDB that should contain it. ! 1735: If it can not find its own entry, then it will try connecting to the ! 1736: parent DSA to read its own entry. If this fails the DSA will stop. ! 1737: ! 1738: Having found its own entry, the DSA will check to see if it is a cached ! 1739: entry read from disk, if so it will attempt to read a new version from the ! 1740: parent --- if successful a new cache EDB file will be written. ! 1741: ! 1742: Now the rest of the local DIT can be loaded. Each EDB specified in the ! 1743: ``edbInfo'' attribute \index{edbInfo attribute} is in turn loaded from disk. ! 1744: ! 1745: As each EDB is loaded from disk, it is checked to make sure all the ! 1746: attributes in the entry are allowed, as defined by the ``objectClass'' ! 1747: attribute, \index{objectClass attribute} and that the tree shape conforms to that defined by the ! 1748: ``treeStruture'' attribute. \index{treeStructure attribute} ! 1749: If any EDB fails these checks then the DSA will not start, and an appropriate ! 1750: message will be logged. ! 1751: ! 1752: A check is now made on the \verb"quipuVersion" \index{quipuVersion attribute} ! 1753: that a DSA entry MUST contain. ! 1754: If this attribute does not have the same version string as the ! 1755: running DSA process, a warning message is printed to the logs. ! 1756: On seeing this message, you should update the version string ! 1757: in your DSAs entry. ! 1758: Future version of the software will maintain the attribute for you. ! 1759: ! 1760: Having loaded all its data, the DSA will start listening for DAP and DSP ! 1761: associations. ! 1762: ! 1763: \section {Adding more DSAs} ! 1764: ! 1765: Many organisations will need to have more than one DSA to meet ! 1766: their requirements, the Section suggests how you might arrange your ! 1767: DSAs to get the most out of the system. ! 1768: ! 1769: You will almost certainly need at least one DSA that holds a ! 1770: copy of the root EDB, and your country EDB. ! 1771: This DSA should also hold the MASTER copy of your organisations own EDB. ! 1772: Subsequent DSAs that are set up, should have this DSA defined ! 1773: as one of their parent DSAs. ! 1774: ! 1775: For robustness, it is a good idea to have some other DSAs replicating ! 1776: these EDBs, so that if one local machine or DSA becomes unavailable, then ! 1777: there is another copy elsewhere that can be used. ! 1778: EDBs that contain addresses of other DSAs that you may want to contact ! 1779: regularly should also be replicated, to prevent extra associations ! 1780: having to be made just to read DSA addresses. ! 1781: In short, if you know that data from a certain ! 1782: EDB is going to be accessed a lot, replicate it locally. ! 1783: Replication does not have a high cost. ! 1784: ! 1785: When setting up multiple DSAs be sure to name them as described in ! 1786: Section~\ref{dsa:naming}, ! 1787: ensure the DSA entries are sufficiently high in the DIT, so that other DSAs ! 1788: can read the entry, without having to contact the DSA concerned. ! 1789: ! 1790: \section {Receiving EDB Updates} ! 1791: \label{slave_update} ! 1792: If your DSA holds a slave copy of one or more EDBs, then it can ! 1793: automatically update these for you. ! 1794: The current approach is very simple minded, but will be extended for future ! 1795: versions. ! 1796: ! 1797: There are two ways to ask a DSA to update its slave EDBs, either use \pgm {dish} ! 1798: program and issue a ``dsacontrol --slave'' command --- see ! 1799: Section~\ref{dua:mgmt}, or set the \verb"quiputailor" parameter ! 1800: ``update'' to ``on'' (see Section~\ref{dsa:tailor}) ! 1801: --- in which case the DSA will try to update its slaves ! 1802: when it starts up. ! 1803: ! 1804: To update the slaves, the DSA uses the ``edbinfo'' attribute that the DSAs ! 1805: entry in the DIT MUST have. ! 1806: This attribute specifies which EDBs you hold, and where to get updates of ! 1807: the from. ! 1808: NOTE you do not necessarily have to get updates from a \verb"MASTER" EDB, ! 1809: a \verb"SLAVE" is acceptable. ! 1810: In many cases this will be preferable to prevent the ! 1811: load on the \verb"MASTER" DSA being too high. ! 1812: For example a ``national'' EDB is likely to be highly replicated, ! 1813: it would not be a good idea to have just one DSA ! 1814: handling updates. It would be better to have the load spread over several ! 1815: DSAs. ! 1816: ! 1817: The syntax of the attribute is \index{edbInfo attribute} ! 1818: \begin{quote}\begin{verbatim} ! 1819: edbinfo = EDB concerned # get from # send to ! 1820: \end{verbatim}\end{quote} ! 1821: It is a multi-valued attribute. ! 1822: ! 1823: A few examples: ! 1824: \begin{quote}\small\begin{verbatim} ! 1825: # cn=Giant Tortoise # cn=Fruit Bat ! 1826: c=US # # cn=Fruit Bat ! 1827: c=US # # c=US@cn=Spectacled Bear ! 1828: c=US@l=NY # cn=Fruit Bat # ! 1829: \end{verbatim}\end{quote} ! 1830: Note that there is no harm to using multiple \verb"eDBinfo" lines, ! 1831: even if they refer to the same EDB. ! 1832: These lines indicate that: ! 1833: \begin{itemize} ! 1834: \item The ROOT EDB is read from the \verb"cn=Giant Tortoise" DSA, ! 1835: further the \verb"cn=Fruit Bat" DSA is allowed to read the ! 1836: ROOT EDB from this DSA. ! 1837: This is an important point --- A DSA has to explicitly say it will ! 1838: allow you to update from it, before it will send EDB files. ! 1839: Thus if you want to pull EDB files from a remote DSA, you will need ! 1840: to ask the manager to add you DSA to their DSAs ``send to'' field. ! 1841: ! 1842: \item The \verb"cn=Fruit Bat" DSA and the \verb"c=US@cn=Spectacled Bear" DSA ! 1843: are allowed to read the EDB for \verb"c=US". ! 1844: Note that the second and third line could be combined as: ! 1845: \begin{quote}\small\begin{verbatim} ! 1846: c=US # # cn=Fruit Bat$c=US@cn=Spectacled Bear ! 1847: \end{verbatim}\end{quote} ! 1848: \item The DSA named \verb"cn=Fruit Bat" supplies the EDB for \verb"c=US@l=NY" ! 1849: to this DSA. ! 1850: \end{itemize} ! 1851: ! 1852: Some EDB files, such as the ROOT, and country level EDB files are highly ! 1853: replicated, and having to list all the DSAs that are allowed to pull such EDBs ! 1854: is too restrictive. ! 1855: Thus the following syntax can be used as an abbreviation: ! 1856: \begin{quote}\small\begin{verbatim} ! 1857: c=US # # c=US ! 1858: \end{verbatim}\end{quote} ! 1859: This indicates that the c=US EDB file can be sent to DSA named at the c=US ! 1860: level of the DIT, for example ! 1861: \begin{quote}\small\begin{verbatim} ! 1862: c=US@cn=Wombat ! 1863: \end{verbatim}\end{quote} ! 1864: is allowed to pull the EDB, but the following are not: ! 1865: \begin{quote}\small\begin{verbatim} ! 1866: cn=Wombat ! 1867: c=US@o=Foobar Inc.@cn=Wombat ! 1868: c=GB@cn=Wombat ! 1869: \end{verbatim}\end{quote} ! 1870: ! 1871: Whether to update is decided upon by looking at the version string, if the ! 1872: two EDB files have a different version string, then the EDB will be updated. ! 1873: ! 1874: \section {Tables} ! 1875: \label {oidtables} ! 1876: Throughout QUIPU, all the Object Identifiers that need to be specified, are ! 1877: specified using a string representation, for example:- ! 1878: ! 1879: \[\begin{tabular}{|l|l|} \hline ! 1880: String representation & Object Identifier \\ \hline ! 1881: attributeType & 2.5.4 \\ ! 1882: surname & 2.5.4.4 \\ ! 1883: streetAddress & 2.5.4.9 \\ ! 1884: organizationName & attributeType.10 \\ \hline ! 1885: \end{tabular}\] ! 1886: ! 1887: A set of Object Identifier tables in the ISODE \verb"ETCDIR" directory are ! 1888: used to ! 1889: provide this mapping (see also Section~\ref{isobject} in \volone/). ! 1890: In general the default table will be sufficient, ! 1891: this section describes the tables for those who want to extend ! 1892: the default definitions. ! 1893: ! 1894: This basic format is used to build up the specification of general object ! 1895: identifiers. ! 1896: This file is by default named \file{oidtable.gen}, and has simple ! 1897: mappings from string to oid. ! 1898: These strings can then be used in the definition of further oids (for example ! 1899: the ``organizationName'' oid in the table above). ! 1900: ! 1901: This simple table is extended to give table formats for attributes ! 1902: This file is by default named \file{oidtable.at}. ! 1903: Each entry in this table is assumed to represent an attribute, so ! 1904: in addition to mapping strings onto oids, ! 1905: it also defines the syntax for that attribute:- ! 1906: ! 1907: \[\begin{tabular}{|l|l|l|} \hline ! 1908: String representation & Object Identifier & Syntax\\ \hline ! 1909: objectClass:& attributeType.0: &objectclass \\ ! 1910: aliasedObjectName:& attributeType.1: &dn\\ ! 1911: commonName,cn:& attributeType.3: &caseignorestring\\ ! 1912: searchGuide:& attributeType.14: &asn\\ ! 1913: x121Address:& attributeType.24: &numericstring\\ ! 1914: presentationAddress:& attributeType.29: &presentationaddress\\ ! 1915: \hline ! 1916: \end{tabular}\] ! 1917: ! 1918: This says that the attribute named ``objectclass'' represents the oid ! 1919: ``attributeType.0'' --- using the expansion of ``attributeType'' ( ! 1920: as defined in the ! 1921: file \file{oidtable.gen}) thus gives the oid ``2.5.4.0''. ! 1922: The syntax taken by the attribute value is ``objectclass''. ! 1923: ! 1924: Similarly an ``aliasedObjectName'' has ``dn'' (DistinguishedName) syntax. ! 1925: The recognised syntaxes are defined in the BNF in ! 1926: Appendix~\ref{bnf}. ! 1927: ! 1928: After the ``syntax'' an extra optional parameter is allowed; ! 1929: if this is the string ``\verb"file"'' the the relevant attribute is ! 1930: designated a file attribute --- see Section~\ref{file_attr} for a ! 1931: description of file attributes. ! 1932: ! 1933: ! 1934: The file \file{oidtable.oc} defines the object classes\index{object ! 1935: class} QUIPU knows about. ! 1936: The file again maps strings onto oids. ! 1937: Each string is assumed to represent an object class, abd for each it ! 1938: defines the hierarchy (which object classes it is a subclass of), ! 1939: the mandatory attributes of the object class, and the optional attributes of ! 1940: the object class. ! 1941: ! 1942: For example the entry ! 1943: \begin{quote}\small\begin{verbatim} ! 1944: quipuObject: quipuObjectClass.2 : top : acl : \ ! 1945: masterDSA, slaveDSA, treeStructure ! 1946: \end{verbatim}\end{quote} ! 1947: ! 1948: defines ``quipuObject'' to be an objectClass represented by the oid ! 1949: ``quipuObjectClass.2''. ! 1950: It is a SUBCLASS of the object class ``top''. ! 1951: An entry having this object class MUST have the attribute ``acl'', and MAY ! 1952: have the attributes ``masterDSA'', ``slaveDSA'' and ``treeStructure'' ! 1953: (NOTE The similarity between this definition and the ASN.1 definition of ! 1954: a ``quipuObject'' in Appendix \ref{naming}). ! 1955: ! 1956: To allow for definitions of ``attribute sets'', there is a simple ! 1957: MACRO facility provided, for example, using the MACRO ! 1958: \begin{quote}\small\begin{verbatim} ! 1959: localeAttributeSet = localityName, streetAddress ... ! 1960: \end{verbatim}\end{quote} ! 1961: every occurrence of ``\verb"localeAttributeSet"'' will be replace by the right ! 1962: hand side expression. ! 1963: ! 1964: ! 1965: With the definition of the ``string'' form of the oid it is also possible ! 1966: to specify ONE abbreviation for the name. ! 1967: The standard tables use the following abbreviations:- ! 1968: ! 1969: \[\begin{tabular}{|l|l|} ! 1970: \hline ! 1971: c & countryName \\ ! 1972: o & organizationName \\ ! 1973: ou & organizationalUnitName \\ ! 1974: cn & commonName \\ ! 1975: co & friendlyCountryName \\ ! 1976: \hline ! 1977: \end{tabular}\] ! 1978: ! 1979: The abbreviated name may be used anywhere the full name would be allowed. ! 1980: ! 1981: ! 1982: Every entry stored in the QUIPU DSA is checked against these tables to see if ! 1983: the attributes supplied are allowed in the entry, to make sure the mandatory ! 1984: attributes are present, and the attributes themselves have the correct syntax. ! 1985: ! 1986: If you wish to add you own definitions to the tables you should add them to ! 1987: the files ! 1988: \file{isode/dsap/oidtable.at.local}, ! 1989: \file{isode/dsap/oidtable.oc.local} and ! 1990: \file{isode/dsap/oidtable.gen.local} ! 1991: in that way, if a new set of tables are issued, you local entries will be ! 1992: preserved. ! 1993: ! 1994: \section{More Help Installing Quipu} ! 1995: Contact ``quipu-support'', ! 1996: the mail address is given in Section~\ref{quipu:support}. ! 1997:
This archive runs on limited infrastructure. Preserving old code on modern bandwidth. Automated agents are requested to crawl responsibly.