Commit | Line | Data |
---|---|---|
7227d4a4 WJ |
1 | .TL |
2 | Upgrading Quipu-6.0 to Quipu-6.8 | |
3 | .AU | |
4 | Colin Robbins | |
5 | .AI | |
6 | X-Tel Services Ltd | |
7 | .AB | |
8 | .nh | |
9 | This is a brief note to describe the differences between Quipu 6.8 and | |
10 | the previous major release of Quipu -- Quipu-6.0. | |
11 | .LP | |
12 | To clarify the version numbers, Quipu-6.0 was distributed with ISODE-6.0. | |
13 | Quipu-6.1 was an upgrade to Quipu released by UCL a short time after | |
14 | ISODE-6.0. | |
15 | Quipu-6.8 is part of ISODE-6.8. | |
16 | When I refer to Quipu-6.0 in the following text, this includes | |
17 | Quipu-6.1. | |
18 | .LP | |
19 | You should be able to compile and install the new code and | |
20 | everything should work as before. However there is some | |
21 | tailoring you can do to increase the efficiency of your DSA, and some | |
22 | new feature you may wish to use. | |
23 | .LP | |
24 | A WORD OF WARNING: This version of Quipu writes its EDB files in a | |
25 | slightly different format to 6.0. Once a 6.8 DSA writes an EDB file | |
26 | there is no easy way to roll back - make sure you have a back up. | |
27 | .AE | |
28 | ||
29 | .NH | |
30 | Robustness | |
31 | .LP | |
32 | One of the primary reasons for having this beta test is because we | |
33 | need to be sure then next Major version (i.e Quipu-7.0) is robust. Any | |
34 | failure in this version of Quipu should be investigated and reported | |
35 | to Quipu-support@cs.ucl.ac.uk, if it isn't reported it may not get fixed ! | |
36 | ||
37 | .NH | |
38 | Pepsy | |
39 | .LP | |
40 | The old pepy based encoders/decoders have been replaced with table | |
41 | driven encoders/decoders using a tool called pepsy, written by Andrew | |
42 | Worsley. This means the binaries are a lot smaller (and compile a lot | |
43 | quicker). This also increases the encoding/decoding speed. | |
44 | .LP | |
45 | If you have written your own DUA's using the old libdsap and call the | |
46 | old pepy encode or decode routines directly, you | |
47 | will need to add | |
48 | .IP | |
49 | #include <isode/quipu/syntaxes.h> | |
50 | .LP | |
51 | to the .c files that call the encoder and decoders. | |
52 | ||
53 | .NH | |
54 | Shared Libraries Under SunOS4.1 | |
55 | .LP | |
56 | ISODE and Quipu can be compiled | |
57 | with shared libraries, again this makes the binaries smaller which | |
58 | seems to help reduce the DSA paging problems (see config/sunos4.make to see | |
59 | how to generate shared libraries). | |
60 | ||
61 | ||
62 | .NH | |
63 | DSA manages its own entry. | |
64 | .LP | |
65 | A DSA now manages its own entry in the | |
66 | DIT. This is one of the most important changes to Quipu, and has the | |
67 | potential for causing the most trouble! | |
68 | Generally the MASTER EDB in | |
69 | which you DSAs entry resides is not held by your DSA. | |
70 | This means it is | |
71 | difficult for a DSA to modify its own entry, so for example it can't | |
72 | keep its version number uptodate. With Quipu 6.8, a DSA holding the | |
73 | MASTER EDB knows that any DSAs whose version number is 6.8 or greater | |
74 | wants to manage its own entry. | |
75 | To allow this to happen, The DSA holding the MASTER EDB "spot shadows" | |
76 | the remote DSA entry. That is, from | |
77 | time to time it connects to the DSA in question, reads its entry, | |
78 | and writes the result back into the MASTER EDB file. So modify | |
79 | operations on the DSAs entry can now take place in your local DSA. This | |
80 | has the advantage that attributes such as the version number are | |
81 | kept up to date. | |
82 | .LP | |
83 | There is a bit of a boot strap problem. You will need to modify the | |
84 | version number in | |
85 | your DSAs entry in the MASTER EDB first time to tell it you are running | |
86 | Quipu-6.8. | |
87 | You will have to do this by connecting straight to the relevant remote DSA | |
88 | over DAP to do the modify. If you connect straight to you local DSA it | |
89 | knows it is running 6.8, so will assume it has control of the version | |
90 | number and won't let you change it! | |
91 | .LP | |
92 | There is another problem when modifying the presentation | |
93 | address of a DSA. | |
94 | You must make | |
95 | sure the DSA with the MASTER EDB reads the new address, BEFORE you | |
96 | move the DSA. If not it will always attempt to connect to the wrong | |
97 | address to shadow the entry | |
98 | (Alternatively you could use a ts_bridge to make it looks as if the | |
99 | old address still works). | |
100 | This problem did exist before, but is now made worse! | |
101 | .LP | |
102 | If your DSA does not hold the MASTER EDB file for its own entry, then | |
103 | there is a fundamental assumption that the DSA that does hold the | |
104 | MASTER EDB file is also running the new 6.8 code. | |
105 | If it does not operations WILL go wrong. This means the new | |
106 | Quipu must be inserted into the DIT `top down'. | |
107 | .LP | |
108 | To perform this shadowing, the DSA has to read its own entry across an | |
109 | un-authenticated DSP link, thus it can not read any attributes that | |
110 | are protected by ACLs. | |
111 | So all important attributes in the DSAs entry MUST be publically | |
112 | readable (this includes the unused userPassword attribute). | |
113 | If they are not readable the shadowing operation will fail. | |
114 | .NH | |
115 | Spot Shadowing | |
116 | .LP | |
117 | As an extension to the above, a DSA can `spot shadow' | |
118 | other entries in the DIT. When searching, often a large part of the | |
119 | time is involved with chaining off to other DSAs to search aliases. | |
120 | To enhance performance it | |
121 | is sometimes useful to have a cached copy of the alias locally. To | |
122 | arrange this, you can add: | |
123 | .IP | |
124 | shadow_attribute aliasedObjectName | |
125 | .LP | |
126 | to your quiputailor file. The | |
127 | the DSA will make sure it has a cached copy of all DNs referenced by | |
128 | aliasedObjectName attributes. Similarly seeAlso, masterDSA or any DN | |
129 | attribute can be shadowed. | |
130 | .LP | |
131 | Spot shadowing can also used to interface the Quipu world to the | |
132 | non-Quipu world. | |
133 | If part of the DIT is not stored in a Quipu DSA, and the non | |
134 | Quipu DSA wants to master an entry which is held in a Quipu MASTER EDB, the entry can be | |
135 | spot shadowed. You should ask quipu-support@cs.ucl.ac.uk for details | |
136 | of how to do this. | |
137 | ||
138 | ||
139 | ||
140 | .NH | |
141 | Search Indexes | |
142 | .LP | |
143 | The performance of subtree searching has been | |
144 | greatly improved, a significant part of this has been obtained by some | |
145 | code donated by Tim Howes to add AVL trees and indexing to Quipu. To | |
146 | get the best out of your DSA, a bit of tailoring is needed. | |
147 | ||
148 | .PP | |
149 | You need to define which attributes should be indexed, typically | |
150 | commonName and surname, so add the following to quiputailor: | |
151 | .IP | |
152 | optimize_attr commonName | |
153 | .sp 0 | |
154 | optimize_attr surname | |
155 | .LP | |
156 | You can add others (only string attributes), but care should be taken | |
157 | not to add indexes unnecessarily. There is a balance to be found | |
158 | between holding the indexs in core, and the actual benefit. Too many | |
159 | indexes makes the core size large, and increases paging problems. | |
160 | ||
161 | .PP | |
162 | The index is only made for subtree searches in certain parts of the | |
163 | DIT, you need to define which. Typically you will just do this for | |
164 | the whole organisation by adding | |
165 | .IP | |
166 | index_subtree c=XX@o=My org | |
167 | .LP | |
168 | to quipu tailor. However if some OU's are also large, you may want | |
169 | to index them as well e.g. | |
170 | .IP | |
171 | index_subtree c=XX@o=My org@ou=Large OU. | |
172 | .LP | |
173 | The index is only used for equality, approximate and initial substring | |
174 | matching. General wildcard matches are not improved by indexing, but | |
175 | should still be quicker than QUIPU-6.0 due to some scheduling improvements. | |
176 | .LP | |
177 | (NOTE: The TURBO_LOAD compile option has now been removed, as the introduction | |
178 | of AVL trees has a similar effect. TURBO_DISK remains) | |
179 | ||
180 | ||
181 | .NH | |
182 | Inherited attributes | |
183 | .LP | |
184 | Attribute inheritance is a mechanism where an entry can get default | |
185 | attribute values from its parent entry. | |
186 | This can be used to make the in core database significantly smaller | |
187 | (and easier to manage). | |
188 | For example, entries of the object class `person' for a particular | |
189 | organisation might all have the same postal address attribute. | |
190 | Using inheritance this attribute can be placed in the entry one level above, | |
191 | and inherited down. | |
192 | .LP | |
193 | For example, if the following was an attribute of the parent entry | |
194 | .PS | |
195 | inheritedAttribute = person $ default ( | |
196 | .sp 0 | |
197 | postalAddress= UCL $ Gower Street $ London $ WC1E 6BT | |
198 | .sp 0 | |
199 | telephoneNumber= +44 71-387-7050 | |
200 | .sp 0 | |
201 | ) | |
202 | .PE | |
203 | .LP | |
204 | Then all entires belonging to the `person' objectclass at the level | |
205 | below would inherit the postalAddress and TelephoneNumber attributes | |
206 | IF there is not already a value there. | |
207 | .LP | |
208 | This is particularly useful for access control lists. | |
209 | Full details are given in the Manual. | |
210 | ||
211 | ||
212 | .NH | |
213 | DSA relay | |
214 | .LP | |
215 | If your DSA is not connected to | |
216 | one of the major networks (Internet, IPSS...), it may from time to time | |
217 | get references to a DSA that it can not connect to directly, so the | |
218 | operation can not proceed. | |
219 | .LP | |
220 | The DSA relay attribute in your DSAs entry supplies the DN of a DSA(s) | |
221 | that is listening on both your network and | |
222 | the major networks you are not connected to. | |
223 | There needs to be an agreement between the managers of the two | |
224 | DSAs because the | |
225 | relay DSA will be asked to perform operations on your behalf. | |
226 | .LP | |
227 | For example, if the DSA `x' has access to IPSS and Internet, but DSA `y' | |
228 | only has IPSS access, DSA `y' might add a relayDSA attribute to it own | |
229 | entry, with the DN of DSA `x' as the value. | |
230 | Then when DSA `y' gets a reference to an Internet based DSA, it will chain | |
231 | the operation the DSA `x'. | |
232 | .LP | |
233 | Clearly, if every DSA chooses the same relay DSA, that DSA will soon | |
234 | become overloaded and reject your association attempts with a `busy' | |
235 | error. So some care is needed in choosing the `right' DSA (We | |
236 | recognise that there | |
237 | needs to be some form of `relay authorisation' for ISODE-7.0 and are | |
238 | looking at possible solutions). | |
239 | ||
240 | ||
241 | .NH | |
242 | NULL EDBs. | |
243 | .LP | |
244 | You can now create NULL EDB files, that is a file that | |
245 | contains only a two line header, and no entries. This should | |
246 | make writing scripts to | |
247 | build databases a little easier. It also has the advantage that the | |
248 | last entry from any one level in the DIT can now be removed, this was | |
249 | previously greeted with `unwilling to perform' error message. | |
250 | ||
251 | .NH | |
252 | New EDB format. | |
253 | .LP | |
254 | To facilitate faster loading of EDB files, the | |
255 | format has changed slightly (The format DISH presents to the user is, | |
256 | however the same as before). With multiple attributes instead of | |
257 | repeating the attribute type, which then has to be looked up in tables, | |
258 | lines can be split using a `\\` continuation character. For example, | |
259 | previously the following multivaled attribute was recognised: | |
260 | .IP | |
261 | cn= Colin Robbins & Colin John Robbins | |
262 | .LP | |
263 | as well as | |
264 | .IP | |
265 | cn= Colin Robbins | |
266 | .sp 0 | |
267 | cn= Colin John Robbins | |
268 | .LP | |
269 | Now, the following is also allowed (and is more widely used by DSAs)... | |
270 | .IP | |
271 | cn= Colin Robbins &\\ | |
272 | .sp 0 | |
273 | Colin John Robbins | |
274 | ||
275 | .NH | |
276 | Listen address | |
277 | .LP | |
278 | Sometimes, particularly in the X.25 world, the | |
279 | address used to call a DSA is not the same as the address the DSA must | |
280 | listen on. So a new attribute "listenAddress" attribute has been introduced. | |
281 | If the address your DSA wants to listen on is different to the address | |
282 | it need to present to the outside world, use the listenAddress to | |
283 | define the address the DSA should listen on, and the standard | |
284 | PresentationAddress for the address remote DSAs should call. | |
285 | ||
286 | .NH | |
287 | Modify from dish. | |
288 | .LP | |
289 | Instead of always invoking an editor to modify an | |
290 | entry, you can now do it all from the command line with the following | |
291 | operations: | |
292 | .IP | |
293 | modify -add <attribute> | |
294 | .LP | |
295 | or | |
296 | .IP | |
297 | modify -remove <attribute> | |
298 | ||
299 | .NH | |
300 | Secure searching. | |
301 | .LP | |
302 | In Quipu-6.1 it was only possible to search a | |
303 | part of the DIT if it was publicly readable, and only public readable | |
304 | attributes | |
305 | were searched. This restriction is now lifted IF the DSA performing | |
306 | the search holds the entire subtree being searched. | |
307 | ||
308 | ||
309 | .NH | |
310 | User Friendly Naming | |
311 | .LP | |
312 | The concept of UFN - User Friendly Naming has been introduced to some | |
313 | of the interfaces, and an example tool (others/quipu/uips/ufn) has | |
314 | been written to demonstrate the capabilities. | |
315 | ||
316 | .LP | |
317 | A UFN is a concise representation used to identify a DN. | |
318 | For example "C Robbins, X-Tel, GB" is sufficient to identify | |
319 | the long winded "c=GB@o=X-Tel Services Ltd@cn=Colin Robbins". | |
320 | A UFN is also context sensitive, so if I was already located in the GB part | |
321 | of the DIT "C Robbins, X-Tel" would be sufficient, or if under the | |
322 | X-Tel part of the DIT "C Robbins" would be enough. | |
323 | .LP | |
324 | A paper `Using the OSI Directory to achieve User Friendly Naming' by | |
325 | S.Kille describes the approach in full. | |
326 | ||
327 | .NH | |
328 | isoentity & isoservice replacement | |
329 | .LP | |
330 | The directory can now be used as a replacement for isoentities and | |
331 | isoservices. The isode-gen(8) manual page describes how to set things | |
332 | up, and describes a | |
333 | .B | |
334 | bootsvc | |
335 | .R | |
336 | script to load the DSA with the relevant | |
337 | data. There are some scripts in others/quipu/tools/scripts to help | |
338 | manage such entries once created. | |
339 | You are strongly encouraged to register your OSI application in the | |
340 | directory then using UFN, operations such as | |
341 | .IP | |
342 | ftam "cs, ucl, GB" | |
343 | .sp 0 | |
344 | vt "x-tel, gb" | |
345 | .sp 0 | |
346 | imisc "psi, us" | |
347 | .LP | |
348 | will start to work. | |
349 | ||
350 | .LP | |
351 | If the DSA fails to find a entity, the old isoentities file is used as a back up. | |
352 | ||
353 | .NH | |
354 | IXI | |
355 | .LP | |
356 | IXI has become part of the standard macro definitions. If you have | |
357 | the line | |
358 | .IP | |
359 | ts_interim: IXI | |
360 | .LP | |
361 | in your isotailor file, it should be removed. If you do not | |
362 | remove the line, you will get a harmless warning about | |
363 | .IP | |
364 | duplicate prefixes for communities "IXI" and "IXI" | |
365 | .LP | |
366 | for some processes. | |
367 | .LP | |
368 | You should make sure you | |
369 | have re-installed ALL applications that read the isotailor | |
370 | before removing this IXI definition. Once is is removed old applications | |
371 | WILL fail. | |
372 | ||
373 | .NH | |
374 | Asynch DUA | |
375 | .LP | |
376 | There is an (undocumented) asynchronous interface to the dsap library. | |
377 | ||
378 | .NH | |
379 | Alias management | |
380 | .LP | |
381 | A management version of dish can be found in others/quipu/uips/manage. | |
382 | This has additional command to add/delete and check alias entries in | |
383 | to DIT. | |
384 | ||
385 | .NH | |
386 | DSA statistics tools | |
387 | .LP | |
388 | There is a script in others/quipu/tools/dsastats which can process the | |
389 | quipu.log file produced by a DSA and provide some statistics on the | |
390 | DSA usage. | |
391 | ||
392 | .NH | |
393 | DSC | |
394 | .LP | |
395 | others/quipu/uips/dsc provides a simple DUA that prompts fom certain | |
396 | information such as name and organisation, and return with full name, | |
397 | phone number and email address. | |
398 | ||
399 | .NH | |
400 | X-Windows DUA | |
401 | .LP | |
402 | The two X-Window DUA's released by Brunel University shortly after | |
403 | ISODE-6.0 have been integrated into this release, together with `sd' | |
404 | an enhanced version of the `widget' interfaces. | |
405 | ||
406 | .NH | |
407 | T.61 strings. | |
408 | .LP | |
409 | T.61 strings can be represented by mapping them onto an ISO 8859-1 | |
410 | character set (e.g as supported by some X-Window fonts). | |
411 | .LP | |
412 | Accented characters are represented by two octets, the first indicating the | |
413 | accent and the second the base character to be accented. Note that some | |
414 | combinations of accent and character do not have an equivalent in ISO 8859-1, | |
415 | and hence cannot be displayed on an ISO 8859-1 device. | |
416 | .LP | |
417 | A few example mappings... | |
418 | .LP | |
419 | .PS | |
420 | T.61 Character EDB file code | |
421 | .sp 1 | |
422 | n tilde \\c4n | |
423 | .sp 0 | |
424 | e circumflex \\c3e | |
425 | .sp 0 | |
426 | a grave \\c1a | |
427 | .sp 0 | |
428 | a acute \\c2a | |
429 | .PE | |
430 | ||
431 | .LP | |
432 | You need to tell the DUA that you have the ability to display the | |
433 | correct characters, this can be acheived in one of two ways: | |
434 | .IP 1) | |
435 | In the dsaptailor file, you can add | |
436 | ch_set ISO8859 | |
437 | .LP | |
438 | or | |
439 | ||
440 | .IP 2) | |
441 | set the environment variable CH_SET to "ISO8859", e.g., using `csh' | |
442 | setenv CH_SET ISO8859 | |
443 | ||
444 | .LP | |
445 | Some EDB files currently have the wrong T.61 codes for some national | |
446 | characters. These should now be replaced with the correct T.61 code. | |
447 | ||
448 | ||
449 | .NH | |
450 | Photos | |
451 | .LP | |
452 | ||
453 | Kevin Jordan has given the old g3fax code a major, and much needed | |
454 | overhaul. This release provides the framework for better handling of | |
455 | photo attributes in future releases. Until ISODE-7.0 if you use | |
456 | the `pbmtofax' tool to encode any new photographs, you should use | |
457 | the `-old' flag to ensure that other people can display the pictures using | |
458 | their 6.0/6.1 based code. This options has not been hard wired, as | |
459 | you may wish to experiment with the new tools. | |
460 | ||
461 | .LP | |
462 | There is tool to convert the g3fax pictures to postscript. | |
463 | ||
464 | .NH | |
465 | Authentication | |
466 | .LP | |
467 | Your DSA can now insist on various levels of authentication. | |
468 | For example, it can be made to reject bind operations that do not supply a DN. | |
469 | This is set via the `authentication' quiputailor variable. The value | |
470 | `DN' tells to reject bind's unless a DN is supplied, and `simple' | |
471 | insists that simple authentication at the very least is used. | |
472 | ||
473 | .NH | |
474 | Address Selectors | |
475 | .LP | |
476 | Quipu now checks that the PSEL, SSEL and TSEL supplied by a calling | |
477 | entity match the selectors defined in the DSAs presentationAddress | |
478 | attribute. If they do not, the association is rejected with a message | |
479 | of the form: | |
480 | .IP | |
481 | Session entity not attached to TSAP | |
482 | ||
483 | .NH | |
484 | libdsap changes | |
485 | .LP | |
486 | There are a few changes to the dsap library programmers should be | |
487 | aware of. | |
488 | .IP a) | |
489 | Calls to the *_decode() routine such as dn_decode() and as_decode() | |
490 | are no longer needed. | |
491 | .IP b) | |
492 | The AttributeType structure is now just a pointer into the OID tables, | |
493 | thus `at_table' struct reference is no longer needed. | |
494 | So code of the form | |
495 | .B | |
496 | at->at_table.oa_syntax | |
497 | .R | |
498 | should be replaced with | |
499 | .B | |
500 | at->oa_syntax | |
501 | .R | |
502 | and | |
503 | .B | |
504 | at->at_oid | |
505 | .R | |
506 | replaced with | |
507 | .B | |
508 | at->oa_at.ot_oid | |
509 | .R | |
510 | \. | |
511 | ||
512 | .IP c) | |
513 | A few other routines have had their parameters changed slightly, so | |
514 | you should run your programs through lint (making sure you | |
515 | bring in the dsap and isode | |
516 | lint libraries) to check your procedure calls. | |
517 | ||
518 | ||
519 | .NH | |
520 | Manual | |
521 | .LP | |
522 | The Quipu Manual has been updated to reflect all these new features. | |
523 | ||
524 | .NH | |
525 | Thanks... | |
526 | .LP | |
527 | The Quipu team would like to thank Tim Howes, George Michaelson, | |
528 | Andrew Worsley, Andrew Findlay, Piete Brooks, Kevin Jordan, | |
529 | Gier Pederson, Juha Heinanen, Petri Jokela, Peter Yee and many | |
530 | others people for enhancing, bug reporting and fixing, and testing | |
531 | this and the many other versions of Quipu since ISODE-6.1 to | |
532 | destruction. | |
533 | ||
534 | ||
535 | Colin | |
536 | ||
537 |