Page MenuHomePhorge
Create Task
Maniphest T30

Redesign of Hosted Kolab
Closed, ResolvedPublic
Actions

Description

In a hosted deployment, using the original design for multi-domain Kolab, each registered (parent) domain is assigned a separate root dn / database for its LDAP hierarchy.

This means that with thousands of domains being registered, the LDAP server spends a lot of time maintaining way too many databases, for otherwise separate legal entities that are not at all sufficiently large to justify the overhead.

A new structure for this would be to:

  • in the domain base dn for the management domain:
dn: associatedDomain=%s,ou=Domains,dc=hoster,dc=com
(...)
inetdomainbasedn: ou=%s,dc=hosted,dc=com

should result in *@%s being resolved to use ou=%s,dc=hosted,dc=com.

Additional domains (aka. alias domains) should be considered child domains -- the parent domain is the boss over it, but the child domains are aliases that can separately be given a status of active (means ownership confirmed);

  • in the domain base dn for the management domain:
dn: associatedDomain=%s,ou=Domains,dc=hoster,dc=com
(...)
objectclass: extensibleObject
inetdomainbasedn: ou=%s,dc=hosted,dc=com
inetdomainstatus: active

dn: associatedDomain=%s2,associatedDomain=%s1,ou=Domains,dc=hoster,dc=com
(...)
inetdomainbasedn: ou=%s1,dc=hosted,dc=com
inetdomainstatus: new

This structure could ultimately also allow resellers (tenants) to specify the child domain is to be administered separately:

  • in the domain base dn for the management domain:
dn: associatedDomain=%s,ou=Domains,dc=hoster,dc=com
(...)
objectclass: extensibleObject
inetdomainbasedn: ou=%s,dc=hosted,dc=com
inetdomainstatus: active

dn: associatedDomain=%s2,associatedDomain=%s1,ou=Domains,dc=hoster,dc=com
(...)
inetdomainbasedn: ou=%s2,dc=hosted,dc=com
inetdomainstatus: active

The question is how various pieces of infrastructure need to be modified in order to be able to address this new structure.

Details

Ticket Type
Epic

Revisions and Commits

rWAP webadmin
ClosedD26 Update inserted hosted user types

Related Objects
Search...

StatusAssignedTask
 ResolvedvanmeeuwenT30 Redesign of Hosted Kolab
 ResolvedvanmeeuwenT33 Consider the database root dn for synchronization
 ResolvedbruederliT34 DirectoryLDAP should resolve the base dn using Net_LDAP3
 ResolvedbruederliT35 Use Net::LDAP3::domain_root_dn() if available
 ResolvedbruederliT134 Use Net_LDAP3::domain_root_dn() for domain lookups in kolab_auth
 ResolvedbruederliT135 Support %s variables in `domain_filter` config option.
 ResolvedvanmeeuwenT444 Register users with a realmed UID attribute value
 ResolvedmachniakT445 Register domains with an initial user account to become the administrative account
 WontfixvanmeeuwenT435 Domain validation: Consider child domains by comparing base DNs
Restricted Maniphest Task
 OpenNoneT462 Create/make available development for HKCCP testing
Restricted Maniphest Task
 WontfixvanmeeuwenT446 Allow to distinguish between admin accounts and billing accounts
 WontfixvanmeeuwenT436 HKCCP: Verification of child domain name spaces
 InvalidNoneT486 bin/backend.php adduser does not handle existing subscriptions
 ResolvedmachniakT496 Scoring adjustment needed for similar but not the same object types
 ResolvedvanmeeuwenT501 Quota tracked wrongly in subscriptions
 SpitevanmeeuwenT502 Check the results of function calls before continuing as if everything only ever happens successfully.
 ResolvedvanmeeuwenT503 Distinguish between management domain root dn and hosted domain root dn
 ResolvedvanmeeuwenT514 Configuration Option "disable" has no effect for Mutually Exclusive Options
 ResolvedvanmeeuwenT515 Consistently refer to a userid / username
Restricted Maniphest Task
Restricted Maniphest Task

Event Timeline

vanmeeuwen created this task.Apr 20 2015, 5:00 AM
vanmeeuwen raised the priority of this task from to 60.
vanmeeuwen updated the task description. (Show Details)
vanmeeuwen added projects: Product Owners, Architecture & Design.
vanmeeuwen changed Ticket Type from Task to Epic.
vanmeeuwen subscribed.
grote moved this task from Incoming to In Triage on the Product Owners board.Apr 21 2015, 5:39 AM
pokorra subscribed.Apr 22 2015, 3:48 PM

This topic is interesting to TBits.net, since we have our own DomainAdmin patches, which has probably the same goal to support resellers/tenants.

grote subscribed.Apr 23 2015, 1:14 AM
vanmeeuwen moved this task from Backlog to Elaboration on the Architecture & Design board.Apr 27 2015, 2:59 AM
bruederli added a subtask: T134: Use Net_LDAP3::domain_root_dn() for domain lookups in kolab_auth.Apr 29 2015, 2:23 PM
bruederli closed subtask T35: Use Net::LDAP3::domain_root_dn() if available as Resolved.
bruederli closed subtask T134: Use Net_LDAP3::domain_root_dn() for domain lookups in kolab_auth as Resolved.Apr 29 2015, 3:04 PM
bruederli closed subtask T34: DirectoryLDAP should resolve the base dn using Net_LDAP3 as Resolved.Apr 30 2015, 11:45 AM
vanmeeuwen removed a subtask: T446: Allow to distinguish between admin accounts and billing accounts.Jun 5 2015, 3:24 PM
vanmeeuwen raised the priority of this task from 60 to Unbreak Now!.Jun 5 2015, 3:28 PM

This has been established to be of critical importance.

grote moved this task from In Triage to In Sprint on the Product Owners board.Jun 15 2015, 4:10 PM
vanmeeuwen added subtasks: T435: Domain validation: Consider child domains by comparing base DNs, Restricted Maniphest Task, T446: Allow to distinguish between admin accounts and billing accounts, T436: HKCCP: Verification of child domain name spaces.Jun 16 2015, 1:10 PM
vanmeeuwen added a subtask: T514: Configuration Option "disable" has no effect for Mutually Exclusive Options.Jun 18 2015, 3:36 PM
vanmeeuwen mentioned this in D26: Update inserted hosted user types.Jun 18 2015, 4:59 PM
vanmeeuwen added a revision: D26: Update inserted hosted user types.Jun 18 2015, 4:59 PM
vanmeeuwen closed subtask T486: bin/backend.php adduser does not handle existing subscriptions as Invalid.Jun 18 2015, 5:05 PM
matik subscribed.Jun 19 2015, 12:04 AM
vanmeeuwen closed subtask T514: Configuration Option "disable" has no effect for Mutually Exclusive Options as Resolved.Jun 23 2015, 4:33 PM
vanmeeuwen closed subtask T501: Quota tracked wrongly in subscriptions as Resolved.Jun 24 2015, 12:48 PM
vanmeeuwen closed subtask T444: Register users with a realmed UID attribute value as Resolved.Jun 24 2015, 4:00 PM
vanmeeuwen mentioned this in rWAPb864c7e4c9de: Update inserted hosted user types.Jun 25 2015, 9:04 AM
machniak closed subtask T496: Scoring adjustment needed for similar but not the same object types as Resolved.Jun 25 2015, 9:05 AM
vanmeeuwen closed subtask T445: Register domains with an initial user account to become the administrative account as Resolved.Jun 26 2015, 11:03 AM
vanmeeuwen closed subtask T503: Distinguish between management domain root dn and hosted domain root dn as Resolved.
grote added a parent task: Restricted Maniphest Task.Jul 15 2015, 4:29 PM
grote removed a parent task: Restricted Maniphest Task.
grote added subtasks: Restricted Maniphest Task, Restricted Maniphest Task.Jul 15 2015, 4:33 PM
machniak closed subtask Restricted Maniphest Task as Resolved.Jul 24 2015, 2:02 PM
machniak closed subtask Restricted Maniphest Task as Resolved.Jul 27 2015, 2:40 PM
vanmeeuwen closed subtask T33: Consider the database root dn for synchronization as Resolved.Aug 17 2015, 10:51 AM
grote moved this task from In Sprint to Ready for Sprint on the Product Owners board.Aug 19 2015, 2:04 PM
vanmeeuwen closed this task as Resolved.Nov 25 2015, 3:11 PM
vanmeeuwen claimed this task.
vanmeeuwen closed subtask T502: Check the results of function calls before continuing as if everything only ever happens successfully. as Spite.
vanmeeuwen closed subtask T436: HKCCP: Verification of child domain name spaces as Wontfix.
vanmeeuwen closed subtask T435: Domain validation: Consider child domains by comparing base DNs as Wontfix.
vanmeeuwen closed subtask Restricted Maniphest Task as Wontfix.
vanmeeuwen closed subtask T515: Consistently refer to a userid / username as Resolved.
vanmeeuwen closed subtask T446: Allow to distinguish between admin accounts and billing accounts as Wontfix.
vanmeeuwen removed a project: Architecture & Design.Dec 8 2015, 9:28 AM