LDAP + quotas
To compare to a database concept, if the LDAP daemon had `triggers' and could execute code that made quotactl(2) calls on the relevant filesystems, on the relevant machines, when the quota values in the LDAP database changed that would be effective. To determine current usage the LDAP daemon would also have to use quotactl(2) to query the VFS though, unless current usage simply was not provided as part of your LDAP schema.

- jsw

-Original Message-
From: Sami Haahtinen [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 31, 2001 3:10 PM
To: [EMAIL PROTECTED]
Subject: Re: Re[2]: LDAP + quotas

On Tue, Jul 31, 2001 at 02:52:55PM +0200, Russell Coker wrote:
> > something like NSS for quota lookups would be nice, and to have a
> > caching daemon (like nscd) to store the data for later lookups.
>
> nscd is only ever called by user-land code such as login, su, ls, etc. Quota
> is handled by the kernel. Having the kernel call back to an application for
> this isn't what you want. What happens if/when that application needs to
> create a file?

what i meant was something alike, a daemon that would monitor the activity in quota related system calls and update the quota file by itself.. i was not completely serious about the solution but it would be a nice idea, i know that quotas can not rely on any daemon as such, but a helper daemon would 'help' in many cases.

Sami

--
-< Sami Haahtinen >-
-[ Is it still a bug, if we have learned to live with it? ]-
-< 2209 3C53 D0FB 041C F7B1 F908 A9B6 F730 B83D 761C >-

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: Re[2]: LDAP + quotas
On Tue, Jul 31, 2001 at 02:52:55PM +0200, Russell Coker wrote:
> > something like NSS for quota lookups would be nice, and to have a
> > caching daemon (like nscd) to store the data for later lookups.
>
> nscd is only ever called by user-land code such as login, su, ls, etc. Quota
> is handled by the kernel. Having the kernel call back to an application for
> this isn't what you want. What happens if/when that application needs to
> create a file?

what i meant was something alike, a daemon that would monitor the activity in quota related system calls and update the quota file by itself.. i was not completely serious about the solution but it would be a nice idea, i know that quotas can not rely on any daemon as such, but a helper daemon would 'help' in many cases.

Sami

--
-< Sami Haahtinen >-
-[ Is it still a bug, if we have learned to live with it? ]-
-< 2209 3C53 D0FB 041C F7B1 F908 A9B6 F730 B83D 761C >-
Re: Re[2]: LDAP + quotas
On Sat, 28 Jul 2001 23:35, Sami Haahtinen wrote:
> On Sat, Jul 28, 2001 at 03:43:47AM +0200, Russell Coker wrote:
> > > Thanks for the reply. This system could work. But I think the real
> > > solution would be to devise a way to have system quotas read directly
> > > from LDAP. Oh well. C'est la vie.
> >
> > No way! You want the kernel to issue something that results in an LDAP
> > read on every file access?
>
> something like NSS for quota lookups would be nice, and to have a
> caching daemon (like nscd) to store the data for later lookups.

nscd is only ever called by user-land code such as login, su, ls, etc. Quota is handled by the kernel. Having the kernel call back to an application for this isn't what you want. What happens if/when that application needs to create a file?

--
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/projects.html Projects I am working on
http://www.coker.com.au/~russell/ My home page
Re: Re[2]: LDAP + quotas
On Sat, Jul 28, 2001 at 03:43:47AM +0200, Russell Coker wrote:
> > Thanks for the reply. This system could work. But I think the real
> > solution would be to devise a way to have system quotas read directly from
> > LDAP. Oh well. C'est la vie.
>
> No way! You want the kernel to issue something that results in an LDAP read
> on every file access?

something like NSS for quota lookups would be nice, and to have a caching daemon (like nscd) to store the data for later lookups.

although it HAS TO HAVE an option to create a standard quota file on the fly..

Sami

--
-< Sami Haahtinen >-
-[ Is it still a bug, if we have learned to live with it? ]-
-< 2209 3C53 D0FB 041C F7B1 F908 A9B6 F730 B83D 761C >-
Re: Re[2]: LDAP + quotas
On Fri, 27 Jul 2001 21:04, Kevin J. Menard, Jr. wrote:
> >> What I ideally want to be able to do is assign each virtual host a
> >> group, and set that quota of that group to whatever their max
> >> allowed disk space is (for instance, 50 MB), and then have their web
> >> folder and all user mailboxes in that group be restricted to that 50 MB
> >> limit.
> >>
> >> Anyone know if this is possible? And if so, how to do it?
>
> RC> I suggest using two unix groups, one for web and the other for mail.
>
> Any particular reason why? :) I only suggested one group because I wanted
> the 50MB restriction imposed for mail + web combined. And if I do two
> groups in LDAP, am I gonna notice any slow downs worth noting? (I don't

No! I suggested two groups because having separate limits for web and mail makes more sense to me. But if you want a single limit that's your choice.

> RC> Then store the quota in some suitable LDAP attribute (NB the standard
> RC> schemas don't have a suitable attribute).
>
> Recommend anyone in particular? RoomNumber might work :-P Or do you have
> some sort of schema you use on your own? I ended up using your services
> schema within my own OID since there isn't an official debian one yet :-P

I think that some type of quota attribute is needed. I suggest that you hack one yourself in the short term. Hopefully we'll have an official Debian schema that will satisfy your requirements before woody is released...

> RC> Eventually I think I'll develop a debian package of scripts for doing this
> RC> type of stuff, so if you write such a cron job then make sure you send me a
> RC> copy. ;)
>
> Sure can do. How often do you figure such a cron job should run? I mean,
> my quota values really don't change often. Actually, once they're set,
> that's usually about it. So, a cron job of once a day could maybe suffice,
> but if I'm creating a new virtual domain, and it doesn't have quotas til
> the end of the day, that might not be cool :-/

It's your decision. For the type of things I do 30 minutes would be the largest amount of time that I'd want to wait.

> RC> I've got user names much longer than 8 characters without any problems.
> RC> After 31 characters the names can't be represented in utmp properly (which
> RC> can cause some minor hassles for login accounts and will stuff up Portslave
> RC> among other programs). But there's no problems for other things.
>
> RC> I've done tests with user-names around 60 characters long in LDAP and my
> RC> (admittedly basic) tests worked fine.
>
> Hmm . . . and they appear in ls fine? Maybe the period i'm using in the
> uid as user.domain.com is being interpreted as a group or something?

Not on 80 column displays!!!

> Thanks for the reply. This system could work. But I think the real
> solution would be to devise a way to have system quotas read directly from
> LDAP. Oh well. C'est la vie.

No way! You want the kernel to issue something that results in an LDAP read on every file access?

--
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/projects.html Projects I am working on
http://www.coker.com.au/~russell/ My home page
Re[2]: LDAP + quotas
Hey Russell,

Friday, July 27, 2001, 10:17:42 AM, you wrote:

RC> On Wed, 25 Jul 2001 17:44, Kevin J. Menard, Jr. wrote:
>> What I ideally want to be able to do is assign each virtual host a
>> group, and set that quota of that group to whatever their max allowed
>> disk space is (for instance, 50 MB), and then have their web folder and
>> all user mailboxes in that group be restricted to that 50 MB limit.
>>
>> Anyone know if this is possible? And if so, how to do it?

RC> I suggest using two unix groups, one for web and the other for mail.

Any particular reason why? :) I only suggested one group because I wanted the 50MB restriction imposed for mail + web combined. And if I do two groups in LDAP, am I gonna notice any slow downs worth noting? (I don't assume I would, but this would start to complicate a simple posixAccount posixGroup system).

RC> Then store the quota in some suitable LDAP attribute (NB the standard
RC> schemas don't have a suitable attribute).

Recommend anyone in particular? RoomNumber might work :-P Or do you have some sort of schema you use on your own? I ended up using your services schema within my own OID since there isn't an official debian one yet :-P

RC> Then write a cron job which calls the following LDAP query:
RC> ldapsearch -x "(&(modifyTimestamp>=20010531105821Z)(objectClass=posixAccount))" uidNumber gidNumber quota | grep -v ^# | grep -v ^dn:
RC> and then sets up quota entries from the "quota" attribute. The
RC> modifyTimestamp attribute value should have the time of the last time the
RC> cron job ran.

RC> Eventually I think I'll develop a debian package of scripts for doing this
RC> type of stuff, so if you write such a cron job then make sure you send me a
RC> copy. ;)

Sure can do. How often do you figure such a cron job should run? I mean, my quota values really don't change often. Actually, once they're set, that's usually about it. So, a cron job of once a day could maybe suffice, but if I'm creating a new virtual domain, and it doesn't have quotas til the end of the day, that might not be cool :-/

RC> I've got user names much longer than 8 characters without any problems.
RC> After 31 characters the names can't be represented in utmp properly (which
RC> can cause some minor hassles for login accounts and will stuff up Portslave
RC> among other programs). But there's no problems for other things.

RC> I've done tests with user-names around 60 characters long in LDAP and my
RC> (admittedly basic) tests worked fine.

Hmm . . . and they appear in ls fine? Maybe the period i'm using in the uid as user.domain.com is being interpreted as a group or something?

Thanks for the reply. This system could work. But I think the real solution would be to devise a way to have system quotas read directly from LDAP. Oh well. C'est la vie.

--
Kevin
Re: LDAP + quotas
On Wed, 25 Jul 2001 17:44, Kevin J. Menard, Jr. wrote:
> What I ideally want to be able to do is assign each virtual host a
> group, and set that quota of that group to whatever their max allowed
> disk space is (for instance, 50 MB), and then have their web folder and
> all user mailboxes in that group be restricted to that 50 MB limit.
>
> Anyone know if this is possible? And if so, how to do it?

I suggest using two unix groups, one for web and the other for mail.

Then store the quota in some suitable LDAP attribute (NB the standard schemas don't have a suitable attribute).

Then write a cron job which calls the following LDAP query:

ldapsearch -x "(&(modifyTimestamp>=20010531105821Z)(objectClass=posixAccount))" uidNumber gidNumber quota | grep -v ^# | grep -v ^dn:

and then sets up quota entries from the "quota" attribute. The modifyTimestamp attribute value should have the time of the last time the cron job ran.

Eventually I think I'll develop a debian package of scripts for doing this type of stuff, so if you write such a cron job then make sure you send me a copy. ;)

> Also, anyway to get ls to output the full username? I think it
> truncates at 8 characters by default, which is sort of a pain, since
> all my uids are of the form user.domain.com. I mean, it's not that bad,
> because the users are restricted to their web folder, so only seeing the
> first 8 characters is usually good enough, but ideally, the other way would
> be best. Or perhaps I have to roll my own with perl or something?

I've got user names much longer than 8 characters without any problems. After 31 characters the names can't be represented in utmp properly (which can cause some minor hassles for login accounts and will stuff up Portslave among other programs). But there's no problems for other things.

I've done tests with user-names around 60 characters long in LDAP and my (admittedly basic) tests worked fine.

--
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/projects.html Projects I am working on
http://www.coker.com.au/~russell/ My home page
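The cron job outlined in the message above, as an added example (not code from the thread or from any Debian package): it builds the modifyTimestamp filter, parses ldapsearch output, and turns the site-local "quota" attribute into setquota argument lists, rejecting anything a root-run job should not act on. The attribute's unit (KiB), the 1000 minimum UID, the filesystem argument and the sample entries are assumptions.

```python
import re
from datetime import datetime, timezone

# Constructed sample of what the thread's ldapsearch query could return.
# "quota" is a site-local attribute (the standard schemas have none); it is
# assumed here to hold a block limit in KiB.
SAMPLE_LDIF = """\
# extended LDIF
dn: uid=alice.example.com,ou=People,dc=example,dc=com
uidNumber: 2001
gidNumber: 3001
quota: 51200

dn: uid=bob.example.com,ou=People,dc=example,dc=com
uidNumber: 2002
gidNumber: 3001
quota: 50 MB

dn: uid=root,ou=People,dc=example,dc=com
uidNumber: 0
gidNumber: 0
quota: 1024
"""

def ldap_filter(last_run):
    """Filter for entries changed since the previous cron run (UTC)."""
    stamp = last_run.astimezone(timezone.utc).strftime("%Y%m%d%H%M%SZ")
    return f"(&(modifyTimestamp>={stamp})(objectClass=posixAccount))"

def parse_ldif(text):
    """Split plain 'attr: value' LDIF into one dict per entry."""
    text = text.replace("\n ", "")  # unfold wrapped continuation lines
    for block in re.split(r"\n\s*\n", text):
        pairs = re.findall(r"^(\w+): (.*)$", block, re.M)  # skips '#' lines
        if pairs:
            yield dict(pairs)

def quota_commands(entries, filesystem, min_uid=1000):
    """Return (argv lists for setquota, rejected DNs); nothing is executed."""
    cmds, rejected = [], []
    for e in entries:
        uid, kib = e.get("uidNumber", ""), e.get("quota", "")
        # The job runs as root on directory data: accept plain ASCII
        # integers only, and never touch system accounts (uid < min_uid).
        ok = re.fullmatch(r"[0-9]+", uid) and re.fullmatch(r"[0-9]+", kib)
        if not ok or int(uid) < min_uid:
            rejected.append(e.get("dn", "?"))
            continue
        # soft limit = hard limit = quota; inode limits left at 0 (none)
        cmds.append(["setquota", "-u", uid, kib, kib, "0", "0", filesystem])
    return cmds, rejected
```

Running each returned list with subprocess.run and no shell keeps directory-supplied values out of shell parsing; rejected DNs are worth logging, since they point at bad or unexpected directory data.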
LDAP + quotas
Hey guys,

Well, I think this was talked about a little before in the past, but I can't get the archive search to work. So, if it was, sorry for asking again. If not, I'd like to see some nice responses :)

I'm trying to build a complete web hosting solution. All accounts are stored in LDAP. I just set up NSS LDAP today figuring I might need that (apt-get install libnss-ldap didn't give me the problems most people building by source were having ;)). All mailboxes are created in cyrus imapd 2.0.15-HIERSEP, with lookups done through SASL through LDAP. Now, I know cyrus-imapd has a system for mailbox quotas, but I want a system-wide policy.

What I ideally want to be able to do is assign each virtual host a group, and set that quota of that group to whatever their max allowed disk space is (for instance, 50 MB), and then have their web folder and all user mailboxes in that group be restricted to that 50 MB limit.

Anyone know if this is possible? And if so, how to do it?

Also, anyway to get ls to output the full username? I think it truncates at 8 characters by default, which is sort of a pain, since all my uids are of the form user.domain.com. I mean, it's not that bad, because the users are restricted to their web folder, so only seeing the first 8 characters is usually good enough, but ideally, the other way would be best. Or perhaps I have to roll my own with perl or something?

Thanks.

--
Kevin