Roles

The roles used to be defined in LDAP using a special LDAP schema developed for this purpose. The drawback of this approach was that the operating system security mechanism (PAM) could not easily access the role information. The NIS netgroups defined in LDAP are used by several PAM modules (pam_access, for example) and, at the same time, they have the aggregation ability (netgroups may contain other netgroups) which may be used to implement the role hierarchy. In this TDAQ release the roles are defined using NIS netgroups in LDAP.

Policies

The Policy Access Point code has been reviewed and one of the changes is that the roles hierarchy is looked up in LDAP. Changes and additions:

Server

Client API (Java and C++)

The API accepts a list of AM servers to be contacted: the servers provided in the environment variables are checked one after the other until one of them responds with a valid answer. If a server responds with a "server busy" message and provides a list of servers to be contacted, then this list is used before continuing to iterate through the client's list of AM servers.
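The failover procedure described above, as an added illustration that is not part of the TDAQ client API itself: the environment variable name `TDAQ_AM_SERVERS`, the comma-separated format, and the `Busy`/`Answer` response types are assumptions made for this example; servers already contacted are skipped so that a chain of "busy" redirects cannot loop forever.

```python
import os
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Sequence, Tuple, Union


@dataclass(frozen=True)
class Busy:
    """'Server busy' reply carrying the servers the client should try next (constructed model)."""
    alternates: Tuple[str, ...] = field(default_factory=tuple)


@dataclass(frozen=True)
class Answer:
    """A valid authorization answer from an AM server (constructed model)."""
    decision: str


Response = Union[Busy, Answer, None]  # None models "no valid answer" (timeout, garbage)


def servers_from_env(var: str = "TDAQ_AM_SERVERS", env: Optional[Dict[str, str]] = None) -> List[str]:
    """Parse the client's AM server list from an environment variable (name is an assumption)."""
    raw = (os.environ if env is None else env).get(var, "")
    return [s.strip() for s in raw.split(",") if s.strip()]


def query_with_failover(servers: Sequence[str], send: Callable[[str], Response],
                        max_attempts: int = 16) -> Optional[Tuple[str, Answer]]:
    """Contact servers in order until one returns a valid Answer.

    A Busy reply's alternate list is consulted before the rest of the client's own list.
    Each server is contacted at most once, and a hard attempt cap bounds the total work.
    """
    queue: List[str] = list(servers)
    tried: set = set()
    attempts = 0
    while queue and attempts < max_attempts:
        server = queue.pop(0)
        if server in tried:
            continue
        tried.add(server)
        attempts += 1
        resp = send(server)
        if isinstance(resp, Answer):
            return server, resp
        if isinstance(resp, Busy):
            # Redirect targets go to the front; already-contacted ones are dropped.
            queue = [s for s in resp.alternates if s not in tried] + queue
        # None: unreachable or invalid reply, fall through to the next candidate
    return None


def make_scripted_sender(table: Dict[str, Response], log: List[str]) -> Callable[[str], Response]:
    """Offline stand-in for the network call: scripted replies, contact order recorded in `log`."""
    def send(server: str) -> Response:
        log.append(server)
        return table.get(server)  # unknown server behaves as "no valid answer"
    return send
```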

Tools