
Re: (ITS#7575) Fixed send_cli_cred on platforms that do not support such functions




On Apr 14, 2013, at 6:39 AM, Hallvard Breien Furuseth wrote:
>
> You can instead look for a mechanism with built-in credential passing,
> apparently like Solaris "doors".

The sample client-server programs (see link below) show an experiment on
Solaris 8 in which the server creates and listens for door calls, while
the client invokes them. When the client invokes a door_call, the server
gets the euid and egid, among others, of the client:

https://dl.dropboxusercontent.com/u/94235048/door_call.tgz

http://docs.oracle.com/cd/E18752_01/html/816-5171/door-call-3door.html

# ./server
successfully created a door
euid (101) egid (1) ruid (101) rgid (1) pid (8947)

$ id
uid=101(tedcheng) gid=1(other)
$ ./client
pid (8947): door_call succeeded

There is the situation in which we are sending/getting client
credentials from a door call through, say, /tmp/door, while service
requests, such as nssov/nslcd (nss-pam-ldapd), go through a separate Unix
domain socket. There is therefore the need to tie client credentials
to their respective (name) service requests; "doors" implements its
own threading support. The work to integrate doors for client credential
support into a server with threading support, such as slapd, may get
complicated fast.

"Doors" does not seem to be a feasible solution for sending client
credentials in a context such as nssov/slapd.

> Or look at what some other well-tested
> and portable package does and suggest we steal its code.
>

This may be the only option, if one exists, for older-system
support (Solaris 8).


Ted C. Cheng
Symas Corporation


