
RE: Question about v2.2.2beta & SLAPI_PLUGIN_POST_BIND_FN



-----Original Message-----
From: owner-openldap-software@OpenLDAP.org [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of dbroady@lexmark.com

Hello all,

I am doing some preliminary testing of v2.2.2beta, specifically looking at the SLAPI interface dealing with post-binding function calls.  The source file involved is servers/slapd/bind.c.

For both SASL & non-SASL binding, it looks as if the post-bind functions are called after the invocation of a send_ldap_result() (and friends).  This will work if all post-bind functions just do some kind of logging or informing other systems that someone has bound.  However, if the post-bind functions wish to place further restrictions on the binding (for instance, time-of-day restrictions for this id, password correct even though it has expired, etc.), then it is impossible to inform the client of these changes because the result of the binding operation has already been sent back to the client.

The functionality that I'm specifically thinking of is an OpenLDAP implementation of Netscape's/Iplanet's/SunOne's global_password_policy, where if the account being referenced has objectclass=shadowAccount, and the password has expired, return to the client with a server control of LDAP_CONTROL_PWEXPIRED (2.16.840.1.113730.3.4.4), indicating that the user must change their password immediately.

Am I misunderstanding the requirements/expectations of the post-binding functions?  Can someone clarify this situation for me?  Thanks.

Darin Broady
dbroady@lexmark.com
Lexmark International, Inc.

A post-operation function executes after the operation is completed. You want to use a PRE_RESULT plugin if you're going to change the result sent back to the client.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support