Re: Preoperation Plugin Questions

[Howard Chu <hyc@symas.com>]

Dan White wrote:
> On 01/23/13 17:00 +0100, Julius Plenz wrote:
> > Hi,
> >
> > I'm writing an preoperation authentication plugin for OpenLDAP, but I
> > have trouble finding any documentation whatsoever on this. So most of
> > what I know comes from tutorials like this one from Oracle:
> > http://docs.oracle.com/cd/E19099-01/nscp.dirsvr416/816-6683-10/custauth.htm
>
> > P.S.: What I'm actually trying to achieve is to do RADIUS
> > authentification via an external library. But I want to send the
> > client's IP in a Calling-Station-Id attribute, so I cannot simply
> > write a password check function, right? If you got any ideas that are
> > better than a preop module, please tell me...
>
> You should be able to accomplish this via a SASL mechanism (and possibly an
> existing one), which would not require any code changes within slapd or
> client libraries. See sasl_server_new(3) and its ipremoteport parameter.

That would require the client to perform a SASL Bind instead of a Simple Bind. 
Not unreasonable, but it's obvious the OP is doing Simple Bind.

I would just take the current radius.c checker and modify it to stash the 
Operation pointer somewhere it can be retrieved, then grab it in the password 
check function and pull the client IP address out of there. The smbk5pwd 
module already uses this trick so it should be trivial to copy/paste that code 
into radius.c.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/