OpenLDAP
Viewing Contrib/4092
From: b.candler@pobox.com
Subject: PATCH: back-shell additional connection information

Date: Sun, 16 Oct 2005 13:57:52 GMT
From: b.candler@pobox.com
To: openldap-its@OpenLDAP.org
Subject: PATCH: back-shell additional connection information
Full_Name: Brian Candler
Version: HEAD
OS: FreeBSD 5.4-RELEASE
URL: http://psg.com/~brian/software/openldap-backshell-conn.patch
Submission from: (NULL) (212.74.113.67)


This is an enhancement to add extra meta-attributes to requests sent to
back-shell modules. They are:

binddn: <current connection bound DN>
peername: <connection peer IP address>
ssf: <connection SSF value>

Note: the UNBIND command now sends the current bind DN twice, as 'binddn:' and
'dn:'
Dropping the 'dn:' line would make things cleaner, at the slight risk of not
being backwards-compatible (is there anything useful you can do in back-shell
for an UNBIND request though??)


Followup 1

Date: Mon, 17 Oct 2005 10:20:13 -0700
To: b.candler@pobox.com
From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
Subject: Re: (ITS#4092) PATCH: back-shell additional connection
  information
Cc: openldap-its@OpenLDAP.org
I note that patch does not contain an IPR statement as required
by our contributing guidelines.  Please add an appropriate
statement to the top of the patch file.  See
<http://www.openldap.org/devel/contributing.html>
for details.

The changes would likely break some existing uses of back-shell.
I think it would be good to only send additional fields when
configured to do so.  I would suggest adding an extensible
configuration option so that if someone else desires to further
extend back-shell with additional fields, they can share the
same configuration mechanism.  Something like:

  extensions binddn peername ssf

would do.

Regards, Kurt

At 06:57 AM 10/16/2005, b.candler@pobox.com wrote:
>Full_Name: Brian Candler
>Version: HEAD
>OS: FreeBSD 5.4-RELEASE
>URL: http://psg.com/~brian/software/openldap-backshell-conn.patch
>Submission from: (NULL) (212.74.113.67)
>
>
>This is an enhancement to add extra meta-attributes to requests sent to
>back-shell modules. They are:
>
>binddn: <current connection bound DN>
>peername: <connection peer IP address>
>ssf: <connection SSF value>
>
>Note: the UNBIND command now sends the current bind DN twice, as 'binddn:' and
>'dn:'
>Dropping the 'dn:' line would make things cleaner, at the slight risk of not
>being backwards-compatible (is there anything useful you can do in back-shell
>for an UNBIND request though??)



Followup 2

From: Hallvard B Furuseth <h.b.furuseth@usit.uio.no>
Date: Mon, 17 Oct 2005 20:15:32 +0200
To: openldap-its@openldap.org
Cc: Brian Candler <B.Candler@pobox.com>
Subject: Re: (ITS#4092) PATCH: back-shell additional connection information
Kurt@OpenLDAP.org writes:
> The changes would likely break some existing uses of back-shell.
> I think it would be good to only send additional fields when
> configured to do so.

After Brian's message about missing state info, I've been wondering if
some common API for back-sock, back-shell and maybe even back-perl would
be useful for "translating" between slapd info and backend info,
including how to configure what to send.  Would probably need some
callbacks to the backend-specific details.

-- 
Hallvard



Followup 3

Date: Wed, 19 Oct 2005 14:07:24 +0100
From: Brian Candler <B.Candler@pobox.com>
To: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
Cc: openldap-its@OpenLDAP.org
Subject: Re: (ITS#4092) PATCH: back-shell additional connection information
On Mon, Oct 17, 2005 at 10:20:13AM -0700, Kurt D. Zeilenga wrote:
> I note that patch does not contain an IPR statement as required
> by our contributing guidelines.  Please add an appropriate
> statement to the top of the patch file.  See
> <http://www.openldap.org/devel/contributing.html>
> for details.
> 
> The changes would likely break some existing uses of back-shell.
> I think it would be good to only send additional fields when
> configured to do so.  I would suggest adding an extensible
> configuration option so that if someone else desires to further
> extend back-shell with additional fields, they can share the
> same configuration mechanism.  Something like:
> 
>   extensions binddn peername ssf
> 
> would do.

Patch updated to fix both points.
http://psg.com/~brian/software/openldap-backshell-conn.patch
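
The thread above settles on sending `binddn:`, `peername:` and `ssf:` only when configured, so a back-shell script has to cope with their absence. The following is an added example, not code from the patch or from OpenLDAP: it shows a SEARCH handler that enforces a minimum SSF and refuses when the field is missing. `MIN_SSF`, `result` and `handle_search` are hypothetical names, the request is constructed, and the `name: value` layout of the new lines is assumed from the submission text.

```shell
#!/bin/sh
# Added example, not part of the patch. MIN_SSF, result and handle_search are
# hypothetical names; request lines follow slapd-shell(5) plus the three
# meta-attributes named in the submission.
MIN_SSF=${MIN_SSF:-128}

result() {   # $1 = LDAP result code, $2 = diagnostic text
    printf 'RESULT\ncode: %s\ninfo: %s\n' "$1" "$2"
}

# Read one request from stdin and write the RESULT block to stdout.
handle_search() {
    op='' binddn='' peername='' ssf=''
    IFS= read -r op || true
    while IFS= read -r line; do
        case $line in
            'binddn: '*)   binddn=${line#binddn: } ;;
            'peername: '*) peername=${line#peername: } ;;
            'ssf: '*)      ssf=${line#ssf: } ;;
        esac
    done
    if [ "$op" != SEARCH ]; then
        result 53 'only SEARCH is handled in this example'
        return 0
    fi
    # The fields are opt-in, so a missing or non-numeric ssf means the policy
    # cannot be evaluated: refuse instead of treating it as "no restriction".
    case $ssf in
        ''|*[!0-9]*) result 53 'ssf not supplied by slapd'; return 0 ;;
    esac
    if [ "$ssf" -lt "$MIN_SSF" ]; then
        echo "refused: peer=$peername binddn=$binddn ssf=$ssf" >&2
        result 13 "ssf $ssf below required $MIN_SSF"   # confidentialityRequired
        return 0
    fi
    # A real handler would print matching entries in LDIF before the result.
    result 0 "ok for ${binddn:-anonymous}"
}

# Constructed request (not captured traffic); ssf 56 is refused with code 13.
printf 'SEARCH\nmsgid: 1\nbase: dc=example,dc=com\nscope: 2\nfilter: (uid=jdoe)\nbinddn: uid=jdoe,dc=example,dc=com\npeername: 192.0.2.10\nssf: 56\n' | handle_search
```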

