[Date Prev][Date Next] [Chronological] [Thread] [Top]

writing a "passthrough" backend

In order to be able to run scripts at modifications, I'm trying to
write a dummy backend which passes all requests through to another
real backend (say ldbm). Let's call it back-passthrough. How I want the
passthrough backend to behave is like this:

	1. script for modify defined?
	   - run it with the modlist piped into stdin like back-shell does
	   - script returned error? return LDAP_OPERATIONS_ERROR to
	2. call ldbm_back_modify
	3. ldbm_back_modify returned error and script
	   - run it to do a rollback

What I'm currently having trouble with are ACLs. (1) should only be
executed if the user has sufficient permissions to do so. As far as I
understand, those can only be correctly checked within the backend
(which would be ldbm here) itself. Consequently, the above scenario
wouldn't work for my purpose since ldbm_back_modify would have to be run
before in order to find out whether the user has permissions. Is there
any way to check the permissions before? Or do a dry-run
ldbm_back_modify in a general way, not restricting to ldbm?

For a second approach, I came up with would be the following:

	1. somehow receive the current version of the entry to be
	   modified. Is there any way to do this by calling one of the
	   BackendDB members (be_search?) of an ldbm instance? Would I
	   basically need to emulate a complete LDAP connection/request
	   in order to do that? Has anybody done something like that?
	2. call ldbm_back_modify
	   - error: return
	3. run script if defined with old version of the entry piped
	   into stdin
	   - successful: return
	4. if the script fails, we would need to go back to the old
	   entry in the database. Would it be possible to call be_modify
	   to do this? Basically the same questions I had in (1) for
	   be_search apply here...

Is any of the above approaches doable? I would greatly appreciate any
comments on this, since I'm somehow stuck here.