[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: writing a 'passthrough' backend

> Kurt D. Zeilenga wrote:
>> I suggest you look at the glue backend... it "layers"
>> functionality on top of other backends using backend
>> callbacks.  There are a number of other uses of these
>> callbacks in the code, so you might browse about a bit.
> Thanks for your help first of all. I don't really get how those
> callbacks are gonna help me solve my problem though. As far as I
> understand, it is possible to register a function which is to be called
> in ldap_send_response (and similarly for the search stuff). At that
> point of time, the entry is already added to the database. It would be
> possible to call a script or do whatever there. I'd like to run the
> script *before* adding the entry to the database though, so that in case
> the script fails, the entry wouldn't even be attempted to be added to
> the database. But I only want the script to be run if the user has
> enough permissions to fulfill the operation, which I currently only know
> after the operation was done. Is there any way to know before? Or doing
> a dry-run doing everything except really added the entry?

In OpenLDAP 2.1, a few backends support the NOOP control, which does
exactly a dry run for modify operations (back-ldbm and back-bdb should
honor it).

If I get your point, you would like to store data in, say, back-ldbm,
but you need to do some hand-crafted data check BEFORE the data is
actually presented to back-ldbm.  You think you could chain back-shell
(or any other scripting backend, like back-perl or back-tcl) and the
actual storage backend to do your checks in the scripts, but these
backends do not allow extensive ACL checks (I'm not very familiar
with these scripting backends, but it might be correct).  Then you
can do something which gets realy involved, but may work (with awful
performances, I'm afraid): chain back-ldap, back-shell and back-ldbm.

back-ldap is the entry point; it pipes requests to a server that accepts
them with back-shell, after applying ACLs (back-ldap supports and honors
all the ACL checks)

back-shell does your hand-crafted checks trusting back-ldap; if you run
the two servers on the same box, you may use ldapi:// to easily secure

then in back-shell you use ldapsearch, ldapmodify to pipe operations
to another server that stores/retrieves them from back-ldbm.

Very cumbersome, but it might work.


Pierangelo Masarati