Re: setting SLAPI_MODIFY_MODS in slapd

>You can get the MODS, add to them or modify them, and set them back. You 
>have to make sure that the memory is properly allocated because the mods 
>will be freed automatically at the end of the operation.

This would be expensive to implement in OpenLDAP: although a different
structure is used to represent modifications internally, most of the
copying can be avoided if we assume the LDAP_MODIFY_MODS data is
immutable by the plugin.

OTOH, it would be very useful for a plugin to change this precommit:
in one of our plugins, the cleartext password is received over an
LDAP Modify and some OWF hashes are generated; the original cleartext
is discarded. If the plugin cannot change the modifications, then 
we could only implement this as a postoperation plugin, which would
risk the cleartext password being flushed to the LDAP DB and potentially
even exposed by LDAP. (In fact, there's not even really a choice here
from a security perspective.)

-- Luke

Luke Howard | PADL Software Pty Ltd | www.padl.com