
Re: overlay question

> Pierangelo Masarati wrote:
>>>>You may be interested in the patch in ITS#3080 if you want your overlay
>>>>to have global effect.
>>>Hmm, global effect could be interesting,
>> The patch has been recently committed to HEAD; you may want to start
>> working with HEAD code and experiment with global overlays (should work
>> exactly as database overlays except in selected cases for selected data in
>> the op->o_request structure for write operations).
> So what does it look like, in the slapd.conf file ?
> The same as before but with the command options outside the database
> definitions ?

BEFORE any "backend" or "database" directive, now you can use any
"overlay" directive to cause an instance of the desired overlay to be
stacked in front of the "frontend" calls; some appropriate portion of the
frontend handling for each operation, significantly including the database
selection and invocation of the database specific calls, has been stuffed
into hooks analogous to the bi_op_search(), bi_op_add(), ... members of
the BackendInfo structure, so the "global" overlays can manipulate the
operation data before the appropriate database is selected.  In your case,
all you need to do is intercept the calls and do the appropriate checks.

I don't think in current code there's any possibility to intercept the
sending of some search result, or of any type of response, yet, by means
of a global overlay; this is still a work in progress, so expect it to be
possible soon.  Of course, this can be done already by means of the
response() hook in the database overlays.

I suggest you develop your overlay as a regular database level overlay,
and test it within a database instance; I'll keep improving the global
overlay stuff, and I'd be happy if you test it every now and then, to make
sure your access control overlay can be used as global as well.  This
should ease the development of both, and highlight what could be missing
yet in the overlay infrastructure.


> Could you be more specific as to the exceptions ?
>>>but a way of handling things
>>>that are connected with the base object "" (like anonymous bind, root
>>>DSE) would be more interesting.
>> Well, you can (actually I think you MUST) discriminate about the target
>> inside your calls anyway.
> That's a given, would be a poor access control system otherwise.
> -- Roland

Pierangelo Masarati

    SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497
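
The placement rule described in the message above (an "overlay" directive is global only when it comes before any "backend" or "database" directive), as an added example that is not part of the original post or of OpenLDAP. It is a small slapd.conf check that reports which databases an access-control overlay does not sit in front of; the overlay name "aclcheck", the sample file and the function names are constructed for illustration.

```python
# Constructed sample slapd.conf. "aclcheck" is a hypothetical overlay name.
SAMPLE = """\
include /etc/openldap/schema/core.schema
# global instance, disabled for now:
  overlay aclcheck

database bdb
suffix "dc=example,dc=com"
overlay aclcheck

database ldap
suffix "dc=remote,dc=example,dc=com"
"""

def logical_lines(text):
    """Unwrap continuation lines first, then drop comments and blank lines.
    An indented line after a comment therefore belongs to the comment."""
    joined = []
    for raw in text.splitlines():
        if raw[:1] in (" ", "\t") and joined:
            joined[-1] += " " + raw.strip()
        else:
            joined.append(raw.rstrip())
    return [l for l in joined if l.strip() and not l.startswith("#")]

def parse(text):
    """Return (global_overlays, databases); databases is a list of
    (type, overlays) tuples in file order."""
    global_ov, dbs, current = [], [], None
    for line in logical_lines(text):
        words = line.split()
        if len(words) < 2:
            continue
        key = words[0].lower()  # assumption: keywords compared case-insensitively
        if key == "backend":
            current = []        # backend section: no longer global, not a database
        elif key == "database":
            current = []
            dbs.append((words[1], current))
        elif key == "overlay":
            (global_ov if current is None else current).append(words[1])
    return global_ov, dbs

def uncovered(text, overlay):
    """Database types with no instance of `overlay` in front of them."""
    global_ov, dbs = parse(text)
    if overlay in global_ov:
        return []
    return [db for db, ovs in dbs if overlay not in ovs]
```

In the sample, the indented "overlay aclcheck" line is swallowed by the comment above it, so the only live instance is the one attached to the first database.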