From: owner-openldap-software@OpenLDAP.org [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of email@example.com
I am doing some preliminary testing of v2.2.2beta, specifically looking at the SLAPI interface dealing with post-binding function calls. The source file involved is servers/slapd/bind.c.
For both SASL & non-SASL binding, it looks as if the post-bind functions are called after the invocation of an send_ldap_result() (and friends). This will work if all post-bind functions just do some kind of logging or informing other systems that someone has bound. However, if the post-bind functions wish to place further restrictions on the binding (for instance, time of day restrictions for this id, password correct even though it has expired, etc), then it is impossible to inform the client of these changes because the result of the binding operation has already been sent back to the client.
The functionality that I'm specifically thinking of is an OpenLDAP implementation of Netscape's/Iplanet's/SunOne's global_password_policy, where if the account being referenced has objectclass=shadowAccount, and the password has expired, return to the client with a server control of LDAP_CONTROL_PWEXPIRED (2.16.840.1.1137220.127.116.11), indicating that the user must change their password immediately.
Am I misunderstanding the requirements/expectations of the post-binding functions? Can someone clarify this situation for me? Thanks.
Lexmark International, Inc.