[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: Question about v2.2.2beta & SLAPI_PLUGIN_POST_BIND_FN

To: openldap-software@OpenLDAP.org
Subject: RE: Question about v2.2.2beta & SLAPI_PLUGIN_POST_BIND_FN
From: dbroady@lexmark.com
Date: Thu, 23 Oct 2003 14:56:26 -0400
Sensitivity:

Does the pre-result plugin allow me to add a control to send back to the client? I have looked through the code a bit (servers/slapd/result.c), and once the code hits slap_send_ldap_result, it doesn't seem like my pre-result plugin can add a control that will be sent to the client. Does this sound correct?

Darin Broady
dbroady@lexmark.com
Lexmark International, Inc.

To: <dbroady@lexmark.com>
cc:
Subject: RE: Question about v2.2.2beta & SLAPI_PLUGIN_POST_BIND_FN

Why would you write a pre-bind plugin if you can just write a pre-result plugin instead?
-- Howard Chu Chief Architect, Symas Corp. Director, Highland Sun http://www.symas.com http://highlandsun.com/hyc Symas: Premier OpenSource Development and Support

-----Original Message----- From: dbroady@lexmark.com [mailto:dbroady@lexmark.com] Sent: Thursday, October 23, 2003 7:58 AM To: Howard Chu Subject: RE: Question about v2.2.2beta & SLAPI_PLUGIN_POST_BIND_FN

Howard,
Thanks for your response. I have a couple of extra questions about this. Let's assume that I do write a pre-bind plugin.
1. Would I have to write the code to check the password myself? Is there some standard function call I can make that would do the backend bind operation for me, and then I can add my extra checks in, assuming that the backend bind op returns correctly?
2. Secondly, it appears in the code that if the bind is an SASL bind, a different code path is taken, bypassing the pre-bind plugin stuff. Can you verify this?

Darin Broady dbroady@lexmark.com Lexmark International, Inc.

Sent by: owner-openldap-software@OpenLDAP.org
To: <dbroady@lexmark.com>, <openldap-software@OpenLDAP.org> cc: Subject: RE: Question about v2.2.2beta & SLAPI_PLUGIN_POST_BIND_FN

-----Original Message----- From: owner-openldap-software@OpenLDAP.org [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of
dbroady@lexmark.com
Hello all,
I am doing some preliminary testing of v2.2.2beta, specifically looking at the SLAPI interface dealing with post-binding function calls. The source file involved is servers/slapd/bind.c.

For both SASL & non-SASL binding, it looks as if the post-bind functions are called after the invocation of an send_ldap_result() (and friends).
This will work if all post-bind functions just do some kind of logging or informing other systems that someone has bound. However, if the post-bind functions wish to place further restrictions on the binding (for instance, time of day restrictions for this id, password correct even though it has expired, etc), then it is impossible to inform the client of these changes because the result of the binding operation has already been sent back to
the client.

The functionality that I'm specifically thinking of is an OpenLDAP implementation of Netscape's/Iplanet's/SunOne's global_password_policy,
where if the account being referenced has objectclass=shadowAccount, and the password has expired, return to the client with a server control of LDAP_CONTROL_PWEXPIRED (2.16.840.1.113730.3.4.4), indicating that the user must change their password immediately.

Am I misunderstanding the requirements/expectations of the post-binding functions? Can someone clarify this situation for me? Thanks.

Darin Broady dbroady@lexmark.com Lexmark International, Inc. A post-operation function executes after the operation is completed. You
want to use a PRE_RESULT plugin if you're going to change the result sent back
to the client. -- Howard Chu Chief Architect, Symas Corp. Director, Highland Sun http://www.symas.com http://highlandsun.com/hyc Symas: Premier OpenSource Development and Support

Why would you write a pre-bind plugin if you can just write a pre-result plugin instead?

Please keep discussion on the list. Since my time is limited I generally only answer direct emails from my paying clients.

-- Howard Chu
Chief Architect, Symas Corp. Director, Highland Sun
http://www.symas.com http://highlandsun.com/hyc
Symas: Premier OpenSource Development and Support

-----Original Message-----
From: dbroady@lexmark.com [mailto:dbroady@lexmark.com]
Sent: Thursday, October 23, 2003 7:58 AM
To: Howard Chu
Subject: RE: Question about v2.2.2beta & SLAPI_PLUGIN_POST_BIND_FN

Howard,

Thanks for your response. I have a couple of extra questions about this. Let's assume that I do write a pre-bind plugin.

1. Would I have to write the code to check the password myself? Is there some standard function call I can make that would do the backend bind operation for me, and then I can add my extra checks in, assuming that the backend bind op returns correctly?

2. Secondly, it appears in the code that if the bind is an SASL bind, a different code path is taken, bypassing the pre-bind plugin stuff. Can you verify this?

Darin Broady
dbroady@lexmark.com
Lexmark International, Inc.

Sent by: owner-openldap-software@OpenLDAP.org
To: <dbroady@lexmark.com>, <openldap-software@OpenLDAP.org>
cc:
Subject: RE: Question about v2.2.2beta & SLAPI_PLUGIN_POST_BIND_FN

-----Original Message----- From: owner-openldap-software@OpenLDAP.org
[mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of dbroady@lexmark.com
Hello all,
I am doing some preliminary testing of v2.2.2beta, specifically looking at the SLAPI interface dealing with post-binding function calls. The source file involved is servers/slapd/bind.c.
For both SASL & non-SASL binding, it looks as if the post-bind functions are called after the invocation of an send_ldap_result() (and friends). This will work if all post-bind functions just do some kind of logging or informing other systems that someone has bound. However, if the post-bind functions wish to place further restrictions on the binding (for instance, time of day restrictions for this id, password correct even though it has expired, etc), then it is impossible to inform the client of these changes because the result of the binding operation has already been sent back to the client.
The functionality that I'm specifically thinking of is an OpenLDAP implementation of Netscape's/Iplanet's/SunOne's global_password_policy, where if the account being referenced has objectclass=shadowAccount, and the password has expired, return to the client with a server control of LDAP_CONTROL_PWEXPIRED (2.16.840.1.113730.3.4.4), indicating that the user must change their password immediately.
Am I misunderstanding the requirements/expectations of the post-binding functions? Can someone clarify this situation for me? Thanks.
Darin Broady dbroady@lexmark.com Lexmark International, Inc.
A post-operation function executes after the operation is completed. You want to use a PRE_RESULT plugin if you're going to change the result sent back to the client.
-- Howard Chu Chief Architect, Symas Corp. Director, Highland Sun http://www.symas.com http://highlandsun.com/hyc Symas: Premier OpenSource Development and Support

Prev by Date: Re: setting up a slapd.pid
Next by Date: Re: objectClass inheritance
Index(es):
- Chronological
- Thread