[Date Prev][Date Next]
Re: Question about writing custom backends for openldap
Michael Torrie wrote:
Browsing the source code for various backends for openldap, I see thatSince there can be multiple instances of a backend active at the same
time in a slapd configuration, there are very few valid uses for truly
global information. However, if it really is global, you can hang it off
the BackendInfo's bi_private pointer, or just declare it as global
variables in your backend code. I don't think the latter is a great idea.
most of the backends define a type of global structure that they use to
store things like the database handle (for sql) etc. This is usually
stored in the private field of the BackendDB structure (if I recall
correctly). My question is a question of scope:
1. where is the correct place to store global information and
Bind is a special case, as it is expected to return the authenticated
user's DN upon success. The slapd frontend stores this DN in the
connection structure. On a particular operation, the connection's DN is
also made available in the Operation structure. As such, any operation
only needs to look at the Operation DN to determine if the current
operation is authenticated or not.
2. what should be used to store information across just one connection
For example, when a bind event occurs that is deemed successful by
backend's handler, where can I store information about that bind that
will only persist across that connection. Subsequent calls to search,
for example, need to know that the user is properly authenticated. In
the perl and shell backends I can only see where a global information
structure is used.
Finally, is it up to the backend to enforce ACLs or does OpenLDAPThe frontend provides functions for checking ACLs; the backend must call
these functions at the appropriate points. The back-bdb code is probably
the best example. Most of the answers you're looking for are
self-evident in the back-bdb and back-ldbm code. The perl and shell
backends are not good models for new backend code; they omit quite a lot
of functionality that the embedded database backends exercise.
enforce the ACLS above backend somehow?
In general, you should think very carefully about the reasons that are
motivating you to write a custom backend. In many cases it's more
efficient to write an overlay that runs on top of an existing backend
instead. As a specific case in point, the password policy overlay
demonstrates how to maintain per-session information in the overlay's
-- Howard Chu
Chief Architect, Symas Corp. Director, Highland Sun
Symas: Premier OpenSource Development and Support