Preoperation Plugin Questions



Hi,

I'm writing a preoperation authentication plugin for OpenLDAP, but I
have trouble finding any documentation whatsoever on this. So most of
what I know comes from tutorials like this one from Oracle:
http://docs.oracle.com/cd/E19099-01/nscp.dirsvr416/816-6683-10/custauth.htm

But since this is not official documentation and I find the execution
paths hard to trace, I have two questions stemming from the above guide:

1) The guide says that for an authentication preop plugin,

    Your pre-operation plug-in function is responsible for sending the
    result code to the client and for setting the DN and
    authentication method for the connection.

  Okay, so I do that. Like in the code example, I set the connection's
  DN to the value I got from the 'pb' in the first place:

   slapi_pblock_set(pb, SLAPI_CONN_DN, slapi_ch_strdup(dn));

  But setting the authentication type fails:

   slapi_pblock_set(pb, SLAPI_CONN_AUTHTYPE, SLAPD_AUTH_SIMPLE);

  This is no real error though, it's simply not implemented: See
  http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=blob;f=servers/slapd/slapi/slapi_pblock.c;h=2c9fc202#l1267

    case SLAPI_CONN_AUTHMETHOD:
        ...
        /* These parameters cannot be set */
        rc = PBLOCK_ERROR;
        break;

  (This was noted in 2006 already, with no reply on this list:
  http://www.openldap.org/lists/openldap-software/200601/msg00044.html )

  So basically it boils down to: Do I have to do *any* other stuff
  except for sending back the result code? Like this:

    slapi_send_ldap_result(pb, rc, NULL, NULL, 0, NULL);

2) What is the preferred return value for a plugin function? Most
   (other) documentation and the code hint at this:

        i)  return 0 if you handled the authentication
        ii) return 1 if you want successive plugins/backends/... to
            handle the authentication

   Is this correct? Or should I use the more suggestive
   SLAPI_BIND_SUCCESS and SLAPI_BIND_FAIL?

Thanks!

Julius

P.S.: What I'm actually trying to achieve is to do RADIUS
authentication via an external library. But I want to send the
client's IP in a Calling-Station-Id attribute, so I cannot simply
write a password check function, right? If you got any ideas that are
better than a preop module, please tell me...