Re: passwd extop backend selection (ITS#2851)


I think this patch should not be applied.  (redirected discussion to -devel)

The problem you are trying to solve is internal to slapd(8) and hence shouldn't
be addressed without regard to what's on the wire.   That is, the problem here
is purely with slapd(8) management of which backend(s) is associated with the
current LDAP association.  

While we could change slapd(8) to support changing of selected (by userIdentity)
passwords, that's what slapd(8) has to do when a userIdentity is provided.
That is, it must change the password associated with userIdentity.  That cannot
be assumed to be the same user as that of the current LDAP association.


At 10:47 PM 11/30/2003, ando@sys-net.it wrote:
>Full_Name: Pierangelo Masarati
>Version: HEAD
>OS: Linux RH
>URL: http://www.sys-net.it/~ando/Download/slap-passwd-extop-2003-11-30.patch
>Submission from: (NULL) (
>Submitted by: ando
>passwd_extop() in servers/slapd/passwd.c uses op->o_conn->c_authz_backend 
>(the authorizing backend) to operate the password change.  This patch uses
>the ID field in reqdata, if any, to select the appropriate backend, in
>view of using passwd_extop across backends in glued backend pools.
>Any drawback or security issue?