[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: passwd extop backend selection (ITS#2851)

To: ando@sys-net.it
Subject: Re: passwd extop backend selection (ITS#2851)
From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
Date: Mon, 01 Dec 2003 07:40:49 -0800
Cc: openldap-devel@OpenLDAP.org
In-reply-to: <200312010647.hB16lipT002637@boole.openldap.org>
References: <200312010647.hB16lipT002637@boole.openldap.org>

Ando,

I think this patch should not be applied.  (redirected discussion to -devel)

The problem you are trying to solve is internal to slapd(8) and hence shouldn't
be addressed without regard to what's on the wire.   That is, the problem here
is purely with slapd(8) management of which backend(s) is associated with the
current LDAP association.  

While we could change slapd(8) to support changing of selected (by userIdentity)
passwords, then that's what slapd(8) has to do when a userIdentity is provided.
That is, it must change the password associated with userIdentity.  That cannot
be assumed to be the same user as that of the current LDAP association.

Kurt

At 10:47 PM 11/30/2003, ando@sys-net.it wrote:
>Full_Name: Pierangelo Masarati
>Version: HEAD
>OS: Linux RH
>URL: http://www.sys-net.it/~ando/Download/slap-passwd-extop-2003-11-30.patch
>Submission from: (NULL) (81.72.89.40)
>Submitted by: ando
>
>
>passwd_extop() in servers/slapd/passwd.c uses op->o_conn->c_authz_backend 
>(the authorizing backend) to operate the password change.  This patch uses
>the ID field in reqdata, if any, to select the appropriate backend, in
>view of using passwd_extop across backends in glued backend pools.
>
>Any drawback or security issue?
>
>Ando.

Follow-Ups:
- Re: passwd extop backend selection (ITS#2851)
  - From: "Pierangelo Masarati" <ando@sys-net.it>

Prev by Date: Re: FW: passwd extop backend selection (ITS#2851)
Next by Date: Re: passwd extop backend selection (ITS#2851)
Index(es):
- Chronological
- Thread