[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: passwd extop backend selection (ITS#2851)

To: <Kurt@OpenLDAP.org>
Subject: Re: passwd extop backend selection (ITS#2851)
From: "Pierangelo Masarati" <ando@sys-net.it>
Date: Mon, 1 Dec 2003 18:07:49 +0100 (CET)
Cc: <openldap-devel@OpenLDAP.org>
Importance: Normal
In-reply-to: <6.0.0.22.0.20031201073401.040fc3e0@127.0.0.1>
References: <200312010647.hB16lipT002637@boole.openldap.org> <6.0.0.22.0.20031201073401.040fc3e0@127.0.0.1>

> Ando,
>
> I think this patch should not be applied.  (redirected discussion to
> -devel)
>
> The problem you are trying to solve is internal to slapd(8) and hence
> shouldn't be addressed without regard to what's on the wire.   That is,
> the problem here is purely with slapd(8) management of which backend(s)
> is associated with the current LDAP association.
>
> While we could change slapd(8) to support changing of selected (by
> userIdentity) passwords, then that's what slapd(8) has to do when a
> userIdentity is provided. That is, it must change the password
> associated with userIdentity.  That cannot be assumed to be the same
> user as that of the current LDAP association.

I don't quite understand your comment.  Can you elaborate
on "LDAP association"?

Moreover, my point was quite "smooth": if slapd serves
"dc=a,dc=com" in one database and "dc=b,dc=com" in another
database, then if "uid=foo,dc=a,dc=com" tries to change
"uid=bar,dc=b,dc=com"'s password, which should be legal
as soon as "uid=foo,dc=a,dc=com" authenticated and has write
access to "uid=bar,dc=b,dc=com"'s password, then slapd
currently looks up "uid=bar,dc=b,dc=com" in "dc=a,dc=com",
which gives no such object.
My change uses "uid=bar,dc=b,dc=com"'s naming context to
select the appropriate backend.

The point I was concerned with is: is this acceptable?
I think it is, but dealing with secrets makes me think
twice before going straight down the path ;)

Ando.

>
> Kurt
>
> At 10:47 PM 11/30/2003, ando@sys-net.it wrote:
>>Full_Name: Pierangelo Masarati
>>Version: HEAD
>>OS: Linux RH
>>URL:
>> http://www.sys-net.it/~ando/Download/slap-passwd-extop-2003-11-30.patch
>> Submission from: (NULL) (81.72.89.40)
>>Submitted by: ando
>>
>>
>>passwd_extop() in servers/slapd/passwd.c uses
>> op->o_conn->c_authz_backend  (the authorizing backend) to operate the
>> password change.  This patch uses the ID field in reqdata, if any, to
>> select the appropriate backend, in view of using passwd_extop across
>> backends in glued backend pools.
>>
>>Any drawback or security issue?
>>
>>Ando.

-- 
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it

References:
- Re: passwd extop backend selection (ITS#2851)
  - From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>

Prev by Date: Re: passwd extop backend selection (ITS#2851)
Next by Date: Re: passwd extop backend selection (ITS#2851)
Index(es):
- Chronological
- Thread