writing a "passthrough" backend
- To: openldap-devel@OpenLDAP.org
- Subject: writing a "passthrough" backend
- From: Roland Bauerschmidt <rb@debian.org>
- Date: Mon, 28 Oct 2002 21:10:04 +0100
- Content-disposition: inline
- User-agent: Mutt/1.3.28i
In order to be able to run scripts at modifications, I'm trying to
write a dummy backend which passes all requests through to another
real backend (say ldbm). Let's call it back-passthrough. How I want the
passthrough backend to behave is like this:

  passthrough_back_modify:
    1. script for modify defined?
       - run it with the modlist piped into stdin like back-shell does
       - script returned error? return LDAP_OPERATIONS_ERROR to client
    2. call ldbm_back_modify
    3. ldbm_back_modify returned error and script defined?
       - run it to do a rollback

What I'm currently having trouble with are ACLs. (1) should only be
executed if the user has sufficient permissions to do so. As far as I
understand, those can only be correctly checked within the backend
(which would be ldbm here) itself. Consequently, the above scenario
wouldn't work for my purpose since ldbm_back_modify would have to be run
before in order to find out whether the user has permissions. Is there
any way to check the permissions before? Or do a dry-run
ldbm_back_modify in a general way, not restricting to ldbm?

A second approach I came up with would be the following:

  passthrough_back_modify:
    1. somehow receive the current version of the entry to be
       modified. Is there any way to do this by calling one of the
       BackendDB members (be_search?) of an ldbm instance? Would I
       basically need to emulate a complete LDAP connection/request
       in order to do that? Has anybody done something like that?
    2. call ldbm_back_modify
       - error: return
    3. run script if defined with old version of the entry piped
       into stdin
       - successful: return
    4. if the script fails, we would need to go back to the old
       entry in the database. Would it be possible to call be_modify
       to do this? Basically the same questions I had in (1) for
       be_search apply here...

Are any of the above approaches doable? I would greatly appreciate any
comments on this, since I'm somehow stuck here.

Roland
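
The control flow of the first outline, as an added example that is not part of the original message and is not OpenLDAP code: the script gets the modlist on stdin through a pipe, a non-zero exit maps to LDAP_OPERATIONS_ERROR, and a backend error triggers the rollback run. The names `run_hook`, `passthrough_modify`, `modify_fn` and `demo_backend` and the two-string backend signature are assumptions made for illustration; the real slapd backend entry points take different arguments.

```c
#include <signal.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* LDAP result codes, defined locally so this builds without OpenLDAP headers. */
#define LDAP_SUCCESS             0x00
#define LDAP_OPERATIONS_ERROR    0x01
#define LDAP_INSUFFICIENT_ACCESS 0x32

typedef int (*modify_fn)(const char *dn, const char *modlist); /* hypothetical */
int hooks_run, demo_calls, demo_rc; /* counters and constructed backend result */

/* Constructed stand-in for the real backend (ldbm in the message). */
int demo_backend(const char *dn, const char *ml)
{ (void)dn; (void)ml; demo_calls++; return demo_rc; }

/* Run cmd under /bin/sh with input on its stdin; exit status, or -1 on failure. */
int run_hook(const char *cmd, const char *input)
{
    int fds[2], status;
    pid_t pid;
    if (pipe(fds) < 0) return -1;
    if ((pid = fork()) < 0) { close(fds[0]); close(fds[1]); return -1; }
    if (pid == 0) {                          /* child: pipe becomes stdin */
        dup2(fds[0], STDIN_FILENO);
        close(fds[0]); close(fds[1]);
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);
    }
    hooks_run++;
    close(fds[0]);
    signal(SIGPIPE, SIG_IGN);                /* hook may exit without reading */
    if (write(fds[1], input, strlen(input)) < 0) { /* exit status decides */ }
    close(fds[1]);                           /* EOF for the hook */
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}

/* First outline: hook, real modify, then the script again for rollback. */
int passthrough_modify(modify_fn real, const char *hook, const char *rollback,
                       const char *dn, const char *modlist)
{
    int rc;
    if (hook && run_hook(hook, modlist) != 0) return LDAP_OPERATIONS_ERROR;
    rc = real(dn, modlist);                  /* access control is decided in here */
    if (rc != LDAP_SUCCESS && hook && rollback) run_hook(rollback, modlist);
    return rc;
}
```

When the stand-in backend returns LDAP_INSUFFICIENT_ACCESS, the hook has already run once before the denial and once more for the rollback, which is the ordering problem the message raises about ACLs.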