
Re: writing a "passthrough" backend



I suggest you look at the glue backend... it "layers"
functionality on top of other backends using backend
callbacks.  There are a number of other uses of these
callbacks in the code, so you might browse about a bit.

At 12:10 PM 2002-10-28, Roland Bauerschmidt wrote:
>In order to be able to run scripts at modifications, I'm trying to
>write a dummy backend which passes all requests through to another
>real backend (say ldbm). Let's call it back-passthrough. How I want the
>passthrough backend to behave is like this:
>
>passthrough_back_modify:
>        1. script for modify defined?
>           - run it with the modlist piped into stdin like back-shell does
>           - script returned error? return LDAP_OPERATIONS_ERROR to
>            client
>        2. call ldbm_back_modify
>        3. ldbm_back_modify returned error and script
>           defined?
>           - run it to do a rollback
>
>What I'm currently having trouble with are ACLs. (1) should only be
>executed if the user has sufficient permissions to do so. As far as I
>understand, those can only be correctly checked within the backend
>(which would be ldbm here) itself. Consequently, the above scenario
>wouldn't work for my purpose since ldbm_back_modify would have to be run
>before in order to find out whether the user has permissions. Is there
>any way to check the permissions before? Or do a dry-run
>ldbm_back_modify in a general way, not restricting to ldbm?
>
>A second approach I came up with would be the following:
>
>passthrough_back_modify:
>        1. somehow receive the current version of the entry to be
>           modified. Is there any way to do this by calling one of the
>           BackendDB members (be_search?) of an ldbm instance? Would I
>           basically need to emulate a complete LDAP connection/request
>           in order to do that? Has anybody done something like that?
>        2. call ldbm_back_modify
>           - error: return
>        3. run script if defined with old version of the entry piped
>           into stdin
>           - successful: return
>        4. if the script fails, we would need to go back to the old
>           entry in the database. Would it be possible to call be_modify
>           to do this? Basically the same questions I had in (1) for
>           be_search apply here...
>
>Are any of the above approaches doable? I would greatly appreciate any
>comments on this, since I'm somehow stuck here.
>
>Roland
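
A self-contained C model of the second approach in the quoted message, added here as an illustration and not taken from OpenLDAP or from either poster: it checks write permission before any side effect, keeps the old value, pipes it to the hook script on stdin, and restores it if the hook fails. The store, the single-writer check and every function name are hypothetical stand-ins for the real backend and for slapd's ACL evaluation; the result codes use the LDAP values 0, 1 and 50.

```c
/* Added model, not OpenLDAP code: every name below is hypothetical. */
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>
enum { RC_SUCCESS = 0, RC_OPERATIONS_ERROR = 1, RC_INSUFFICIENT_ACCESS = 50 };
/* Stand-in for the real backend: one value plus the only DN allowed to write. */
struct store { char value[64]; const char *writer; };

static int real_modify(struct store *s, const char *v) {
    if (strlen(v) >= sizeof s->value) return RC_OPERATIONS_ERROR;
    strcpy(s->value, v);
    return RC_SUCCESS;
}

/* Run the hook via sh -c with the old value on stdin; 0 only if it exits 0. */
static int run_hook(const char *hook, const char *old) {
    int fd[2], st; pid_t pid;
    if (pipe(fd) != 0) return -1;
    signal(SIGPIPE, SIG_IGN);        /* the hook may exit without reading */
    if ((pid = fork()) < 0) { close(fd[0]); close(fd[1]); return -1; }
    if (pid == 0) {                  /* child: the pipe becomes the hook's stdin */
        dup2(fd[0], 0); close(fd[0]); close(fd[1]);
        execl("/bin/sh", "sh", "-c", hook, (char *)NULL);
        _exit(127);
    }
    close(fd[0]);
    if (write(fd[1], old, strlen(old)) < 0) { /* hook closed stdin early; exit status decides */ }
    close(fd[1]);
    if (waitpid(pid, &st, 0) < 0) return -1;
    return (WIFEXITED(st) && WEXITSTATUS(st) == 0) ? 0 : -1;
}

int passthrough_modify(struct store *s, const char *who, const char *v, const char *hook) {
    char old[sizeof s->value];
    if (strcmp(who, s->writer) != 0) return RC_INSUFFICIENT_ACCESS; /* before any side effect */
    strcpy(old, s->value);                                /* 1: keep the current entry */
    if (real_modify(s, v) != RC_SUCCESS) return RC_OPERATIONS_ERROR;       /* 2 */
    if (hook && run_hook(hook, old) != 0) {               /* 3: hook sees the old entry */
        real_modify(s, old);                              /* 4: roll back */
        return RC_OPERATIONS_ERROR;
    }
    return RC_SUCCESS;
}
int main(void) {
    struct store s = { "old", "cn=admin" };
    printf("%d %s\n", passthrough_modify(&s, "cn=admin", "new", "exit 1"), s.value);
    return 0;
}
```

The rollback in this model is not atomic: between step 2 and step 4 another client could read the new value, which a real backend would have to prevent with its own locking or transactions.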