[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: writing a 'passthrough' backend



Yes, it would probably work, slowly, as Pierangelo said.

Now that you've looked at the callback code, the answer should be obvious:
One solution is to write a backend that uses callbacks the same way
back-glue.c does, but with more steps:
	wrap a call to back-ldbm, with the NOOP control set, obtain result.
	wrap a call to back-shell
	wrap a call to back-ldbm

This will still be slow, but not as slow. The assumption here is that the
actual back-ldbm database has the ACLs defined, which you check thru the
NOOP'd modify.

Another solution is to write a backend that uses callbacks, but manages the
ACL checks on its own. This may be slightly faster than using NOOPs but most
likely is about the same:
	wrap a call to back-ldbm to search for the modify target
	perform ACL check
	wrap a call to back-shell
	wrap a call to back-ldbm

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support

> -----Original Message-----
> From: owner-openldap-devel@OpenLDAP.org
> [mailto:owner-openldap-devel@OpenLDAP.org]On Behalf Of Pierangelo Masarati

> > Kurt D. Zeilenga wrote:
> >> I suggest you look at the glue backend... it "layers"
> >> functionality on top of other backends using backend
> >> callbacks.  There are a number of other uses of these
> >> callbacks in the code, so you might browse about a bit.
> >
> > Thanks for your help first of all. I don't really get how those
> > callbacks are gonna help me solve my problem though. As far as I
> > understand, it is possible to register a function which is
> to be called
> > in ldap_send_response (and similarly for the search stuff). At that
> > point of time, the entry is already added to the database.
> It would be
> > possible to call a script or do whatever there. I'd like to run the
> > script *before* adding the entry to the database though, so
> that in case
> > the script fails, the entry wouldn't even be attempted to
> be added to
> > the database. But I only want the script to be run if the user has
> > enough permissions to fulfill the operation, which I
> currently only know
> > after the operation was done. Is there any way to know
> before? Or doing
> > a dry-run doing everything except really added the entry?
>
> In OpenLDAP 2.1, a few backends support the NOOP control, which does
> exactly a dry run for modify operations (back-ldbm and back-bdb should
> honor it).
>
> If I get your point, you would like to store data in, say, back-ldbm,
> but you need to do some hand-crafted data check BEFORE the data is
> actually presented to back-ldbm.  You think you could chain back-shell
> (or any other scripting backend, like back-perl or back-tcl) and the
> actual storage backend to do your checks in the scripts, but these
> backends do not allow extensive ACL checks (I'm not very familiar
> with these scripting backends, but it might be correct).  Then you
> can do something which gets realy involved, but may work (with awful
> performances, I'm afraid): chain back-ldap, back-shell and back-ldbm.
>
> back-ldap is the entry point; it pipes requests to a server
> that accepts
> them with back-shell, after applying ACLs (back-ldap supports
> and honors
> all the ACL checks)
>
> back-shell does your hand-crafted checks trusting back-ldap;
> if you run
> the two servers on the same box, you may use ldapi:// to easily secure
> communications;
>
> then in back-shell you use ldapsearch, ldapmodify to pipe operations
> to another server that stores/retrieves them from back-ldbm.
>
> Very cumbersome, but it might work.
>
> Pierangelo.
>
> --
> Pierangelo Masarati
> mailto:pierangelo.masarati@sys-net.it
>
>
>
>