[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: setting SLAPI_MODIFY_MODS in slapd

To: ludovic.poitou@noSpam.sun.com
Subject: Re: setting SLAPI_MODIFY_MODS in slapd
From: Luke Howard <lukeh@PADL.COM>
Date: Tue, 21 Jan 2003 09:58:00 +1100
Cc: ando@sys-net.it, openldap-devel@OpenLDAP.org, somrani@us.ibm.com
Organization: PADL Software Pty Ltd
References: <200301172343.KAA09724@au.padl.com> <62391.217.56.99.116.1042881856.squirrel@webmail.sys-net.it> <200301182316.KAA16611@au.padl.com> <200301191119.WAA19587@au.padl.com> <3E2C166F.2000708@noSpam.sun.com>
Versions: dmail (bsd44) 2.4c/makemail 2.9d

>You can get the MODS, add to them or modify them, and set them back. You 
>have to make sure that the memory is properly allocated because the mods 
>will be freed automatically at the end of the operation.

This would be expensive to implement in OpenLDAP: although a different
structure is used to represent modifications internally, most of the
copying can be avoided if we assume the LDAP_MODIFY_MODS data is
immutable by the plugin.

OTOH, it would be very useful for a plugin to change this precommit:
in one of our plugins, the cleartext password is received over an
LDAP Modify and some OWF hashes are generated; the original cleartext
is discarded. If the plugin cannot change the modifications, then 
we could only implement this as a postoperation plugin, which would
risk the cleartext password being flushed to the LDAP DB and potentially
even exposed by LDAP. (In fact, there's not even really a choice here
from a security perspective.)

-- Luke

--
Luke Howard | PADL Software Pty Ltd | www.padl.com

References:
- setting SLAPI_MODIFY_MODS in slapd
  - From: Luke Howard <lukeh@PADL.COM>
- Re: setting SLAPI_MODIFY_MODS in slapd
  - From: Luke Howard <lukeh@PADL.COM>

Prev by Date: Re: Operational attribute plugins
Next by Date: SLAPI and LDAP_OPERATIONS_ERROR
Index(es):
- Chronological
- Thread