[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Same old problem: how to univoquely identify a database

To: OpenLDAP Devel <openldap-devel@OpenLDAP.org>
Subject: Re: Same old problem: how to univoquely identify a database
From: Pierangelo Masarati <ando@sys-net.it>
Date: Fri, 09 Sep 2005 08:14:08 +0200
In-reply-to: <4320D177.7010404@sys-net.it>
References: <4320D177.7010404@sys-net.it>
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050524 CentOS/1.7.8-1.1.3.1.centos3

Pierangelo Masarati wrote:

I just ran into the same old problem of how to tell that two databases are the same given the BackendDB pointer. In back-ldap, a test
       op->o_bd->be_private == op->o_conn->c_authz_backend->be_private
is used; unfortunately it fails for me, because op->o_conn->c_authz_backend was set by do_bind() to the real database's pointer, while op->o_bd is pointing to an internal instance of back-ldap that a custm overlay is using for special operations. This destroys connection caching. I don't want to use temporaries all the way down to the connection structure just to set that pointer to the right database before calling the private instance of back-ldap; I'd rather use another field instead of be_private, which is quite likely to change when using internal databases in overlays. For instance, if I replace be_private with be_nsuffix in that test everything works fine, but this would be a bad hack, since there's no guarantee anybody else needs to change the suffix between the original and the internal databases, and this would impact back-ldap's code instead of being confined to the custom code. I think we should add a unique identifier to the BackendDB structure. Any suggestions, before I reinvent the wheel?

Right now I'm leaning towards adding a "void *c_authz_cookie" that modules can set at will, typically to a static pointer to their real be_private member, so that the authz_backend check could become something like

#define SLAP_IS_AUTHZ_BACKEND(op) \
   ((op)->o_conn \
   && (op)->o_bd->be_private \
   && (op)->o_conn->c_authz_backend \
   && ((op)->o_bd->be_private == (op)->o_conn->c_authz_backend \
      || ((op)->o_bd->be_private == (op)->o_conn->c_authz_cookie ))

I also played with adding a configurable be_is_authz_backend() hook to the BackendDB structure, but this may not be necessary if we stick with the be_private trick, extended to allow finer grain detection of the notion of authorizing backend when the c_authz_backend gets set to something that is not the actual layer that granted the authorization.

p.


   SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497

Follow-Ups:
- Re: Same old problem: how to univoquely identify a database
  - From: Howard Chu <hyc@symas.com>

References:
- Same old problem: how to univoquely identify a database
  - From: Pierangelo Masarati <ando@sys-net.it>

Prev by Date: Enough for a new release?
Next by Date: Re: Same old problem: how to univoquely identify a database
Index(es):
- Chronological
- Thread