
RE: Question about v2.2.2beta & SLAPI_PLUGIN_POST_BIND_FN




Does the pre-result plugin allow me to add a control to send back to the client?  I have looked through the code a bit (servers/slapd/result.c), and once the code hits slap_send_ldap_result, it doesn't seem like my pre-result plugin can add a control that will be sent to the client.  Does this sound correct?

Darin Broady
dbroady@lexmark.com
Lexmark International, Inc.

Why would you write a pre-bind plugin if you can just write a pre-result plugin instead?

Please keep discussion on the list. Since my time is limited I generally only answer direct emails from my paying clients.

-- Howard Chu
Chief Architect, Symas Corp.       Director, Highland Sun
http://www.symas.com               http://highlandsun.com/hyc
Symas: Premier OpenSource Development and Support

-----Original Message-----
From: dbroady@lexmark.com [mailto:dbroady@lexmark.com]
Sent: Thursday, October 23, 2003 7:58 AM
To: Howard Chu
Subject: RE: Question about v2.2.2beta & SLAPI_PLUGIN_POST_BIND_FN


Howard,

Thanks for your response.  I have a couple of extra questions about this.  Let's assume that I do write a pre-bind plugin.

1.  Would I have to write the code to check the password myself?  Is there some standard function call I can make that would do the backend bind operation for me, and then I can add my extra checks in, assuming that the backend bind op returns correctly?

2.  Secondly, it appears in the code that if the bind is a SASL bind, a different code path is taken, bypassing the pre-bind plugin stuff.  Can you verify this?


Darin Broady
dbroady@lexmark.com
Lexmark International, Inc.




Sent by:        owner-openldap-software@OpenLDAP.org

To:        <dbroady@lexmark.com>, <openldap-software@OpenLDAP.org>
cc:        
Subject:        RE: Question about v2.2.2beta & SLAPI_PLUGIN_POST_BIND_FN


-----Original Message-----
From: owner-openldap-software@OpenLDAP.org [mailto:owner-openldap-software@OpenLDAP.org] On Behalf Of dbroady@lexmark.com

Hello all,

I am doing some preliminary testing of v2.2.2beta, specifically looking at
the SLAPI interface dealing with post-binding function calls.  The source
file involved is servers/slapd/bind.c.

For both SASL & non-SASL binding, it looks as if the post-bind functions
are called after the invocation of a send_ldap_result() (and friends).  This
will work if all post-bind functions just do some kind of logging or
informing other systems that someone has bound.  However, if the post-bind
functions wish to place further restrictions on the binding (for instance,
time of day restrictions for this id, password correct even though it has
expired, etc), then it is impossible to inform the client of these changes
because the result of the binding operation has already been sent back to the
client.

The functionality that I'm specifically thinking of is an OpenLDAP
implementation of Netscape's/Iplanet's/SunOne's global_password_policy, where
if the account being referenced has objectclass=shadowAccount, and the
password has expired, return to the client with a server control of
LDAP_CONTROL_PWEXPIRED (2.16.840.1.113730.3.4.4), indicating that the user
must change their password immediately.

Am I misunderstanding the requirements/expectations of the post-binding
functions?  Can someone clarify this situation for me?  Thanks.

Darin Broady
dbroady@lexmark.com
Lexmark International, Inc.

A post-operation function executes after the operation is completed. You want
to use a PRE_RESULT plugin if you're going to change the result sent back to
the client.

-- Howard Chu
Chief Architect, Symas Corp.       Director, Highland Sun
http://www.symas.com               http://highlandsun.com/hyc
Symas: Premier OpenSource Development and Support
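As an added example, not code from this thread or from OpenLDAP: the shadowAccount expiry decision described above, written as a stand-alone C routine that a result-stage plugin could call to decide whether the password-expired control (the OID quoted in the thread) belongs on the bind result. Attribute semantics follow RFC 2307 / shadow(5); reading the attributes out of the entry is assumed already done, and -1 marks an absent attribute.

```c
/* Added example (not from the thread or OpenLDAP): classify a bound entry's
 * shadowAccount aging attributes and pick the response control to attach.
 * Assumption: values already fetched from the entry as longs; -1 = absent. */
#include <stdio.h>
#include <string.h>
#include <time.h>

#define CTRL_PWEXPIRED "2.16.840.1.113730.3.4.4"  /* OID quoted in the thread */

struct shadow_attrs {
    long last_change;  /* shadowLastChange: days since 1970-01-01; 0 = must change now */
    long max_days;     /* shadowMax: password valid this many days; -1 = no aging */
    long inactive;     /* shadowInactive: grace days after expiry; -1 = absent */
    long expire;       /* shadowExpire: account disabled from this day; -1 = absent */
};

enum pw_state { PW_OK, PW_EXPIRED, PW_LOCKED };

/* Classify the entry for the given "today" (days since the epoch). */
enum pw_state shadow_state(const struct shadow_attrs *s, long today)
{
    long expiry;
    if (s->expire >= 0 && today >= s->expire)
        return PW_LOCKED;                       /* whole account expired */
    if (s->last_change == 0)
        return PW_EXPIRED;                      /* administrator forced a change */
    if (s->last_change < 0 || s->max_days < 0)
        return PW_OK;                           /* no password aging configured */
    expiry = s->last_change + s->max_days;
    if (today <= expiry)
        return PW_OK;
    /* Past expiry: bind still allowed during the shadowInactive grace period. */
    if (s->inactive >= 0 && today > expiry + s->inactive)
        return PW_LOCKED;
    return PW_EXPIRED;
}

/* OID of the response control to attach, or NULL when none is needed. */
const char *shadow_result_control(const struct shadow_attrs *s, long today)
{
    return shadow_state(s, today) == PW_EXPIRED ? CTRL_PWEXPIRED : NULL;
}

long today_in_days(void) { return (long)(time(NULL) / 86400); }

int main(void)
{
    struct shadow_attrs s = { 19000, 90, -1, -1 };   /* constructed sample */
    const char *ctrl = shadow_result_control(&s, today_in_days());
    printf("control to attach: %s\n", ctrl ? ctrl : "(none)");
    return 0;
}
```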