[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Question about writing custom backends for openldap

To: Michael Torrie <torriem@chem.byu.edu>
Subject: Re: Question about writing custom backends for openldap
From: Howard Chu <hyc@symas.com>
Date: Thu, 02 Jun 2005 22:03:09 -0700
Cc: OpenLDAP software list <openldap-software@OpenLDAP.org>
In-reply-to: <1117762349.26721.6.camel@enterprise.local.lan>
References: <1117762349.26721.6.camel@enterprise.local.lan>
User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b2) Gecko/20050522

Michael Torrie wrote:

Browsing the source code for various backends for openldap, I see that most of the backends define a type of global structure that they use to store things like the database handle (for sql) etc. This is usually stored in the private field of the BackendDB structure (if I recall correctly). My question is a question of scope:
1. where is the correct place to store global information and

Since there can be multiple instances of a backend active at the same time in a slapd configuration, there are very few valid uses for truly global information. However, if it really is global, you can hang it off the BackendInfo's bi_private pointer, or just declare it as global variables in your backend code. I don't think the latter is a great idea.

2. what should be used to store information across just one connection
or session?
For example, when a bind event occurs that is deemed successful by backend's handler, where can I store information about that bind that will only persist across that connection. Subsequent calls to search, for example, need to know that the user is properly authenticated. In the perl and shell backends I can only see where a global information structure is used.

Bind is a special case, as it is expected to return the authenticated user's DN upon success. The slapd frontend stores this DN in the connection structure. On a particular operation, the connection's DN is also made available in the Operation structure. As such, any operation only needs to look at the Operation DN to determine if the current operation is authenticated or not.

Finally, is it up to the backend to enforce ACLs or does OpenLDAP enforce the ACLS above backend somehow?

The frontend provides functions for checking ACLs; the backend must call these functions at the appropriate points. The back-bdb code is probably the best example. Most of the answers you're looking for are self-evident in the back-bdb and back-ldbm code. The perl and shell backends are not good models for new backend code; they omit quite a lot of functionality that the embedded database backends exercise.

In general, you should think very carefully about the reasons that are motivating you to write a custom backend. In many cases it's more efficient to write an overlay that runs on top of an existing backend instead. As a specific case in point, the password policy overlay demonstrates how to maintain per-session information in the overlay's private data.

--
 -- Howard Chu
 Chief Architect, Symas Corp.       Director, Highland Sun
 http://www.symas.com               http://highlandsun.com/hyc
 Symas: Premier OpenSource Development and Support

Follow-Ups:
- Re: Question about writing custom backends for openldap
  - From: Michael L Torrie <torriem@chem.byu.edu>

References:
- Question about writing custom backends for openldap
  - From: Michael Torrie <torriem@chem.byu.edu>

Prev by Date: Question about writing custom backends for openldap
Next by Date: Re: slapd/bdb stability problem
Index(es):
- Chronological
- Thread