[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: olcPasswordHash scheme not available

To: Howard Chu <hyc@symas.com>
Subject: Re: olcPasswordHash scheme not available
From: Pierangelo Masarati <ando@sys-net.it>
Date: Thu, 09 Aug 2007 10:59:04 +0200
Cc: openldap-software@openldap.org
In-reply-to: <46BACCEF.2020207@symas.com>
References: <5f636a2f0708080342w389bac17of723371efc14ee6c@mail.gmail.com> <46BAC695.1060801@sys-net.it> <46BACCEF.2020207@symas.com>
User-agent: Thunderbird 1.5.0.8 (X11/20061025)

Howard Chu wrote:

Pierangelo Masarati wrote:
That sounds like a bug.  In fact, {K5KEY} is loaded by smbk5pwd, so if
in slapd.conf you correctly load the module __before__ using
password-hash things work as expected.  However, when the configuration
is loaded from the back-config database, modules are loaded __after__
the global entry, which contains password-hash.  Apparently, checking
the value of the password-hash attribute must be deferred to __after__
loading the entire configuration.  This might be true in general.  I
suggest you file an ITS for this issue <http://www.openldap.org/its/>.
If it's a general problem, then we're going to need to re-shuffle the layout of the cn=config tree so that global directives are processed after any modules are loaded. But I think password mechs are the only item that can be registered at runtime that currently have a problem.


It seems to be so.  I'm considering different approaches:

* force some sequentiality in parsing config entries; for example:
	- schema first
	- then modules (modules may rely on presence of schema)
	- then the rest
  but this is not ensuring the right ordering of thngs

* turn failed config parsing into a list of modifications
  to be recursively reapplied later until either success
  or a complete run thru the list results in no success
  This also does not ensure the right ordering

* change the layout so that config database parsing from LDIF
  is treated differently from slapd.conf, in two phases:
	- read-in
	- validation

In all the above cases there's no guarantee the original ordering is preserved, so the safest solution would be to keep a changelog of configuration to be rolled-in again at startup instead of relying on the configuration stored on disk.

p.


Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Email:   pierangelo.masarati@sys-net.it
---------------------------------------

Follow-Ups:
- Re: olcPasswordHash scheme not available
  - From: "Mustafa A. Hashmi" <mahashmi@gmail.com>
- Re: olcPasswordHash scheme not available
  - From: Howard Chu <hyc@symas.com>

References:
- olcPasswordHash scheme not available
  - From: "Mustafa A. Hashmi" <mahashmi@gmail.com>
- Re: olcPasswordHash scheme not available
  - From: Pierangelo Masarati <ando@sys-net.it>
- Re: olcPasswordHash scheme not available
  - From: Howard Chu <hyc@symas.com>

Prev by Date: Re: olcPasswordHash scheme not available
Next by Date: Can't add Organizational Unit
Index(es):
- Chronological
- Thread