
Re: Preoperation Plugin Questions



Dan White wrote:
On 01/23/13 17:00 +0100, Julius Plenz wrote:
Hi,

I'm writing a preoperation authentication plugin for OpenLDAP, but I
have trouble finding any documentation whatsoever on this. So most of
what I know comes from tutorials like this one from Oracle:
http://docs.oracle.com/cd/E19099-01/nscp.dirsvr416/816-6683-10/custauth.htm

P.S.: What I'm actually trying to achieve is to do RADIUS
authentication via an external library. But I want to send the
client's IP in a Calling-Station-Id attribute, so I cannot simply
write a password check function, right? If you got any ideas that are
better than a preop module, please tell me...

You should be able to accomplish this via a SASL mechanism (and possibly an
existing one), which would not require any code changes within slapd or
client libraries. See sasl_server_new(3) and its ipremoteport parameter.

That would require the client to perform a SASL Bind instead of a Simple Bind. Not unreasonable, but it's obvious the OP is doing Simple Bind.

I would just take the current radius.c checker and modify it to stash the Operation pointer somewhere it can be retrieved, then grab it in the password check function and pull the client IP address out of there. The smbk5pwd module already uses this trick so it should be trivial to copy/paste that code into radius.c.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
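
An added example (not code from this thread, from radius.c or from smbk5pwd) of the stash-and-retrieve pattern suggested in the last reply: the bind path stores the operation where a fixed-signature password check can find it, the check reads the client address for Calling-Station-Id, and the slot is cleared when the bind finishes. `mock_op`, `chk_radius`, `bind_simple` and the mock RADIUS call are hypothetical stand-ins, a thread-local variable is an assumed stash location, and rejecting when nothing is stashed is a design choice made here.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for slapd's Operation; only the client address is modelled. */
struct mock_op { const char *peer_ip; };

/* Assumed stash location: one slot per worker thread. */
static _Thread_local const struct mock_op *stashed_op;

/* Records what the mock RADIUS request carried, so the result can be inspected. */
static char last_calling_station[64];

/* Mock of the external RADIUS library call (hypothetical); accepts one constructed password. */
static int mock_radius_auth(const char *user, const char *pw, const char *station) {
    (void)user;
    snprintf(last_calling_station, sizeof last_calling_station, "%s", station);
    return strcmp(pw, "correct-horse") == 0 ? 0 : -1;
}

/* Password check with a fixed signature: it is never handed the operation. */
int chk_radius(const char *user, const char *pw) {
    const struct mock_op *op = stashed_op;
    if (op == NULL || op->peer_ip == NULL)
        return -1;                /* no client address available: reject */
    return mock_radius_auth(user, pw, op->peer_ip);
}

/* Bind path: stash before the check, clear afterwards so the slot never
 * outlives the operation it points to. */
int bind_simple(const struct mock_op *op, const char *user, const char *pw) {
    stashed_op = op;
    int rc = chk_radius(user, pw);
    stashed_op = NULL;
    return rc;
}

const char *last_station(void) { return last_calling_station; }

int main(void) {
    struct mock_op op = { "192.0.2.10" };    /* constructed sample client */
    int rc = bind_simple(&op, "alice", "correct-horse");
    printf("bind rc=%d station=%s\n", rc, last_station());
    printf("check without stash rc=%d\n", chk_radius("alice", "correct-horse"));
    return 0;
}
```

Clearing the slot after the bind matters because worker threads are reused: a pointer left behind would attribute a later check to the wrong client or reference a freed operation.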