h.b.furuseth@usit.uio.no wrote:
> Backends are quite inconsistent about how Bind treats rootdn/rootpw. After a quick browse of the HEAD code, it looks like this - I'll investigate closer if needed:
>
> rootpw supported:
>   Yes: config, bdb, meta, monitor, ldif, HEAD:null, sql, overlay retcode.
>   No: dnssrv, ldap?, RE23:null, perl, relay, shell.

back-ldap doesn't care about rootdn/rootpw; back-meta does, mostly for historical reasons (could be removed with some work).

> (Bind not supported: passwd).
>
> Rootpw vs. normal Bind as rootdn (typically when rootdn names an entry):
>   config, bdb, null, sql, overlay retcode (I think): Try rootpw first, then if failure try normal Bind (even if rootpw exists but the Bind password does not match it).
>   ldif: Do not try rootpw if rootdn names an existing entry.
>   meta: Fail if rootpw is missing or does not match, more complicated otherwise.
>   monitor: Fine - there are no entries with passwords.

(yet :)

I discovered that back-monitor may benefit from having a rootdn because this provides a means to easily work around any ACLs. The availability of rootpw is also important because I ran into a few cases where no other means to authenticate were available, and all in all this feature (I mean: rootdn w/ rootpw) comes for free from the database infrastructure.

> The manpage is (fortunately:-) unclear on what happens in this case.

}-)

> Check if op->orb_method == LDAP_AUTH_SIMPLE: Yes: config, bdb, meta, monitor. No: ldif, null, sql, overlay retcode.

I don't think we can get to calling bi_op_bind() otherwise... it could even be an assertion.

> Set op->orb_edn (op->oq_bind.rb_edn) from be_root_dn() on success: config, bdb, monitor, sql.
> Set op->orb_edn on failure: bdb: Sometimes, from &e->e_name. sql: Always, from op->o_req_ndn.

Not sure what this means: op->orb_edn should only be set in case of success, AFAIK.

> Set rs->sr_err = LDAP_SUCCESS on success: ldif, meta

For consistency, I presume. The caller will just check the response code.

> Reset rs->sr_text: meta
>
> Which behavior is right? I'm wondering if Bind should fail if rootpw exists but the Bind password does not match it.
>
> In any case, methinks we need a be_rootpw_bind(op, rs) function which takes care of this consistently, so bi_op_bind in most cases can just do
>   if (be_rootpw_bind(op, rs)) return rs->sr_err;
> If needed it could accept rs==NULL to just check the password - like be_isroot_pw() but with more return codes to distinguish different cases.

At this point, it might be worth moving this check outside bi_op_bind(). Wait a moment: we need to do something else at least in back-meta if rootdn bind succeeds... but I think that could be changed.
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office: +39 02 23998309
Mobile: +39 333 4963172
Email: pierangelo.masarati@sys-net.it
---------------------------------------
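A standalone C sketch of the be_rootpw_bind() idea discussed in the message above, added here as an illustration and not OpenLDAP code: the struct types, the names rootpw_check, rootpw_bind, secret_eq and the fail_closed switch are this example's own, and it compares a plain-text rootpw where slapd would go through lutil_passwd(). It returns distinct outcomes instead of be_isroot_pw()'s yes/no, and shows both policies for the case the message questions (rootpw exists but the Bind password does not match it).

```c
#include <string.h>
/* LDAP result codes used below (values from RFC 4511). */
#define LDAP_SUCCESS             0
#define LDAP_INVALID_CREDENTIALS 49
/* Constructed stand-ins for slapd's BackendDB, Operation and SlapReply. */
struct backend { const char *root_ndn; const char *rootpw; };
struct bind_op { const char *req_ndn; const char *cred; const char *edn; };
struct reply   { int err; const char *text; };
/* Distinct outcomes, as the post asks for: more than be_isroot_pw()'s yes/no. */
enum rootpw_outcome { ROOTPW_NOT_ROOTDN,  /* not the rootdn: fall through to normal Bind */
                      ROOTPW_UNSET,       /* rootdn but no rootpw configured: normal Bind only */
                      ROOTPW_MATCH,       /* rootpw matched: authorized as the rootdn */
                      ROOTPW_MISMATCH };  /* rootpw configured, credentials did not match */

/* Length-independent comparison so timing does not leak how much of the secret matched. */
static int secret_eq(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b), i;
    unsigned char diff = (unsigned char)(la != lb);
    for (i = 0; i < la && i < lb; i++) diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* Classify a simple Bind against rootdn/rootpw. Plain-text rootpw is an
 * assumption of this model; slapd verifies hashed rootpw via lutil_passwd(). */
enum rootpw_outcome rootpw_check(const struct backend *be, const struct bind_op *op)
{
    if (be->root_ndn == NULL || strcmp(op->req_ndn, be->root_ndn) != 0) return ROOTPW_NOT_ROOTDN;
    if (be->rootpw == NULL) return ROOTPW_UNSET;
    return secret_eq(op->cred, be->rootpw) ? ROOTPW_MATCH : ROOTPW_MISMATCH;
}

/* Hypothetical be_rootpw_bind(): nonzero means "done, return rs->err", zero means go on
 * with the normal Bind. fail_closed = 1 is the stricter policy the post wonders about. */
int rootpw_bind(const struct backend *be, struct bind_op *op, struct reply *rs, int fail_closed)
{
    switch (rootpw_check(be, op)) {
    case ROOTPW_MATCH:
        rs->err = LDAP_SUCCESS; rs->text = NULL;
        op->edn = be->root_ndn;       /* authorization DN is the rootdn */
        return 1;
    case ROOTPW_MISMATCH:
        if (!fail_closed) return 0;   /* lenient: let the entry's own password be tried */
        rs->err = LDAP_INVALID_CREDENTIALS; rs->text = NULL;
        op->edn = NULL;               /* never set on failure */
        return 1;
    default: return 0;
    }
}
```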