Hi,
Does anyone know of a bit of code I can look at that does an *internal* (completed inline) LDAP_MOD_REPLACE operation on one attribute without chaining (i.e. it does a return 0)?
I've found Sun docs for doing this in a slapi plugin but not an openldap slapd plugin.
Reason:
Basically, I've been hacking on smbkrb5pwd.c and discovered if I do a "return 0;" at the end, I can prevent chaining (not documented but found some openldap hacking - denyop.c - that demonstrated this).
At this point, smbkrb5pwd.c has changed our MIT Kerberos principal's password, and "return 0" prevents slapd from chaining onto the code that tries to set a local hash into userPassword. And it does it without causing a nasty client error.
I thought: would it not be nice to set userPassword: to {SASL}UID@KERB.REALM now... Each user's auth method gets switched upon the first successful password change that propagates to kerberos.
However, all the existing overlays seem to set extra attributes by setting up a request in ->rs_mods off the original request. I assume these get actioned after a "return SLAP_CB_CONTINUE".
So - how do I set an attribute if we are halting the chain at our overlay?
Cheers :)
Tim