Hi,
I'm writing a preoperation authentication plugin for OpenLDAP, but I have trouble finding any documentation whatsoever on this. So most of what I know comes from tutorials like this one from Oracle: http://docs.oracle.com/cd/E19099-01/nscp.dirsvr416/816-6683-10/custauth.htm
But since this is not official documentation and I find the execution paths hard to trace, I have two questions stemming from the above guide:
1) The guide says that for an authentication preop plugin,
"Your pre-operation plug-in function is responsible for sending the result code to the client and for setting the DN and authentication method for the connection."
Okay, so I do that. Like in the code example, I set the connection's DN to the value I got from the 'pb' in the first place:
    slapi_pblock_set(pb, SLAPI_CONN_DN, slapi_ch_strdup(dn));
But setting the authentication type fails:
    slapi_pblock_set(pb, SLAPI_CONN_AUTHTYPE, SLAPD_AUTH_SIMPLE);
This is no real error though, it's simply not implemented: See http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=blob;f=servers/sla...
    case SLAPI_CONN_AUTHMETHOD:
    ...
        /* These parameters cannot be set */
        rc = PBLOCK_ERROR;
        break;
(This was noted in 2006 already, with no reply on this list: http://www.openldap.org/lists/openldap-software/200601/msg00044.html )
So basically it boils down to: Do I have to do *any* other stuff except for sending back the result code? Like this:
    slapi_send_ldap_result(pb, rc, NULL, NULL, 0, NULL);
2) What is the preferred return value for a plugin function? Most (other) documentation and the code hint at this:
i) return 0 if you handled the authentication
ii) return 1 if you want successive plugins/backends/... to handle the authentication
Is this correct? Or should I use the more suggestive SLAPI_BIND_SUCCESS and SLAPI_BIND_FAIL?
Thanks!
Julius
P.S.: What I'm actually trying to achieve is to do RADIUS authentication via an external library. But I want to send the client's IP in a Calling-Station-Id attribute, so I cannot simply write a password check function, right? If you have any ideas that are better than a preop module, please tell me...