Hi,
Does anyone know of a bit of code I can look at that does an *internal* (completed inline) LDAP_MOD_REPLACE operation on one attribute without chaining (ie it does a return 0)?
I've found Sun docs for doing this in a slapi plugin but not an openldap slapd plugin.
Reason:
Basically, I've been hacking on smbkrb5pwd.c and discovered if I do a "return 0;" at the end, I can prevent chaining (not documented but found some openldap hacking - denyop.c - that demonstrated this).
At this point, smbkrb5pwd.c has changed our MIT Kerberos principal's password, and "return 0" prevents slapd from chaining onto the code that tries to set a local hash into userPassword. And it does it without causing a nasty client error.
I thought: would it not be nice to set userPassword: to {SASL}UID@KERB.REALM now... Each user's auth method gets switched upon the first successful password change that propagates to kerberos.
However, all the existing overlays seem to set extra attributes by setting up a request in ->rs_mods off the original request. I assume these get actioned after a "return SLAP_CB_CONTINUE".
So - how do I set an attribute if we are halting the chain at our overlay?
Cheers :)
Tim
Tim Watts wrote:
> Hi,
> Does anyone know of a bit of code I can look at that does an *internal* (completed inline) LDAP_MOD_REPLACE operation on one attribute without chaining (ie it does a return 0)?
> I've found Sun docs for doing this in a slapi plugin but not an openldap slapd plugin.
> Reason:
> Basically, I've been hacking on smbkrb5pwd.c and discovered if I do a "return 0;" at the end, I can prevent chaining (not documented but found some openldap hacking - denyop.c - that demonstrated this).
Documented. slapd/overlays/slapover.txt.
You should not be attempting to write code here without having actually read what's in front of you. If your first instinct is *not* naturally to read the source tree, your programming habits need sharpening.
On 28/02/13 14:56, Howard Chu wrote:
> Tim Watts wrote:
>> Hi,
>> Does anyone know of a bit of code I can look at that does an *internal* (completed inline) LDAP_MOD_REPLACE operation on one attribute without chaining (ie it does a return 0)?
>> I've found Sun docs for doing this in a slapi plugin but not an openldap slapd plugin.
>> Reason:
>> Basically, I've been hacking on smbkrb5pwd.c and discovered if I do a "return 0;" at the end, I can prevent chaining (not documented but found some openldap hacking - denyop.c - that demonstrated this).
> Documented. slapd/overlays/slapover.txt.
> You should not be attempting to write code here without having actually read what's in front of you. If your first instinct is *not* naturally to read the source tree, your programming habits need sharpening.
Hi Howard,
Nope - had not noticed that - which is ironic as I've just been in that directory running grep over at the .c files ;-|
Yeah - I'm not really a programmer (except in perl), I'm properly a sysadmin who very occasionally dabbles - and the openldap tree is not small, so I can be forgiven for not reading all of it ;-> Anyway, have to start somewhere!
And yes - I just found the bit in the txt file that says about calling frontend functions - also nice to have some confirmation about the return values of overlays.
I'll see if I can figure it out now based on a thorough reading of the document.
Cheers - and thanks for the pointer.
Tim
openldap-technical@openldap.org