Hi,
I'm writing a preoperation authentication plugin for OpenLDAP, but I have trouble finding any documentation whatsoever on this. So most of what I know comes from tutorials like this one from Oracle: http://docs.oracle.com/cd/E19099-01/nscp.dirsvr416/816-6683-10/custauth.htm
But since this is not official documentation and I find the execution paths hard to trace, I have two questions stemming from above guide:
1) The guide says that for an authentication preop plugin,
Your pre-operation plug-in function is responsible for sending the result code to the client and for setting the DN and authentication method for the connection.
Okay, so I do that. Like in the code example, I set the connection's DN to the value I got from the 'pb' in the first place:
slapi_pblock_set(pb, SLAPI_CONN_DN, slapi_ch_strdup(dn));
But setting the authentication type fails:
slapi_pblock_set(pb, SLAPI_CONN_AUTHTYPE, SLAPD_AUTH_SIMPLE);
This is no real error though, it's simply not implemented: See http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=blob;f=servers/sla...
case SLAPI_CONN_AUTHMETHOD: ... /* These parameters cannot be set */ rc = PBLOCK_ERROR; break;
(This was noted in 2006 already, with no reply on this list: http://www.openldap.org/lists/openldap-software/200601/msg00044.html )
So basically it boils down to: Do I have to do *any* other stuff except for sending back the result code? Like this:
slapi_send_ldap_result(pb, rc, NULL, NULL, 0, NULL);
2) What is the preferred return value for a plugin function? Most other documentation and the code hint at this:
i) return 0 if you handled the authentication
ii) return 1 if you want successive plugins/backends/... to handle the authentication
Is this correct? Or should I use the more suggestive SLAPI_BIND_SUCCESS and SLAPI_BIND_FAIL?
Thanks!
Julius
P.S.: What I'm actually trying to achieve is to do RADIUS authentication via an external library. But I want to send the client's IP in a Calling-Station-Id attribute, so I cannot simply write a password check function, right? If you got any ideas that are better than a preop module, please tell me...
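As an added illustration of the RADIUS exchange the P.S. describes (not code from the original post, from OpenLDAP or from any RADIUS library): an RFC 2865 Access-Request carrying the LDAP peer address as Calling-Station-Id (attribute 31), with the User-Password obfuscation from section 5.2, plus the Response Authenticator check a client must perform before trusting an Access-Accept. Function names, the shared secret and the addresses are constructed for the example.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, CALLING_STATION_ID = 1, 2, 31

def xor_password(data, secret, authenticator, encrypt):
    # RFC 2865 5.2: each 16-byte block is XORed with MD5(secret + previous ciphertext block).
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        result = bytes(b ^ m for b, m in zip(block, mask))
        out, prev = out + result, (result if encrypt else block)
    return out

def build_access_request(ident, secret, username, password, client_ip, authenticator=None):
    # client_ip is the LDAP peer address the plugin looked up; the authenticator must be fresh per request.
    authenticator = authenticator or os.urandom(16)
    pw = password.encode()
    padded = pw + b"\x00" * (-len(pw) % 16)
    attrs = b""
    for atype, value in ((USER_NAME, username.encode()), (CALLING_STATION_ID, client_ip.encode()),
                         (USER_PASSWORD, xor_password(padded, secret, authenticator, True))):
        attrs += struct.pack("!BB", atype, len(value) + 2) + value
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def parse_attributes(packet):
    attrs, pos = {}, 20
    while pos < len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute")
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs

def build_response(code, ident, request_authenticator, secret, attrs=b""):
    # Server side of RFC 2865 section 3 (used here only to construct a sample reply).
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return head + hashlib.md5(head + request_authenticator + attrs + secret).digest() + attrs

def verify_response(response, request_authenticator, secret):
    # Drop any Access-Accept whose Response Authenticator does not match our request and secret.
    if len(response) < 20 or struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(response[:4] + request_authenticator + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])
```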
On 01/23/13 17:00 +0100, Julius Plenz wrote:
> Hi,
> I'm writing a preoperation authentication plugin for OpenLDAP, but I have trouble finding any documentation whatsoever on this. So most of what I know comes from tutorials like this one from Oracle: http://docs.oracle.com/cd/E19099-01/nscp.dirsvr416/816-6683-10/custauth.htm
> P.S.: What I'm actually trying to achieve is to do RADIUS authentication via an external library. But I want to send the client's IP in a Calling-Station-Id attribute, so I cannot simply write a password check function, right? If you got any ideas that are better than a preop module, please tell me...
You should be able to accomplish this via a SASL mechanism (and possibly an existing one), which would not require any code changes within slapd or client libraries. See sasl_server_new(3) and its ipremoteport parameter.
Dan White wrote:
> On 01/23/13 17:00 +0100, Julius Plenz wrote:
>> Hi,
>> I'm writing a preoperation authentication plugin for OpenLDAP, but I have trouble finding any documentation whatsoever on this. So most of what I know comes from tutorials like this one from Oracle: http://docs.oracle.com/cd/E19099-01/nscp.dirsvr416/816-6683-10/custauth.htm
>> P.S.: What I'm actually trying to achieve is to do RADIUS authentication via an external library. But I want to send the client's IP in a Calling-Station-Id attribute, so I cannot simply write a password check function, right? If you got any ideas that are better than a preop module, please tell me...
> You should be able to accomplish this via a SASL mechanism (and possibly an existing one), which would not require any code changes within slapd or client libraries. See sasl_server_new(3) and its ipremoteport parameter.
That would require the client to perform a SASL Bind instead of a Simple Bind. Not unreasonable, but it's obvious the OP is doing Simple Bind.
I would just take the current radius.c checker and modify it to stash the Operation pointer somewhere it can be retrieved, then grab it in the password check function and pull the client IP address out of there. The smbk5pwd module already uses this trick so it should be trivial to copy/paste that code into radius.c.
Hi Howard, hi Dan,
thanks for your reply.
* Howard Chu hyc@symas.com [2013-01-23 18:38]:
> I would just take the current radius.c checker and modify it to stash the Operation pointer somewhere it can be retrieved, then grab it in the password check function and pull the client IP address out of there. The smbk5pwd module already uses this trick so it should be trivial to copy/paste that code into radius.c.
I'll take a look at that code tomorrow, thanks.
But the problem is not that I don't want to write the code: The module is working fine already, but since I found exactly *zero* documentation to warrant what I'm doing in the plugin, I thought it best to ask here. Considering the original (technical) questions, do you have an answer to that?
Cheers,
Julius
Julius Plenz wrote:
> Hi Howard, hi Dan,
> thanks for your reply.
> * Howard Chu hyc@symas.com [2013-01-23 18:38]:
>> I would just take the current radius.c checker and modify it to stash the Operation pointer somewhere it can be retrieved, then grab it in the password check function and pull the client IP address out of there. The smbk5pwd module already uses this trick so it should be trivial to copy/paste that code into radius.c.
> I'll take a look at that code tomorrow, thanks.
> But the problem is not that I don't want to write the code: The module is working fine already, but since I found exactly *zero* documentation to warrant what I'm doing in the plugin, I thought it best to ask here. Considering the original (technical) questions, do you have an answer to that?
1) For developers, the source code is the authoritative documentation. Always.
2) SLAPI is a Sun/Netscape spec. There is no documentation for it in the OpenLDAP Project because it would be redundant. Whatever the official docs say a correct plugin must do, is what you should do.
3) However, if you find some aspect of SLAPI is unimplemented in OpenLDAP, then see (1). If what you're trying to do is not supported, you're welcome to contribute patches to implement whatever missing feature you need.