Hi,
Following on from SASL/EXOP password related issues, I'd like to try something.
When an EXOP PASS MOD happens, I'd like to catch it before it updates userPassword: in the hdb backend and change the data to
{SASL}<uid>@FIXED.REALM.NAME
I've been through the slapo-rwm man page several times and all over google and I'm more confused than I was to start with.
Could anyone give me a hint please?
2 problems:
What context does this update happen in? Is it an exopPasswdDN context or a modifyAttrDN context? Bearing in mind I want to catch where the Password Modify EXOP goes to write the userPassword entry.
How do I pull the uid of the current bind doing the password change? I'm guessing it is a $ parameter defref, but I do not see any examples?
Many thanks,
Tim
BTW, if there's a better mailing list for "user" questions I'll happily bugger off there :)
On 02/27/2013 12:28 PM, Tim Watts wrote:
> Hi,
> Following on from SASL/EXOP password related issues, I'd like to try something.
> When an EXOP PASS MOD happens, I'd like to catch it before it updates userPassword: in the hdb backend and change the data to
> {SASL}<uid>@FIXED.REALM.NAME
> I've been through the slapo-rwm man page several times and all over google and I'm more confused than I was to start with.
> Could anyone give me a hint please?
> 2 problems:
> What context does this update happen in? Is it an exopPasswdDN context or a modifyAttrDN context? Bearing in mind I want

"extendedDN" (I got this by looking at the code; it is not documented, as far as I can tell).

> to catch where the Password Modify EXOP goes to write the userPassword entry.

slapo-rwm(5) does not allow rewriting the password. It allows rewriting the request DN (AFAIK).

> How do I pull the uid of the current bind doing the password change? I'm guessing it is a $ parameter defref, but I do not see any examples?

You need to get it during bind using appropriate rules, and store it in a variable for reuse. Use a "slapd" map with "entryDN=<the bind dn>" as filter and "uid" as the attrs field to fetch the uid of the entry being bound. Examples for storing and retrieving variables within a session are given in slapo-rwm(5).

> Many thanks,
> Tim
> BTW, if there's a better mailing list for "user" questions I'll happily bugger off there :)

This is the right list for questions like yours.
p.
On 27/02/13 12:20, Pierangelo Masarati wrote:
> On 02/27/2013 12:28 PM, Tim Watts wrote:
>> Hi,
>> Following on from SASL/EXOP password related issues, I'd like to try something.
>> When an EXOP PASS MOD happens, I'd like to catch it before it updates userPassword: in the hdb backend and change the data to
>> {SASL}<uid>@FIXED.REALM.NAME
>> I've been through the slapo-rwm man page several times and all over google and I'm more confused than I was to start with.
>> Could anyone give me a hint please?
>> 2 problems:
>> What context does this update happen in? Is it an exopPasswdDN context or a modifyAttrDN context? Bearing in mind I want
> "extendedDN" (I got this by looking at the code; it is not documented, as far as I can tell).

Hi Pierangelo,
Glad I did not miss something in the docs. I don't have enough architectural familiarity to follow the code as it weaves between files (I have looked at a few bits in the region of passwd.c and friends). Thanks for checking :)

>> to catch where the Password Modify EXOP goes to write the userPassword entry.
> slapo-rwm(5) does not allow rewriting the password. It allows rewriting the request DN (AFAIK).

OK - so you are saying that slapo-rwm *cannot* change data written to userPassword: but it can change other attributes?

>> How do I pull the uid of the current bind doing the password change? I'm guessing it is a $ parameter defref, but I do not see any examples?
> You need to get it during bind using appropriate rules, and store it in a variable for reuse.

Thanks for the pointer. This is reminding me of Apache rules where sometimes you have to set a variable in a rule that executes in an earlier phase for use by a later phase's rule which cannot get directly at the data you want... I'll see if I can try something...

> Use a "slapd" map with "entryDN=<the bind dn>" as filter and "uid" as the attrs field to fetch the uid of the entry being bound. Examples for storing and retrieving variables within a session are given in slapo-rwm(5).

Many thanks for that - let's experiment! :)
Cheers
Tim

>> Many thanks,
>> Tim
>> BTW, if there's a better mailing list for "user" questions I'll happily bugger off there :)
> This is the right list for questions like yours.
> p.
Tim Watts wrote:
> On 27/02/13 12:20, Pierangelo Masarati wrote:
>> slapo-rwm(5) does not allow rewriting the password. It allows rewriting the request DN (AFAIK).
> OK - so you are saying that slapo-rwm *cannot* change data written to userPassword: but it can change other attributes?

slapo-rwm only rewrites DNs.
On 27/02/13 13:05, Howard Chu wrote:
> Tim Watts wrote:
>> On 27/02/13 12:20, Pierangelo Masarati wrote:
>>> slapo-rwm(5) does not allow rewriting the password. It allows rewriting the request DN (AFAIK).
>> OK - so you are saying that slapo-rwm *cannot* change data written to userPassword: but it can change other attributes?
> slapo-rwm only rewrites DNs.

Ah - I see. Thanks.
So there is no generic plugin to rewrite attributes - apart from slapo-translucent, that only rewrites them on the way out (AFAICS).
I will have a closer look at your smbk5pwd code - perhaps I might get some ideas...
Cheers,
Tim
openldap-technical@openldap.org