I'm having a look (again) at writing a couple of plugins, the aspects
I'm interested in are:
1) Updating samba hashes when an entries userpassword is updated (both
through the password extop and LDAP replace/add)
2) Automatically generating posixGroup memberUid attributes from
an entry of objectclass groupOfUniquenames and the DNs refered to
by the uniqueName attributes of the entry.
For the password updating, I've looked at the passwd_exop plugin
(out of curiosity, why is it not in the plugin directory heirarchy?),
and it'd be nice to piggyback on it, allowing the passwd_extop plugin to
deal with determining whether or not the connection is secure,
generating a new password if required, and for my plugin not to change
the samba hash until the userPassword has been succesfully changed.
Obviously, I'd need to also implement a postop plugin to catch straight
modifies as well.
With some experimentation, it appears possible to have two plugins for
the same extop OID, but is there a way for the extop plugins to specify
order of operation (the PDF plugin manual suggests not on page 50, but
then later suggest alphabetical ordering may be possible, and later says
that SLAPI_PLUGIN_(START|CLOSE)_FN functions are ordered)?
Or, is it better to implement as a entry store plugin and look
modifications to the userpassword attribute (assuming that at that point
the etxop must have worked and the password isn't hashed at this point)?
The post op plugins don't seem to see operations of extops, is this
designed behaviour?
Assuming there is a way of wrapping the existing password-exop plugin,
to generate the hashes I was thinking of taking the SMB hashing
algorithims from samba and wrapping them in a shamelessly stolen
pwdstorage type plugin and then using slapi_encode(). Is this sane?
For the posixGroup generation, I've prototyped the idea with a postop
computed attribute - which appears to work okay, but means that searches
for entries containing a particular memberUid doesn't work, i.e.:
$ ldapsearch -b "cn=test,o=base" memberuid
dn: cn=test,o=base
memberuid: foo
$ ldapsearch -b "cn=test,o=base" "(memberuid=foo)"
$
Looking at the cos plugin, it seems to use virtual attributes, and this
looks like a better approach. If so, is there any documentation on
virtual attributes and their interface apart from the code and the
vattrsp_template plugin (and the cos/roles/presence plugins)?
What are good methods for triggering virtual attributes on an entry
(assuming that you don't want to apply it to all the entries): tag the
entries with a particular objectclass? Provide search filters in the
plugin config that define the objects?
Thanks for your assistance.
--
Jonathan Barber
High Performance Computing Analyst
Tel. +44 (0) 1382 386389