3:16 p.m.
Hi Everyone,
There is an issue with the PAM plugin, that when it performs a
successful bind we actually return error 1 to plugins_call_func(), which
essentially causes the abort of the all plugin processing: the rest of
pre-op, the backend call, and all of post-op. PAM has completed the
bind and already returned the result, so it returns 1 to stop the DS
from doing the rest of bind op. Makes sense...
However, with the Account Policy plugin, when tracking the "last bind
time", binding thru PAM won't update the entry, even though the bind was
successful. This is because the successful PAM bind essentially aborted
all the pre-op and post-op plugins. I feel that we should still call
the post op plugins in this scenario. The pre-op plugins should still
be aborted, because the operation was already completed - there's
nothing to reject at that point.
So to get around plugins like this, I am proposing a new plugin pre-op
return code(either use 1, or -2). This return code implies that the
operation was fully completed, and that we should also process the post
op plugins - but do not send the operation to the backend.
So to the recap, the new return code says the operation was fully
completed by the plugin, but we still want to process just the post-op
plugins.
I know this will impact documentation, there might be unforeseen issues,
and this is also a rare situation(only PAM plugin seems to behave like
this). Saying that, I still think its the valid solution to this type
of problem. It could also allow future plugins for be more
versatile/robust.
Please let me know your thoughts.
Thanks,
Mark
3:28 p.m.
On 02/01/2012 02:16 PM, Mark Reynolds wrote:
Hi Everyone,
There is an issue with the PAM plugin, that when it performs a
successful bind we actually return error 1 to plugins_call_func(),
which essentially causes the abort of the all plugin processing: the
rest of pre-op, the backend call, and all of post-op. PAM has
completed the bind and already returned the result, so it returns 1 to
stop the DS from doing the rest of bind op. Makes sense...
Where is the code that
calls the preop?
However, with the Account Policy plugin, when tracking the "last bind
time", binding thru PAM won't update the entry, even though the bind
was successful. This is because the successful PAM bind essentially
aborted all the pre-op and post-op plugins. I feel that we should
still call the post op plugins in this scenario. The pre-op plugins
should still be aborted, because the operation was already completed -
there's nothing to reject at that point.
So to get around plugins like this, I am proposing a new plugin pre-op
return code(either use 1, or -2). This return code implies that the
operation was fully completed, and that we should also process the
post op plugins - but do not send the operation to the backend.
So to the recap, the new return code says the operation was fully
completed by the plugin, but we still want to process just the post-op
plugins.
I know this will impact documentation, there might be unforeseen
issues, and this is also a rare situation(only PAM plugin seems to
behave like this). Saying that, I still think its the valid solution
to this type of problem. It could also allow future plugins for be
more versatile/robust.
Please let me know your thoughts.
I don't think we need a new return code - I
just think we need to
diff --git a/ldap/servers/slapd/bind.c b/ldap/servers/slapd/bind.c
index 1d860b6..bd7df3d 100644
--- a/ldap/servers/slapd/bind.c
+++ b/ldap/servers/slapd/bind.c
@@ -796,6 +796,10 @@ do_bind( Slapi_PBlock *pb )
slapi_pblock_set( pb, SLAPI_PLUGIN_OPRETURN, &rc );
plugin_call_plugins( pb, SLAPI_PLUGIN_POST_BIND_FN );
+ } else {
+ /* even if the pre-op plugins returned an error, we still need
+ to call the post-op plugins */
+ plugin_call_plugins( pb, SLAPI_PLUGIN_POST_BIND_FN );
}
} else {
send_ldap_result( pb, LDAP_UNWILLING_TO_PERFORM, NULL,
Looking at bind.c - there is a lot of special case code that makes sure
to call the POST_BIND plugins in various error cases. This seems like
just another error case that we should handle by calling the POST_BIND
plugins.
Thanks,
Mark
--
389-devel mailing list
389-devel(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-devel
3:48 p.m.
On 02/01/2012 04:28 PM, Rich Megginson wrote:
On 02/01/2012 02:16 PM, Mark Reynolds wrote:
> Hi Everyone,
>
> There is an issue with the PAM plugin, that when it performs a
> successful bind we actually return error 1 to plugins_call_func(),
> which essentially causes the abort of the all plugin processing: the
> rest of pre-op, the backend call, and all of post-op. PAM has
> completed the bind and already returned the result, so it returns 1
> to stop the DS from doing the rest of bind op. Makes sense...
Where is the code that calls the preop?
>
> However, with the Account Policy plugin, when tracking the "last bind
> time", binding thru PAM won't update the entry, even though the bind
> was successful. This is because the successful PAM bind essentially
> aborted all the pre-op and post-op plugins. I feel that we should
> still call the post op plugins in this scenario. The pre-op plugins
> should still be aborted, because the operation was already completed
> - there's nothing to reject at that point.
>
> So to get around plugins like this, I am proposing a new plugin
> pre-op return code(either use 1, or -2). This return code implies
> that the operation was fully completed, and that we should also
> process the post op plugins - but do not send the operation to the
> backend.
>
> So to the recap, the new return code says the operation was fully
> completed by the plugin, but we still want to process just the
> post-op plugins.
>
> I know this will impact documentation, there might be unforeseen
> issues, and this is also a rare situation(only PAM plugin seems to
> behave like this). Saying that, I still think its the valid solution
> to this type of problem. It could also allow future plugins for be
> more versatile/robust.
>
> Please let me know your thoughts.
I don't think we need a new return code - I just think we need to
diff --git a/ldap/servers/slapd/bind.c b/ldap/servers/slapd/bind.c
index 1d860b6..bd7df3d 100644
--- a/ldap/servers/slapd/bind.c
+++ b/ldap/servers/slapd/bind.c
@@ -796,6 +796,10 @@ do_bind( Slapi_PBlock *pb )
slapi_pblock_set( pb, SLAPI_PLUGIN_OPRETURN, &rc );
plugin_call_plugins( pb, SLAPI_PLUGIN_POST_BIND_FN );
+ } else {
+ /* even if the pre-op plugins returned an error, we still
need
+ to call the post-op plugins */
+ plugin_call_plugins( pb, SLAPI_PLUGIN_POST_BIND_FN );
}
} else {
send_ldap_result( pb, LDAP_UNWILLING_TO_PERFORM, NULL,
I thought about
this, but I thought we needed a new code because isn't
it by design: if pre-op fails, it should all fail? PAM really isn't
failing, it just doesn't have a better mechanism to handle its behaviour.
The above code would work fine, so maybe this could be a discussion for
a later time. I was just looking for a more "global" solution. So, I
will use this approach for now so I can get the bug resolved. If
there's time in the future maybe we can come back to this. Like I said
it's not something that is needed, but it would allow for more creative
plugins :-)
Thanks,
Mark
Looking at bind.c - there is a lot of special case code that makes
sure to call the POST_BIND plugins in various error cases. This seems
like just another error case that we should handle by calling the
POST_BIND plugins.
>
> Thanks,
> Mark
>
>
>
>
>
> --
> 389-devel mailing list
> 389-devel(a)lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/389-devel
3:58 p.m.
On 02/01/2012 02:48 PM, Mark Reynolds wrote:
On 02/01/2012 04:28 PM, Rich Megginson wrote:
> On 02/01/2012 02:16 PM, Mark Reynolds wrote:
>> Hi Everyone,
>>
>> There is an issue with the PAM plugin, that when it performs a
>> successful bind we actually return error 1 to plugins_call_func(),
>> which essentially causes the abort of the all plugin processing:
>> the rest of pre-op, the backend call, and all of post-op. PAM has
>> completed the bind and already returned the result, so it returns 1
>> to stop the DS from doing the rest of bind op. Makes sense...
> Where is the code that calls the preop?
>>
>> However, with the Account Policy plugin, when tracking the "last
>> bind time", binding thru PAM won't update the entry, even though the
>> bind was successful. This is because the successful PAM bind
>> essentially aborted all the pre-op and post-op plugins. I feel that
>> we should still call the post op plugins in this scenario. The
>> pre-op plugins should still be aborted, because the operation was
>> already completed - there's nothing to reject at that point.
>>
>> So to get around plugins like this, I am proposing a new plugin
>> pre-op return code(either use 1, or -2). This return code implies
>> that the operation was fully completed, and that we should also
>> process the post op plugins - but do not send the operation to the
>> backend.
>>
>> So to the recap, the new return code says the operation was fully
>> completed by the plugin, but we still want to process just the
>> post-op plugins.
>>
>> I know this will impact documentation, there might be unforeseen
>> issues, and this is also a rare situation(only PAM plugin seems to
>> behave like this). Saying that, I still think its the valid
>> solution to this type of problem. It could also allow future
>> plugins for be more versatile/robust.
>>
>> Please let me know your thoughts.
> I don't think we need a new return code - I just think we need to
>
> diff --git a/ldap/servers/slapd/bind.c b/ldap/servers/slapd/bind.c
> index 1d860b6..bd7df3d 100644
> --- a/ldap/servers/slapd/bind.c
> +++ b/ldap/servers/slapd/bind.c
> @@ -796,6 +796,10 @@ do_bind( Slapi_PBlock *pb )
>
> slapi_pblock_set( pb, SLAPI_PLUGIN_OPRETURN, &rc );
> plugin_call_plugins( pb, SLAPI_PLUGIN_POST_BIND_FN );
> + } else {
> + /* even if the pre-op plugins returned an error, we
> still need
> + to call the post-op plugins */
> + plugin_call_plugins( pb, SLAPI_PLUGIN_POST_BIND_FN );
> }
> } else {
> send_ldap_result( pb, LDAP_UNWILLING_TO_PERFORM, NULL,
I thought about this, but I thought we needed a new code because isn't
it by design: if pre-op fails, it should all fail?
I don't think so. In every
other case in bind.c, when something fails,
the POST_BIND functions are called. I don't see why this particular
case should be any different. IMHO a POST_BIND plugin will always want
to know if the bind succeeded or failed for any reason. Note that IPA
has a POST_BIND plugin - ipa_lockout - which will want to be called in
this case.
PAM really isn't failing, it just doesn't have a better
mechanism to
handle its behaviour.
The above code would work fine, so maybe this could be a discussion
for a later time. I was just looking for a more "global" solution.
So, I will use this approach for now so I can get the bug resolved.
If there's time in the future maybe we can come back to this. Like I
said it's not something that is needed, but it would allow for more
creative plugins :-)
Thanks,
Mark
>
> Looking at bind.c - there is a lot of special case code that makes
> sure to call the POST_BIND plugins in various error cases. This
> seems like just another error case that we should handle by calling
> the POST_BIND plugins.
>>
>> Thanks,
>> Mark
>>
>>
>>
>>
>>
>> --
>> 389-devel mailing list
>> 389-devel(a)lists.fedoraproject.org
>> https://admin.fedoraproject.org/mailman/listinfo/389-devel
>
4466
days inactive
4466
days old
389-devel@lists.fedoraproject.org
3 comments
2 participants
participants (2)
-
Mark Reynolds -
Rich Megginson