[Freeipa-devel] LDAP connections and the new ldap backend plugin

Rich Megginson rmeggins at redhat.com
Tue Mar 3 15:49:33 UTC 2009


Jason Gerard DeRose wrote:
> As I already mentioned, Pavel is working on a new ldap backend plugin
> which will live at Backend.ldap2 till it supersedes the current ldap
> plugin.
>
> Each time a request is received by the server, a connection is made to
> LDAP on behalf of the requesting user, using the user's forwarded
> Kerberos credentials.  Currently this connection is an instance of the
> ipaserver.ipaldap.IPAdmin class, a subclass of SimpleLDAPObject.
>
> However, after giving it a lot of thought, I don't think we should take
> this approach with the new ldap plugin.  The reason is if someone wants
> to glue some existing code written against the python-ldap bindings into
> an IPA plugin, they likely need access to a raw SimpleLDAPObject
> instance.  Our custom SimpleLDAPObject subclass will no doubt break
> their code.
>
> Plus, any 3rd-party LDAP code *must* use the connection we create
> because we don't expose the Kerberos credentials in request.context
> (just the connection we create).  So although 3rd-party LDAP code could
> create their own connection to LDAP, they don't have access to the
> credentials needed to authenticate to LDAP on behalf of the requesting
> user.
>
> So we need the LDAP connection to be a least-common-denominator, a raw
> SimpleLDAPObject instance.  The new ldap backend plugin will still be
> the preferred way to talk to LDAP, and all our built-in plugins will do
> so, but this way the framework is more flexible and easy to integrate
> with.  Many potential users will have important home-grown code they need
> to continue to use, so if they can easily integrate it with IPA, IPA
> becomes a more viable solution for them.  So something like this:
>
>
> SimpleLDAPObject <=> Backend.ldap2 <=> typical IPA plugins
>       \
>        \<=> can also glue-in existing code written against python-ldap
>
>
> Until we transition to the new ldap plugin, we can simply create two
> LDAP connections (one SimpleLDAPObject, one IPAdmin) so none of the
> current code is broken in the meantime.
>
> What does everyone think?  Does this seem like a good approach?
>   
I'm not sure I understand.  If the connection object is 
ipaserver.ipaldap.IPAdmin which is a subclass of SimpleLDAPObject, can't 
the connection object be "cast" and used directly as a 
SimpleLDAPObject?  Or does the IPA code change/overload the methods such 
that it is not usable any more as a SimpleLDAPObject?
>
> Cheers,
> Jason
>   
> ------------------------------------------------------------------------
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel
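The question raised above (does IPAdmin override SimpleLDAPObject methods in a way that makes it unusable as a plain SimpleLDAPObject?) can be answered mechanically. The following is an added example written for this archive page; it is not code from the FreeIPA project or from either poster. It introspects a base class and a subclass and reports every public override whose signature would reject a call the base class accepts, which is exactly the case that would break third-party python-ldap code handed an IPAdmin instance. The two classes at the bottom are constructed stand-ins (the method shapes of search_s/add_s/modify_s mirror python-ldap's SimpleLDAPObject, the subclass is hypothetical); the real check would be run as incompatible_overrides(ldap.ldapobject.SimpleLDAPObject, ipaserver.ipaldap.IPAdmin).

```python
import inspect
from typing import Dict, Set, Tuple

P = inspect.Parameter
_POSITIONAL = (P.POSITIONAL_ONLY, P.POSITIONAL_OR_KEYWORD)
_VARIADIC = (P.VAR_POSITIONAL, P.VAR_KEYWORD)


def overridden_methods(base: type, sub: type) -> Set[str]:
    """Public callables defined on `sub` (or on a class between `sub` and
    `base` in the MRO) that shadow an attribute of `base`."""
    names: Set[str] = set()
    for klass in sub.__mro__:
        if klass is base:
            break
        for name, attr in vars(klass).items():
            if not name.startswith("_") and callable(attr) and hasattr(base, name):
                names.add(name)
    return names


def _params(func):
    """Parameters of an unbound method, minus the leading self/cls."""
    params = list(inspect.signature(func).parameters.values())
    if params and params[0].name in ("self", "cls"):
        params = params[1:]
    return params


def signatures_compatible(base_func, sub_func) -> bool:
    """True if every call that is valid against `base_func` is also valid
    against `sub_func` (a Liskov-style check on signatures only)."""
    bp, sp = _params(base_func), _params(sub_func)
    sub_kinds = {p.kind for p in sp}
    if set(_VARIADIC) <= sub_kinds:
        return True                        # *args, **kwargs accepts anything
    sub_by_name = {p.name: p for p in sp}
    base_pos = [p for p in bp if p.kind in _POSITIONAL]
    sub_pos = [p for p in sp if p.kind in _POSITIONAL]
    for p in bp:
        if p.kind in _VARIADIC:            # base took *args or **kwargs
            if p.kind not in sub_kinds:
                return False
            continue
        if p.name not in sub_by_name:      # keyword callers would break
            return False
        if p.default is not P.empty and sub_by_name[p.name].default is P.empty:
            return False                   # optional in base, required in sub
    for i, p in enumerate(base_pos):       # positional callers must line up
        if i >= len(sub_pos) or sub_pos[i].name != p.name:
            return False
    base_names = {p.name for p in bp}
    for p in sp:                           # anything new must be optional
        if p.name not in base_names and p.kind not in _VARIADIC and p.default is P.empty:
            return False
    return True


def incompatible_overrides(base: type, sub: type) -> Dict[str, Tuple[str, str]]:
    """Map override name -> (base signature, sub signature) for every
    overridden public method that rejects some call the base accepts."""
    report: Dict[str, Tuple[str, str]] = {}
    for name in sorted(overridden_methods(base, sub)):
        base_func, sub_func = getattr(base, name), getattr(sub, name)
        try:
            compatible = signatures_compatible(base_func, sub_func)
        except (TypeError, ValueError):    # C-implemented callable, no signature
            continue
        if not compatible:
            report[name] = (str(inspect.signature(base_func)),
                            str(inspect.signature(sub_func)))
    return report


class ConstructedLDAPObject:
    """Constructed stand-in (not python-ldap's class) whose three methods copy
    the parameter shape of SimpleLDAPObject.search_s/add_s/modify_s."""
    def search_s(self, base, scope, filterstr="(objectClass=*)", attrlist=None, attrsonly=0):
        return []

    def add_s(self, dn, modlist):
        return None

    def modify_s(self, dn, modlist):
        return None

    def unbind_s(self):
        return None


class ConstructedIPAdminLike(ConstructedLDAPObject):
    """Hypothetical IPAdmin-style subclass (not ipaserver.ipaldap.IPAdmin)
    with one compatible and two incompatible overrides."""
    # compatible: same positional shape, one extra keyword with a default
    def search_s(self, base, scope, filterstr="(objectClass=*)", attrlist=None,
                 attrsonly=0, normalize=True):
        return []

    # incompatible: `modlist` replaced by an optional `entry`, so callers
    # using conn.add_s(dn, modlist=...) now raise TypeError
    def add_s(self, dn, entry=None):
        return None

    # incompatible: positional parameter renamed, breaking keyword callers
    def modify_s(self, dn, changes):
        return None


if __name__ == "__main__":
    for name, (old, new) in incompatible_overrides(ConstructedLDAPObject, ConstructedIPAdminLike).items():
        print(f"{name}: base{old} vs sub{new}")
```

The check is necessary but not sufficient: an override with an identical signature can still change the return shape or raise different exceptions, so a clean report only rules out the breakage visible at the call site.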
