[Freeipa-devel] ipapwd_extop vs password_extop

Alexander Bokovoy abokovoy at redhat.com
Mon Jun 6 17:12:58 UTC 2016 

On Mon, 06 Jun 2016, thierry bordaz wrote:
>
>
>On 06/06/2016 11:07 AM, Alexander Bokovoy wrote:
>>On Mon, 06 Jun 2016, thierry bordaz wrote:
>>>Hello,
>>>
>>>  In DS it is possible to register callbacks for extended op.
>>>  For https://www.ietf.org/rfc/rfc3062.txt (password modify extop),
>>>  there is a default callback that is implemented in DS core server.
>>>  Freeipa enables a plugin 'cn=ipa_pwd_extop,cn=plugins,cn=config'
>>>  that also register a callback ipapwd_extop/ipapwd_chpwop, for that
>>>  same extop.
>>>
>>>  The server calls the callbacks until it can find one that can handle
>>>  the OID. But the order is not guaranty.
>>>  So the extop can be handled either by password_extop or either by
>>>  ipapwd_chpwop.
>>>
>>>  Those two functions are not doing the same checking/updates.
>>>
>>>  I would like to confirm if in Freeipa context, if only
>>>  ipapwd_extop/ipapwd_chpwop should be called
>>Correct. I think we have also added plugin priority to allow handling
>>this type of conflicts gracefully.
>>
>
>
>The order of the plugins, is based on nsslapd-pluginprecedence.
>(The lower precedence is called first)
>
>The problem is that ipapw_extop and password_extop have the same 
>precedence: 50. So the order they are selected basically rely on order 
>they were registered.
>"Password Modify extended operation plugin" (core server) is 
>registered before "IPA Password Extended Operation plugin".
>I think we need  to add a precedence of "IPA Password Extended 
>Operation plugin" to be sure it will be selected over "Password Modify 
>extended operation plugin"
>
>In addition https://fedorahosted.org/389/ticket/48770 changed the way 
>plugins are selected so even setting a precedence is currently not a 
>solution (I opened https://fedorahosted.org/389/ticket/48870)
>
>In short we need to fix https://fedorahosted.org/389/ticket/48870
>
>
>Regarding item 5.4, replacing a compat entry with its related real entry.
>I think there is something missing.  In fact the extop is doing an 
>internal MOD but before calling the MOD it checks the entry exists. 
>And if called against a 'compat' entry the extop fails before calling 
>the MOD.
>But even if it was successfull it may be not be a good idea to make 
>'Schema Compat' preop-mod doing the mapping 'compat' -> real for all 
>MODS.
given that schema compat is read-only (always), you can do remapping all
the time. We have this mapping already for password checks, how is this
different?

>A option is to change "IPA Password Extended Operation plugin" to do 
>this mapping 'compat' -> 'real' but it is looking like a hack.
Yes, it is unacceptable.

-- 
/ Alexander Bokovoy

More information about the Freeipa-devel mailing list