[Freeipa-devel] ipapwd_extop vs password_extop
Alexander Bokovoy
abokovoy at redhat.com
Mon Jun 6 17:12:58 UTC 2016
On Mon, 06 Jun 2016, thierry bordaz wrote:
>
>
>On 06/06/2016 11:07 AM, Alexander Bokovoy wrote:
>>On Mon, 06 Jun 2016, thierry bordaz wrote:
>>>Hello,
>>>
>>> In DS it is possible to register callbacks for extended op.
>>> For https://www.ietf.org/rfc/rfc3062.txt (password modify extop),
>>> there is a default callback that is implemented in DS core server.
>>> Freeipa enables a plugin 'cn=ipa_pwd_extop,cn=plugins,cn=config'
>>> that also registers a callback ipapwd_extop/ipapwd_chpwop, for that
>>> same extop.
>>>
>>> The server calls the callbacks until it can find one that can handle
>>> the OID. But the order is not guaranteed.
>>> So the extop can be handled either by password_extop or by
>>> ipapwd_chpwop.
>>>
>>> Those two functions are not doing the same checking/updates.
>>>
>>> I would like to confirm that, in the Freeipa context, only
>>> ipapwd_extop/ipapwd_chpwop should be called.
>>Correct. I think we have also added plugin priority to allow handling
>>this type of conflicts gracefully.
>>
>
>
>The order of the plugins is based on nsslapd-pluginprecedence.
>(The lower precedence is called first.)
>
>The problem is that ipapwd_extop and password_extop have the same
>precedence: 50. So the order in which they are selected basically relies
>on the order in which they were registered.
>"Password Modify extended operation plugin" (core server) is
>registered before "IPA Password Extended Operation plugin".
>I think we need to add a precedence to "IPA Password Extended
>Operation plugin" to be sure it will be selected over "Password Modify
>extended operation plugin".
>
>In addition, https://fedorahosted.org/389/ticket/48770 changed the way
>plugins are selected, so even setting a precedence is currently not a
>solution (I opened https://fedorahosted.org/389/ticket/48870).
>
>In short, we need to fix https://fedorahosted.org/389/ticket/48870.
>
>
>Regarding item 5.4, replacing a compat entry with its related real entry.
>I think there is something missing. In fact the extop is doing an
>internal MOD but before calling the MOD it checks the entry exists.
>And if called against a 'compat' entry the extop fails before calling
>the MOD.
>But even if it was successful, it may not be a good idea to make the
>'Schema Compat' preop-mod do the mapping 'compat' -> real for all
>MODs.
Given that schema compat is read-only (always), you can do the remapping all
the time. We already have this mapping for password checks; how is this
different?
>An option is to change "IPA Password Extended Operation plugin" to do
>this mapping 'compat' -> 'real', but it looks like a hack.
Yes, it is unacceptable.
--
/ Alexander Bokovoy
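To see which callback wins under the ordering rule described in the thread (lower nsslapd-pluginprecedence first, ties broken by registration order), here is an added Python check; it is not code from FreeIPA or 389-ds. The LDIF sample is constructed, the DN of the core plugin entry is an assumption, and the model reflects the rule as the mail states it, not the changed selection from ticket 48770.

```python
"""Predict which extended-operation plugin 389-ds would call first, using
the rule from the thread: lower nsslapd-pluginPrecedence first, ties
broken by registration order. The LDIF below is constructed; the DN of
the core "Password Modify" plugin entry is an assumption."""

# Constructed sample: both plugins sit at the default precedence of 50,
# and the core plugin appears (is registered) first.
SAMPLE_LDIF = """\
dn: cn=Password Modify extended operation plugin,cn=plugins,cn=config
cn: Password Modify extended operation plugin
nsslapd-pluginPrecedence: 50

dn: cn=ipa_pwd_extop,cn=plugins,cn=config
cn: ipa_pwd_extop
nsslapd-pluginPrecedence: 50
"""


def parse_ldif(text):
    """Return [(dn, precedence or None)] in the order the entries appear;
    that order stands in for registration order in this model."""
    entries, dn, prec = [], None, None
    for line in text.splitlines() + [""]:
        if not line.strip():                      # blank line ends an entry
            if dn is not None:
                entries.append((dn, prec))
            dn, prec = None, None
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "dn":
            dn = value
        elif key == "nsslapd-pluginprecedence":
            prec = int(value)
    return entries


def dispatch_order(entries, default_precedence=50):
    """Stable sort by precedence, so ties keep registration order.
    Entries with no explicit precedence get the server default (50)."""
    return sorted(entries,
                  key=lambda e: e[1] if e[1] is not None else default_precedence)


def precedence_ties(entries, default_precedence=50):
    """Map precedence -> DNs sharing it; these plugins depend on the
    (unguaranteed) registration order to decide who handles the extop."""
    by_prec = {}
    for dn, prec in entries:
        by_prec.setdefault(prec if prec is not None else default_precedence,
                           []).append(dn)
    return {p: dns for p, dns in by_prec.items() if len(dns) > 1}
```

Running `precedence_ties` over a real `ldapsearch -b cn=plugins,cn=config` export flags exactly the tie the mail describes; lowering the IPA plugin's precedence below 50 moves it to the front of `dispatch_order` in this model.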