[Freeipa-devel] ipapwd_extop vs password_extop

thierry bordaz tbordaz at redhat.com
Tue Jun 7 13:40:57 UTC 2016 


On 06/07/2016 01:20 PM, Alexander Bokovoy wrote:
> On Tue, 07 Jun 2016, thierry bordaz wrote:
>>
>>
>> On 06/06/2016 07:12 PM, Alexander Bokovoy wrote:
>>> On Mon, 06 Jun 2016, thierry bordaz wrote:
>>>>
>>>>
>>>> On 06/06/2016 11:07 AM, Alexander Bokovoy wrote:
>>>>> On Mon, 06 Jun 2016, thierry bordaz wrote:
>>>>>> Hello,
>>>>>>
>>>>>> In DS it is possible to register callbacks for extended op.
>>>>>> For https://www.ietf.org/rfc/rfc3062.txt (password modify extop),
>>>>>> there is a default callback that is implemented in DS core server.
>>>>>> Freeipa enables a plugin 'cn=ipa_pwd_extop,cn=plugins,cn=config'
>>>>>> that also register a callback ipapwd_extop/ipapwd_chpwop, for that
>>>>>> same extop.
>>>>>>
>>>>>> The server calls the callbacks until it can find one that can handle
>>>>>> the OID. But the order is not guaranty.
>>>>>> So the extop can be handled either by password_extop or either by
>>>>>> ipapwd_chpwop.
>>>>>>
>>>>>> Those two functions are not doing the same checking/updates.
>>>>>>
>>>>>> I would like to confirm if in Freeipa context, if only
>>>>>> ipapwd_extop/ipapwd_chpwop should be called
>>>>> Correct. I think we have also added plugin priority to allow handling
>>>>> this type of conflicts gracefully.
>>>>>
>>>>
>>>>
>>>> The order of the plugins, is based on nsslapd-pluginprecedence.
>>>> (The lower precedence is called first)
>>>>
>>>> The problem is that ipapw_extop and password_extop have the same 
>>>> precedence: 50. So the order they are selected basically rely on 
>>>> order they were registered.
>>>> "Password Modify extended operation plugin" (core server) is 
>>>> registered before "IPA Password Extended Operation plugin".
>>>> I think we need  to add a precedence of "IPA Password Extended 
>>>> Operation plugin" to be sure it will be selected over "Password 
>>>> Modify extended operation plugin"
>>>>
>>>> In addition https://fedorahosted.org/389/ticket/48770 changed the 
>>>> way plugins are selected so even setting a precedence is currently 
>>>> not a solution (I opened https://fedorahosted.org/389/ticket/48870)
>>>>
>>>> In short we need to fix https://fedorahosted.org/389/ticket/48870
>>>>
>>>>
>>>> Regarding item 5.4, replacing a compat entry with its related real 
>>>> entry.
>>>> I think there is something missing.  In fact the extop is doing an 
>>>> internal MOD but before calling the MOD it checks the entry exists. 
>>>> And if called against a 'compat' entry the extop fails before 
>>>> calling the MOD.
>>>> But even if it was successfull it may be not be a good idea to make 
>>>> 'Schema Compat' preop-mod doing the mapping 'compat' -> real for 
>>>> all MODS.
>>> given that schema compat is read-only (always), you can do remapping 
>>> all
>>> the time. We have this mapping already for password checks, how is this
>>> different?
>> It should be similar to mapping done for password check. When is it 
>> triggered or where is the code for this mapping ?
> See slapi-nis/src/back-sch.c:backend_bind_cb() for details.
>
>>>> A option is to change "IPA Password Extended Operation plugin" to 
>>>> do this mapping 'compat' -> 'real' but it is looking like a hack.
>>> Yes, it is unacceptable.
>>>
>> Well here we have IPA password extop that receives a 'compat' entry. 
>> This compat entry does not exist except in slapi-nis that can do the 
>> mapping to the real entry. What I was thinking of was some kind of 
>> call from IPA password extop to slapi-nis that for a given entry DN 
>> return the real entryDN. But the tranformation of the extop('compat') 
>> -> extop('real') would be done in IPA password extop
> no, just look at slapi-nis code to see how we rewrite DN of the request.
> You'd need to do a similar trick.
>

Thanks for the pointer. What differs is that slapi-nis is doing the 
mapping in an operation (here bind) preop.
But with extop there is no preop call. Mapping looks to be done in 
backend_locate, my understanding is that we need to find a way to call 
something like backend_locate from extop and it can not be done with an 
internal search because slapi-nis ignores them.

More information about the Freeipa-devel mailing list