[Freeipa-devel] ipapwd_extop vs password_extop

thierry bordaz tbordaz at redhat.com
Tue Jun 7 11:05:03 UTC 2016 


On 06/06/2016 07:12 PM, Alexander Bokovoy wrote:
> On Mon, 06 Jun 2016, thierry bordaz wrote:
>>
>>
>> On 06/06/2016 11:07 AM, Alexander Bokovoy wrote:
>>> On Mon, 06 Jun 2016, thierry bordaz wrote:
>>>> Hello,
>>>>
>>>>  In DS it is possible to register callbacks for extended op.
>>>>  For https://www.ietf.org/rfc/rfc3062.txt (password modify extop),
>>>>  there is a default callback that is implemented in DS core server.
>>>>  Freeipa enables a plugin 'cn=ipa_pwd_extop,cn=plugins,cn=config'
>>>>  that also register a callback ipapwd_extop/ipapwd_chpwop, for that
>>>>  same extop.
>>>>
>>>>  The server calls the callbacks until it can find one that can handle
>>>>  the OID. But the order is not guaranty.
>>>>  So the extop can be handled either by password_extop or either by
>>>>  ipapwd_chpwop.
>>>>
>>>>  Those two functions are not doing the same checking/updates.
>>>>
>>>>  I would like to confirm if in Freeipa context, if only
>>>>  ipapwd_extop/ipapwd_chpwop should be called
>>> Correct. I think we have also added plugin priority to allow handling
>>> this type of conflicts gracefully.
>>>
>>
>>
>> The order of the plugins, is based on nsslapd-pluginprecedence.
>> (The lower precedence is called first)
>>
>> The problem is that ipapw_extop and password_extop have the same 
>> precedence: 50. So the order they are selected basically rely on 
>> order they were registered.
>> "Password Modify extended operation plugin" (core server) is 
>> registered before "IPA Password Extended Operation plugin".
>> I think we need  to add a precedence of "IPA Password Extended 
>> Operation plugin" to be sure it will be selected over "Password 
>> Modify extended operation plugin"
>>
>> In addition https://fedorahosted.org/389/ticket/48770 changed the way 
>> plugins are selected so even setting a precedence is currently not a 
>> solution (I opened https://fedorahosted.org/389/ticket/48870)
>>
>> In short we need to fix https://fedorahosted.org/389/ticket/48870
>>
>>
>> Regarding item 5.4, replacing a compat entry with its related real 
>> entry.
>> I think there is something missing.  In fact the extop is doing an 
>> internal MOD but before calling the MOD it checks the entry exists. 
>> And if called against a 'compat' entry the extop fails before calling 
>> the MOD.
>> But even if it was successfull it may be not be a good idea to make 
>> 'Schema Compat' preop-mod doing the mapping 'compat' -> real for all 
>> MODS.
> given that schema compat is read-only (always), you can do remapping all
> the time. We have this mapping already for password checks, how is this
> different?
It should be similar to mapping done for password check. When is it 
triggered or where is the code for this mapping ?
>
>> A option is to change "IPA Password Extended Operation plugin" to do 
>> this mapping 'compat' -> 'real' but it is looking like a hack.
> Yes, it is unacceptable.
>
Well here we have IPA password extop that receives a 'compat' entry. 
This compat entry does not exist except in slapi-nis that can do the 
mapping to the real entry. What I was thinking of was some kind of call 
from IPA password extop to slapi-nis that for a given entry DN return 
the real entryDN. But the tranformation of the extop('compat') -> 
extop('real') would be done in IPA password extop

More information about the Freeipa-devel mailing list