I'm having a look (again) at writing a couple of plugins, the aspects I'm interested in are: 1) Updating samba hashes when an entries userpassword is updated (both through the password extop and LDAP replace/add) 2) Automatically generating posixGroup memberUid attributes from an entry of objectclass groupOfUniquenames and the DNs refered to by the uniqueName attributes of the entry. For the password updating, I've looked at the passwd_exop plugin (out of curiosity, why is it not in the plugin directory heirarchy?), and it'd be nice to piggyback on it, allowing the passwd_extop plugin to deal with determining whether or not the connection is secure, generating a new password if required, and for my plugin not to change the samba hash until the userPassword has been succesfully changed. Obviously, I'd need to also implement a postop plugin to catch straight modifies as well. With some experimentation, it appears possible to have two plugins for the same extop OID, but is there a way for the extop plugins to specify order of operation (the PDF plugin manual suggests not on page 50, but then later suggest alphabetical ordering may be possible, and later says that SLAPI_PLUGIN_(START|CLOSE)_FN functions are ordered)? Or, is it better to implement as a entry store plugin and look modifications to the userpassword attribute (assuming that at that point the etxop must have worked and the password isn't hashed at this point)? The post op plugins don't seem to see operations of extops, is this designed behaviour? Assuming there is a way of wrapping the existing password-exop plugin, to generate the hashes I was thinking of taking the SMB hashing algorithims from samba and wrapping them in a shamelessly stolen pwdstorage type plugin and then using slapi_encode(). Is this sane? For the posixGroup generation, I've prototyped the idea with a postop computed attribute - which appears to work okay, but means that searches for entries containing a particular memberUid doesn't work, i.e.: $ ldapsearch -b "cn=test,o=base" memberuid dn: cn=test,o=base memberuid: foo $ ldapsearch -b "cn=test,o=base" "(memberuid=foo)" $ Looking at the cos plugin, it seems to use virtual attributes, and this looks like a better approach. If so, is there any documentation on virtual attributes and their interface apart from the code and the vattrsp_template plugin (and the cos/roles/presence plugins)? What are good methods for triggering virtual attributes on an entry (assuming that you don't want to apply it to all the entries): tag the entries with a particular objectclass? Provide search filters in the plugin config that define the objects? Thanks for your assistance. -- Jonathan Barber High Performance Computing Analyst Tel. +44 (0) 1382 386389 -- Fedora-directory-devel mailing list Fedora-directory-devel@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-directory-devel
