Hi Everyone,
There is an issue with the PAM plugin, that when it performs a
successful bind we actually return error 1 to plugins_call_func(), which
essentially causes the abort of the all plugin processing: the rest of
pre-op, the backend call, and all of post-op. PAM has completed the
bind and already returned the result, so it returns 1 to stop the DS
from doing the rest of bind op. Makes sense...
However, with the Account Policy plugin, when tracking the "last bind
time", binding thru PAM won't update the entry, even though the bind was
successful. This is because the successful PAM bind essentially aborted
all the pre-op and post-op plugins. I feel that we should still call
the post op plugins in this scenario. The pre-op plugins should still
be aborted, because the operation was already completed - there's
nothing to reject at that point.
So to get around plugins like this, I am proposing a new plugin pre-op
return code(either use 1, or -2). This return code implies that the
operation was fully completed, and that we should also process the post
op plugins - but do not send the operation to the backend.
So to the recap, the new return code says the operation was fully
completed by the plugin, but we still want to process just the post-op
plugins.
I know this will impact documentation, there might be unforeseen issues,
and this is also a rare situation(only PAM plugin seems to behave like
this). Saying that, I still think its the valid solution to this type
of problem. It could also allow future plugins for be more
versatile/robust.
Please let me know your thoughts.
Thanks,
Mark
--
389-devel mailing list
389-devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-devel
