Password sync plugin, and questions about plugin criticality
Luke Howard
lukeh at padl.com
Mon Jun 26 02:00:36 EDT 2006
Ken,

This looks fine to me in principle (although the initialization
should be able to return a value indicating failure).

That said, I don't mind the approach Netscape took with the SLAPI
plugin API for their directory server (Sun, OpenLDAP, IBM all use
the same interface). If we are looking for a plugin API we can
generalize to other interfaces and is extensible without breaking
ABI compatibility, something similar might be worth looking into.

In this case it might look something like:

    /* kapi-plugin.h */
    typedef struct kapi_pblock Kapi_PBlock;

    int kapi_pblock_get(Kapi_PBlock *, int, void *);
    int kapi_pblock_set(Kapi_PBlock *, int, void *);

    /* in plugin */
    static int pwupdate_precommit_password(Kapi_PBlock *pb)
    {
        krb5_data *password;
        krb5_data *error_msg;

        kapi_pblock_get(pb, KAPI_PWUPDATE_PASSWORD, &password);
        kapi_pblock_get(pb, KAPI_PWUPDATE_ERROR_MSG, &error_msg);
        ...
        /*
         * Non-zero on pre-op causes frontend to return, no
         * further plugins are called
         */
    }

    static int pwupdate_postcommit_password(Kapi_PBlock *pb)
    {
        /* All post-op plugins get called regardless of return code */
    }

    int pwupdate_init(Kapi_PBlock *pb)
    {
        void *context; /* per-plugin stuff */

        kapi_pblock_set(pb, KAPI_PLUGIN_PRE_PWUPDATE_FN, pwupdate_precommit_password);
        kapi_pblock_set(pb, KAPI_PLUGIN_POST_PWUPDATE_FN, pwupdate_postcommit_password);
        kapi_pblock_set(pb, KAPI_PLUGIN_CLOSE_FN, pwupdate_close);
        kapi_pblock_set(pb, KAPI_PLUGIN_PRIVATE, context);

        return 0; /* any other error will cause KDC not to start */
    }

(The name of the initialization function would be specified in the
configuration.)
-- Luke
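
The frontend side of the scheme sketched in the message above, as an added example that is not part of the original post and is not MIT Kerberos code: parameters are looked up by integer id so an unknown id is an error rather than a layout change, the first non-zero pre-op vetoes the password change, and every post-op runs after a commit. All kapi_* names, the id values, the char-string password and the sample plugins are assumptions made for the illustration; skipping post-ops after a veto is one reading of "causes frontend to return".

```c
/* Added illustration; every kapi_* name and constant here is hypothetical. */
#include <stddef.h>
#include <string.h>
enum { KAPI_PWUPDATE_PASSWORD = 1, KAPI_PWUPDATE_ERROR_MSG = 2 };
typedef struct kapi_pblock { const char *password, *error_msg; } Kapi_PBlock;
typedef int (*kapi_fn)(Kapi_PBlock *);
typedef struct { kapi_fn pre, post; } kapi_plugin;
/* Access by integer id: an id this build does not know is an error. */
int kapi_pblock_get(Kapi_PBlock *pb, int id, void *out) {
    switch (id) {
    case KAPI_PWUPDATE_PASSWORD:  *(const char **)out = pb->password;  return 0;
    case KAPI_PWUPDATE_ERROR_MSG: *(const char **)out = pb->error_msg; return 0;
    default: return -1;
    }
}
int kapi_pblock_set(Kapi_PBlock *pb, int id, void *val) {
    switch (id) {
    case KAPI_PWUPDATE_PASSWORD:  pb->password  = val; return 0;
    case KAPI_PWUPDATE_ERROR_MSG: pb->error_msg = val; return 0;
    default: return -1;
    }
}

/* Frontend: the first non-zero pre-op vetoes the change and returns at once;
 * after a commit every post-op runs and its return code is ignored. */
int kapi_pwupdate(const kapi_plugin *pl, size_t n, Kapi_PBlock *pb, int *committed) {
    int rc;
    *committed = 0;
    for (size_t i = 0; i < n; i++)
        if (pl[i].pre && (rc = pl[i].pre(pb)) != 0) return rc;
    *committed = 1;                 /* the password change itself goes here */
    for (size_t i = 0; i < n; i++)
        if (pl[i].post) (void)pl[i].post(pb);
    return 0;
}

int pre_calls, post_calls;          /* counters for the constructed plugins */
int min_length_pre(Kapi_PBlock *pb) {
    const char *pw = NULL;
    pre_calls++;
    if (kapi_pblock_get(pb, KAPI_PWUPDATE_PASSWORD, &pw) == 0 && pw && strlen(pw) >= 8)
        return 0;
    kapi_pblock_set(pb, KAPI_PWUPDATE_ERROR_MSG, (void *)"password too short");
    return 1;
}
int sync_pre(Kapi_PBlock *pb)     { (void)pb; pre_calls++;  return 0; }
int failing_post(Kapi_PBlock *pb) { (void)pb; post_calls++; return -1; }
int audit_post(Kapi_PBlock *pb)   { (void)pb; post_calls++; return 0; }
const kapi_plugin sample_plugins[] = { { min_length_pre, failing_post }, { sync_pre, audit_post } };
```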