Oracle Directory Server Enterprise Edition Developer's Guide 11 g Release 1 (11.1.1.5.0) |
This section shows how to develop functions called by Directory Server before client bind operations.
Note - Pre-bind plug-in functions are often used to handle extensions to authentication. Yet, you might have to account for special cases such as binds by the directory superuser and anonymous users. Sometimes, you have to account for multiple calls to the same preoperation or postoperation plug-in function.
If you have not done so already, set up a directory instance with a suffix, dc=example,dc=com, containing data loaded from a sample LDIF file, install-path/resources/ldif/Example.ldif.
1. Create a Directory Server instance.
   For example:

   $ dsadm create -h localhost -p 1389 /local/ds
   Choose the Directory Manager password:
   Confirm the Directory Manager password:
   $

2. Start the instance.
   For example:

   $ dsadm start /local/ds
   Server started: pid=4705
   $

3. Create the suffix.
   For example, with long lines folded for the printed page:

   $ dsconf create-suffix -h localhost -p 1389 dc=example,dc=com
   Enter "cn=directory manager" password:
   Certificate "CN=defaultCert, CN=hostname:1636" presented by the server
   is not trusted.
   Type "Y" to accept, "y" to accept just once, "n" to refuse, "d" for more details: Y
   $

4. Import the sample data into the suffix.
   For example, with long lines folded for the printed page:

   $ dsconf import -h localhost -p 1389 \
    install-path/resources/ldif/Example.ldif dc=example,dc=com
   Enter "cn=directory manager" password:
   New data will override existing data of the suffix "dc=example,dc=com".
   Initialization will have to be performed on replicated suffixes.
   Do you want to continue [y/n] ?  y
   ## Index buffering enabled with bucket size 16
   ## Beginning import job...
   ## Processing file "install-path/resources/ldif/Example.ldif"
   ## Finished scanning file "install-path/resources/ldif/Example.ldif" (160 entries)
   ## Workers finished; cleaning up...
   ## Workers cleaned up.
   ## Cleaning up producer thread...
   ## Indexing complete.
   ## Starting numsubordinates attribute generation. This may take a while, please wait for further activity reports.
   ## Numsubordinates attribute generation complete. Flushing caches...
   ## Closing files...
   ## Import complete.  Processed 160 entries in 5 seconds. (32.00 entries/sec)
   Task completed (slapd exit code: 0).
   $
See Also
You can use Directory Service Control Center to perform this task. For more information, see the Directory Service Control Center online help.
The following example logs the bind authentication method. Refer to install-path/examples/testpreop.c for complete example code.
Example 5-2 Logging the Authentication Method (testpreop.c)
#include "slapi-plugin.h"

int
testpreop_bind(Slapi_PBlock * pb)
{
    char * auth;                    /* Authentication type */
    char * dn;                      /* Target DN */
    int    method;                  /* Authentication method */
    int    connId, opId, rc = 0;
    long   msgId;

    /* Get target DN for bind and authentication method used. */
    rc |= slapi_pblock_get(pb, SLAPI_BIND_TARGET, &dn);
    rc |= slapi_pblock_get(pb, SLAPI_BIND_METHOD, &method);
    rc |= slapi_pblock_get(pb, SLAPI_OPERATION_MSGID, &msgId);
    rc |= slapi_pblock_get(pb, SLAPI_CONN_ID, &connId);
    rc |= slapi_pblock_get(pb, SLAPI_OPERATION_ID, &opId);

    if (rc == 0) {
        switch (method) {
        case LDAP_AUTH_NONE:
            auth = "No authentication";
            break;
        case LDAP_AUTH_SIMPLE:
            auth = "Simple authentication";
            break;
        case LDAP_AUTH_SASL:
            auth = "SASL authentication";
            break;
        default:
            auth = "Unknown authentication method";
            break;
        }
    } else {
        /* A parameter block lookup failed; report the error to the server. */
        return (rc);
    }

    /* Log target DN and authentication method info. */
    slapi_log_info_ex(
        SLAPI_LOG_INFO_AREA_PLUGIN,
        SLAPI_LOG_INFO_LEVEL_DEFAULT,
        msgId,
        connId,
        opId,
        "testpreop_bind in test-preop plug-in",
        "Target DN: %s\tAuthentication method: %s\n",
        dn,
        auth
    );

    /* rc is 0 here, so Directory Server continues to process the bind. */
    return (rc);
}
This plug-in function sets the auth message based on the authentication method. The function does nothing to affect the way Directory Server processes the bind.
1. If you have not already done so, build the example plug-in library and activate both plug-in informational logging and the example plug-in.
   Hint: Use install-path/examples/Makefile or install-path/examples/Makefile64.

   $ dsconf create-plugin -F custom-plugin-init-function -G custom-plugin-argument -H lib-path \
    -Y custom-plugin-type "Custom Plugin"
   $ dsconf enable-plugin "Custom Plugin"

   Hint: For more information, use the commands specified in the plug-in source file.

2. Restart the server.

   $ dsadm restart instance-path

3. Bind to the server, for example by searching as a regular user.

   $ ldapsearch -h localhost -p 1389 -b "dc=example,dc=com" \
    -D "uid=kvaughan,ou=people,dc=example,dc=com" -w bribery "(uid=*)"
If you ignore housekeeping information for the entry, output similar to this appears:
Target DN: uid=kvaughan,ou=people,dc=example,dc=com Authentication method: Simple authentication
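The following is an added example, not part of the Oracle guide or of testpreop.c: a POSIX shell script that reads log lines in the shape produced by the plug-in's slapi_log_info_ex call, counts binds per authentication method, and flags the anonymous and directory superuser binds that the note above says a pre-bind function must treat as special cases. The sample lines are constructed; the timestamp and conn/op/msgId prefix are an assumed errors-log layout, and cn=Directory Manager is assumed to be the superuser DN.

```shell
#!/bin/sh
# Added example, not from the Oracle guide. Emits constructed errors-log lines
# in the shape produced by testpreop_bind's slapi_log_info_ex call; the
# timestamp and conn/op/msgId prefix are an assumed layout, not from the page.
bind_log() {
    printf '%s\t%s\n' \
      '[01/Jan/2011:10:00:01 +0000] - INFORMATION - testpreop_bind in test-preop plug-in - conn=1 op=0 msgId=1 - Target DN: uid=kvaughan,ou=people,dc=example,dc=com' 'Authentication method: Simple authentication' \
      '[01/Jan/2011:10:00:02 +0000] - INFORMATION - testpreop_bind in test-preop plug-in - conn=2 op=0 msgId=1 - Target DN: ' 'Authentication method: No authentication' \
      '[01/Jan/2011:10:00:03 +0000] - INFORMATION - testpreop_bind in test-preop plug-in - conn=3 op=0 msgId=1 - Target DN: cn=Directory Manager' 'Authentication method: Simple authentication' \
      '[01/Jan/2011:10:00:04 +0000] - INFORMATION - testpreop_bind in test-preop plug-in - conn=4 op=0 msgId=1 - Target DN: uid=bjensen,ou=people,dc=example,dc=com' 'Authentication method: SASL authentication'
    # An unrelated server message that the filters below must ignore.
    printf '%s\n' '[01/Jan/2011:10:00:05 +0000] - INFORMATION - Unrelated server message'
}

# Count bind attempts per authentication method (stdin -> "<count> <method>").
count_bind_methods() {
    grep 'testpreop_bind' |
    sed -n 's/.*Authentication method: \(.*\)$/\1/p' |
    sort | uniq -c | sed 's/^ *//'
}

# Flag the special cases named in the note: anonymous binds (no authentication)
# and binds by the directory superuser (assumed here to be cn=Directory Manager).
# The plug-in writes a tab between the DN and the method, so split on tabs.
flag_special_binds() {
    grep 'testpreop_bind' |
    awk -F'\t' '{
        dn = $1; sub(/.*Target DN: /, "", dn)
        conn = $1; sub(/.*conn=/, "", conn); sub(/ .*/, "", conn)
        method = $2; sub(/^Authentication method: /, "", method)
        if (method == "No authentication")
            print "conn=" conn " anonymous bind"
        else if (tolower(dn) == "cn=directory manager")
            print "conn=" conn " superuser bind"
    }'
}

bind_log | count_bind_methods
bind_log | flag_special_binds
```

To run it against a real instance, replace bind_log with a cat of the instance's errors log after enabling plug-in informational logging as described above.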
For a discussion of less trivial pre-bind plug-in functions, refer to Chapter 6, Handling Authentication Using Plug-Ins.
When the plug-in returns 0, Directory Server continues to process the bind. To bypass Directory Server bind processing, set SLAPI_CONN_DN in the parameter block, and return a positive value, such as 1.
Directory Server follows the LDAP bind model. At minimum, the server authenticates the client. The server also sends a bind response to indicate the status of authentication. Refer to RFC 1777, Lightweight Directory Access Protocol, and RFC 4511, Lightweight Directory Access Protocol (v3), for details.
Note - Lightweight Directory Access Protocol (v3) is the preferred protocol because Lightweight Directory Access Protocol (v2) is obsolete.