Skip Navigation Links | |
Exit Print View | |
Oracle Directory Server Enterprise Edition Developer's Guide 11 g Release 1 (11.1.1.5.0) |
Part I Directory Server Plug-In API Guide
1. Before You Start Writing Plug-Ins
2. Changes to the Plug-In API Since Directory Server 5.2
3. Getting Started With Directory Server Plug-Ins
4. Working With Entries Using Plug-Ins
5. Extending Client Request Handling Using Plug-Ins
6. Handling Authentication Using Plug-Ins
7. Performing Internal Operations With Plug-Ins
8. Writing Entry Store and Entry Fetch Plug-Ins
Calling Entry Store and Entry Fetch Plug-Ins
Locating the Entry Store and Entry Fetch Examples
Writing a Plug-In to Encrypt Entries
Registering Entry Store and Entry Fetch Plug-Ins
Trying the Entry Store and Entry Fetch Examples
9. Writing Extended Operation Plug-Ins
10. Writing Matching Rule Plug-Ins
11. Writing Password Storage Scheme Plug-Ins
12. Writing Password Quality Check Plug-Ins
13. Writing Computed Attribute Plug-Ins
Part II Directory Server Plug-In API Reference
14. Data Type and Structure Reference
15. Function Reference, Part I
16. Function Reference, Part II
This section shows how to register entry stored entry fetch plug-ins. It demonstrates how to write a plug-in that scrambles directory entries that are written to the directory database. It also demonstrates how to unscramble directory entries that are read from the directory database.
Caution - The examples in this chapter do not constitute a secure entry storage scheme. |
The following example demonstrates how entry store and entry fetch plug-ins are registered with Directory Server.
The following example demonstrates how entry store and entry fetch plug-ins are registered with Directory Server.
Example 8-3 Registering Entry Store and Entry Fetch Plug-Ins (testentry.c)
#include "slapi-plugin.h" Slapi_PluginDesc entrypdesc = { "test-entry", /* plug-in identifier */ "Oracle Corporation (test)", /* vendor name */ "11.1.1.3.0", /* plug-in revision number */ "Sample entry store/fetch plug-in" /* plug-in description */ }; int testentry_init(Slapi_PBlock *pb) { int rc = 0; /* 0 means success */ rc |= slapi_pblock_set( /* Plug-in API version */ pb, SLAPI_PLUGIN_VERSION, SLAPI_PLUGIN_CURRENT_VERSION ); rc |= slapi_pblock_set( /* Plug-in description */ pb, SLAPI_PLUGIN_DESCRIPTION, (void *) &entrypdesc ); rc |= slapi_pblock_set( /* Entry store function */ pb, SLAPI_PLUGIN_ENTRY_STORE_FUNC, (void *) testentry_scramble ); rc |= slapi_pblock_set( /* Entry fetch function */ pb, SLAPI_PLUGIN_ENTRY_FETCH_FUNC, (void *) testentry_unscramble ); return rc; }
You demonstrate the plug-in by showing the difference between scrambled and unscrambled data in the database. You therefore do not enable the plug-in immediately. Instead, you add an entry to a new directory suffix before scrambling. You then observe the results in the database on disk. Next, you remove the entry and enable the scrambling plug-in. Then you add the same entry again. Finally, you observe the results after the entry has been scrambled.
If you have not done so already, set up a directory instance with a suffix, dc=example,dc=com, containing data loaded from a sample LDIF file, install-path/resources/ldif/Example.ldif.
For example:
$ dsadm create -h localhost -p 1389 /local/ds Choose the Directory Manager password: Confirm the Directory Manager password: $
For example:
$ dsadm start /local/ds Server started: pid=4705 $
For example, with long lines folded for the printed page:
$ dsconf create-suffix -h localhost -p 1389 dc=example,dc=com Enter "cn=directory manager" password: Certificate "CN=defaultCert, CN=hostname:1636" presented by the server is not trusted. Type "Y" to accept, "y" to accept just once, "n" to refuse, "d" for more details: Y $
For example, with long lines folded for the printed page:
$ dsconf import -h localhost -p 1389 \ install-path/resources/ldif/Example.ldif dc=example,dc=com Enter "cn=directory manager" password: New data will override existing data of the suffix "dc=example,dc=com". Initialization will have to be performed on replicated suffixes. Do you want to continue [y/n] ? y ## Index buffering enabled with bucket size 16 ## Beginning import job... ## Processing file "install-path/resources/ldif/Example.ldif" ## Finished scanning file "install-path/resources/ldif/Example.ldif" (160 entries) ## Workers finished; cleaning up... ## Workers cleaned up. ## Cleaning up producer thread... ## Indexing complete. ## Starting numsubordinates attribute generation. This may take a while, please wait for further activity reports. ## Numsubordinates attribute generation complete. Flushing caches... ## Closing files... ## Import complete. Processed 160 entries in 5 seconds. (32.00 entries/sec) Task completed (slapd exit code: 0). $
See Also
You can use Directory Service Control Center to perform this task. For more information, see the Directory Service Control Center online help.
Here, you add an entry for Quentin Cubbins to the example suffix before registering the entry store and fetch plug-in with Directory Server. You see that Quentin’s mail address is visible in the database that holds mail address attribute values. Quentin’s entry, quentin.ldif, appears as shown in the following example.
Example 8-4 LDIF Representation of an Entry
dn: uid=qcubbins,ou=People,dc=example,dc=com objectclass: top objectclass: person objectclass: organizationalPerson objectclass: inetOrgPerson uid: qcubbins givenName: Quentin sn: Cubbins cn: Quentin Cubbins mail: qcubbins@example.com userPassword: qcubbins secretary: uid=bjensen,ou=People,dc=example,dc=com
Add Quentin’s entry to the directory. For example, if the entry is in quentin.ldif, add the following:
$ ldapmodify -a -h localhost -p 1389 -f quentin.ldif \ -D uid=kvaughan,ou=people,dc=example,dc=com -w bribery
Now look for strings in the directory database file for the mail attribute values.
Example 8-5 Attribute Values in a Database File Before Scrambling
$ cd instance-path/db/example/ $ strings example_mail.db3 | grep example.com =qcubbins@example.com =agodiva@example.com =hfuddnud@example.com =pblinn@example.com =scooper@example.com =bcubbins@example.com =yyorgens@example.com
Notice that Quentin’s mail address is clearly visible if a user gains access to the database files. If the value was a credit card number, security would have been an issue.
Here, you add an entry for Quentin Cubbins to the example suffix after registering the entry store and fetch plug-in with Directory Server. You see that Quentin’s mail address is no longer visible in the database that holds mail address attribute values.
Before loading the plug-in, delete Quentin’s entry:
$ ldapdelete -D uid=kvaughan,ou=people,dc=example,dc=com -w bribery uid=qcubbins,ou=People,dc=example,dc=com
Next, configure Directory Server to load the plug-in as shown in the comments at the beginning of testentry.c, and then restart the server.
With the entry store-fetch plug-in active, add Quentin’s entry back into the directory:
$ ldapmodify -a -h localhost -p 1389 -f quentin.ldif \ -D uid=kvaughan,ou=people,dc=example,dc=com -w bribery
Now search again for strings in the directory database file for the mail attribute values.
Example 8-6 Attribute Values in a Database File After Scrambling
$ cd instance-path/db/example/ $ strings example_mail.db3 | grep example.com =agodiva@example.com =hfuddnud@example.com =pblinn@example.com =scooper@example.com =bcubbins@example.com =yyorgens@example.com
Notice that Quentin’s mail address value is now not visible in the directory database. Directory users who have appropriate access rights, anonymous in this simple example case, can still view the attribute during a search. The attribute and its value are emphasized in the following example.
Example 8-7 Unscrambled Search Results
$ ldapsearch -h localhost -p 1389 -b dc=example,dc=com uid=qcubbins dn: uid=qcubbins,ou=People,dc=example,dc=com objectClass: top objectClass: person objectClass: organizationalPerson objectClass: inetOrgPerson uid: qcubbins givenName: Quentin sn: Cubbins cn: Quentin Cubbins mail: qcubbins@example.com secretary: uid=bcubbins,ou=People,dc=example,dc=com
In this way, you see that entry store and entry fetch plug-ins affect only the way entries are stored, not the directory front end.