freeipa

FreeIPA is an integrated Identity and Authentication solution for Linux/UNIX networked environments.  |  http://www.freeipa.org/

#5946 Enable password change extop to apply on virtual entry like the entry in compat tree

Created 2 years ago by tbordaz
Modified a year ago

ipapwd_extop allows updating the password on a specific entry, identified by its DN.
It can be useful to support virtual DNs in the extop so that an update of a virtual entry would land in the proper real entry.

To achieve this, ipapwd_extop needs to call pre-extop callbacks, where a plugin (like schema compat) would be able to translate the virtual DN into the real one.

This relies on https://fedorahosted.org/389/ticket/48880

The attachment is an example. If a pre-extop callback would change the SLAPI_ORIGINAL_TARGET, we would use it rather than the one in the ber request.

The pre-extop callback (SLAPI_PLUGIN_PRE_EXTOP_FN), for example in schema compat, would set SLAPI_ORIGINAL_TARGET.

That means the pre-extop needs to decode the ber to find the rawdn and translate it into the real DN.

This second attachment was tested without regression with freeipa tests and without regression regarding the ability to set a password (+krbkeys) (when no plugin sets TARGET_DN) => ready for a review

master:

  • 1ce8d32 ipapwd_extop should use TARGET_DN defined by a pre-extop plugin
a year ago

Metadata Update from @tbordaz:
- Issue assigned to tbordaz
- Issue set to the milestone: FreeIPA 4.4


defect

https://fedorahosted.org/389/ticket/48880

DS plugins

0

https://bugzilla.redhat.com/show_bug.cgi?id=1084018
