#5946 Enable password change extop to apply on virtual entry like the entry in compat tree
Closed: Fixed None by tbordaz. Opened 2 years ago by tbordaz.

ipapwd_extop allows to update the password on a specific entry, identified by its DN.
It can be usefull to support virtual DN in the extop so that update of a virtual entry would land into the proper real entry.

To achieve this ipapwd_extop need to call pre extop callbacks, where a plugin (like schema compat) would be able to translate the virtual DN into the real one.

This relies on https://fedorahosted.org/389/ticket/48880

The attachment is an example. If a pre-extop callback would change the SLAPI_ORIGINAL_TARGET, we would use it rather than the one in the ber request.

The pre-extop callback (SLAPI_PLUGIN_PRE_EXTOP_FN), for example in schema compat, would set SLAPI_ORIGINAL_TARGET.

That means the pre-extop need to decode the ber to find the rawdn and translate it into the real DN

This second attachment was tested without regression with freeipa tests and without regression regarding the ability to set a password (+krbkeys) (when no plugin sets TARGET_DN) => ready for a review


  • 1ce8d32 ipapwd_extop should use TARGET_DN defined by a pre-extop plugin

Metadata Update from @tbordaz:
- Issue assigned to tbordaz
- Issue set to the milestone: FreeIPA 4.4

2 years ago

Login to comment on this ticket.