ipapwd_extop allows to update the password on a specific entry, identified by its DN.
It can be usefull to support virtual DN in the extop so that update of a virtual entry would land into the proper real entry.
To achieve this ipapwd_extop need to call pre extop callbacks, where a plugin (like schema compat) would be able to translate the virtual DN into the real one.
This relies on https://fedorahosted.org/389/ticket/48880
The attachment is an example. If a pre-extop callback would change the SLAPI_ORIGINAL_TARGET, we would use it rather than the one in the ber request.
The pre-extop callback (SLAPI_PLUGIN_PRE_EXTOP_FN), for example in schema compat, would set SLAPI_ORIGINAL_TARGET.
That means the pre-extop need to decode the ber to find the rawdn and translate it into the real DN
This second attachment was tested without regression with freeipa tests and without regression regarding the ability to set a password (+krbkeys) (when no plugin sets TARGET_DN) => ready for a review
Metadata Update from @tbordaz:
- Issue assigned to tbordaz
- Issue set to the milestone: FreeIPA 4.4
to comment on this ticket.
Copyright © 2014-2018 Red Hat
4.0.4 — Documentation