I've been chatting with lha on IRC about HDB, but I wanted to bring these things to the list, for a more concrete discussion:

I've been thinking about how I would like (in my ideal world) the HDB layer to develop, in support of Samba4's use of Heimdal.

The particular feature I'm after in extending HDB is a private pointer, based on an encapsulation of the existing ASN.1 hdb_entry:

    struct hdb_container {
        hdb_entry *entry;
        void *private;
    };

I would then add a new hdb_free_entry() method, to free hdb_container (and the backend-specific private).

The reason I'm after the private structure is to store extra state between hdb_fetch() and hdb_modify(). This state would be backend-specific, but the intention is for it to be a handle onto the user's record.

This is to allow something similar to what we have in Samba 3.0, where our passdb abstraction layer uses a strategy for minimal LDAP modifications: we record changes to the Samba side of the record, and use the DN from the original fetch for the modify. This helps avoid extra (potentially ambiguous) searches, and can even allow some 'transaction safety' in the LDAP operation.

My other reason for proposing this structure is that I want to extend the hdb functions, to go beyond just a database layer. To match AD behaviour, I am going to need to extend Heimdal's access control layer, adding something like hdb_access_check(entry, ip, ...). It would be good if the entry here were a reference to the search results from hdb_fetch(), so I don't have to find the user again.

A similar problem applies for the PAC fetch and password set: hdb_fetch_pac(entry, &pac) and hdb_set_password(entry, password) would likewise need to handle things in a backend-specific manner.

My hope is that with these hooks, we can integrate Samba and Heimdal closely, in the hope of avoiding logic duplication in this critical area.

Thoughts? Flames? Experiences?
Andrew Bartlett

-- 
Andrew Bartlett                                 http://samba.org/~abartlet/
Samba Developer, SuSE Labs, Novell Inc.         http://suse.de
Authentication Developer, Samba Team            http://samba.org
Student Network Administrator, Hawker College   http://hawkerc.net
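The fetch/modify/free lifecycle proposed in the message above, as an added sketch that is not part of the original message and is not Heimdal or Samba code. The reduced `hdb_entry`, the `free_private` hook and the `demo_*` functions are assumptions made for illustration; the backend handle here is simply the DN string from the original search.

```c
#include <stdlib.h>
#include <string.h>

/* Assumption: a two-field stand-in for Heimdal's ASN.1-generated hdb_entry. */
typedef struct { char *principal; int kvno; } hdb_entry;

struct hdb_container {
    hdb_entry *entry;
    void *private;                 /* backend handle; here, the DN from the search */
    void (*free_private)(void *);  /* hypothetical hook, set by the backend */
};

static char *dup_str(const char *s) {
    char *d = malloc(strlen(s) + 1);
    return d ? strcpy(d, s) : NULL;
}

/* Frees entry and backend state, then clears the pointers so that a second
 * call, or a modify on a freed container, cannot touch released memory. */
void demo_free_container(struct hdb_container *c) {
    if (c->entry) { free(c->entry->principal); free(c->entry); }
    if (c->private && c->free_private) c->free_private(c->private);
    memset(c, 0, sizeof(*c));
}

/* Fetch: the one search; its DN then travels with the entry. 0 on success. */
int demo_fetch(const char *principal, const char *dn, struct hdb_container *out) {
    memset(out, 0, sizeof(*out));
    out->entry = calloc(1, sizeof(*out->entry));
    out->private = dup_str(dn);
    out->free_private = free;
    if (out->entry) out->entry->principal = dup_str(principal);
    if (!out->private || !out->entry || !out->entry->principal) {
        demo_free_container(out);
        return -1;
    }
    return 0;
}

/* Modify: returns the stored DN to write to, with no second search.
 * NULL when the container carries no handle (never fetched, or freed). */
const char *demo_modify(struct hdb_container *c, int new_kvno) {
    if (!c->entry || !c->private) return NULL;
    c->entry->kvno = new_kvno;
    return c->private;
}
```

Because the container owns backend memory through an opaque pointer, the free path is where double frees and stale handles would arise, which is why the sketch zeroes the container after release.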