
HDB layer ideas

I've been chatting with lha on IRC about HDB, but I wanted to bring
these things to the list, for a more concrete discussion:

I've been thinking about how I would like (in my ideal world) the HDB
layer to develop, in support of Samba4's use of Heimdal.

The particular feature I'm after in extending HDB is a private pointer,
based on an encapsulation of the existing asn.1 hdb_entry:

struct hdb_container {
	hdb_entry *entry;	/* the existing asn.1 hdb_entry */
	void *private;		/* backend-specific state */
};

I would then add a new hdb_free_entry() method, to free hdb_container
(and the backend-specific private).

The reason I'm after the private structure is to store extra state
between hdb_fetch() and hdb_modify().  This state would be backend-
specific, but the intention is for it to be a handle onto the user's

This is to allow something similar to what we have in Samba 3.0, where
our passdb abstraction layer uses a strategy for minimal LDAP
modifications:  We record changes to the Samba side of the record, and
use the DN from the original fetch for the modify.  This helps avoid
extra (potentially ambiguous) searches, and can even allow some
'transaction safety' in the LDAP operation.

My other reason for proposing this structure is that I want to extend
the hdb functions, to go beyond just a database layer.  To match AD
behaviour, I am going to need to extend Heimdal's access control layer,
adding something like hdb_access_check(entry, ip, ...).  

It would be good if the entry here were a reference to the search
results from hdb_fetch(), so I don't have to find the user again.  A
similar problem applies for the PAC fetch and password set:
hdb_fetch_pac(entry, &pac), and hdb_set_password(entry, password) would
likewise need to handle things in a backend specific manner.

My hope is that with these hooks, we can integrate Samba and Heimdal
closely, in the hope of avoiding logic duplication in this critical

Thoughts?  Flames?  Experiences?

Andrew Bartlett

Andrew Bartlett                                http://samba.org/~abartlet/
Samba Developer, SuSE Labs, Novell Inc.        http://suse.de
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net
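
An added sketch of the container idea proposed above, not code from the original message or from Heimdal or Samba. demo_fetch(), demo_modify() and demo_free_entry() are hypothetical stand-ins for hdb_fetch(), hdb_modify() and the proposed hdb_free_entry(); the one-field hdb_entry, struct ldap_private and the DN value are assumptions constructed for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct { char principal[64]; } hdb_entry;  /* stand-in for the ASN.1 type */

struct hdb_container {
    hdb_entry *entry;
    void *private;                      /* backend-specific state */
};

struct ldap_private { char dn[128]; };  /* hypothetical LDAP-style state: DN from the fetch */
static int searches;                    /* directory searches performed so far */
static char modified_dn[128];           /* DN the last modify was applied to */

/* Fetch: one search; the DN it found is kept behind the private pointer. */
int demo_fetch(const char *principal, struct hdb_container *c) {
    struct ldap_private *p = calloc(1, sizeof(*p));
    hdb_entry *e = calloc(1, sizeof(*e));
    if (p == NULL || e == NULL) { free(p); free(e); return -1; }
    searches++;
    /* Constructed DN; a real backend would copy it from the search result. */
    snprintf(p->dn, sizeof(p->dn), "cn=%s,cn=users,dc=example,dc=com", principal);
    snprintf(e->principal, sizeof(e->principal), "%s", principal);
    *c = (struct hdb_container){ e, p };
    return 0;
}

/* Modify: addresses the record by the stored DN, with no second search. */
int demo_modify(struct hdb_container *c) {
    struct ldap_private *p = c->private;
    if (p == NULL) return -1;           /* container did not come from a fetch */
    snprintf(modified_dn, sizeof(modified_dn), "%s", p->dn);
    return 0;
}

/* Free: releases the entry and the backend private, then clears both pointers. */
void demo_free_entry(struct hdb_container *c) {
    free(c->entry);
    free(c->private);
    *c = (struct hdb_container){ NULL, NULL };
}

int main(void) {
    struct hdb_container c = { NULL, NULL };
    if (demo_fetch("alice", &c) != 0 || demo_modify(&c) != 0) return 1;
    printf("%d search(es), modify applied to %s\n", searches, modified_dn);
    demo_free_entry(&c);
    return 0;
}
```

Clearing both pointers in the free routine means a later modify on the same container is refused instead of using a freed handle.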
