[
https://issues.apache.org/jira/browse/DIRSERVER-1844?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16915795#comment-16915795
]
Emmanuel Lecharny commented on DIRSERVER-1844:
----------------------------------------------
Hi Daan,
the first step is to create an interceptor. A good start would be to create a
stub based on, say,
[https://github.com/apache/directory-server/blob/master/interceptors/logger/src/main/java/org/apache/directory/server/core/logger/TimerInterceptor.java].
You just need to keep the *search* and *lookup* methods, removing all the
others. Then in these methods, you'll need to do a check on the *memberof*
attribute in the returned attributes (_SearchContext.getReturningAttributes()_
which returns a *Set* of attributes). If it's present, then we need to
process the returned entries. For each one of them, we need to search for any
entry that has a *member* attribute whose value is the entry's *DN*.
This is where it gets complicated. There are two ways to do that:
* do an internal search for each entry
* directly use the *member* index.
In the interceptor, we can't have access to indexes, so it leaves this option
to a later implementation, where we offer an access to indexes to interceptors.
So we are down to using the slower option: do a search for each entry.
This search filter will look like: _(member=<entry DN>)_. It has to be run
from the root, and with SUBTREE scope.
The thing is that you don't have access to entries when the interceptor processes
the operation for *search* (but you do for *lookup*). Let's focus on *lookup*
atm. You will get back the entry when the next interceptor is called:
{noformat}
public Entry lookup( LookupOperationContext lookupContext ) throws LdapException
{
    // Call the next interceptor in the chain; it returns the looked-up entry
    Entry entry = next( lookupContext );
    ...
{noformat}
and this is the entry that you want to modify.
But first, you need to do a search. You need to add some code like this one:
{noformat}
...
// The internal search is run with the admin session
CoreSession adminSession = directoryService.getAdminSession();

// The value to match: the looked-up entry's normalized DN, typed as a 'member' value
Value dnValue = new Value(
    directoryService.getAtProvider().getMember(), entry.getDn().getNormName() );

// Filter (member=<entry DN>): an equality on the 'member' attribute
// (a PresenceNode would only test for (member=*), which is not what we want)
ExprNode filter = new EqualityNode<String>(
    directoryService.getAtProvider().getMember(), dnValue );

// Search from the root with SUBTREE scope; "1.1" asks for no attributes, we only need the DNs
SearchOperationContext searchOperationContext = new SearchOperationContext(
    adminSession, Dn.ROOT_DSE, SearchScope.SUBTREE, filter, "1.1" );
Partition partition = nexus.getPartition( Dn.ROOT_DSE );
searchOperationContext.setAliasDerefMode( AliasDerefMode.NEVER_DEREF_ALIASES );
searchOperationContext.setPartition( partition );

try ( PartitionTxn partitionTxn = partition.beginReadTransaction() )
{
    searchOperationContext.setTransaction( partitionTxn );
    EntryFilteringCursor results = nexus.search( searchOperationContext );

    try
    {
        while ( results.next() )
        {
            Entry memberEntry = results.get();

            // Add the group's DN to the entry's memberOf attribute
            // (the memberOf attribute type must already exist in the schema)
            entry.add( "memberOf", memberEntry.getDn().getName() );
        }
    }
    catch ( Exception e )
    {
        throw new LdapOperationException( e.getMessage(), e );
    }
    finally
    {
        results.close();
    }
}
catch ( Exception e )
{
    throw new LdapOtherException( e.getMessage(), e );
}
{noformat}
Ok, it's a bit cryptic, but enough said that we search for every entry that
has a *member* attribute with the entry's DN value. For each one of them, we
add its DN to the resulting entry's *memberof* attribute, which needs to have
been created beforehand.
That should do the trick for *lookup*. I suggest that you try to make that
work before processing the *search* operation, which is a bit more complex.
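The lookup half of the interceptor described above, assembled into one class as an added example (this is not code from the comment or from the ApacheDS project). It assumes the ApacheDS 2.0 interceptor API as used in the snippets above (BaseInterceptor with its protected directoryService and nexus fields, LookupOperationContext.getReturningAttributesString(), EqualityNode/Value from the Directory API), that a memberOf attribute type has already been added to the schema, and the package name is made up.

```java
package org.example.memberof; // assumed package for this added example

import java.util.ArrayList;
import java.util.List;

import org.apache.directory.api.ldap.model.entry.Entry;
import org.apache.directory.api.ldap.model.entry.Value;
import org.apache.directory.api.ldap.model.exception.LdapException;
import org.apache.directory.api.ldap.model.exception.LdapOtherException;
import org.apache.directory.api.ldap.model.filter.EqualityNode;
import org.apache.directory.api.ldap.model.filter.ExprNode;
import org.apache.directory.api.ldap.model.message.AliasDerefMode;
import org.apache.directory.api.ldap.model.message.SearchScope;
import org.apache.directory.api.ldap.model.name.Dn;
import org.apache.directory.api.ldap.model.schema.AttributeType;
import org.apache.directory.server.core.api.CoreSession;
import org.apache.directory.server.core.api.filtering.EntryFilteringCursor;
import org.apache.directory.server.core.api.interceptor.BaseInterceptor;
import org.apache.directory.server.core.api.interceptor.context.LookupOperationContext;
import org.apache.directory.server.core.api.interceptor.context.SearchOperationContext;
import org.apache.directory.server.core.api.partition.Partition;
import org.apache.directory.server.core.api.partition.PartitionTxn;

/**
 * Computes a virtual memberOf attribute for lookup operations by searching
 * for every entry whose 'member' attribute holds the looked-up entry's DN.
 */
public class MemberOfInterceptor extends BaseInterceptor
{
    // Assumption: a 'memberOf' attribute type has been added to the schema beforehand
    private static final String MEMBER_OF = "memberOf";

    public MemberOfInterceptor()
    {
        super( "memberOfInterceptor" ); // interceptor name is made up for this example
    }

    @Override
    public Entry lookup( LookupOperationContext lookupContext ) throws LdapException
    {
        // Let the rest of the chain fetch the entry first
        Entry entry = next( lookupContext );

        // Only do the extra work when the client actually asked for memberOf
        if ( entry == null || !wantsMemberOf( lookupContext ) )
        {
            return entry;
        }

        for ( Dn groupDn : findGroupsContaining( entry.getDn() ) )
        {
            entry.add( MEMBER_OF, groupDn.getName() );
        }

        return entry;
    }

    /** True when 'memberOf' is among the attributes the client requested. */
    private boolean wantsMemberOf( LookupOperationContext lookupContext )
    {
        String[] requested = lookupContext.getReturningAttributesString();

        if ( requested == null )
        {
            return false;
        }

        for ( String id : requested )
        {
            if ( MEMBER_OF.equalsIgnoreCase( id ) )
            {
                return true;
            }
        }

        return false;
    }

    /** Runs the internal search (member=<entryDn>) from the root with SUBTREE scope. */
    private List<Dn> findGroupsContaining( Dn entryDn ) throws LdapException
    {
        List<Dn> groups = new ArrayList<>();
        CoreSession adminSession = directoryService.getAdminSession();
        AttributeType memberAt = directoryService.getAtProvider().getMember();

        // Equality filter on the 'member' attribute with the normalized DN as value
        Value dnValue = new Value( memberAt, entryDn.getNormName() );
        ExprNode filter = new EqualityNode<String>( memberAt, dnValue );

        // "1.1" requests no attributes: only the matching DNs are needed
        SearchOperationContext searchContext = new SearchOperationContext(
            adminSession, Dn.ROOT_DSE, SearchScope.SUBTREE, filter, "1.1" );
        searchContext.setAliasDerefMode( AliasDerefMode.NEVER_DEREF_ALIASES );
        Partition partition = nexus.getPartition( Dn.ROOT_DSE );
        searchContext.setPartition( partition );

        try ( PartitionTxn txn = partition.beginReadTransaction() )
        {
            searchContext.setTransaction( txn );

            // EntryFilteringCursor is Closeable, so the cursor is closed on every path
            try ( EntryFilteringCursor results = nexus.search( searchContext ) )
            {
                while ( results.next() )
                {
                    groups.add( results.get().getDn() );
                }
            }
        }
        catch ( LdapException e )
        {
            throw e;
        }
        catch ( Exception e )
        {
            throw new LdapOtherException( e.getMessage(), e );
        }

        return groups;
    }
}
```

Two points worth keeping in mind when wiring this in: the internal search runs under the admin session, so it sees groups the requesting user may not be allowed to read, and the interceptor should be placed in the chain where the server's access control still applies to what is finally returned; and because each lookup triggers a full SUBTREE search, the cost on a large directory is the reason the comment points at a later index-based implementation.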
> Add support for memberOf virtual attribute
> ------------------------------------------
>
> Key: DIRSERVER-1844
> URL: https://issues.apache.org/jira/browse/DIRSERVER-1844
> Project: Directory ApacheDS
> Issue Type: New Feature
> Components: ldap
> Affects Versions: 2.0.0.AM25
> Reporter: Jay Danielsen
> Priority: Major
>
> Several ldap servers support a reverse group membership lookup capability for
> access control, using the rfc4519 groupOfNames objectclass/member attribute,
> and/or groupOfUniqueNames objectclass/uniqueMember attribute.
> references:
> http://www.openldap.org/doc/admin24/overlays.html (Section 12.8. Reverse
> Group Membership Maintenance)
> http://opendj.forgerock.org/doc/admin-guide/index/chap-groups.html (Working
> with groups of entries)
--
This message was sent by Atlassian Jira
(v8.3.2#803003)