[ 
https://issues.apache.org/jira/browse/DIRSERVER-1844?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16915795#comment-16915795
 ] 

Emmanuel Lecharny commented on DIRSERVER-1844:
----------------------------------------------

Hi Daan,

the first step is to create an interceptor. A good start would be to create a 
stub based on, say, 
[https://github.com/apache/directory-server/blob/master/interceptors/logger/src/main/java/org/apache/directory/server/core/logger/TimerInterceptor.java]

You just need to keep the *search* and *lookup* methods, removing all the 
others. Then in these methods, you'll need to do a check on the *memberof* 
attribute in the returned attributes (_SearchContext.getReturningAttributes()_, 
which returns a *Set* of attributes). If it's present, then we need to 
process the returned entries. For each one of them, we need to search for any 
entry that has a *member* attribute whose value is the entry's *DN*. 

This is where it gets complicated. There are two ways to do that :
 * do an internal search for each entry
 * directly use the *member* index.

In the interceptor, we can't have access to indexes, so that leaves this option 
to a later implementation, where we offer interceptors access to indexes.

So we are down to using the other, slower option: do a search for each entry. 
The search filter will look like: _(member=<entry DN>)_. It has to be run 
from the root, and with SUBTREE scope.

The thing is that you don't have access to entries when the interceptor processes 
the operation for *search* (but you do for *lookup*). Let's focus on *lookup* 
atm. You will get back the entry when the next interceptor is called:

 
{noformat}
    public Entry lookup( LookupOperationContext lookupContext ) throws LdapException
    {
        Entry entry = next( lookupContext );
        ...
{noformat}

and this is the entry that you want to modify.

But first, you need to do a search. You need to add some code like this one :

{noformat}
        ...

        CoreSession adminSession = directoryService.getAdminSession();

        // Build the filter (member=<entry DN>). This is an equality match, so it needs an
        // EqualityNode on the 'member' attribute, not a PresenceNode. The DN is passed as a
        // typed Value rather than spliced into a filter string, so special characters in the
        // DN cannot change the shape of the filter.
        Value dnValue = new Value( directoryService.getAtProvider().getMember(), entry.getDn().getNormName() );
        ExprNode filter = new EqualityNode<>( directoryService.getAtProvider().getMember(), dnValue );

        // Search from the root with SUBTREE scope; "1.1" asks for no attributes at all,
        // since the DN of each matching entry is all we need.
        SearchOperationContext searchOperationContext = new SearchOperationContext( adminSession,
            Dn.ROOT_DSE, SearchScope.SUBTREE, filter, "1.1" );
        Partition partition = nexus.getPartition( Dn.ROOT_DSE );
        searchOperationContext.setAliasDerefMode( AliasDerefMode.NEVER_DEREF_ALIASES );
        searchOperationContext.setPartition( partition );

        try ( PartitionTxn partitionTxn = partition.beginReadTransaction() )
        {
            searchOperationContext.setTransaction( partitionTxn );

            // The cursor is Closeable: try-with-resources closes it even when next() throws
            try ( EntryFilteringCursor results = nexus.search( searchOperationContext ) )
            {
                while ( results.next() )
                {
                    Entry memberEntry = results.get();

                    // memberOf must already be defined in the schema; add the group's DN to it
                    entry.add( "memberOf", memberEntry.getDn().getName() );
                }
            }
            catch ( Exception e )
            {
                throw new LdapOperationException( e.getMessage(), e );
            }
        }
        catch ( LdapException le )
        {
            throw le;   // already an LDAP exception, do not wrap it a second time
        }
        catch ( Exception e )
        {
            throw new LdapOtherException( e.getMessage(), e );
        }
{noformat}

Ok, it's a bit cryptic, but enough said that we search for every entry that 
has a *member* attribute with the entry's DN as value. For each one of them, we 
add its DN to the resulting entry's *memberof* attribute, which needs to have 
been created beforehand.

That should do the trick for *lookup*. I suggest that you try to make that 
work before processing the *search* operation, which is a bit more complex.

> Add support for memberOf virtual attribute
> ------------------------------------------
>
>                 Key: DIRSERVER-1844
>                 URL: https://issues.apache.org/jira/browse/DIRSERVER-1844
>             Project: Directory ApacheDS
>          Issue Type: New Feature
>          Components: ldap
>    Affects Versions: 2.0.0.AM25
>            Reporter: Jay Danielsen
>            Priority: Major
>
> Several ldap servers support a reverse group membership lookup capability for 
> access control, using the rfc4519 groupOfNames objectclass/member attribute, 
> and/or the groupOfUniqueNames objectclass/uniqueMember attribute.
> references:
> http://www.openldap.org/doc/admin24/overlays.html (Section 12.8. Reverse 
> Group Membership Maintenance)
> http://opendj.forgerock.org/doc/admin-guide/index/chap-groups.html (Working 
> with groups of entries)



--
This message was sent by Atlassian Jira
(v8.3.2#803003)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@directory.apache.org
For additional commands, e-mail: dev-h...@directory.apache.org
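The steps from the comment above, put together as one interceptor, with the *search* case the comment leaves for later handled as well. This is an added example, not code from the comment or from ApacheDS: the `MemberOfInterceptor` class, the `MAX_GROUPS_PER_ENTRY` cap and the `EntryFilter`-based handling of *search* are mine. It assumes that `memberOf` is defined in the loaded schema, and that `FilteringOperationContext.contains(...)`, `EntryFilteringCursor.addEntryFilter(...)` and `SearchOperationContext.setSizeLimit(...)` are available in the ApacheDS 2.0 build you target; check those names against AM25 before relying on them.

```java
// Added example, not ApacheDS code: hypothetical interceptor; "memberOf" is assumed to be
// defined in the loaded schema; API names are ApacheDS 2.0 ones, check them against AM25.
import org.apache.directory.api.ldap.model.entry.Entry;
import org.apache.directory.api.ldap.model.entry.Value;
import org.apache.directory.api.ldap.model.exception.LdapException;
import org.apache.directory.api.ldap.model.exception.LdapOtherException;
import org.apache.directory.api.ldap.model.filter.EqualityNode;
import org.apache.directory.api.ldap.model.filter.ExprNode;
import org.apache.directory.api.ldap.model.message.AliasDerefMode;
import org.apache.directory.api.ldap.model.message.SearchScope;
import org.apache.directory.api.ldap.model.name.Dn;
import org.apache.directory.api.ldap.model.schema.AttributeType;
import org.apache.directory.server.core.api.CoreSession;
import org.apache.directory.server.core.api.DirectoryService;
import org.apache.directory.server.core.api.filtering.EntryFilter;
import org.apache.directory.server.core.api.filtering.EntryFilteringCursor;
import org.apache.directory.server.core.api.interceptor.BaseInterceptor;
import org.apache.directory.server.core.api.interceptor.context.FilteringOperationContext;
import org.apache.directory.server.core.api.interceptor.context.LookupOperationContext;
import org.apache.directory.server.core.api.interceptor.context.SearchOperationContext;
import org.apache.directory.server.core.api.partition.Partition;
import org.apache.directory.server.core.api.partition.PartitionNexus;
import org.apache.directory.server.core.api.partition.PartitionTxn;

public class MemberOfInterceptor extends BaseInterceptor {
    private static final String MEMBER_OF = "memberOf";     // must exist in the schema (assumption)
    private static final long MAX_GROUPS_PER_ENTRY = 1000L; // hypothetical cap, bounds one lookup's cost
    private AttributeType memberAt;

    @Override
    public void init( DirectoryService directoryService ) throws LdapException {
        super.init( directoryService );
        memberAt = directoryService.getAtProvider().getMember();
    }

    // True when the client listed memberOf in the returning attributes
    private boolean wantsMemberOf( FilteringOperationContext ctx ) {
        return ctx.contains( directoryService.getSchemaManager(), MEMBER_OF );
    }

    // Runs (member=<entry DN>) from the root, SUBTREE scope, as the admin session, and adds
    // each matching group's DN to the entry's memberOf attribute.
    private void addMemberOf( Entry entry ) throws LdapException {
        CoreSession adminSession = directoryService.getAdminSession();
        // Typed Value rather than string concatenation: DN characters cannot reshape the filter
        Value dnValue = new Value( memberAt, entry.getDn().getNormName() );
        ExprNode filter = new EqualityNode<>( memberAt, dnValue );

        PartitionNexus nexus = directoryService.getPartitionNexus();
        Partition partition = nexus.getPartition( Dn.ROOT_DSE );
        // "1.1" requests no attributes; the matching entries' DNs are all we need
        SearchOperationContext ctx = new SearchOperationContext( adminSession, Dn.ROOT_DSE,
            SearchScope.SUBTREE, filter, "1.1" );
        ctx.setAliasDerefMode( AliasDerefMode.NEVER_DEREF_ALIASES );
        ctx.setPartition( partition );
        ctx.setSizeLimit( MAX_GROUPS_PER_ENTRY );

        try ( PartitionTxn txn = partition.beginReadTransaction() ) {
            ctx.setTransaction( txn );
            // The cursor is Closeable, so try-with-resources releases it even if next() throws
            try ( EntryFilteringCursor results = nexus.search( ctx ) ) {
                while ( results.next() ) {
                    entry.add( MEMBER_OF, results.get().getDn().getName() );
                }
            }
        } catch ( LdapException le ) {
            throw le;   // already an LDAP error, do not wrap it a second time
        } catch ( Exception e ) {
            throw new LdapOtherException( e.getMessage(), e );
        }
    }

    @Override
    public Entry lookup( LookupOperationContext lookupContext ) throws LdapException {
        Entry entry = next( lookupContext );   // the next interceptor hands the entry back
        if ( entry != null && wantsMemberOf( lookupContext ) ) {
            addMemberOf( entry );
        }
        return entry;
    }

    @Override
    public EntryFilteringCursor search( SearchOperationContext searchContext ) throws LdapException {
        EntryFilteringCursor cursor = next( searchContext );
        // No entries exist yet at this point; decorate each one as the cursor yields it
        if ( wantsMemberOf( searchContext ) ) {
            cursor.addEntryFilter( new EntryFilter() {
                public boolean accept( SearchOperationContext ctx, Entry entry ) throws LdapException {
                    addMemberOf( entry );
                    return true;   // never hides an entry, only adds memberOf to it
                }

                public String toString( String tabs ) {
                    return tabs + "MemberOfFilter";
                }
            } );
        }
        return cursor;
    }
}
```

Two things to keep in mind before wiring this into the interceptor chain. The membership search runs as the admin session, so an ACI that hides a group from the caller does not hide that group's DN once it shows up in memberOf; if group names are sensitive, filter the result against what the caller may read. And every entry returned costs one extra SUBTREE search over the whole DIT, so a broad search multiplies that cost; that is the reason for the hypothetical size cap, and why the comment points at a member index as the better long-term option.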
