[ https://issues.apache.org/jira/browse/DIRSERVER-1844?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16915795#comment-16915795 ]
Emmanuel Lecharny commented on DIRSERVER-1844:
----------------------------------------------

Hi Daan,

the first step is to create an interceptor. A good start would be to create a stub based on, say, [https://github.com/apache/directory-server/blob/master/interceptors/logger/src/main/java/org/apache/directory/server/core/logger/TimerInterceptor.java].

You just need to keep the *search* and *lookup* methods, removing all the others.

Then in these methods, you'll need to do a check on the *memberof* attribute in the returned attributes (_SearchContext.getReturningAttributes()_ which returns a *Set* of attributes). If it's present, then we need to process the returned entries.

For each one of them, we need to search for any entry that has a *member* attribute whose value is the entry's *DN*. This is where it gets complicated. There are two ways to do that:

* do an internal search for each entry
* directly use the *member* index.

In the interceptor, we can't have access to indexes, so it leaves this option to a later implementation, where we offer an access to indexes to interceptors.

So we are down to use the slower other option: do a search for each entry. This search filter will look like: _(member=<entry DN>)_. It has to be run from the root, and with SUBTREE scope.

The thing is that you don't have access to entries when the interceptor processes the operation for *search* (but you do for *lookup*). Let's focus on *lookup* atm.

You will get back the entry when the next interceptor is called:

{noformat}
public Entry lookup( LookupOperationContext lookupContext ) throws LdapException
{
    Entry entry = next( lookupContext );
    ...
{noformat}

and this is the entry that you want to modify. But first, you need to do a search. You need to add some code like this one:

{noformat}
...
CoreSession adminSession = directoryService.getAdminSession();

// Build the filter (member=<entry DN>): an equality match on the member attribute
Value dnValue = new Value( directoryService.getAtProvider().getMember(), entry.getDn().getNormName() );
ExprNode filter = new EqualityNode<String>( directoryService.getAtProvider().getMember(), dnValue );

// Search from the root with SUBTREE scope; "1.1" requests no attributes, only the DNs
SearchOperationContext searchOperationContext = new SearchOperationContext( adminSession, Dn.ROOT_DSE,
    SearchScope.SUBTREE, filter, "1.1" );
Partition partition = nexus.getPartition( Dn.ROOT_DSE );
searchOperationContext.setAliasDerefMode( AliasDerefMode.NEVER_DEREF_ALIASES );
searchOperationContext.setPartition( partition );

try ( PartitionTxn partitionTxn = partition.beginReadTransaction() )
{
    searchOperationContext.setTransaction( partitionTxn );
    EntryFilteringCursor results = nexus.search( searchOperationContext );

    try
    {
        while ( results.next() )
        {
            Entry memberEntry = results.get();

            // TODO: add the memberEntry's DN into the entry's memberof attribute
        }

        results.close();
    }
    catch ( Exception e )
    {
        throw new LdapOperationException( e.getMessage(), e );
    }
}
catch ( Exception e )
{
    throw new LdapOtherException( e.getMessage(), e );
}
{noformat}

Ok, it's a bit cryptic, but enough said that we search for every entry that has a *member* attribute with the entry's DN value. For each one of them, we add its DN to the resulting entry's *memberof* attribute, which needs to have been created beforehand.

That should do the trick for *lookup*. I suggested that you try to make that work before processing the *search* operation, which is a bit more complex.

> Add support for memberOf virtual attribute
> ------------------------------------------
>
> Key: DIRSERVER-1844
> URL: https://issues.apache.org/jira/browse/DIRSERVER-1844
> Project: Directory ApacheDS
> Issue Type: New Feature
> Components: ldap
> Affects Versions: 2.0.0.AM25
> Reporter: Jay Danielsen
> Priority: Major
>
> Several ldap servers support a reverse group membership lookup capability for
> access control.
> using the rfc4519 groupOfNames objectclass/member attribute, and/or
> groupOfUniqueNames objectclass/uniqueMember attribute.
> references:
> http://www.openldap.org/doc/admin24/overlays.html (Section 12.8. Reverse
> Group Membership Maintenance)
> http://opendj.forgerock.org/doc/admin-guide/index/chap-groups.html (Working
> with groups of entries)
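The *lookup* flow described in the comment above, as an added example (not code from the original comment or from ApacheDS): a plain-Java in-memory model that computes memberOf at read time, only when the client requested it, by scanning every entry for a matching membership value. The sample directory, the simplified `norm` DN normalization and all class and method names are assumptions made for illustration; the model also checks `uniqueMember`, which the issue description mentions.

```java
import java.util.*;

/** In-memory model of the memberOf virtual attribute (illustrative, not ApacheDS API). */
public class MemberOfModel {
    // Constructed sample directory: normalized DN -> attribute name (lowercase) -> values.
    static final Map<String, Map<String, List<String>>> DIT = new LinkedHashMap<>();
    static {
        DIT.put("uid=daan,ou=users,dc=example,dc=com", Map.of("uid", List.of("daan")));
        // Stored with different case and spacing: only matches after normalization.
        DIT.put("cn=admins,ou=groups,dc=example,dc=com",
            Map.of("member", List.of("UID=Daan, OU=Users, DC=Example, DC=Com")));
        DIT.put("cn=devs,ou=groups,dc=example,dc=com",
            Map.of("uniquemember", List.of("uid=daan,ou=users,dc=example,dc=com")));
        DIT.put("cn=ops,ou=groups,dc=example,dc=com",
            Map.of("member", List.of("uid=other,ou=users,dc=example,dc=com")));
    }

    // Simplified DN normalization (assumption): lowercase, no spaces around ',' and '='.
    static String norm(String dn) {
        return dn.trim().toLowerCase(Locale.ROOT).replaceAll("\\s*([,=])\\s*", "$1");
    }

    // Stand-in for the SUBTREE search (member=<dn>) from the root: visits every entry.
    static List<String> groupsOf(String dn) {
        String target = norm(dn);
        Set<String> groups = new LinkedHashSet<>();
        for (Map.Entry<String, Map<String, List<String>>> e : DIT.entrySet())
            for (String at : List.of("member", "uniquemember"))
                for (String value : e.getValue().getOrDefault(at, List.of()))
                    if (norm(value).equals(target)) groups.add(e.getKey());
        return new ArrayList<>(groups);
    }

    // lookup: fetch the stored entry, then add memberOf only when it was requested.
    static Map<String, List<String>> lookup(String dn, Set<String> returningAttrs) {
        Map<String, List<String>> stored = DIT.get(norm(dn));
        if (stored == null) return null;
        Map<String, List<String>> entry = new LinkedHashMap<>(stored);
        if (returningAttrs.stream().anyMatch(a -> a.equalsIgnoreCase("memberOf"))) {
            List<String> groups = groupsOf(dn);
            if (!groups.isEmpty()) entry.put("memberOf", groups);  // virtual, never stored
        }
        return entry;
    }

    public static void main(String[] args) {
        String dn = "uid=daan,ou=users,dc=example,dc=com";
        System.out.println(lookup(dn, Set.of("uid", "memberof")));  // with memberOf
        System.out.println(lookup(dn, Set.of("uid")));              // memberOf not requested
    }
}
```

Because memberOf feeds access-control decisions, comparing normalized DNs matters: a raw string comparison would miss the `cn=admins` membership in the sample data.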