From: Steffen R. <ste...@sy...> - 2002-06-29 22:09:21
Hi,

I recently ran into a problem with a replicated iPlanet directory server. My client was set up to write to the slave directory, which answered with a REFERRAL. The client was trying to follow the referral but could not authenticate with the master directory. After looking into the code I found that the "set_rebind_proc" method has been disabled "until made OpenLDAP2 compatible". Since I need this functionality, I have implemented an OpenLDAP2-compatible version of set_rebind_proc.

The old implementation had an IMHO very bad design flaw: only one rebind_proc was allowed for the whole module. In other words, if you try to open more than one directory connection, the rebind_proc could only be set to one directory; rebinds to the other directory would have fatal consequences (either python-fatal error or a segfault). Since I need to support multiple connections to different directories as well, I implemented a solution for this problem.

My solution is not ideal, but I think it is a reasonable compromise. Ideally I would extend the LDAP object and store the rebind callback in the extended version, but LDAP is an opaque object handled by the OpenLDAP library. My alternative is to keep track of the allocated LDAPObjects and map the LDAP object to the corresponding LDAPObject. For this purpose I'm storing the LDAPObjects in a linked list. I don't expect a big number of LDAPObjects to be allocated, so the overhead of doing a linear search should be acceptable.

I kept the interface for the callback the same as it was for the old implementation, i.e. the callback has to accept an LDAP object and return a tuple (DN, CRED, METHOD).

The second part of the patch is for the python wrapper. I added an automatic rebind_procedure, which is installed when you call a version of "bind()". This way referrals should normally be transparent to the client. I am not sure whether this is a good idea or not (?).

/steffen

--
ste...@sy...
Gravity is a myth -- the Earth sucks!
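The per-connection lookup described in the message above, sketched as an added example that is not part of the original post or its patch: each opaque handle maps to its own rebind callback through a linked list, and a handle that is not in the list gets no credentials. `FakeLDAP`, `conn_register`, `conn_unregister`, `rebind_dispatch`, the sample callbacks and all DNs and secrets are hypothetical names and constructed values; nothing here links against OpenLDAP.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for the opaque LDAP handle (assumption): only its address is used. */
typedef struct fake_ldap { int unused; } FakeLDAP;
/* The (DN, CRED, METHOD) tuple a rebind callback returns. */
typedef struct { const char *dn, *cred; int method; } RebindCreds;
typedef int (*rebind_cb)(FakeLDAP *ld, RebindCreds *out);
/* One node per open connection: handle -> that connection's callback. */
typedef struct ConnNode { FakeLDAP *ld; rebind_cb cb; struct ConnNode *next; } ConnNode;
static ConnNode *conn_list = NULL;

int conn_register(FakeLDAP *ld, rebind_cb cb) {
    for (ConnNode *n = conn_list; n; n = n->next)
        if (n->ld == ld) { n->cb = cb; return 0; }  /* re-registering replaces */
    ConnNode *n = malloc(sizeof *n);
    if (!n) return -1;
    n->ld = ld; n->cb = cb; n->next = conn_list;
    conn_list = n;
    return 0;
}
/* Call on unbind: a stale node could match a later handle at the same address. */
void conn_unregister(FakeLDAP *ld) {
    for (ConnNode **pp = &conn_list; *pp; pp = &(*pp)->next)
        if ((*pp)->ld == ld) { ConnNode *dead = *pp; *pp = dead->next; free(dead); return; }
}
/* Referral dispatcher: linear search; an unknown handle fails closed. */
int rebind_dispatch(FakeLDAP *ld, RebindCreds *out) {
    for (ConnNode *n = conn_list; n; n = n->next)
        if (n->ld == ld) return n->cb ? n->cb(ld, out) : -1;
    return -1;  /* never fall back to another connection's credentials */
}
/* Constructed sample callbacks, one per directory; 0x80 is a placeholder METHOD. */
int cb_dir_a(FakeLDAP *ld, RebindCreds *out) {
    (void)ld; out->dn = "cn=app,dc=a,dc=example"; out->cred = "secret-a"; out->method = 0x80; return 0;
}
int cb_dir_b(FakeLDAP *ld, RebindCreds *out) {
    (void)ld; out->dn = "cn=app,dc=b,dc=example"; out->cred = "secret-b"; out->method = 0x80; return 0;
}

int main(void) {
    FakeLDAP a, b; RebindCreds c;
    conn_register(&a, cb_dir_a); conn_register(&b, cb_dir_b);
    if (rebind_dispatch(&b, &c) == 0) printf("rebind as %s\n", c.dn);
    conn_unregister(&b);
    printf("after unregister: %d\n", rebind_dispatch(&b, &c));
    conn_unregister(&a);
    return 0;
}
```

Removing the node when the connection is closed matters as much as the lookup: the key is a raw pointer, so a leftover entry can hand one directory's credentials to a later connection allocated at the same address.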