Netscape DIRECTORY SERVER 6.02 - PLUG-IN Manual

Also see for NETSCAPE DIRECTORY SERVER 6.02: Configuration guide Deployment guide Installation guide Reference Administrator's guide

Contents

Netscape DIRECTORY SERVER 6.02 - PLUG-IN Manual Manual pdf 98 page image

Writing a Pre-Operation Bind Plug-in98 Netscape Directory Server Plug-In Programmer’s Guide • May 2002• SLAPI_BIND_CREDENTIALS (a berval structure containing the credentials sentby the client)If you plan to support authentication through SASL mechanisms, you should alsoget the value of the SLAPI_BIND_SASLMECHANISM parameter (a string valuespecifying the name of the SASL mechanism to use for authentication).Make sure to check the following:• Determine if the client is requesting to bind as an anonymous user.If the SLAPI_BIND_METHOD parameter is LDAP_AUTH_SIMPLE and theSLAPI_BIND_CREDENTIALS parameter is empty or NULL, the client isattempting to bind anonymously.Call slapi_send_ldap_result() to send the LDAP result code LDAP_SUCCESSback to the client.• If the SLAPI_BIND_METHOD parameter specifies a method that you do notrecognize or support, call slapi_send_ldap_result() to send anLDAP_STRONG_AUTH_NOT_SUPPORTED result code back to the client.In both cases, return a non-zero value to prevent the server from calling the defaultbackend function for authentication.Getting the Entry and Checking the CredentialsGet the entry for the DN specified by the SLAPI_BIND_TARGET parameter andcompare the credentials in the SLAPI_BIND_CREDENTIALS parameter against theknown credentials for that entry.By default, Directory Server 4.x uses the userpassword attribute to store thecredentials for an entry. The server encodes the password using the schemespecified in the passwdhash directive of the slapd.conf configuration file. Thescheme can be crypt or sha or “ “ (for cleartext).By default, Directory Server 6.x uses the userpassword attribute to store thecredentials for an entry. The server encodes the password using the schemespecified in the nsslapd-rootpwstoragescheme or passwordStorageSchemeattributes of the cn=config entry contained in the dse.ldif file. The scheme canbe any of the following:• CLEAR (means no encryption and can be defined using theclear-password-storage-scheme plug-in)• CRYPT (means Unix crypt algorithm and can be defined using thecrypt-password-storage-scheme plug-in)