ipapwd_extop allows to update the password on a specific entry, identified by its DN. It can be usefull to support virtual DN in the extop so that update of a virtual entry would land into the proper real entry.
To achieve this ipapwd_extop need to call pre extop callbacks, where a plugin (like schema compat) would be able to translate the virtual DN into the real one.
This relies on https://fedorahosted.org/389/ticket/48880
attachment 0001-5946-Enable-password-change-extop-to-apply-on-virtua.patch
The attachment is an example. If a pre-extop callback would change the SLAPI_ORIGINAL_TARGET, we would use it rather than the one in the ber request.
The pre-extop callback (SLAPI_PLUGIN_PRE_EXTOP_FN), for example in schema compat, would set SLAPI_ORIGINAL_TARGET.
That means the pre-extop need to decode the ber to find the rawdn and translate it into the real DN
attachment 0001-ipapwd_extop-should-use-TARGET_DN-defined-by-a-pre-e.patch
This second attachment was tested without regression with freeipa tests and without regression regarding the ability to set a password (+krbkeys) (when no plugin sets TARGET_DN) => ready for a review
master:
Metadata Update from @tbordaz: - Issue assigned to tbordaz - Issue set to the milestone: FreeIPA 4.4
Login to comment on this ticket.