mirror of
https://git.openldap.org/openldap/openldap.git
synced 2025-01-12 10:54:48 +08:00
207 lines
6.9 KiB
Plaintext
207 lines
6.9 KiB
Plaintext
Tcl Backend Interface for OpenLDAP
|
|
|
|
|
|
----------------------------
|
|
Synopsis of slapd.conf setup
|
|
----------------------------
|
|
|
|
database tcl
|
|
suffix o=Suffix
|
|
|
|
# The full path to the tcl script used for this database
|
|
scriptpath /usr/lib/ldap/database.tcl
|
|
|
|
# The procs for each ldap function. This similar to how
|
|
# the shell backend setup works, but these refer to
|
|
# the tcl procs in the 'scriptpath' script that handle them
|
|
search <proc>
|
|
add <proc>
|
|
delete <proc>
|
|
modify <proc>
|
|
bind <proc>
|
|
unbind <proc>
|
|
modrdn <proc>
|
|
compare <proc>
|
|
abandon <proc>
|
|
|
|
# This is one of the biggest pluses of using the tcl backend.
|
|
# The realm let's you group several databases to the same interpretor.
|
|
# This basically means they share the same global variables and proc
|
|
# space. So global variables, as well as all the procs are callable
|
|
# between databases. If no tclrealm is specified, it is put into the
|
|
# "default" realm.
|
|
tclrealm <interpretor name>
|
|
|
|
|
|
-----------------------------------------
|
|
Synopsis of variables passed to the procs
|
|
-----------------------------------------
|
|
|
|
abandon { action msgid suffix }
|
|
|
|
action - Always equal to ABANDON
|
|
msgid - The msgid of this ldap session
|
|
suffix - List of suffix(es) associated with the call. Each one is
|
|
and entry in a tcl formatted list (surrounded by {}'s)
|
|
|
|
add { action msgid suffix entry }
|
|
|
|
action - Always equal to ADD
|
|
msgid - The msgid of this ldap session
|
|
suffix - List of suffix(es) associated with the call. Each one is
|
|
and entry in a tcl formatted list (surrounded by {}'s)
|
|
entry - Full entry to add. Each "type: val" is an element in a
|
|
tcl formatted list.
|
|
|
|
bind { action msgid suffix dn method cred_len cred }
|
|
|
|
action - Always equal to BIND
|
|
msgid - The msgid of this ldap session
|
|
suffix - List of suffix(es) associated with the call. Each one
|
|
is and entry in a tcl formatted list (surrounded by {}'s)
|
|
dn - DN being bound to
|
|
method - One of the ldap authentication methods
|
|
cred_len - Length of cred
|
|
cred - Credentials being used to authenticate, according to
|
|
RFC, if this value is empty, then it should be
|
|
considered an anonomous bind (??)
|
|
|
|
compare { action msgid suffix dn ava_type ava_value }
|
|
|
|
action - Always equal to COMPARE
|
|
msgid - The msgid of this ldap session
|
|
suffix - List of suffix(es) associated with the call. Each one
|
|
is and entry in a tcl formatted list (surrounded by {}'s)
|
|
dn - DN for compare
|
|
ava_type - Type for comparison
|
|
ava_value - Value to compare
|
|
|
|
delete { action msgid suffix dn }
|
|
|
|
action - Always equal to DELETE
|
|
msgid - The msgid of this ldap session
|
|
suffix - List of suffix(es) associated with the call. Each one
|
|
is and entry in a tcl formatted list (surrounded by {}'s)
|
|
dn - DN to delete
|
|
|
|
modify { action msgid suffix dn mods }
|
|
|
|
action - Always equal to MODIFY
|
|
msgid - The msgid of this ldap session
|
|
suffix - List of suffix(es) associated with the call. Each one
|
|
is and entry in a tcl formatted list (surrounded by {}'s)
|
|
dn - DN to modify
|
|
mods - Tcl list of modifications. List is formatted in this way:
|
|
|
|
{
|
|
{ {op: type} {type: val} }
|
|
{ {op: type} {type: val} {type: val} }
|
|
...
|
|
}
|
|
|
|
Newlines are not present in the actual var, they are
|
|
present here for clarification. "op" is the type of
|
|
modification (add, delete, replace).
|
|
|
|
modrdn { action msgid suffix dn newrdn deleteoldrdn }
|
|
|
|
action - Always equal to MODRDN
|
|
msgid - The msgid of this ldap session
|
|
suffix - List of suffix(es) associated with the call. Each one
|
|
is and entry in a tcl formatted list (surrounded by {}'s)
|
|
dn - DN who's RDN is being renamed
|
|
newrdn - New RDN
|
|
deleteoldrdn - Boolean stating whether or not the old RDN should
|
|
be removed after being renamed
|
|
|
|
search { action msgid suffix base scope deref sizelimit timelimit
|
|
filterstr attrsonly attrlist }
|
|
|
|
action - Always equal to SEARCH
|
|
msgid - The msgid of this ldap session
|
|
suffix - List of suffix(es) associated with the call. Each one
|
|
is and entry in a tcl formatted list (surrounded by {}'s)
|
|
base - Base for this search
|
|
scope - Scope of search, ( 0 | 1 | 2 )
|
|
deref - Alias dereferencing ( 0 | 1 | 2 | 3 )
|
|
sizelimit - Script should try not to return more data that this
|
|
timelimit - Time limit for search
|
|
filterstr - Filter string as sent by the requestor.
|
|
attrsonly - Boolean for whether to list only the attributes
|
|
instead of attributes and their values.
|
|
attrlist - Tcl list if to retrieve.
|
|
|
|
unbind { action msgid suffix dn }
|
|
|
|
action - Always equal to UNBIND
|
|
msgid - The msgid of this ldap session
|
|
suffix - List of suffix(es) associated with the call. Each one
|
|
is and entry in a tcl formatted list (surrounded by {}'s)
|
|
dn - DN to unbind
|
|
|
|
|
|
------------------------------------
|
|
Synopsis of Return Method and Syntax
|
|
------------------------------------
|
|
|
|
There are only 2 return types. All procs must return a result to show
|
|
status of the operation. The result is in this form:
|
|
|
|
{ RESULT {code: <integer>} {matched: <partialdn>} {info: <string>} {} }
|
|
|
|
This is best accomplished with this type of tcl code
|
|
|
|
lappend ret_val "RESULT"
|
|
lappend ret_val "code: 0"
|
|
lappend ret_val ""
|
|
return $ret_val
|
|
|
|
The final empty string (item in list) is neccesary to point to the end of
|
|
list. The 'code', 'matched', and 'info' values are not neccesary, and
|
|
default values are given if not specified. The 'code' value is usually an
|
|
LDAP error in decimal notation from ldap.h. The 'info', may be sent back
|
|
to the client, depending on the function. LDAP uses the value of 'code' to
|
|
indicate whether or not the authentication is acceptible in the bind proc.
|
|
|
|
The other type of return is for searches. It is similar format to the
|
|
shell backend return (as is most of the syntax here). It's format follows:
|
|
|
|
{dn: o=Company, c=US} {attr: val} {objectclass: val} {}
|
|
{dn: o=CompanyB, c=US} {attr: val} {objectclass: val} {}
|
|
|
|
Again, newlines are for visual purposes here. Also note the {} marking the
|
|
end of the entry (same affect as a newline in ldif format). Here is some
|
|
example code again, showing a full search proc example.
|
|
|
|
# Note that 'args' let's you lump all possible args into one var, used
|
|
# here for simplicity of exmaple
|
|
proc ldap:search { args } {
|
|
# perform some operations
|
|
|
|
lappend ret_val "dn: $rdn,$base"
|
|
lappend ret_val "objectclass: $objcl"
|
|
lappend ret_val "sn: $rdn"
|
|
lappend ret_val "mail: $email"
|
|
lappend ret_val ""
|
|
# Now setup the result
|
|
lappend ret_val "RESULT"
|
|
lappend ret_val "code: 0"
|
|
lappend ret_val ""
|
|
|
|
return $ret_val
|
|
}
|
|
|
|
NOTE: Newlines in the return value is acceptible in search entries (ie.
|
|
when returning base64 encoded binary entries).
|
|
|
|
|
|
-------------------------------------
|
|
Synopsis of Builtin Commands and Vars
|
|
-------------------------------------
|
|
|
|
ldap:debug <msg>
|
|
|
|
Allows you to send debug messages through OpenLDAP's native debuging
|
|
system, this is sent as a LDAP_DEBUG_ANY and will be logged. Useful for
|
|
debugging scripts or logging bind failures.
|