directory-dev mailing list archives

From Emmanuel Lécharny <>
Subject Re: Access LDAPmessage
Date Sun, 06 Aug 2017 02:04:51 GMT
Now, that's better :-)

Although 1.5 and 2.0.0-M24 are very different, the interceptor
architecture hasn't changed so much (hopefully). Ok, the doc is totally
outdated, and we don't use the server.xml file anymore.

Interceptors are all extending the BaseInterceptor abstract class which
itself implements the Interceptor interface. There is not that much you
need to implement in your own interceptor :

- the init() method if you need to initialize some things when the
interceptor is added to the system (it's called once at startup)

- the destroy() method that is called when the server is shut down, should
you need to clean up things (AFAICT, no interceptor implements this method)

- and a method for each LDAP operation : add, bind, compare, delete,
getRootDse (SEARCH), hasEntry (SEARCH), lookup (SEARCH), modify, move
(MODRDN), moveAndRename (MODRDN), rename (MODRDN), search and unbind. As
you can see, some of those methods are a specific version of a base
method - like lookup/hasEntry/getRootDSE which could be done using the
search method -, for convenience.

Each of the Operation methods uses a special Context parameter, which
itself gives you access to various elements :

- the specific operation's parameters (like the base DN or the filter for
the search operation; check each of the Context classes and interfaces)

- the Session (and here, the CoreSession).

When an LdapMessage is received, the protocol handler passes it to the
CoreSession instance, which creates an operation context from it,
extracting all the required pieces that are going to be processed by
interceptors. At this point, the initial LdapMessage is no longer
available from inside interceptors, but can be rebuilt from the content
of the operation context - including the controls -.

The Session is also where you'll find information about each current
operation, and the executing LDAP session. Typically, it gives you
access to the caller's ID - the principal -, its IP address,

Now, once you have implemented your interceptor, there are two things
that need to be done in the configuration :

- each interceptor is declared in the configuration file

- each one has an order in the chain

- each one is either enabled or disabled

- each interceptor is associated with a class implementing it

The order is critical, and you must add yours at the right place,
depending on what you want to do. Usually, you want to add your
interceptor at the very end of the chain, so with the highest order. The
order is stored in the ads-interceptororder attribute (see later for an
example). The class implementing the interceptor is stored using its
FQDN in the ads-interceptorclassname attribute.

The interceptor will be called only if it's enabled, something that has
to be set using the ads-enabled attribute.

Here are two examples for two different interceptors :

- The Normalization interceptor :

objectclass: top
objectclass: ads-base
objectclass: ads-interceptor
ads-interceptororder: 1
ads-interceptorid: normalizationInterceptor
ads-enabled: TRUE

Its order is 1, it's the very first interceptor being called. The FQCN
for this interceptor is stored in the ads-interceptorclassname
attribute, and this interceptor is enabled.

- The KeyDerivation interceptor :

objectclass: top
objectclass: ads-base
objectclass: ads-interceptor
ads-enabled: FALSE
ads-interceptororder: 8
ads-interceptorid: keyDerivationInterceptor

This interceptor is used when Kerberos is enabled, to compute the
derived Kerberos keys when a user changes its password.

Its position is 8, because it has to be executed before the
passwordHashing Interceptor, but here, as you can see, it's disabled : it
won't be executed at all.

It's enough to set your configuration file with your interceptor for
this interceptor to be automatically called at the right place in the
chain of interceptors : the server uses reflection at startup to know
where to set it - if it's enabled - and for which operation it will be
called (if you don't have a delete() method in your interceptor, for
instance, it will never be called when a user sends a Delete operation to
the server). The configuration is processed at startup, btw, so you'll
need to restart the server if you change the configuration.

I hope it helps.

Le 05/08/2017 à 20:19, Dineth Chalitha Basnayaka a écrit :
> Hi !
> I am very new to ApacheDS so forgive me if I am interrupting you. I tried
> the tutorial "Implementing a simple custom Interceptor for ApacheDS" (
> . It was a nice explanation and it worked for me. But it relates to apacheds-1.5.5.
> When it comes to apacheds2.0.0-M24 I saw
> and more
> default interceptors are already implemented there.
> So now I am trying to implement my own interceptor. Getting the
> interceptor installed in a default installation of ApacheDS2.0.0-M24 confused
> me a little bit, because there are some differences between the ApacheDS2.0.0-M24
> and apacheds-1.5.5 installation layouts. The ApacheDS2.0.0-M24 installation
> layout does not show the server.xml file. If you can give some information on
> installing new custom interceptors in ApacheDS 2.0.0-M24, it would be really helpful
> for me.
> Thanks for your consideration.
> Dineth Chalitha Basnayake.
> Undergraduate in Computer Science & Technology,
> Uva Wellassa University of Sri Lanka
> On Fri, Aug 4, 2017 at 10:22 AM, Emmanuel Lécharny <>
> wrote:
>> Le 04/08/2017 à 05:32, Dineth Chalitha Basnayaka a écrit :
>>> Can you give what are the possible places in ldap server I can access
>> that
>>> message.
>> In other words, ApacheDS is a 200 000 lines of code project. I'm not going
>> to go through it to show you how to get the information you need, it
>> would simply take me days. Either you tell me where in the code you want
>> to access LDAPMessage, or you are totally on your own.
>> Thanks.

Emmanuel Lecharny
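
The interceptor structure described in the message above, as an added example that is not part of the original thread or of the ApacheDS code base: an audit interceptor that records who attempts a delete or modify, on which entry and from which address, then passes the operation down the chain. The package, class name and interceptor name are hypothetical; the ApacheDS package names and method signatures are assumed from the 2.0.0-M24 core-api and should be checked against the release in use.

```java
package com.example.audit; // hypothetical package

import java.net.SocketAddress;
import java.util.logging.Logger;

import org.apache.directory.api.ldap.model.exception.LdapException;
import org.apache.directory.server.core.api.CoreSession;
import org.apache.directory.server.core.api.DirectoryService;
import org.apache.directory.server.core.api.interceptor.BaseInterceptor;
import org.apache.directory.server.core.api.interceptor.context.DeleteOperationContext;
import org.apache.directory.server.core.api.interceptor.context.ModifyOperationContext;
import org.apache.directory.server.core.api.interceptor.context.OperationContext;

/** Hypothetical audit interceptor: only delete() and modify() are overridden. */
public class AuditInterceptor extends BaseInterceptor {
    private static final Logger LOG = Logger.getLogger(AuditInterceptor.class.getName());

    public AuditInterceptor() {
        super("auditInterceptor"); // hypothetical interceptor name
    }

    @Override
    public void init(DirectoryService directoryService) throws LdapException {
        super.init(directoryService); // called once, at server startup
        LOG.info("AuditInterceptor initialized");
    }

    @Override
    public void delete(DeleteOperationContext ctx) throws LdapException {
        audit("DELETE", ctx); // logs the attempt; the operation may still fail later
        next(ctx);            // hand over to the next interceptor in the chain
    }

    @Override
    public void modify(ModifyOperationContext ctx) throws LdapException {
        audit("MODIFY", ctx);
        next(ctx);
    }

    // The operation context carries the target DN and the CoreSession;
    // the original LdapMessage is not available at this point.
    private void audit(String op, OperationContext ctx) {
        CoreSession session = ctx.getSession();
        SocketAddress client = session.getClientAddress(); // may be null; handled here
        LOG.info(String.format("%s dn=\"%s\" principal=\"%s\" client=%s", op, ctx.getDn(),
            session.getEffectivePrincipal(), client == null ? "unknown" : client));
    }
}
```

To activate it, the interceptor's configuration entry would carry the class's fully qualified name in ads-interceptorclassname, a position in ads-interceptororder and ads-enabled: TRUE, followed by a server restart, as the message describes.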
