Introduction to server plug-ins

Use the IBM® Security Directory Server plug-ins reference to help you create plug-ins that extend the capabilities of your IBM Security Directory Server. Server plug-ins are dynamically loaded into the LDAP server's address space when it is started. Once the plug-ins are loaded, the server calls the functions in a shared library by using function pointers.

A server front end listens to the wire, receives and parses requests from clients, and then processes the requests by calling an appropriate database back-end function.

A server back-end reads and writes data to the database that contains the directory entries. In addition to the default database operations, the LDAP server's DB2® back-end also provides functions for supporting replication and dynamic schema updates.

If the front end fails to process a request, it returns an error message to the client; otherwise, the back-end is called. After the back-end is called, it must return a message to the client. Either the front end or the back-end, but not both, can return a message to the client.

Note: This differs from the iPlanet server plug-in in that only the front-end of the iPlanet plug-in can send a message back to the client.

In this IBM Security Directory Server release, the following types of server plug-ins are supported:
Database plug-ins
The database plug-in is used to integrate a database as a back-end to the server. For example, the rdbm database back-end is a database plug-in. It provides functions that enable the server to interact with the DB2 database. In IBM Security Directory Server, customized database plug-ins are not supported.
Pre-operation plug-ins
Functions that are executed before an LDAP operation is performed. For example, you can write a plug-in that checks new entries before they are added to the directory.
Post-operation plug-ins
Functions that are executed after an LDAP operation is performed. For example, you can write a post-operation plug-in to perform a group referential integrity check after a delete or modrdn operation.
Extended operation plug-ins
Are used to handle the extended operations that are defined in the LDAP V3 protocol. For example, a plug-in that clears a server log file.
Audit plug-ins
Are used to improve the security of the directory server. A default audit plug-in is provided with the server. Depending on the audit configuration parameters, this plug-in might log an audit entry in the default or specified audit log for each LDAP operation the server processed. The IBM Security Directory Server administrator can use the activities that are stored in the audit log to check for suspicious patterns of activity in an attempt to detect security violations. If security is violated, the audit log can be used to determine how and when the problem occurred and perhaps the amount of damage done. This information is useful, both for recovery from the violation and, possibly, in the development of better security measures to prevent future problems. You can also write your own audit plug-ins to either replace, or add more processing to, the default audit plug-in.
DN partitioning plug-ins
IBM Security Directory Server Proxy Server gives users the option to dynamically load a customer-written DN partitioning function during server run time. With the DN partitioning function implemented as a plug-in, the existing hash algorithm can be easily replaced with the customer-written DN partitioning plug-in, which makes the directory server more flexible and adaptive. The existing hash algorithm, however, remains the default DN partitioning plug-in, which is loaded during server startup if no customized code is available.
A server plug-in can return a message to the client as well. However, make sure that the server returns only one message.
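
The following added example is not IBM code and does not use the IBM plug-in API. It is a small stand-alone C model of the flow described above: the front end calls a pre-operation check through a function pointer, and exactly one result message reaches the client, even when a plug-in answers the client and still tells the server to continue. All type and function names, the return-code convention (0 means continue) and the `o=example` suffix are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Model only: these types and names are hypothetical, not the IBM plug-in API. */
typedef struct {
    const char *dn;     /* DN of the entry being added */
    int results_sent;   /* how many result messages went to the client */
    int last_rc;        /* LDAP result code of the last message sent */
} op_t;

typedef int (*preop_fn)(op_t *op);  /* assumed: 0 = continue, nonzero = plug-in answered */

static void send_result(op_t *op, int rc) { op->results_sent++; op->last_rc = rc; }

/* Pre-operation check: refuse new entries outside an allowed suffix.
   Byte-wise compare for brevity; a real check would normalize the DN first. */
static int preop_check_suffix(op_t *op) {
    const char *suffix = ",o=example";          /* constructed sample suffix */
    size_t n = strlen(op->dn), s = strlen(suffix);
    if (n > s && strcmp(op->dn + n - s, suffix) == 0) return 0;
    send_result(op, 53);                        /* LDAP unwillingToPerform */
    return -1;
}

/* Faulty plug-in: answers the client but still tells the server to continue. */
static int preop_buggy(op_t *op) { send_result(op, 53); return 0; }

static void backend_add(op_t *op) { send_result(op, 0); }  /* LDAP success */

/* Front end: call the plug-in through its pointer, then the back-end unless a
   result was already sent. Returns the number of messages the client received. */
static int dispatch_add(preop_fn plugin, const char *dn, int *rc_out) {
    op_t op = { dn, 0, -1 };
    if (plugin(&op) == 0 && op.results_sent == 0)
        backend_add(&op);   /* skipped when the plug-in has already answered */
    if (rc_out) *rc_out = op.last_rc;
    return op.results_sent;
}

int main(void) {
    int rc, n;
    n = dispatch_add(preop_check_suffix, "cn=a,o=example", &rc);
    printf("accepted: %d message(s), rc=%d\n", n, rc);
    n = dispatch_add(preop_check_suffix, "cn=a,o=other", &rc);
    printf("rejected: %d message(s), rc=%d\n", n, rc);
    n = dispatch_add(preop_buggy, "cn=a,o=example", &rc);
    printf("buggy plug-in: %d message(s), rc=%d\n", n, rc);
    return 0;
}
```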