Drizzle

Merge lp:~zisis00/drizzle/ldap_policy into lp:drizzle

ldap_policy
Merge into 7.2

Proposed by Zisis Sialveras on 2012-08-09

Status:	Work in progress
Proposed branch:	lp:~zisis00/drizzle/ldap_policy
Merge into:	lp:drizzle
Diff against target:	1707 lines (+1673/-2) 5 files modified plugin/ldap_policy/docs/index.rst (+187/-0) plugin/ldap_policy/ldap_policy.cc (+1286/-0) plugin/ldap_policy/ldap_policy.hpp (+194/-0) plugin/ldap_policy/plugin.ini (+3/-0) tests/lib/server_mgmt/drizzled.py (+3/-2)
To merge this branch:	bzr merge lp:~zisis00/drizzle/ldap_policy
Related bugs:	Link a bug report

Reviewer	Review Type	Date Requested	Status
Drizzle Trunk		2012-08-09	Pending
Review via email: mp+119016@code.launchpad.net

Description of the change

This branch introduce a new plugin named ldap policy. The plugin is an authentication system using LDAP. Each schema/table of Drizzle and user has a record in LDAP. The ldap_policy plugin search in LDAP and dictates if access to target schema/table from user should be granted or not. Also, it is capable to search for supplementaries groups and it has an implementation of a "per-user" cache system for better performance.

Note: Extending the testing suite to have some automated tests & writing detailed documentation are currently in progress.

Revision history for this message

Brian Aker (brianaker) wrote on 2012-08-11:

Thanks, this will be reviewed next.

lp:~zisis00/drizzle/ldap_policy updated on 2012-08-21

2556. By Zisis Sialveras on 2012-08-18: Fixed some errors in ldap_policy
2557. By Zisis Sialveras on 2012-08-21: Documentation for ldap-policy

Revision history for this message

Brian Aker (brianaker) wrote on 2012-08-22:

  CXX plugin/performance_dictionary/plugin_libperformance_dictionary_plugin_la-session_usage.lo
  CXX plugin/performance_dictionary/plugin_libperformance_dictionary_plugin_la-session_usage_logger.lo
plugin/ldap_policy/ldap_policy.cc: In member function 'virtual bool ldap_policy::LDAP_policy::restrictProcess(const drizzled::identifier::User&, const drizzled::identifier::User&)':
plugin/ldap_policy/ldap_policy.cc:331:32: error: 'uid' may be used uninitialized in this function [-Werror=uninitialized]
plugin/ldap_policy/ldap_policy.cc:152:28: error: 'gid' may be used uninitialized in this function [-Werror=uninitialized]
  CXX plugin/query_log/plugin_libquery_log_plugin_la-module.lo
cc1plus: all warnings being treated as errors
  CXX plugin/query_log/plugin_libquery_log_plugin_la-query_log.lo
make[2]: *** [plugin/ldap_policy/plugin_libldap_policy_plugin_la-ldap_policy.lo] Error 1
make[2]: *** Waiting for unfinished jobs....
make[2]: Leaving directory `/home/jenkins/workspace/drizzle-smoke-test/label/ubuntu-12.04'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/home/jenkins/workspace/drizzle-smoke-test/label/ubuntu-12.04'
make: *** [all] Error 2
Build step 'Use builders from another project' marked build as failure
[WARNINGS] Skipping publisher since build result is FAILURE
Notifying upstream projects of job completion
Finished: FAILURE

Unmerged revisions

2557. By Zisis Sialveras on 2012-08-21: Documentation for ldap-policy
2556. By Zisis Sialveras on 2012-08-18: Fixed some errors in ldap_policy
2555. By Zisis Sialveras on 2012-08-09: Some changes in ldap_policy
2554. By Zisis Sialveras on 2012-08-03: The LDAP policy plugin.

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk

Subscribers

People subscribed via source and target branches

to all changes:

Drizzle Trunk

Zisis Sialveras

 === added directory 'plugin/ldap_policy'
 === added directory 'plugin/ldap_policy/docs'
 === added file 'plugin/ldap_policy/docs/index.rst'
 --- plugin/ldap_policy/docs/index.rst	1970-01-01 00:00:00 +0000
 +++ plugin/ldap_policy/docs/index.rst	2012-08-21 14:09:20 +0000
@@ -0,0 +1,187 @@
++.. _ldap_policy_plugin:
++
++LDAP Authorization
++==================
++
++:program: `ldap_policy` is an :doc:`/administration/authorization` plugin that uses LDAP (Lightweight Directory Access Protocol) records to match policies.
++Each schema and table has a record in LDAP with attributes that indicate which users and groups are authorized to the target schema and/or table.
++More specifically, users exists in an LDAP directory (etc. ou=users,dc=example,dc=com). So do groups, tables and schemata.
++Schemata and tables are defined with objectClass: drizzleItem, and they can have attributes like allowedUsers and allowedGroups.
++These two attributes are the uidNumber of user or the gidNumber of the groups that should be authorized to the schema or table.
++
++The plugin is also capable to search for permissions in the supplementaries groups.
++Under the group directory (etc. ou=groups,dc=example,dc=com), may exist the groups of the users. Each group may have memberUID attribute
++if it is defined with objectClass: posixGroup. Having these, allows the plugin to understand the supplementaries groups of the user.
++So if a user has a group in supplementaries groups, and this group is authorized, then the user is authorized too, although he belong in a non-authorized
++primary group.
++
++.. seealso:: :doc:`/administration/authorization`
++.. seealso:: :doc:`/plugins/auth_ldap/index`
++
++.. _ldap_policy_loading:
++
++Loading
++-------
++
++To load this plugin, start :program:`drizzled` with::
++
++   --plugin-add=ldap_policy
++
++Loading the plugin may not enable or configure it.  See the plugin's
++:ref:`ldap_policy_configuration` and :ref:`ldap_policy_variables`.
++
++.. seealso:: :ref:`drizzled_plugin_options` for more information about adding and removing plugins.
++
++.. _ldap_policy_configuration:
++
++Configuration
++-------------
++
++These command line options configure the plugin when :program:`drizzled`
++is started.  See :ref:`command_line_options` for more information about specifying
++command line options.
++
++.. program:: drizzled
++
++.. option:: --ldap-policy.uri ARG
++
++	:Default: ``ldap://localhost/``
++	:Variable: :ref:`ldap_policy_uri <ldap_policy_uri>`
++
++	URI of LDAP server to connect.
++
++.. option:: --ldap-policy.users-dir ARG
++
++	:Default: ``ou=users,dc=example,dc=com``
++	:Variable: :ref:`ldap_policy_users_dir <ldap_policy_users_dir>`
++
++	The LDAP DN (distinguished name) with the users records.
++
++	Users should be in this LDAP directory, and must be defined objectClass: posixAccount. uidNumber and gidNumber attributes are required.
++
++.. option:: --ldap-policy.groups-dir ARG
++
++	:Default: ``ou=groups,dc=example,dc=com``
++	:Variable: :ref:`ldap_policy_groups_dir <ldap_policy_groups_dir>`
++
++	The LDAP DN (distinguished name) with the groups records.
++
++	Groups should be in this LDAP directory, and must be defined with objectClass: posixGroups. Although this class has as optional attribute memberUID,
++	it is essential to be filled so plugin can understand the supplementaries groups of the users.
++
++
++.. option:: --ldap-policy.schemas-dir ARG
++
++	:Default: ``ou=schemas,dc=example,dc=com``
++	:Variable: :ref:`ldap_policy_schemas_dir <ldap_policy_schemas_dir>`
++
++	The LDAP DN (distinguished name) with the schemas records.
++
++	Schemata should be in this LDAP directory, and must be defined with objectClass: drizzleItem. allowedUsers and allowedGroups attributes indicate
++	which uidNumber and gidNumber should be authorized in the current schema.
++
++.. option:: --ldap-policy.tables-dir ARG
++
++	:Default: ``ou=tables,dc=example,dc=com``
++	:Variable: :ref:`ldap_policy_tables_dir <ldap_policy_tables_dir>`
++
++	The LDAP DN (distinguished name) with the tables records.
++
++	Tables should be in this LDAP directory, and must be defined with objectClass: drizzleItem. allowedUsers and allowedGroups attributes indicate
++	which uidNumber and gidNumber should be authorized in the current table.
++
++.. option:: --ldap-policy.cache-timeout ARG
++
++	:Default: ``500``
++	:Variable: :ref:`ldap_policy_cache_timeout <ldap_policy_cache_timeout>`
++
++	How much time is valid each cache entry. (NOT implemented yet)
++
++	After a successful authorization to a schema or a table, the user and the schema/table is added in cache memory in order to achive better performance
++	the next time he/she tries to access the same schema/table again. Each cache entry is valid for only specific number of seconds.
++
++.. _ldap_policy_variables:
++
++Variables
++---------
++
++These variables show the running configuration of the plugin.
++See `variables` for more information about querying and setting variables.
++
++
++.. _ldap_policy_uri:
++* ``ldap_policy_uri``
++
++	:Scope: Global
++	:Dynamic: No
++	:Option: :option:`--ldap_policy.uri`
++
++	URI of the LDAP server to contact.
++
++.. _ldap_policy_users_dir:
++* ``ldap_policy_users_dir``
++
++	:Scope: Global
++	:Dynamic: No
++	:Option: :option:`--ldap_policy.users-dir`
++
++	The LDAP DN (distinguished name) with the users records.
++
++.. _ldap_policy_groups_dir:
++* ``ldap_policy_groups_dir``
++
++	:Scope: Global
++	:Dynamic: No
++	:Option: :option:`--ldap_policy.groups-dir`
++
++	The LDAP DN (distinguished name) with the groups records.
++
++.. _ldap_policy_schemas_dir:
++* ``ldap_policy_schemas_dir``
++
++	:Scope: Global
++	:Dynamic: No
++	:Option: :option:`--ldap_policy.schemas-dir`
++
++	The LDAP DN (distinguished name) with the schemas records.
++
++.. _ldap_policy_tables_dir:
++* ``ldap_policy_tables_dir``
++
++	:Scope: Global
++	:Dynamic: No
++	:Option: :option:`--ldap_policy.tables-dir`
++
++	The LDAP DN (distinguished name) with the tables records.
++
++
++.. ldap_policy_authors:
++
++Authors
++-------
++
++Zisis Sialveras
++
++.. ldap_policy_version:
++
++Version
++-------
++
++This documentation applies to version **ldap_policy 0.1**.
++
++To see which version of the plugin a Drizzle server is running, execute:
++
++.. code-block:: mysql
++
++   SELECT MODULE_VERSION FROM DATA_DICTIONARY.MODULES WHERE MODULE_NAME='ldap_policy'
++
++
++.. ldap_policy_changelog
++
++Changelog
++---------
++
++v0.1
++*First release.
++
++
 === added file 'plugin/ldap_policy/ldap_policy.cc'
 --- plugin/ldap_policy/ldap_policy.cc	1970-01-01 00:00:00 +0000
 +++ plugin/ldap_policy/ldap_policy.cc	2012-08-21 14:09:20 +0000
@@ -0,0 +1,1286 @@
++/* -*- mode: c++; c-basic-offset: 2; indent-tabs-mode: nil; -*-
++ *  vim:expandtab:shiftwidth=2:tabstop=2:smarttab:
++ *
++ *  Copyright (C) 2012 Zisis Sialveras
++ *
++ *  This program is free software; you can redistribute it and/or modify
++ *  it under the terms of the GNU General Public License as published by
++ *  the Free Software Foundation; version 2 of the License.
++ *
++ *  This program is distributed in the hope that it will be useful,
++ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
++ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++ *  GNU General Public License for more details.
++ *
++ *  You should have received a copy of the GNU General Public License
++ *  along with this program; if not, write to the Free Software
++ *  Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
++ */
++
++#include "ldap_policy.hpp"
++#include <drizzled/module/option_map.h>
++
++
++namespace po= boost::program_options;
++
++using namespace std;
++using namespace drizzled;
++
++namespace ldap_policy
++{
++
++static int init(module::Context &context)
++{
++  LDAP_policy *ldap_policy= new LDAP_policy();
++
++  if(ldap_policy->connect() == false)
++  {
++    errmsg_printf(error::ERROR, _("Could not load ldap_policy\n"));
++    delete ldap_policy;
++    return 1;
++  }
++
++  context.registerVariable(new sys_var_const_string_val("uri", uri));
++  context.registerVariable(new sys_var_const_string_val("users-dir", users_dir));
++  context.registerVariable(new sys_var_const_string_val("schema-dir", schemas_dir));
++  context.registerVariable(new sys_var_const_string_val("groups-dir", groups_dir));
++  context.registerVariable(new sys_var_const_string_val("tables-dir", tables_dir));
++  ///Remember to register the Variable Cache-timeout
++
++  context.add(ldap_policy);
++  return 0;
++}
++
++static void init_options(drizzled::module::option_context &context)
++{
++  context("uri", po::value<string>(&uri)->default_value(DEFAULT_URI),
++          N_("URI of the LDAP server to contact"));
++  context("users-dir", po::value<string>(&users_dir)->default_value(DEFAULT_USERS_DIR),
++          N_("Users' LDAP directory"));
++  context("schemas-dir", po::value<string>(&schemas_dir)->default_value(DEFAULT_SCHEMAS_DIR),
++          N_("Schemas' LDAP directory"));
++  context("groups-dir", po::value<string>(&groups_dir)->default_value(DEFAULT_GROUPS_DIR),
++          N_("Groups' LDAP directory"));
++  context("tables-dir", po::value<string>(&tables_dir)->default_value(DEFAULT_TABLES_DIR),
++          N_("Tables' LDAP directory"));
++  context("cache-timeout", po::value<time_t>(&cache_timeout)->default_value(DEFAULT_CACHE_TIMEOUT),
++		  N_("Cache timeout"));
++}
++
++void LDAP_policy::printerror()
++{
++  errmsg_printf(error::ERROR, _(error.c_str()));
++}
++
++/**
++ * restrictProcess dictates if user A is allowed to see/kill user B connection.
++ *
++ * In the beginning, restrictProcess checks if user A and B has the same gidNumber
++ * attribute in their LDAP records. If they have not, restrictProcess checks
++ * if user's B group is one of the user's A supplementaries groups. This is done
++ * by searching in user's B group LDAP record and checking if its attributes is uid
++ * of user A.
++ */
++
++bool LDAP_policy::restrictProcess(const drizzled::identifier::User &user_ctx,
++                                  const drizzled::identifier::User &session_ctx)
++{
++
++  LDAPMessage *response;
++  const char *attrs[]= {"uidNumber",
++                        "gidNumber",
++                        NULL
++                        };
++  string filter= "(cn=" + user_ctx.username() + ")";
++
++
++  int return_code= ldap_search_ext_s(ldap,
++                                     users_dir.c_str(),
++                                     LDAP_SCOPE_ONELEVEL,
++                                     filter.c_str(),
++                                     const_cast<char**>(attrs),
++                                     0,
++                                     NULL,
++                                     NULL,
++                                     NULL,
++                                     1,
++                                     &response);
++
++  if( return_code != LDAP_SUCCESS )
++  {
++    error= "ldap_search_ext_s failed:";
++    error+= ldap_err2string(return_code);
++    printerror();
++
++    ldap_msgfree(response);
++    return true;
++  }
++
++  LDAPMessage *entry;
++  int ldap_entries= ldap_count_entries(ldap, response);
++
++  if( ldap_entries == 0 || ldap_entries == (-1))
++  {
++    ldap_msgfree(response);
++    return true;
++  }
++
++  entry= ldap_first_entry(ldap, response);
++  BerElement *berv;
++  char **gid, **uid, *attr;
++  for(attr= ldap_first_attribute(ldap, entry, &berv); //attr is gidNumber attribute
++      attr != NULL;
++      attr= ldap_next_attribute(ldap, entry, berv))
++  {
++
++    if(not strcmp(attr, "uidNumber"))
++    {
++      uid= ldap_get_values(ldap, entry, attr);
++    }
++    else if( not strcmp(attr, "gidNumber"))
++    {
++      gid= ldap_get_values(ldap, entry, attr);
++    }
++  } //we have uid and gid of user A
++
++  if(gid == NULL)
++  {
++    return true;
++  }
++
++  struct berval brv;
++  brv.bv_len= strlen(gid[0]);
++  brv.bv_val= gid[0];
++
++  string dn= "cn=" + session_ctx.username() + "," + users_dir.c_str();
++
++  return_code= ldap_compare_ext_s(ldap,
++                                  dn.c_str(),
++                                  "gidNumber",
++                                  &brv,
++                                  NULL,
++                                  NULL);
++
++  if(return_code == LDAP_COMPARE_TRUE)
++  {
++    if(berv != NULL)
++    {
++      ber_free(berv, 0);
++    }
++    ldap_memfree(attr);
++    ldap_msgfree(response);
++    ldap_value_free(gid);
++    ldap_value_free(uid);
++
++    return false;
++  }
++  else if (return_code != LDAP_COMPARE_FALSE)
++  {
++
++    error= "ldap_compare_ext_s failed";
++    error+= ldap_err2string(return_code);
++    printerror();
++
++    if(berv != NULL)
++    {
++      ber_free(berv, 0);
++    }
++    ldap_memfree(attr);
++    ldap_msgfree(response);
++    ldap_value_free(gid);
++    ldap_value_free(uid);
++    return true;
++  }
++
++  //If they are not in the same group, search for the supplementaries
++  ldap_msgfree(response);
++  ldap_memfree(attr);
++
++  if(berv != NULL)
++  {
++    ber_free(berv, 0);
++  }
++
++  filter= "(cn=" + session_ctx.username() + ")";
++
++  const char *attrs2[]= {"gidNumber", NULL};
++
++  return_code= ldap_search_ext_s( ldap,
++                                  users_dir.c_str(),
++                                  LDAP_SCOPE_ONELEVEL,
++                                  filter.c_str(),
++                                  const_cast<char**>(attrs2),
++                                  0,
++                                  NULL,
++                                  NULL,
++                                  NULL,
++                                  1,
++                                  &response);
++
++
++  if(return_code != LDAP_SUCCESS)
++  {
++    error= "ldap_search_ext_s failed:";
++    error+= ldap_err2string(return_code);
++    printerror();
++    ldap_msgfree(response);
++    ldap_value_free(gid);
++    ldap_value_free(uid);
++    return true;
++  }
++
++  LDAPMessage *entry2= ldap_first_entry(ldap, response);
++  ldap_entries= ldap_count_entries(ldap, entry2);
++
++  if(ldap_entries == 0 || ldap_entries == -1)
++  {
++    ldap_msgfree(response);
++    ldap_value_free(gid);
++    ldap_value_free(uid);
++    return true;
++  }
++
++  attr= ldap_first_attribute(ldap, entry2, &berv); //attr is gidNumber
++  char **gidNumber= ldap_get_values(ldap, entry2, attr); //we got the gidNumber of user B
++
++  if(gidNumber==NULL)
++  {
++    if(berv != NULL)
++    {
++      ber_free(berv, 0);
++    }
++
++    ldap_memfree(attr);
++    ldap_msgfree(response);
++    ldap_value_free(gid);
++    ldap_value_free(uid);
++    return true;
++  }
++
++  filter= "gidNumber=";
++  filter+= gidNumber[0];
++
++  // searching for the user B group attrs
++  return_code= ldap_search_ext_s(ldap,
++                                 groups_dir.c_str(),
++                                 LDAP_SCOPE_ONELEVEL,
++                                 filter.c_str(),
++                                 NULL, /* all attributes are requested */
++                                 0,
++                                 NULL,
++                                 NULL,
++                                 NULL,
++                                 1,
++                                 &response);
++
++  if(return_code != LDAP_SUCCESS)
++  {
++    error= "ldap_search_ext_s failed:";
++    error+= ldap_err2string(return_code);
++    printerror();
++
++    ldap_msgfree(response);
++    ldap_value_free(gid);
++    ldap_value_free(uid);
++
++    return true;
++  }
++
++  LDAPMessage *grp_entry= ldap_first_entry(ldap, response);
++  ldap_entries= ldap_count_entries(ldap, grp_entry);
++
++  if(ldap_entries == 0 || ldap_entries == -1)
++  {
++
++    if(berv != NULL)
++    {
++      ber_free(berv, 0);
++    }
++
++    ldap_memfree(attr);
++    ldap_msgfree(response);
++    ldap_value_free(gidNumber);
++    ldap_value_free(gid);
++    ldap_value_free(uid);
++    return true;
++  }
++
++  char *group_dn= ldap_get_dn(ldap, grp_entry);
++
++  if(group_dn == NULL)
++  {
++
++    if(berv != NULL)
++    {
++      ber_free(berv, 0);
++    }
++
++    ldap_memfree(attr);
++    ldap_value_free(gidNumber);
++    ldap_value_free(gid);
++    ldap_value_free(uid);
++
++    return true;
++  }
++
++  if(uid == NULL)
++  {
++    return true;
++  }
++  struct berval ber_uid;
++  ber_uid.bv_len= strlen(uid[0]);
++  ber_uid.bv_val= uid[0];
++
++  return_code= ldap_compare_ext_s(ldap,
++                                  group_dn,
++                                  "memberUID",
++                                  &ber_uid,
++                                  NULL,
++                                  NULL);
++  bool retval= true;
++
++  if(return_code == LDAP_COMPARE_TRUE)
++  {
++    retval= false;
++  }
++  else if(return_code != LDAP_COMPARE_FALSE)
++  {
++    error= "ldap_compare_ext_s failed:";
++    error+= ldap_err2string(return_code);
++    printerror();
++  }
++
++  ldap_memfree(group_dn);
++  if(berv != NULL)
++  {
++    ber_free(berv, 0);
++  }
++  ldap_memfree(attr);
++  ldap_value_free(gidNumber);
++  ldap_value_free(gid);
++  ldap_value_free(uid);
++
++  return retval;
++}
++
++
++/**
++ * check_if_allowed returns TRUE if user is NOT authorized in target table. Otherwise, it returns FALSE.
++ * check_if_allowed function, checks if uidNumber attribute of user's LDAP record matches with
++ * allowedUsers attribute of tables's LDAP record or gidNumber matches with allowedGroups.
++ * If neither of them matches, check_if_allowed search for the supplementaries groups of user
++ * and returns true if none of them is allowed. Otherwise it returns false.
++ */
++
++bool LDAP_policy::check_if_allowed(LDAPMessage *u_rep, const drizzled::identifier::User &user, const drizzled::identifier::Table &table)
++{
++  LDAPMessage *entry= ldap_first_entry(ldap, u_rep);
++	int rc;
++	string table_dn= "cn=" + table.getTableName() + "," + tables_dir;
++	char *uattr, **gid= NULL, **uid= NULL;
++	BerElement *uber_val;
++	int ldap_entries= ldap_count_entries(ldap, entry);
++
++	if(ldap_entries == 0 || ldap_entries == -1)
++	{
++		return true;
++	}
++
++	for(uattr= ldap_first_attribute(ldap, entry, &uber_val);
++      uattr != NULL;
++      uattr=ldap_next_attribute(ldap, entry, uber_val))
++	{
++		if( not strcmp(uattr, "gidNumber"))
++		{
++			gid= ldap_get_values(ldap, entry, uattr);
++
++			struct berval bval;
++			bval.bv_val= gid[0];
++			bval.bv_len= strlen(gid[0]);
++
++			rc= ldap_compare_ext_s( ldap,
++                              table_dn.c_str(),
++                              "allowedGroups",
++                              &bval,
++                              NULL,
++                              NULL);
++
++			if(rc == LDAP_COMPARE_TRUE)
++			{
++				if(uber_val != NULL)
++				{
++					ber_free(uber_val, 0);
++				}
++
++				ldap_memfree(uattr);
++
++				if(uid!=NULL)
++					ldap_value_free(uid);
++
++				ldap_value_free(gid);
++
++				user_cache.insert(user, table, true);
++
++				return false;
++			}
++			else if(rc != LDAP_COMPARE_FALSE)
++			{
++				error= "ldap_compare_ext_s failed: ";
++				error+= ldap_err2string(rc);
++				printerror();
++
++				if(uber_val != NULL)
++				{
++					ber_free(uber_val, 0);
++				}
++
++				ldap_memfree(uattr);
++
++				if(uid!=NULL)
++					ldap_value_free(uid);
++
++				ldap_value_free(gid);
++
++				return true;
++			}
++
++		}
++		else if( not strcmp(uattr, "uidNumber"))
++		{
++			uid= ldap_get_values(ldap, entry,  uattr);
++
++			struct berval bval;
++			bval.bv_val= uid[0];
++			bval.bv_len= strlen(uid[0]);
++
++			rc= ldap_compare_ext_s(	ldap,
++                              table_dn.c_str(),
++                              "allowedUsers",
++                              &bval,
++                              NULL,
++                              NULL);
++
++			if( rc == LDAP_COMPARE_TRUE )
++			{
++
++				if(uber_val != NULL)
++				{
++					ber_free(uber_val, 0);
++				}
++				ldap_memfree(uattr);
++
++				if(gid!=NULL)
++					ldap_value_free(gid);
++
++				ldap_value_free(uid);
++
++				user_cache.insert(user, table, true);
++
++				return false;
++			}
++			else if(rc != LDAP_COMPARE_FALSE)
++			{
++				error= "ldap_compare_ext_s failed: ";
++				error+= ldap_err2string(rc);
++				printerror();
++
++				if(uber_val != NULL)
++				{
++					ber_free(uber_val, 0);
++				}
++
++				ldap_memfree(uattr);
++
++				if(gid!=NULL)
++					ldap_value_free(gid);
++
++				ldap_value_free(uid);
++
++				return true;
++			}
++		}
++	}
++
++	if(uber_val != NULL)
++	{
++		ber_free(uber_val, 0);
++	}
++
++	ldap_memfree(uattr);
++
++	const char *group_attrs[]= {  "gidNumber",
++                                NULL
++                                };
++
++	LDAPMessage *group_response;
++
++	string filter= "(memberUID=";
++	filter+= uid[0];
++	filter+= ")";
++
++	rc= ldap_search_ext_s(ldap,
++                        groups_dir.c_str(),
++                        LDAP_SCOPE_ONELEVEL,
++                        filter.c_str(),
++                        const_cast<char**>(group_attrs),
++                        0,
++                        NULL,
++                        NULL,
++                        NULL,
++                        LDAP_NO_LIMIT,
++                        &group_response);
++
++	if( rc != LDAP_SUCCESS)
++	{
++		error= "ldap_search_ext_s: ";
++		error+= ldap_err2string(rc);
++		printerror();
++		ldap_value_free(uid);
++		ldap_value_free(gid);
++
++		return true;
++	}
++
++	LDAPMessage *gentry= ldap_first_entry(ldap, group_response);
++	ldap_entries= ldap_count_entries(ldap, gentry);
++
++	if(ldap_entries == 0 || ldap_entries == -1)
++	{
++		ldap_value_free(gid);
++		ldap_value_free(uid);
++		ldap_msgfree(gentry);
++		ldap_msgfree(group_response);
++
++		return true;
++	}
++
++	BerElement *gber;
++	char *gattr= ldap_first_attribute(ldap, gentry, &gber); // it has only one attribute, gidNumber
++
++	if(gattr == NULL)
++	{
++		ldap_value_free(gid);
++		ldap_value_free(uid);
++		if(gber != NULL)
++		{
++			ber_free(gber, 0);
++		}
++		ldap_msgfree(group_response);
++		ldap_msgfree(gentry);
++		return true;
++	}
++
++	char **groups= ldap_get_values(ldap, gentry, gattr); // we have the gidNumber attribute of users' supplementaries groups
++
++	if(groups == NULL)
++	{
++		ldap_value_free(gid);
++		ldap_value_free(uid);
++		if( gber != NULL )
++		{
++			ber_free(gber, 0);
++		}
++		ldap_msgfree(group_response);
++		ldap_msgfree(gentry);
++		return true;
++	}
++
++	int num_of_val= ldap_count_values(groups) - 1;
++
++	while( num_of_val >= 0)
++	{
++		struct berval bval;
++		bval.bv_len= strlen(groups[num_of_val]);
++		bval.bv_val= groups[num_of_val];
++
++		rc= ldap_compare_ext_s(	ldap,
++                            table_dn.c_str(),
++                            "allowedGroups",
++                            &bval,
++                            NULL,
++                            NULL);
++
++		if( rc == LDAP_COMPARE_TRUE )
++		{
++
++			if(gber != NULL)
++			{
++				ber_free(gber, 0);
++			}
++			ldap_memfree(gattr);
++			ldap_value_free(groups);
++			ldap_value_free(gid);
++			ldap_value_free(uid);
++			ldap_msgfree(gentry);
++
++			user_cache.insert(user, table, true);
++
++			return false;
++		}
++		else if( rc != LDAP_COMPARE_FALSE )
++		{
++			error= "ldap_compare_ext_s failed: ";
++			error+= ldap_err2string(rc);
++			printerror();
++
++			if(gber != NULL)
++			{
++				ber_free(gber, 0);
++			}
++
++			ldap_memfree(gattr);
++			ldap_value_free(groups);
++			ldap_value_free(gid);
++			ldap_value_free(uid);
++			ldap_msgfree(gentry);
++
++			return true;
++		}
++
++		num_of_val--;
++	}
++
++	if(gber != NULL)
++	{
++		ber_free(gber, 0);
++	}
++
++	ldap_memfree(gattr);
++	ldap_value_free(groups);
++	ldap_value_free(gid);
++	ldap_value_free(uid);
++	ldap_msgfree(gentry);
++	ldap_msgfree(group_response);
++
++	user_cache.insert(user, table, false);
++
++	return true;
++}
++
++
++/**
++ * check_if_allowed returns TRUE if user is NOT authorized in target schema. Otherwise, it returns FALSE.
++ * check_if_allowed function, checks if uidNumber attribute of user's LDAP record matches with
++ * allowedUsers attribute of schema's LDAP record or gidNumber matches with allowedGroups.
++ * If neither of them matches, check_if_allowed search for the supplementaries groups of user
++ * and returns true if none of them is allowed. Otherwise it returns false.
++ */
++
++bool LDAP_policy::check_if_allowed(LDAPMessage *u_rep, const drizzled::identifier::User &user, const drizzled::identifier::Schema& schema)
++{
++  LDAPMessage *entry= ldap_first_entry(ldap, u_rep);
++  int ldap_entries= ldap_count_entries(ldap, entry);
++  if(ldap_entries == 0 || ldap_entries == -1)
++  {
++    return true;
++  }
++
++  int rc;
++  string user_id;
++  char *uattr, **gid= NULL, **uid= NULL;
++  uid= NULL;
++  BerElement *uber_val;
++  string schema_dn= "cn=" + schema.getSchemaName() + "," + schemas_dir;
++
++  for(uattr= ldap_first_attribute(ldap, entry, &uber_val);
++      uattr!=NULL;
++      uattr=ldap_next_attribute(ldap, entry, uber_val))
++  {
++
++	if(not strcmp(uattr, "gidNumber"))
++    {
++      gid= ldap_get_values(ldap, entry, uattr);
++
++      struct berval bval;
++      bval.bv_val= gid[0];
++      bval.bv_len= strlen(gid[0]);
++
++      rc= ldap_compare_ext_s( ldap,
++                              schema_dn.c_str(),
++                              "allowedGroups",
++                              &bval,
++                              NULL,
++                              NULL);
++
++      if( rc == LDAP_COMPARE_TRUE)
++      {
++        if(uber_val != NULL)
++        {
++          ber_free(uber_val, 0);
++        }
++        ldap_memfree(uattr);
++        ldap_value_free(gid);
++
++        if(uid != NULL)
++          ldap_value_free(uid);
++
++        user_cache.insert(user, schema, true);
++
++        return false;
++      }
++      else if(rc != LDAP_COMPARE_FALSE)
++      {
++        //Maybe when return code is "No such object" I could add in cache.
++
++        error= "ldap_compare_ext_s failed: ";
++        error+= ldap_err2string(rc);
++        printerror();
++
++        if(uber_val != NULL)
++        {
++          ber_free(uber_val, 0);
++        }
++
++        ldap_memfree(uattr);
++        ldap_value_free(gid);
++
++        if( uid != NULL)
++          ldap_value_free(uid);
++
++        return true;
++      }
++    }
++    else if (not strcmp(uattr, "uidNumber"))
++    {
++      uid= ldap_get_values(ldap, entry, uattr);
++
++      struct berval bval;
++      bval.bv_val= uid[0];
++      bval.bv_len= strlen(uid[0]);
++
++      rc= ldap_compare_ext_s(	ldap,
++                              schema_dn.c_str(),
++                              "allowedUsers",
++                              &bval,
++                              NULL,
++                              NULL);
++
++      if( rc == LDAP_COMPARE_TRUE)
++      {
++
++        if(uber_val != NULL)
++        {
++          ber_free(uber_val, 0);
++        }
++
++        if(gid != NULL)
++          ldap_value_free(gid);
++
++        ldap_memfree(uattr);
++        ldap_value_free(uid);
++
++        user_cache.insert(user, schema, true);
++
++        return false;
++      }
++      else if (rc != LDAP_COMPARE_FALSE)
++      {
++
++        error= "ldap_compare_ext_s failed: ";
++        error+= ldap_err2string(rc);
++        printerror();
++        if(uber_val != NULL)
++        {
++          ber_free(uber_val, 0);
++        }
++        ldap_memfree(uattr);
++
++        if(uid != NULL)
++          ldap_value_free(uid);
++
++        ldap_value_free(gid);
++
++        return true;
++      }
++    }
++  }
++
++  ldap_memfree(uattr);
++
++  if(uber_val != NULL)
++  {
++    ber_free(uber_val, 0);
++  }
++
++  if(uid==NULL)
++  {
++    return true;
++  }
++  const char *gattrs[]= {"gidNumber",
++                          NULL
++                        };
++
++  LDAPMessage *group_response;
++
++  string filter= "(memberUID=";
++  filter+= uid[0];
++  filter+= ")";
++
++  rc= ldap_search_ext_s(ldap,
++                        groups_dir.c_str(),
++                        LDAP_SCOPE_ONELEVEL,
++                        filter.c_str(),
++                        const_cast<char**>(gattrs),
++                        0,
++                        NULL,
++                        NULL,
++                        NULL,
++                        LDAP_NO_LIMIT,
++                        &group_response);
++
++  if(rc != LDAP_SUCCESS)
++  {
++    error= "ldap_search_ext_s: ";
++    error+= ldap_err2string(rc);
++    printerror();
++    return true;
++  }
++
++  LDAPMessage *gentry= ldap_first_entry(ldap, group_response);
++  BerElement *gber;
++
++  char *gattr= ldap_first_attribute(ldap, gentry, &gber);
++  char **groups= ldap_get_values(ldap, gentry, gattr); // exoyme ta groups sta opoia anoikei o user
++
++  for(int num_of_values= ldap_count_values(groups) - 1; num_of_values >= 0; num_of_values--)
++  {
++    struct berval bval;
++    bval.bv_len= strlen(groups[num_of_values]);
++    bval.bv_val= groups[num_of_values];
++
++    if( ldap_compare_ext_s(	ldap,
++                            schema_dn.c_str(),
++                            "allowedGroups",
++                            &bval,
++                            NULL,
++                            NULL) == LDAP_COMPARE_TRUE)
++    {
++
++	  if(gber != NULL)
++      {
++        ber_free(gber, 0);
++      }
++      ldap_memfree(gattr);
++      ldap_value_free(groups);
++
++      user_cache.insert(user, schema, true);
++
++      return false;
++    }
++  }
++
++  if(gber != NULL)
++  {
++        ber_free(gber, 0);
++  }
++  ldap_memfree(gattr);
++  ldap_value_free(groups);
++  ldap_msgfree(group_response);
++
++  user_cache.insert(user, schema, false);
++
++  return true;
++}
++
++bool LDAP_policy::restrictTable(const drizzled::identifier::User &user_ctx,
++                                const drizzled::identifier::Table& table)
++{
++
++  if( table.getSchemaName() == "information_schema" || table.getSchemaName() == "INFORMATION_SCHEMA")
++  {
++    return false;
++  }
++
++  LDAPMessage *user_response;
++
++  const char *uattrs[]= { "uidNumber",
++                          "gidNumber",
++                          NULL
++                          };
++
++  string filter= "(&(cn=" + user_ctx.username() + ")(BelongInSchema=" + table.getSchemaName() + "))";
++  /* Schema attribute allows to determine from which schema, is the table we are looking for.
++	   Still I need to implement the BelongInSchema schema */
++
++  CacheResponse cache_res= user_cache.is_authorized(user_ctx, table);
++
++  if(cache_res == ALLOWED)
++  {
++    return false;
++  }
++  else if(cache_res == DENIED)
++  {
++    return true;
++  }
++
++  int return_code= ldap_search_ext_s( ldap,
++                                      users_dir.c_str(),
++                                      LDAP_SCOPE_ONELEVEL,
++                                      filter.c_str(),
++                                      const_cast<char**>(uattrs),
++                                      0,
++                                      NULL,
++                                      NULL,
++                                      NULL,
++                                      1,
++                                      &user_response);
++
++  if(return_code != LDAP_SUCCESS)
++  {
++    error= "ldap_search_ext_s failed:";
++    error+= ldap_err2string(return_code);
++    printerror();
++
++    return true;
++  }
++
++  bool restr= check_if_allowed(user_response, user_ctx, table);
++
++  ldap_msgfree(user_response);
++
++  return restr;
++}
++
++bool LDAP_policy::restrictSchema(const drizzled::identifier::User &user_ctx,
++                                 const drizzled::identifier::Schema& schema)
++{
++
++  if(schema.getSchemaName() == "information_schema" || schema.getSchemaName() == "INFORMATION_SCHEMA")
++  {
++    return false;
++  }
++
++  CacheResponse cache_res= user_cache.is_authorized(user_ctx, schema);
++
++  if(cache_res == ALLOWED)
++  {
++    return false;
++  }
++  else if (cache_res == DENIED)
++  {
++    return true;
++  }
++
++  LDAPMessage *user_response;
++  const char *uattrs[]= { "uidNumber",
++                          "gidNumber",
++                          NULL
++                          };
++  string filter = "(cn=" + user_ctx.username() + ")";
++
++  int return_code= ldap_search_ext_s(ldap,
++                                     users_dir.c_str(),
++                                     LDAP_SCOPE_ONELEVEL,
++                                     filter.c_str(),
++                                     const_cast<char**>(uattrs),
++                                     0,
++                                     NULL,
++                                     NULL,
++                                     NULL,
++                                     1,
++                                     &user_response); //search for gidNumber and uidNumber in users' directory
++
++  if(return_code != LDAP_SUCCESS) {
++    error= "ldap_search_ext_s failed:";
++    error+= ldap_err2string(return_code);
++    printerror();
++    return true;
++  }
++
++  bool restr= check_if_allowed(user_response, user_ctx, schema);
++  ldap_msgfree(user_response);
++
++  return restr;
++}
++
++bool LDAP_policy::connect(void)
++{
++  int return_code= ldap_initialize(&ldap, (char *)uri.c_str());
++
++  if (return_code != LDAP_SUCCESS)
++  {
++    error= "ldap_initialize failed: ";
++    error+= ldap_err2string(return_code);
++    printerror();
++    return false;
++  }
++
++  int version= 3;
++  return_code= ldap_set_option(ldap, LDAP_OPT_PROTOCOL_VERSION, &version);
++
++  if (return_code != LDAP_SUCCESS)
++  {
++    ldap_unbind_ext_s(ldap, NULL, NULL);
++    ldap= NULL;
++    error= "ldap_set_option failed: ";
++    error+= ldap_err2string(return_code);
++    printerror();
++    return false;
++  }
++
++  return_code= ldap_simple_bind_s(ldap, NULL, NULL);
++
++  if (return_code != LDAP_SUCCESS)
++  {
++    ldap_unbind(ldap);
++    ldap= NULL;
++    error= "ldap_simple_bind_s failed: ";
++    error+= ldap_err2string(return_code);
++    printerror();
++
++    return false;
++  }
++
++  return true;
++
++}
++
++inline bool CacheItem::is_valid() const
++{
++	time_t temp_timer;
++	temp_timer = time(NULL);
++
++	if(temp_timer - timer > cache_timeout)
++	{
++		return false;
++	}
++	else
++	{
++		return true;
++	}
++}
++
++void UserCache::insert(const drizzled::identifier::User &user, const drizzled::identifier::Table &table, bool auth)
++{
++  string user_name= user.username();
++
++  if(table_cache.count(user_name) != 1) // user not found, need to insert a new one
++  {
++    CacheItem new_cache_item(user_name, table.getTableName(), table.getSchemaName(), auth);
++    table_cache.insert(CacheMap::value_type(user_name, ItemDeque()));
++    table_cache[user_name].push_back(new_cache_item);
++  }
++  else //user found
++  {
++    CacheItem new_cache_item(user_name, table.getTableName(), table.getSchemaName(), auth);
++    table_cache[user_name].push_back(new_cache_item);
++  }
++}
++
++void UserCache::insert(const drizzled::identifier::User &user, const drizzled::identifier::Schema &schema, bool auth)
++{
++  string user_name= user.username();
++
++	if(schema_cache.count(user.username()) != 1)
++	{
++	  CacheItem new_cache_item(user_name, "", schema.getSchemaName(), auth);
++		schema_cache.insert(CacheMap::value_type(user_name, ItemDeque()));
++		schema_cache[user_name].push_back(new_cache_item);
++	}
++	else
++	{
++		CacheItem new_cache_item(user_name, "", schema.getSchemaName(), auth);
++		schema_cache[user_name].push_back(new_cache_item);
++	}
++}
++
++int UserCache::remove(const drizzled::identifier::User &user, const drizzled::identifier::Table &table)
++{
++  CacheMap_Iterator map_iterator;
++	map_iterator= table_cache.find(user.username());
++
++	if(map_iterator == table_cache.end() )
++	{
++		return -1;
++	}
++
++	ItemDeque::iterator deque_iter;
++
++	string user_name= user.username();
++	string table_name= table.getTableName();
++	string schema_name= table.getSchemaName();
++
++	for( 	deque_iter= table_cache[user_name].begin();
++			deque_iter != table_cache[user_name].end();
++			deque_iter++)
++	{
++		if( (deque_iter->getTable() == table_name)
++			&& (deque_iter->getSchema() == schema_name) )
++		{
++			break;
++		}
++	}
++
++	if(deque_iter != table_cache[user_name].end())
++	{
++	  table_cache[user_name].erase(deque_iter);
++
++	  return 0;
++	}
++	return -1;
++}
++
++int UserCache::remove(const drizzled::identifier::User &user, const drizzled::identifier::Schema &schema)
++{
++  CacheMap_Iterator map_iterator;
++  map_iterator= schema_cache.find(user.username());
++
++  if( map_iterator == schema_cache.end())
++  {
++	return -1;
++  }
++
++  ItemDeque::iterator deque_iter;
++
++  string user_name= user.username();
++  string schema_name= schema.getSchemaName();
++
++  for(	deque_iter= schema_cache[user_name].begin();
++		deque_iter != schema_cache[user_name].end();
++		deque_iter++)
++  {
++    if( deque_iter->getSchema() == schema_name)
++    {
++      break;
++    }
++  }
++
++  if( deque_iter != schema_cache[user_name].end())
++  {
++    schema_cache[user_name].erase(deque_iter);
++
++    return 0;
++  }
++  return -1;
++}
++
++CacheResponse UserCache::is_authorized(const drizzled::identifier::User &user, const drizzled::identifier::Schema &schema)
++{
++	if(schema_cache.size() == 0)
++    return NOT_FOUND;
++
++	CacheMap_Iterator map_iterator;
++	map_iterator= schema_cache.find(user.username());
++
++	if(map_iterator != schema_cache.end())
++	{
++		ItemDeque::iterator deque_iter;
++
++		string user_name= user.username();
++		string schema_name= schema.getSchemaName();
++
++		for(deque_iter= schema_cache[user_name].begin();
++			deque_iter != schema_cache[user_name].end();
++			deque_iter++)
++		{
++		  if(deque_iter->getSchema() == schema_name)
++		  {
++		    break;
++		  }
++		}
++
++
++		if(deque_iter != schema_cache[user_name].end())
++		{
++		  if(deque_iter->is_valid())
++		  {
++		    if(deque_iter->is_authorized())
++			{
++			  return ALLOWED;
++			}
++			else
++			{
++			  return DENIED;
++			}
++		  }
++		  else
++		  {
++			remove(user, schema);
++		    return NOT_FOUND;
++		  }
++		}
++		else //not found
++		{
++		  return NOT_FOUND;
++		}
++	}
++	else
++	{
++		return NOT_FOUND;
++	}
++}
++
++CacheResponse UserCache::is_authorized(const drizzled::identifier::User &user, const drizzled::identifier::Table &table)
++{
++	if(table_cache.size() == 0)
++		return NOT_FOUND;
++
++	CacheMap_Iterator map_iterator;
++	map_iterator= table_cache.find(user.username());
++
++	if(map_iterator != table_cache.end())
++	{
++		ItemDeque::iterator deque_iter;
++
++		string user_name= user.username();
++		string table_name= table.getTableName();
++		string schema_name= table.getSchemaName();
++
++		for(deque_iter= table_cache[user_name].begin();
++			deque_iter != table_cache[user_name].end();
++			deque_iter++)
++		{
++		  if(deque_iter->getTable() == table_name
++			&& deque_iter->getSchema() == schema_name)
++		  {
++			break;
++		  }
++		}
++
++
++		if(deque_iter != table_cache[user_name].end())
++		{
++		  if(deque_iter->is_valid())
++		  {
++			  if(deque_iter->is_authorized())
++			  {
++				return ALLOWED;
++			  }
++			  else
++			  {
++				return DENIED;
++			  }
++		  }
++		  else //cache item has expired, so we should remove it
++		  {
++			remove(user, table);
++			return NOT_FOUND;
++		  }
++		}
++		else // table/schema for the user does not exist in cache
++		{
++		  return NOT_FOUND;
++		}
++	}
++	else //user does not exist in cache
++	{
++		return NOT_FOUND;
++	}
++}
++
++} /* namespace ldap_policy */
++
++DRIZZLE_DECLARE_PLUGIN
++{
++  DRIZZLE_VERSION_ID,
++  "ldap_policy",
++  "0.1",
++  "Sialveras Zisis",
++  N_("LDAP based authorization system"),
++  PLUGIN_LICENSE_GPL,
++  ldap_policy::init,
++  NULL,
++  ldap_policy::init_options
++}
++DRIZZLE_DECLARE_PLUGIN_END;
++
 === added file 'plugin/ldap_policy/ldap_policy.hpp'
 --- plugin/ldap_policy/ldap_policy.hpp	1970-01-01 00:00:00 +0000
 +++ plugin/ldap_policy/ldap_policy.hpp	2012-08-21 14:09:20 +0000
@@ -0,0 +1,194 @@
++/* -*- mode: c++; c-basic-offset: 2; indent-tabs-mode: nil; -*-
++ *  vim:expandtab:shiftwidth=2:tabstop=2:smarttab:
++ *
++ *  Copyright (C) 2012 Zisis Sialveras
++ *
++ *  This program is free software; you can redistribute it and/or modify
++ *  it under the terms of the GNU General Public License as published by
++ *  the Free Software Foundation; version 2 of the License.
++ *
++ *  This program is distributed in the hope that it will be useful,
++ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
++ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++ *  GNU General Public License for more details.
++ *
++ *  You should have received a copy of the GNU General Public License
++ *  along with this program; if not, write to the Free Software
++ *  Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
++ */
++
++
++#pragma once
++
++#include <config.h>
++
++
++#include <boost/unordered_map.hpp>
++
++#include <drizzled/plugin/authorization.h>
++#include <drizzled/plugin.h>
++
++#include <deque>
++#include <string>
++#include <ctime>
++
++#define LDAP_DEPRECATED 1
++#include <ldap.h>
++
++namespace ldap_policy
++{
++
++std::string DEFAULT_URI= "ldap://localhost/";
++std::string DEFAULT_USERS_DIR= "ou=users,dc=example,dc=com";
++std::string DEFAULT_SCHEMAS_DIR= "ou=schemas,dc=example,dc=com";
++std::string DEFAULT_TABLES_DIR= "ou=tables,dc=example,dc=com";
++std::string DEFAULT_GROUPS_DIR= "ou=groups,dc=example,dc=com";
++time_t DEFAULT_CACHE_TIMEOUT= 500;
++
++time_t cache_timeout;
++std::string uri;
++std::string groups_dir;
++std::string base_dn;
++std::string bind_passwd;
++std::string users_dir;
++std::string schemas_dir;
++std::string tables_dir;
++
++
++class CacheItem
++{
++	std::string user, table, schema;
++	bool authorized;
++	time_t timer;
++
++ public:
++
++  CacheItem(std::string u, std::string t, std::string s, bool a): user(u), table(t), schema(s), authorized(a)
++	{
++		timer = time(NULL);
++	};
++
++	/*
++	CacheItem()
++	{
++		gettimeofday(&tv, NULL);
++	};
++	*/
++
++	~CacheItem(){};
++
++	inline bool is_valid() const;
++
++	inline bool is_authorized()
++	{
++	  return authorized;
++	};
++
++	void setTable(std::string t)
++	{
++		table = t;
++	};
++
++	void setSchema(std::string s)
++	{
++		schema = s;
++	};
++
++	inline std::string getTable()
++	{
++		return table;
++	};
++
++	inline std::string getSchema()
++	{
++		return schema;
++	};
++
++};
++
++typedef std::deque<CacheItem> ItemDeque;
++typedef boost::unordered_map<std::string, ItemDeque> CacheMap;
++typedef boost::unordered_map<std::string, ItemDeque>::const_iterator CacheMap_Iterator;
++
++typedef enum
++{
++  ALLOWED,
++  DENIED,
++  NOT_FOUND
++} CacheResponse;
++
++class UserCache
++{
++  CacheMap table_cache, schema_cache;
++
++ public:
++
++  UserCache() {};
++
++  ~UserCache() {};
++
++  /**
++   * Insert a schema/table in cache for a specific user.
++   *
++   * If the last parametr is true then the user is allowed to access the schema/table.
++   * Otherwise, if it is false, access is denied.
++   */
++  void insert(const drizzled::identifier::User &, const drizzled::identifier::Table &, bool );
++  void insert(const drizzled::identifier::User &, const drizzled::identifier::Schema &, bool );
++
++  /**
++   * Removes a schema/table from cache for a specific user.
++   */
++  int remove(const drizzled::identifier::User &, const drizzled::identifier::Table &);
++  int remove(const drizzled::identifier::User &, const drizzled::identifier::Schema &);
++
++  /**
++   * Returns if a user is authorized to access target schema/table.
++   */
++  CacheResponse is_authorized(const drizzled::identifier::User &, const drizzled::identifier::Table &);
++  CacheResponse is_authorized(const drizzled::identifier::User &, const drizzled::identifier::Schema &);
++
++} user_cache;
++
++class LDAP_policy :
++  public drizzled::plugin::Authorization
++{
++
++  std::string error;
++  LDAP *ldap;
++
++  void printerror();
++
++  bool check_if_allowed(LDAPMessage *, const drizzled::identifier::User &, const drizzled::identifier::Schema& );
++  bool check_if_allowed(LDAPMessage *, const drizzled::identifier::User &, const drizzled::identifier::Table & );
++
++ public:
++  LDAP_policy():
++    drizzled::plugin::Authorization("ldap_policy")
++  {
++
++  }
++
++  ~LDAP_policy()
++  {
++	if(ldap != NULL)
++		ldap_unbind(ldap);
++  }
++
++  bool connect(void);
++
++  virtual bool restrictSchema(const drizzled::identifier::User &user_ctx,
++                              const drizzled::identifier::Schema& schema);
++
++  virtual bool restrictProcess(const drizzled::identifier::User &user_ctx,
++                              const drizzled::identifier::User &session_ctx);
++
++  virtual bool restrictTable(const drizzled::identifier::User& user_ctx,
++                            const drizzled::identifier::Table& table);
++
++
++};
++
++} /* namespace ldap_policy */
++
++
 === added file 'plugin/ldap_policy/plugin.ini'
 --- plugin/ldap_policy/plugin.ini	1970-01-01 00:00:00 +0000
 +++ plugin/ldap_policy/plugin.ini	2012-08-21 14:09:20 +0000
@@ -0,0 +1,3 @@
++[plugin]
++build_conditional="x${ac_cv_libldap}" = "xyes"
++ldflags=${LTLIBLDAP}
 === modified file 'tests/lib/server_mgmt/drizzled.py'
 --- tests/lib/server_mgmt/drizzled.py	2012-06-19 18:46:42 +0000
 +++ tests/lib/server_mgmt/drizzled.py	2012-08-21 14:09:20 +0000
@@ -200,8 +200,9 @@
          # This is what test-run.pl does and it helps us pass logging_stats tests
          # while not self.ping_server(server, quiet=True) and timer != timeout:
--        return self.system_manager.find_path( [self.pid_file]
--                                            , required=0)
++        #return self.system_manager.find_path( [self.pid_file]
++        #                                    , required=0)
++        return self.ping(quiet=True)
      def create_slave_config_file(self):
         """ Create a config file suitable for use