Move authentication configuration cache into libotp

This enables plugins to share authentication configuration cache code.

Additionally, update the caching mechanism to be declarative and faster.

Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>

7 files changed, 29 insertions, 413 deletions

diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am b/daemons/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am
index eeb352611..1ab6c6704 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am
@@ -44,7 +44,6 @@ libipa_pwd_extop_la_LIBADD  = \
 	$(ASN1_UTIL_DIR)/libipaasn1.la  \
 	$(NULL)
 libipa_pwd_extop_la_SOURCES = 		\
-	authcfg.c			\
 	common.c			\
 	encoding.c			\
 	prepost.c			\
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/authcfg.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/authcfg.c
deleted file mode 100644
index 3ab5668ed..000000000
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/authcfg.c
+++ /dev/null
@@ -1,280 +0,0 @@
-/** BEGIN COPYRIGHT BLOCK
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation, either version 3 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program.  If not, see <http://www.gnu.org/licenses/>.
- *
- * Additional permission under GPLv3 section 7:
- *
- * In the following paragraph, "GPL" means the GNU General Public
- * License, version 3 or any later version, and "Non-GPL Code" means
- * code that is governed neither by the GPL nor a license
- * compatible with the GPL.
- *
- * You may link the code of this Program with Non-GPL Code and convey
- * linked combinations including the two, provided that such Non-GPL
- * Code only links to the code of this Program through those well
- * defined interfaces identified in the file named EXCEPTION found in
- * the source code files (the "Approved Interfaces"). The files of
- * Non-GPL Code may instantiate templates or use macros or inline
- * functions from the Approved Interfaces without causing the resulting
- * work to be covered by the GPL. Only the copyright holders of this
- * Program may make changes or additions to the list of Approved
- * Interfaces.
- *
- * Authors:
- * Nathaniel McCallum <npmccallum@redhat.com>
- *
- * Copyright (C) 2014 Red Hat, Inc.
- * All rights reserved.
- * END COPYRIGHT BLOCK **/
-
-#include "authcfg.h"
-#include "ipapwd.h"
-
-#include "pratom.h"
-
-static struct config {
-    struct config *next;
-    Slapi_DN *suffix;
-    uint32_t config;
-} *config;
-
-static uint32_t string_to_config(const char *str)
-{
-    static const struct {
-        const char *string;
-        uint32_t config;
-    } map[] = {
-        { "disabled", AUTHCFG_AUTH_TYPE_DISABLED },
-        { "password", AUTHCFG_AUTH_TYPE_PASSWORD },
-        { "otp",      AUTHCFG_AUTH_TYPE_OTP },
-        { "pkinit",   AUTHCFG_AUTH_TYPE_PKINIT },
-        { "radius",   AUTHCFG_AUTH_TYPE_RADIUS },
-        {}
-    };
-
-    for (uint32_t i = 0; map[i].string != NULL; i++) {
-        if (strcasecmp(map[i].string, str) == 0)
-            return map[i].config;
-    }
-
-    return AUTHCFG_AUTH_TYPE_NONE;
-}
-
-static uint32_t entry_to_config(Slapi_Entry *e)
-{
-    char **auth_types = NULL;
-
-    if (e == NULL)
-        return AUTHCFG_AUTH_TYPE_NONE;
-
-    /* Fetch the auth type values from the config entry. */
-    auth_types = slapi_entry_attr_get_charray(e, "ipaUserAuthType");
-    if (auth_types == NULL)
-        return AUTHCFG_AUTH_TYPE_NONE;
-
-    uint32_t types = AUTHCFG_AUTH_TYPE_NONE;
-    for (uint32_t i = 0; auth_types[i] != NULL; i++)
-        types |= string_to_config(auth_types[i]);
-
-    slapi_ch_array_free(auth_types);
-
-    return types;
-}
-
-static Slapi_DN *suffix_to_config_dn(Slapi_DN *suffix)
-{
-    Slapi_DN *sdn = NULL;
-    char *dn = NULL;
-
-    if (suffix == NULL)
-        return NULL;
-
-    dn = PR_smprintf("cn=ipaConfig,cn=etc,%s", slapi_sdn_get_dn(suffix));
-    if (dn == NULL)
-        return NULL;
-
-    sdn = slapi_sdn_new_dn_byval(dn);
-    PR_smprintf_free(dn);
-    return sdn;
-}
-
-static uint32_t suffix_to_config(Slapi_DN *suffix)
-{
-    static char *attrs[] = { "ipaUserAuthType", NULL };
-    Slapi_Entry *entry = NULL;
-    Slapi_DN *sdn = NULL;
-    uint32_t types;
-    int ret;
-
-    sdn = suffix_to_config_dn(suffix);
-    if (sdn == NULL)
-        return AUTHCFG_AUTH_TYPE_NONE;
-
-    ret = slapi_search_internal_get_entry(sdn, attrs, &entry,
-                                          ipapwd_get_plugin_id());
-    slapi_sdn_free(&sdn);
-    if (ret != LDAP_SUCCESS)
-        return AUTHCFG_AUTH_TYPE_NONE;
-
-    types = entry_to_config(entry);
-    slapi_entry_free(entry);
-
-    return types;
-}
-
-static Slapi_DN *sdn_to_suffix(Slapi_DN *sdn)
-{
-    Slapi_DN *suffix = NULL;
-    void *node = NULL;
-
-    if (sdn == NULL)
-        return NULL;
-
-    for (suffix = slapi_get_first_suffix(&node, 0); suffix != NULL;
-         suffix = slapi_get_next_suffix(&node, 0)) {
-        if (slapi_sdn_issuffix(sdn, suffix))
-            return suffix;
-    }
-
-    return NULL;
-}
-
-static bool sdn_is_config(Slapi_DN *sdn)
-{
-    Slapi_DN *sfx = NULL;
-    Slapi_DN *cfg = NULL;
-    int cmp;
-
-    if (sdn == NULL)
-        return false;
-
-    sfx = sdn_to_suffix(sdn);
-    if (sfx == NULL)
-        return false;
-
-    cfg = suffix_to_config_dn(sfx);
-    if (cfg == NULL)
-        return false;
-
-    cmp = slapi_sdn_compare(cfg, sdn);
-    slapi_sdn_free(&cfg);
-    return cmp == 0;
-}
-
-void cache_free(struct config **cfg)
-{
-    if (cfg == NULL || *cfg == NULL)
-        return;
-
-    cache_free(&(*cfg)->next);
-    free(*cfg);
-    *cfg = NULL;
-}
-
-bool authcfg_init(void)
-{
-    struct config *cfg = NULL;
-    Slapi_DN *sfx = NULL;
-    void *node = NULL;
-
-    /* If we are already initialized, return true. */
-    if (config != NULL)
-        return true;
-
-    /* Look up the config for each suffix. */
-    for (sfx = slapi_get_first_suffix(&node, 0); sfx != NULL;
-         sfx = slapi_get_next_suffix(&node, 0)) {
-        cfg = calloc(1, sizeof(*cfg));
-        if (cfg == NULL) {
-            authcfg_fini();
-            return false;
-        }
-
-        cfg->suffix = sfx;
-        cfg->config = suffix_to_config(sfx);
-        cfg->next = config;
-        config = cfg;
-    }
-
-    return true;
-}
-
-void authcfg_fini(void)
-{
-    cache_free(&config);
-}
-
-uint32_t authcfg_get_auth_types(Slapi_Entry *user_entry)
-{
-    uint32_t glbl = AUTHCFG_AUTH_TYPE_NONE;
-    uint32_t user = AUTHCFG_AUTH_TYPE_NONE;
-    Slapi_DN *sfx = NULL;
-    Slapi_DN *sdn = NULL;
-
-    /* Find the root suffix. */
-    sdn = slapi_entry_get_sdn(user_entry);
-    sfx = sdn_to_suffix(sdn);
-
-    /* Find the global config. */
-    if (sfx != NULL) {
-        for (struct config *cfg = config; cfg && sfx; cfg = cfg->next) {
-            if (slapi_sdn_compare(sfx, cfg->suffix) == 0) {
-                glbl = PR_ATOMIC_ADD(&cfg->config, 0);
-                break;
-            }
-        }
-    }
-
-    /* Global disabled overrides user settings. */
-    if (glbl & AUTHCFG_AUTH_TYPE_DISABLED)
-        return AUTHCFG_AUTH_TYPE_DISABLED;
-
-    /* Get the user's config. */
-    user = entry_to_config(user_entry);
-
-    if (user == AUTHCFG_AUTH_TYPE_NONE) {
-        if (glbl == AUTHCFG_AUTH_TYPE_NONE)
-            return AUTHCFG_AUTH_TYPE_PASSWORD;
-        return glbl;
-    }
-
-    return user & ~AUTHCFG_AUTH_TYPE_DISABLED;
-}
-
-void authcfg_reload_global_config(Slapi_DN *sdn, Slapi_Entry *config_entry)
-{
-    uint32_t glbl = AUTHCFG_AUTH_TYPE_NONE;
-    Slapi_DN *sfx = NULL;
-    Slapi_DN *dest;
-
-    /* Get the destination DN. */
-    dest = config_entry == NULL ? NULL : slapi_entry_get_sdn(config_entry);
-
-    /* Added, modified, moved into place. */
-    if (sdn_is_config(dest)) {
-        sfx = sdn_to_suffix(dest);
-        glbl = entry_to_config(config_entry);
-
-    /* Deleted, moved out of place. */
-    } else if (sdn_is_config(sdn)) {
-        sfx = sdn_to_suffix(sdn);
-    }
-
-    /* Reload config. */
-    for (struct config *cfg = config; cfg && sfx; cfg = cfg->next) {
-        if (slapi_sdn_compare(sfx, cfg->suffix) == 0) {
-            PR_ATOMIC_SET(&cfg->config, glbl);
-            break;
-        }
-    }
-}
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/authcfg.h b/daemons/ipa-slapi-plugins/ipa-pwd-extop/authcfg.h
deleted file mode 100644
index c2fc24605..000000000
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/authcfg.h
+++ /dev/null
@@ -1,82 +0,0 @@
-/** BEGIN COPYRIGHT BLOCK
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation, either version 3 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program.  If not, see <http://www.gnu.org/licenses/>.
- *
- * Additional permission under GPLv3 section 7:
- *
- * In the following paragraph, "GPL" means the GNU General Public
- * License, version 3 or any later version, and "Non-GPL Code" means
- * code that is governed neither by the GPL nor a license
- * compatible with the GPL.
- *
- * You may link the code of this Program with Non-GPL Code and convey
- * linked combinations including the two, provided that such Non-GPL
- * Code only links to the code of this Program through those well
- * defined interfaces identified in the file named EXCEPTION found in
- * the source code files (the "Approved Interfaces"). The files of
- * Non-GPL Code may instantiate templates or use macros or inline
- * functions from the Approved Interfaces without causing the resulting
- * work to be covered by the GPL. Only the copyright holders of this
- * Program may make changes or additions to the list of Approved
- * Interfaces.
- *
- * Authors:
- * Nathaniel McCallum <npmccallum@redhat.com>
- *
- * Copyright (C) 2014 Red Hat, Inc.
- * All rights reserved.
- * END COPYRIGHT BLOCK **/
-
-
-#ifndef AUTHCFG_H_
-#define AUTHCFG_H_
-
-#include <dirsrv/slapi-plugin.h>
-#include <stdbool.h>
-
-#define AUTHCFG_AUTH_TYPE_NONE     0
-#define AUTHCFG_AUTH_TYPE_DISABLED 1
-#define AUTHCFG_AUTH_TYPE_PASSWORD 2
-#define AUTHCFG_AUTH_TYPE_OTP      4
-#define AUTHCFG_AUTH_TYPE_PKINIT   8
-#define AUTHCFG_AUTH_TYPE_RADIUS   16
-
-/* Initialize authentication configuration.
- *
- * Thread Safety: NO
- */
-bool authcfg_init(void);
-
-/* Free global authentication configuration resources.
- *
- * Thread Safety: NO
- */
-void authcfg_fini(void);
-
-/* Gets the permitted authentication types for the given user entry.
- *
- * The entry should be queried for the "ipaUserAuthType" attribute.
- *
- * Thread Safety: YES
- */
-uint32_t authcfg_get_auth_types(Slapi_Entry *user_entry);
-
-/* Reloads configuration from the specified global config entry.
- *
- * If the provided entry isn't a global config entry, this is a no-op.
- *
- * Thread Safety: YES
- */
-void authcfg_reload_global_config(Slapi_DN *sdn, Slapi_Entry *config_entry);
-
-#endif /* AUTHCFG_H_ */
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
index ceea49cab..09c877f70 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
@@ -39,7 +39,7 @@
 
 #include "ipapwd.h"
 #include "util.h"
-#include "authcfg.h"
+#include "../libotp/otp_config.h"
 #include "ipa_asn1.h"
 
 /*
@@ -89,6 +89,8 @@ Slapi_PluginDesc ipapwd_plugin_desc = {
 void *ipapwd_plugin_id;
 static int usetxn = 0;
 
+extern struct otp_config *otp_config;
+
 void *ipapwd_get_plugin_id(void)
 {
     return ipapwd_plugin_id;
@@ -1792,16 +1794,6 @@ static int ipapwd_start( Slapi_PBlock *pb )
     Slapi_Entry *config_entry = NULL;
     int ret;
 
-    /* NOTE: We never call authcfg_fini() from a destructor. This is because
-     *       it may race with threaded requests at shutdown. This leak should
-     *       only occur when the DS is exiting, so it isn't a big deal.
-     */
-    if (!authcfg_init()) {
-        LOG_FATAL("AuthConf initialization failed!\n");
-        ret = LDAP_OPERATIONS_ERROR;
-        goto done;
-    }
-
     krberr = krb5_init_context(&krbctx);
     if (krberr) {
         LOG_FATAL("krb5_init_context failed\n");
@@ -1871,11 +1863,16 @@ static int ipapwd_start( Slapi_PBlock *pb )
 
     ret = LDAP_SUCCESS;
 
+    /* NOTE: We never call otp_config_fini() from a destructor. This is because
+     *       it may race with threaded requests at shutdown. This leak should
+     *       only occur when the DS is exiting, so it isn't a big deal.
+     */
+    otp_config = otp_config_init(ipapwd_plugin_id);
+
 done:
     free(realm);
     krb5_free_context(krbctx);
     if (config_entry) slapi_entry_free(config_entry);
-    if (ret != LDAP_SUCCESS) authcfg_fini();
     return ret;
 }
 
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
index 1dff6db1a..96c55f39b 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
@@ -63,7 +63,6 @@
 #include "ipapwd.h"
 #include "util.h"
 #include "syncreq.h"
-#include "authcfg.h"
 
 #define IPAPWD_OP_NULL 0
 #define IPAPWD_OP_ADD 1
@@ -75,6 +74,8 @@ extern Slapi_PluginDesc ipapwd_plugin_desc;
 extern void *ipapwd_plugin_id;
 extern const char *ipa_realm_tree;
 
+struct otp_config *otp_config = NULL;
+
 /* structure with information for each extension */
 struct ipapwd_op_ext {
     char *object_name;   /* name of the object extended   */
@@ -967,23 +968,9 @@ static int ipapwd_regen_nthash(Slapi_PBlock *pb, Slapi_Mods *smods,
     return ret;
 }
 
-static int ipapwd_post_authcfg(Slapi_PBlock *pb)
+static int ipapwd_post_updatecfg(Slapi_PBlock *pb)
 {
-    Slapi_Entry *config_entry = NULL;
-    Slapi_DN *sdn = NULL;
-    int oprc = 0;
-
-    /* Just bail if the operation failed. */
-    if (slapi_pblock_get(pb, SLAPI_PLUGIN_OPRETURN, &oprc) != 0 || oprc != 0)
-        return 0;
-
-    if (slapi_pblock_get(pb, SLAPI_TARGET_SDN, &sdn) != 0)
-        return 0;
-
-    /* Ignore the error here (delete operations). */
-    slapi_pblock_get(pb, SLAPI_ENTRY_POST_OP, &config_entry);
-
-    authcfg_reload_global_config(sdn, config_entry);
+    otp_config_update(otp_config, pb);
     return 0;
 }
 
@@ -1003,8 +990,7 @@ static int ipapwd_post_modadd(Slapi_PBlock *pb)
 
     LOG_TRACE("=>\n");
 
-    /* Ignore error when parsing configuration. */
-    ipapwd_post_authcfg(pb);
+    otp_config_update(otp_config, pb);
 
     /* time to get the operation handler */
     ret = slapi_pblock_get(pb, SLAPI_OPERATION, &op);
@@ -1144,7 +1130,7 @@ static bool ipapwd_do_otp_auth(const char *dn, Slapi_Entry *bind_entry,
     bool success = false;
 
     /* Find all of the user's active tokens. */
-    tokens = otp_token_find(ipapwd_plugin_id, dn, NULL, true, NULL);
+    tokens = otp_token_find(otp_config, dn, NULL, true, NULL);
     if (tokens == NULL) {
         slapi_log_error(SLAPI_LOG_FATAL, IPAPWD_PLUGIN_NAME,
                         "%s: can't find tokens for '%s'.\n", __func__, dn);
@@ -1190,11 +1176,7 @@ static bool ipapwd_pre_bind_otp(const char *bind_dn, Slapi_Entry *entry,
     uint32_t auth_types;
 
     /* Get the configured authentication types. */
-    auth_types = authcfg_get_auth_types(entry);
-
-    /* If global disabled flag is set, just punt. */
-    if (auth_types & AUTHCFG_AUTH_TYPE_DISABLED)
-        return true;
+    auth_types = otp_config_auth_types(otp_config, entry);
 
     /*
      * IMPORTANT SECTION!
@@ -1206,14 +1188,14 @@ static bool ipapwd_pre_bind_otp(const char *bind_dn, Slapi_Entry *entry,
      * 2. If PWD is enabled or OTP succeeded, fall through to PWD validation.
      */
 
-    if (auth_types & AUTHCFG_AUTH_TYPE_OTP) {
+    if (auth_types & OTP_CONFIG_AUTH_TYPE_OTP) {
         LOG_PLUGIN_NAME(IPAPWD_PLUGIN_NAME,
                         "Attempting OTP authentication for '%s'.\n", bind_dn);
         if (ipapwd_do_otp_auth(bind_dn, entry, creds))
             return true;
     }
 
-    return auth_types & AUTHCFG_AUTH_TYPE_PASSWORD;
+    return auth_types & OTP_CONFIG_AUTH_TYPE_PASSWORD;
 }
 
 static int ipapwd_authenticate(const char *dn, Slapi_Entry *entry,
@@ -1461,7 +1443,7 @@ static int ipapwd_pre_bind(Slapi_PBlock *pb)
     }
 
     /* Attempt to handle a token synchronization request. */
-    if (syncreq && !sync_request_handle(ipapwd_get_plugin_id(), pb, dn))
+    if (syncreq && !sync_request_handle(otp_config, pb, dn))
         goto invalid_creds;
 
     /* Attempt to write out kerberos keys for the user. */
@@ -1513,9 +1495,9 @@ int ipapwd_post_init(Slapi_PBlock *pb)
     ret = slapi_pblock_set(pb, SLAPI_PLUGIN_VERSION, SLAPI_PLUGIN_VERSION_01);
     if (!ret) ret = slapi_pblock_set(pb, SLAPI_PLUGIN_DESCRIPTION, (void *)&ipapwd_plugin_desc);
     if (!ret) ret = slapi_pblock_set(pb, SLAPI_PLUGIN_POST_ADD_FN, (void *)ipapwd_post_modadd);
-    if (!ret) ret = slapi_pblock_set(pb, SLAPI_PLUGIN_POST_DELETE_FN, (void *)ipapwd_post_authcfg);
+    if (!ret) ret = slapi_pblock_set(pb, SLAPI_PLUGIN_POST_DELETE_FN, (void *)ipapwd_post_updatecfg);
     if (!ret) ret = slapi_pblock_set(pb, SLAPI_PLUGIN_POST_MODIFY_FN, (void *)ipapwd_post_modadd);
-    if (!ret) ret = slapi_pblock_set(pb, SLAPI_PLUGIN_POST_MODRDN_FN, (void *)ipapwd_post_authcfg);
+    if (!ret) ret = slapi_pblock_set(pb, SLAPI_PLUGIN_POST_MODRDN_FN, (void *)ipapwd_post_updatecfg);
 
     return ret;
 }
@@ -1526,10 +1508,10 @@ int ipapwd_intpost_init(Slapi_PBlock *pb)
 
     ret = slapi_pblock_set(pb, SLAPI_PLUGIN_VERSION, SLAPI_PLUGIN_VERSION_03);
     if (!ret) ret = slapi_pblock_set(pb, SLAPI_PLUGIN_DESCRIPTION, (void *)&ipapwd_plugin_desc);
-    if (!ret) ret = slapi_pblock_set(pb, SLAPI_PLUGIN_INTERNAL_POST_ADD_FN, (void *)ipapwd_post_authcfg);
-    if (!ret) ret = slapi_pblock_set(pb, SLAPI_PLUGIN_INTERNAL_POST_DELETE_FN, (void *)ipapwd_post_authcfg);
-    if (!ret) ret = slapi_pblock_set(pb, SLAPI_PLUGIN_INTERNAL_POST_MODIFY_FN, (void *)ipapwd_post_authcfg);
-    if (!ret) ret = slapi_pblock_set(pb, SLAPI_PLUGIN_INTERNAL_POST_MODRDN_FN, (void *)ipapwd_post_authcfg);
+    if (!ret) ret = slapi_pblock_set(pb, SLAPI_PLUGIN_INTERNAL_POST_ADD_FN, (void *)ipapwd_post_updatecfg);
+    if (!ret) ret = slapi_pblock_set(pb, SLAPI_PLUGIN_INTERNAL_POST_DELETE_FN, (void *)ipapwd_post_updatecfg);
+    if (!ret) ret = slapi_pblock_set(pb, SLAPI_PLUGIN_INTERNAL_POST_MODIFY_FN, (void *)ipapwd_post_updatecfg);
+    if (!ret) ret = slapi_pblock_set(pb, SLAPI_PLUGIN_INTERNAL_POST_MODRDN_FN, (void *)ipapwd_post_updatecfg);
     return ret;
 }
 
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/syncreq.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/syncreq.c
index 10c49b724..0aef43802 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/syncreq.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/syncreq.c
@@ -52,7 +52,7 @@ bool sync_request_present(Slapi_PBlock *pb)
     return ldap_control_find(OTP_SYNC_REQUEST_OID, controls, NULL) != NULL;
 }
 
-bool sync_request_handle(Slapi_ComponentId *plugin_id, Slapi_PBlock *pb,
+bool sync_request_handle(const struct otp_config *cfg, Slapi_PBlock *pb,
                          const char *user_dn)
 {
     struct otp_token **tokens = NULL;
@@ -90,7 +90,7 @@ bool sync_request_handle(Slapi_ComponentId *plugin_id, Slapi_PBlock *pb,
         /* Process the synchronization. */
         success = false;
         if (ber_scanf(ber, "}") != LBER_ERROR) {
-            tokens = otp_token_find(plugin_id, user_dn, token_dn, true, NULL);
+            tokens = otp_token_find(cfg, user_dn, token_dn, true, NULL);
             if (tokens != NULL) {
                 success = otp_token_sync_berval(tokens, OTP_SYNC_MAX_STEPS, first, second);
                 otp_token_free_array(tokens);
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/syncreq.h b/daemons/ipa-slapi-plugins/ipa-pwd-extop/syncreq.h
index 34235901b..98a97c4c9 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/syncreq.h
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/syncreq.h
@@ -41,7 +41,7 @@
 #ifndef SYNCREQ_H_
 #define SYNCREQ_H_
 
-#include <dirsrv/slapi-plugin.h>
+#include "../libotp/otp_config.h"
 #include <stdbool.h>
 
 /*
@@ -57,7 +57,7 @@
 
 bool sync_request_present(Slapi_PBlock *pb);
 
-bool sync_request_handle(Slapi_ComponentId *plugin_id, Slapi_PBlock *pb,
+bool sync_request_handle(const struct otp_config *cfg, Slapi_PBlock *pb,
                          const char *user_dn);
 
 #endif /* SYNCREQ_H_ */