[Fedora-directory-devel] Please Review: Add LDAPI (LDAP over unix domain sockets)

Pete Rowley prowley at redhat.com
Fri Feb 23 18:24:40 UTC 2007


Andrew Bartlett wrote:
> On Mon, 2007-02-19 at 14:08 -0800, Pete Rowley wrote:
>   
>> This is a feature that exists in OpenLDAP (but has no RFC that I am aware of).
>> Heimdal uses this feature exclusively for its directory interactions (making it
>> incompatible with other LDAP directories), and Samba testing is often performed
>> over unix domain sockets (a convenience for them). There are advantages: no TCP
>> overhead for local connections, the ability to test for the OS level user
>> credentials, and AFAIK, an unsniffable transport without additional
>> requirements. On that last point, I welcome arguments to the contrary.
>>
>> The socket file is created as var/run/fedora-ds/slapd-<instance>.socket by
>> default, but this can be modified in configuration. I'm actually not sure where
>> the best place to put this is since access control along the path to the socket
>> matters. The socket itself is chmodded to give rw to owner, groups, and other by
>> the server upon creation.
>>     
>
> How do I change this location?  What are the configuration parameters?
>
> It seems to be:
> +    fprintf(f, "nsslapd-ldapifilepath: %s/%s-%s.socket\n", cf->run_dir,
> PRODUCT_NAME, cf->servid);
> +    fprintf(f, "nsslapd-ldapilisten: on\n");
> +    fprintf(f, "nsslapd-ldapiautobind: on\n");
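Review bot: both switches are written as `on` here (nsslapd-ldapilisten and nsslapd-ldapiautobind), so every newly generated instance listens on the socket and autobinds without the administrator opting in. Given that the socket is described as rw for owner, group and other, consider writing `off` for at least nsslapd-ldapiautobind and letting the administrator enable it. Also add a comment beside these lines saying what each of the three attributes does, since the names alone prompted the request for clarification.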
>
> But some clarification would be useful.
>
>   
Those attributes are set in the cn=config entry:

ldapsearch -x -D "cn=Directory Manager" -w yourpasswd -b "cn=config" -s base "(objectclass=*)"

You can modify them over LDAP.

nsslapd-ldapifilepath = full path of socket file
nsslapd-ldapilisten = off/on to actually do ldapi at all
nsslapd-ldapiautobind = off/on enforce OS authentication



-- 
Pete
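
How a server can test the OS-level credentials of a client on a unix domain socket, as an added example that is not part of the original post or the patch under review. It assumes Linux and the SO_PEERCRED socket option (the thread does not say which mechanism the patch uses); the socket path, the DN and the uid map are constructed for illustration.

```python
import os
import socket
import struct
import tempfile


def peer_credentials(conn):
    """Return (pid, uid, gid) of the connecting process, as recorded by the kernel."""
    fmt = "iII"  # layout of Linux struct ucred: pid_t, uid_t, gid_t
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, struct.calcsize(fmt))
    return struct.unpack(fmt, raw)


def autobind_dn(uid, uid_map):
    """Map an OS uid to a bind DN; unmapped uids get None (treated as anonymous)."""
    return uid_map.get(uid)


def demo():
    """Accept one local connection and return (peer uid, mapped DN, socket file mode)."""
    # Constructed mapping: only the current user is known to this toy server.
    uid_map = {os.getuid(): "uid=localadmin,ou=people,dc=example,dc=com"}
    with tempfile.TemporaryDirectory() as run_dir:
        path = os.path.join(run_dir, "slapd-example.socket")  # constructed path
        with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as server, \
                socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as client:
            server.bind(path)
            os.chmod(path, 0o666)  # rw for owner, group and other, as the post describes
            server.listen(1)
            client.connect(path)
            conn, _ = server.accept()
            with conn:
                # The identity comes from the kernel, not from anything the client sent.
                _pid, uid, _gid = peer_credentials(conn)
                mode = os.stat(path).st_mode & 0o777
                return uid, autobind_dn(uid, uid_map), mode


if __name__ == "__main__":
    print(demo())
```

With a world-writable socket file, the uid map is the only thing separating an authenticated local client from an anonymous one, which is why the directories along the path and the mapping both need review.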
