[Fedora-directory-devel] Please review (revised): LDAPI+AUTOBIND

Noriko Hosoi nhosoi at redhat.com
Wed May 14 18:20:45 UTC 2008


Thank you for the background info and suggestions, Howard and Andrew.

We are thinking auto-bind could be useful for some types of applications 
and are trying to make it coexist safely with the current features.

Here is the summary of the changes:
436388 (Item 1): --enable-autobind is supported.  Unless it's set, the 
auto-bind code is not compiled in.

436390 (Item 2): I updated the previous proposal based upon the 
feedback: now auto-bind is executed only from the bind code and only when 
the client explicitly sends the SASL/EXTERNAL request to the server.  On 
the server side, it's disabled by default.  To enable it, 
nsslapd-ldapiautobind needs to be set to "on" by an administrator.  
With these changes, e.g., this search request is authenticated as 
Directory Manager if it's launched by a super user:
  # ldapsearch -Y EXTERNAL -H ldapi://%2fvar%2frun%2fslapd-<ID>.socket -b "cn=config" "(cn=*)"
If the EXTERNAL request is not passed, it's bound as anonymous.

436400 (Item 3): Currently, dse.ldif stores, by default, extra 
configuration attributes that are only necessary for auto-bind.  They 
should not be there unless auto-bind is enabled.

Your comments would be greatly appreciated.

Thanks,
--noriko

Item 1)
> Summary: LDAPI: introduce --enable-autobind to support AUTOBIND
>
> https://bugzilla.redhat.com/show_bug.cgi?id=436388
>
> ------- Additional Comments From nhosoi at redhat.com  2008-05-09 18:35 EST -------
> Created an attachment (id=304990)
>  --> (https://bugzilla.redhat.com/attachment.cgi?id=304990&action=view)
> cvs diff configure.ac Makefile.am
>
> Files:
>  ldapserver/configure.ac
>  ldapserver/Makefile.am
>
> Description: introduced --enable-autobind
>     By default, autobind is off.

Item 2)

> Summary: LDAPI: support auto-bind
>
> https://bugzilla.redhat.com/show_bug.cgi?id=436390
>
> ------- Additional Comments From nhosoi at redhat.com  2008-05-09 19:52 EST -------
> Created an attachment (id=304994)
>  --> (https://bugzilla.redhat.com/attachment.cgi?id=304994&action=view)
> cvs diff slap.h getsocketpeer.c daemon.c
>
> Files:
>  ldap/servers/slapd/slap.h
>            /getsocketpeer.c
>            /daemon.c
>
> Description:
> Debugged the basic code of slapd_get_socket_peer, which is used for 
> Solaris9 and HP-UX.  The recvmsg call returns an error immediately if no 
> data is waiting to be received, since the socket is set 
> PR_SockOpt_Nonblocking (O_NONBLOCK).  To make slapd_get_socket_peer more 
> robust, we have to retry recvmsg if it returns EAGAIN.  But set a retry 
> count so as not to hang there.
>
> Also introduced c_local_valid in the Connection handle to tell the 
> autobind code whether the uid/gid pair is valid or not. 
>
> ------- Additional Comments From nhosoi at redhat.com  2008-05-13 12:23 EST -------
> Created an attachment (id=305257)
>  --> (https://bugzilla.redhat.com/attachment.cgi?id=305257&action=view)
> cvs diff daemon.c bind.c
>
> Files:
>   ldap/servers/slapd/daemon.c
>             /bind.c
>
> Description:
> In addition to the previous changes, I'm modifying the code as follows.  
> The change in daemon.c stops the automagic/unconditional auto-bind.  In 
> bind.c, slapd_bind_local_user (in which auto-bind is implemented) is 
> called.  It was called in do_bind even before, but there was no bind type 
> or method restriction set.  I'm proposing to change the code to call it 
> only when a SASL/EXTERNAL request is passed.

Item 3)

> Summary: LDAPI: cleaning up template-ldapi*.ldif files
>
> https://bugzilla.redhat.com/show_bug.cgi?id=436400
>
>
> ------- Additional Comments From nhosoi at redhat.com  2008-05-09 18:52 EST -------
> Created an attachment (id=304993)
>  --> (https://bugzilla.redhat.com/attachment.cgi?id=304993&action=view)
> cvs diff template-ldapi-default.ldif.in DSCreate.pm.in
>
> Files:
>  ldap/ldif/template-ldapi-default.ldif.in
>  ldap/admin/src/scripts/DSCreate.pm.in
>
> Description:
> LDAPI itself requires these 2 configuration parameters.
>    nsslapd-ldapifilepath: /var/run/slapd-<ID>.socket
>    nsslapd-ldapilisten: on
>
> The rest is needed only when autobind is enabled.
> Modified DSCreate to generate the following parameters when the DS is
> configured with --enable-autobind.
>    nsslapd-ldapiautobind: off
>    nsslapd-ldapimaprootdn: cn=Directory Manager
>    nsslapd-ldapimaptoentries: off
>    nsslapd-ldapiuidnumbertype: uidNumber
>    nsslapd-ldapigidnumbertype: gidNumber
>    nsslapd-ldapientrysearchbase: <your_suffix>
>    nsslapd-ldapiautodnsuffix: cn=peercred,cn=external,cn=auth
>
> Fixed the nsslapd-ldapientrysearchbase value to set the server's suffix 
> (instead of the hardcoded dc=example,dc=com).
>
> template-ldapi-default.ldif.in seems not to be used.  But to reduce 
> confusion, I updated the file as well, for future use.