[Fedora-directory-devel] Please review (revised): LDAPI+AUTOBIND
Noriko Hosoi
nhosoi at redhat.com
Wed May 14 18:20:45 UTC 2008
Thank you for the background info and suggestions, Howard and Andrew.
We are thinking auto-bind could be useful for some types of applications
and are trying to make it coexist safely with the current features.
Here is the summary of the changes:
436388 (Item 1): --enable-autobind is supported. Unless it's set, the
auto-bind code is not compiled in.
436390 (Item 2): I updated the previous proposal based upon the
feedback: now auto-bind is executed only from the bind code and only when
the client explicitly sends the SASL/EXTERNAL request to the server. On
the server side, it is disabled by default. To enable it,
nsslapd-ldapiautobind needs to be set to "on" by an administrator.
With these changes, for example, this search request is authenticated as
Directory Manager if it is launched by the superuser:
# ldapsearch -Y EXTERNAL -H ldapi://%2fvar%2frun%2fslapd-<ID>.socket -b "cn=config" "(cn=*)"
If the EXTERNAL request is not passed, the connection is bound as anonymous.
436400 (Item 3): Currently, dse.ldif stores by default extra configuration
attributes that are only necessary for auto-bind. They should not be
there unless auto-bind is enabled.
Your comments would be greatly appreciated.
Thanks,
--noriko
Item 1)
> Summary: LDAPI: introduce --enable-autobind to support AUTOBIND
>
> https://bugzilla.redhat.com/show_bug.cgi?id=436388
>
> ------- Additional Comments From nhosoi at redhat.com 2008-05-09 18:35
> EST -------
> Created an attachment (id=304990)
> --> (https://bugzilla.redhat.com/attachment.cgi?id=304990&action=view)
> cvs diff configure.ac Makefile.am
>
> Files:
> ldapserver/configure.ac
> ldapserver/Makefile.am
>
> Description: introduced --enable-autobind
> By default, autobind is off.
Item 2)
> Summary: LDAPI: support auto-bind
>
> https://bugzilla.redhat.com/show_bug.cgi?id=436390
>
> ------- Additional Comments From nhosoi at redhat.com 2008-05-09 19:52
> EST -------
> Created an attachment (id=304994)
> --> (https://bugzilla.redhat.com/attachment.cgi?id=304994&action=view)
> cvs diff slap.h getsocketpeer.c daemon.c
>
> Files:
> ldap/servers/slapd/slap.h
> /getsocketpeer.c
> /daemon.c
>
> Description:
> Debugged the basic code of slapd_get_socket_peer, which is used for
> Solaris 9 and HP-UX. The recvmsg call returns an error immediately if no
> data is waiting to be received, since the socket is set
> PR_SockOpt_Nonblocking (O_NONBLOCK). To make slapd_get_socket_peer more
> robust, we have to retry recvmsg if it returns EAGAIN, but with a retry
> count so as not to hang there.
>
> Also introduced c_local_valid in the Connection handle to tell the
> autobind code whether the uid/gid pair is valid or not.
>
> ------- Additional Comments From nhosoi at redhat.com 2008-05-13 12:23
> EST -------
> Created an attachment (id=305257)
> --> (https://bugzilla.redhat.com/attachment.cgi?id=305257&action=view)
> cvs diff daemon.c bind.c
>
> Files:
> ldap/servers/slapd/daemon.c
> /bind.c
>
> Description:
> In addition to the previous changes, I'm modifying the code as follows.
> The change in daemon.c stops the automagic/unconditional auto-bind. In
> bind.c, slapd_bind_local_user (in which auto-bind is implemented) is
> called. It was called in do_bind even before, but there was no bind type
> or method restriction set. I'm proposing to change the code to call it
> only when a SASL/EXTERNAL request is passed.
Item 3)
> Summary: LDAPI: cleaning up template-ldapi*.ldif files
>
> https://bugzilla.redhat.com/show_bug.cgi?id=436400
>
>
> ------- Additional Comments From nhosoi at redhat.com 2008-05-09 18:52
> EST -------
> Created an attachment (id=304993)
> --> (https://bugzilla.redhat.com/attachment.cgi?id=304993&action=view)
> cvs diff template-ldapi-default.ldif.in DSCreate.pm.in
>
> Files:
> ldap/ldif/template-ldapi-default.ldif.in
> ldap/admin/src/scripts/DSCreate.pm.in
>
> Description:
> LDAPI itself requires these 2 configuration parameters.
> nsslapd-ldapifilepath: /var/run/slapd-<ID>.socket
> nsslapd-ldapilisten: on
>
> The rest is needed only when autobind is enabled.
> Modified DSCreate to generate the following parameters when the DS is
> configured with --enable-autobind.
> nsslapd-ldapiautobind: off
> nsslapd-ldapimaprootdn: cn=Directory Manager
> nsslapd-ldapimaptoentries: off
> nsslapd-ldapiuidnumbertype: uidNumber
> nsslapd-ldapigidnumbertype: gidNumber
> nsslapd-ldapientrysearchbase: <your_suffix>
> nsslapd-ldapiautodnsuffix: cn=peercred,cn=external,cn=auth
>
> Fixed the nsslapd-ldapientrysearchbase value to set the server's suffix
> (instead of the hardcoded dc=example,dc=com).
>
> template-ldapi-default.ldif.in seems not to be used. But to reduce the
> confusion, I updated the file as well, for future use.
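Added example, not part of this mail and not code from Fedora Directory Server: a small C program that separates the three pieces the proposal above keeps apart, namely obtaining the peer uid/gid from the LDAPI socket, a bounded retry around recvmsg on a non-blocking socket, and the bind-time decision that only a SASL/EXTERNAL bind with nsslapd-ldapiautobind on and a valid peer is mapped to a DN. Assumptions: Linux SO_PEERCRED is used to read the peer credentials (the mail's recvmsg-based slapd_get_socket_peer is the Solaris/HP-UX path); the autogenerated DN shape gidNumber=G+uidNumber=U,<nsslapd-ldapiautodnsuffix> is an assumption about the autobind DN format, not something the mail states; all struct and function names (local_peer, get_peer_cred, recvmsg_bounded, ldapi_autobind_dn, demo_socketpair) are hypothetical.

```c
#define _GNU_SOURCE          /* struct ucred / SO_PEERCRED (assumption: Linux) */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/uio.h>

/* Peer identity recovered from the LDAPI (AF_UNIX) socket. c_local_valid plays
 * the role of the flag the patch adds to the Connection handle: it stays 0
 * until the uid/gid pair really came from the kernel. */
struct local_peer { uid_t uid; gid_t gid; int c_local_valid; };

/* Linux path (assumption): the kernel fills SO_PEERCRED; no data is received. */
int get_peer_cred(int fd, struct local_peer *p)
{
    struct ucred uc;
    socklen_t len = sizeof(uc);
    p->c_local_valid = 0;
    if (getsockopt(fd, SOL_SOCKET, SO_PEERCRED, &uc, &len) < 0)
        return -1;
    p->uid = uc.uid;
    p->gid = uc.gid;
    p->c_local_valid = 1;
    return 0;
}

/* Bounded retry around recvmsg on a non-blocking socket, modelled on the
 * Solaris/HP-UX fix described in Item 2: EAGAIN means "nothing queued yet",
 * so retry, but stop after max_tries so a client that never sends cannot pin
 * the thread. Returns recvmsg's result; *tries_used gets the attempt count. */
ssize_t recvmsg_bounded(int fd, struct msghdr *msg, int max_tries, int *tries_used)
{
    ssize_t n = -1;
    int tries = 0;
    while (tries < max_tries) {
        tries++;
        n = recvmsg(fd, msg, 0);
        if (n >= 0 || (errno != EAGAIN && errno != EWOULDBLOCK))
            break;
        usleep(1000);            /* brief pause before the next attempt */
    }
    if (tries_used)
        *tries_used = tries;
    return n;
}

/* Bind-time policy from the proposal: autobind runs only for a SASL/EXTERNAL
 * bind, only when nsslapd-ldapiautobind is on, and only with a valid peer.
 * uid 0 maps to nsslapd-ldapimaprootdn; any other peer gets an autogenerated
 * DN under nsslapd-ldapiautodnsuffix (the gidNumber=G+uidNumber=U shape is an
 * assumption). Returns 1 when bound as dn, 0 when the bind stays anonymous
 * (dn is then the empty string). */
int ldapi_autobind_dn(int sasl_external, int autobind_on,
                      const struct local_peer *p, const char *maprootdn,
                      const char *autodnsuffix, char *dn, size_t dnlen)
{
    dn[0] = '\0';
    if (!sasl_external || !autobind_on || !p->c_local_valid)
        return 0;
    if (p->uid == 0) {
        snprintf(dn, dnlen, "%s", maprootdn);
        return 1;
    }
    snprintf(dn, dnlen, "gidNumber=%lu+uidNumber=%lu,%s",
             (unsigned long)p->gid, (unsigned long)p->uid, autodnsuffix);
    return 1;
}

/* Self-contained exercise over a socketpair: both ends live in this process,
 * so the peer credentials are our own. The first recvmsg_bounded runs with
 * nothing queued and must exhaust max_tries on EAGAIN; after one byte is
 * written, the next call succeeds. Returns 0 on success. */
int demo_socketpair(struct local_peer *p, int *tries_empty, ssize_t *n_after_write)
{
    int sv[2];
    char buf[8];
    struct iovec iov = { buf, sizeof(buf) };
    struct msghdr msg;
    memset(&msg, 0, sizeof(msg));
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return -1;
    fcntl(sv[1], F_SETFL, fcntl(sv[1], F_GETFL) | O_NONBLOCK);
    if (get_peer_cred(sv[1], p) < 0)
        return -1;
    if (recvmsg_bounded(sv[1], &msg, 5, tries_empty) >= 0)
        return -1;                        /* expected EAGAIN, not data */
    if (write(sv[0], "x", 1) != 1)
        return -1;
    *n_after_write = recvmsg_bounded(sv[1], &msg, 5, NULL);
    close(sv[0]);
    close(sv[1]);
    return 0;
}

int main(void)
{
    struct local_peer p;
    int tries = 0;
    ssize_t n = 0;
    char dn[256];
    if (demo_socketpair(&p, &tries, &n) != 0)
        return 1;
    printf("peer uid=%lu gid=%lu valid=%d; empty recv tries=%d; after write n=%ld\n",
           (unsigned long)p.uid, (unsigned long)p.gid, p.c_local_valid, tries, (long)n);
    ldapi_autobind_dn(1, 1, &p, "cn=Directory Manager",
                      "cn=peercred,cn=external,cn=auth", dn, sizeof(dn));
    printf("EXTERNAL + autobind on -> %s\n", dn[0] ? dn : "(anonymous)");
    ldapi_autobind_dn(0, 1, &p, "cn=Directory Manager",
                      "cn=peercred,cn=external,cn=auth", dn, sizeof(dn));
    printf("simple bind, no EXTERNAL -> %s\n", dn[0] ? dn : "(anonymous)");
    return 0;
}
```

Run as root and the EXTERNAL line prints cn=Directory Manager; as an ordinary user it prints the autogenerated DN. Either way, the simple-bind line stays anonymous, which is the behaviour the revised proposal asks for.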