[Fedora-directory-devel] Please review: [Bug 436397] New: LDAPI: move default LDAPI UNIX socket from /var/run/dirsrv/slapd-ID.socket to /var/run/slapd-ID.socket

After the discussion, we agreed to move the LDAPI UNIX socket from RHDS/FDS run_dir (/var/run/dirsrv, by default) to its parent directory.

Thanks,
--noriko

https://bugzilla.redhat.com/show_bug.cgi?id=436397

          Summary: LDAPI: move default LDAPI UNIX socket from /var/run/dirsrv/slapd-ID.socket to /var/run/slapd-ID.socket
          Product: Fedora Directory Server
          Version: 1.1.0
         Platform: All
       OS/Version: Linux
           Status: NEW
         Severity: low
         Priority: low
        Component: Directory Server
       AssignedTo: nhosoi@xxxxxxxxxx
       ReportedBy: nhosoi@xxxxxxxxxx
        QAContact: ckannan@xxxxxxxxxx
  Estimated Hours: 0.0


Description of problem:
* If fedora-ds-base is installed by root, the mode of
 /var/run/dirsrv is 0750, which prevents ordinary users from accessing
 the UNIX socket.  Should the mode be 0755?  Or do we not allow
 non-root/non-nobody users to use LDAPI?

   drwxr-x---  2 nobody nobody 4096 Mar  5 13:57 /var/run/dirsrv/
   It's set by makeDSDirs in DSCreate.pm.

rmeggins wrote:

> We should see what OpenLDAP does - they use /var/run/ldapi by default - what
> mode is that by default?

It's about the intermediate directory's permission. OpenLDAP just has /var and /var/run. ldapi is already the socket, isn't it?

rmeggins wrote:

> Yes.

We have one more level /var/run/dirsrv, which is hiding the socket from non-root and non-nobody... But yes, I have to install openldap and investigate more.

rmeggins wrote:

> Hmm - we probably don't want to open up /var/run/dirsrv if we don't have to -
> maybe we should move the socket into /var/run? e.g. /var/run/slapd-instance.socket?

I think that's a good idea. One thing I'd like to make sure of is whether we have to worry about RHDS/FDS coexisting with an OpenLDAP server on one host. Something like, if port 389 is already taken, our setup-ds offers an alternative. Do we need to do something similar for the LDAPI socket?

rmeggins wrote:

> If there is already a /var/run/ldapi and it is in use by openldap (or another
> redhat/fedora ds) we probably don't want to use it.

nalin wrote:

> When OpenLDAP's libldap gets 'ldapi:///' as a URI, it tries to connect
> to '/var/run/ldapi'.  Perhaps we should just use that?
>
> Nalin
------- Additional Comments From nhosoi@xxxxxxxxxx  2008-03-13 16:36 EST -------
Created an attachment (id=297983)
--> (https://bugzilla.redhat.com/attachment.cgi?id=297983&action=view)
cvs diff DSCreate.pm.in

Description: create an LDAPI UNIX socket at the parent dir of run_dir
(/var/run/dirsrv, by default).

Test result.
Installed by root and the server's owner is nobody.
# ls -l /var/run/slapd-*socket
srw-rw-rw-  1 root root 0 Mar 13 10:28 /var/run/slapd-laputa1.socket

[..] - Red Hat-Directory/8.0.0 B2008.073.1814 starting up
[..] - slapd started.  Listening on All Interfaces port 10391 for LDAP requests

[..] - Listening on /var/run/slapd-laputa1.socket for LDAPI requests
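The permission problem behind this move, as an added example that is not part of the thread or of the Directory Server code: a connect() on a UNIX socket needs search (x) permission on every ancestor directory plus write permission on the socket file itself, so a world-writable socket under a 0750 run_dir is still unreachable for ordinary users. The function below walks the path the way the kernel's DAC check does and reports the first component that denies access; the directory tree is constructed from the ls output in the bug (uid/gid 99 for nobody is an assumption).

```python
import os
import stat
from collections import namedtuple
from pathlib import PurePosixPath

# Minimal stand-in for os.stat_result; only the fields the check needs.
FakeStat = namedtuple("FakeStat", "st_mode st_uid st_gid")

def has_perm(st, bit_usr, bit_grp, bit_oth, as_uid, as_gids):
    """Classic owner/group/other selection; uid 0 bypasses DAC checks."""
    if as_uid == 0:
        return True
    if as_uid == st.st_uid:
        return bool(st.st_mode & bit_usr)
    if st.st_gid in as_gids:
        return bool(st.st_mode & bit_grp)
    return bool(st.st_mode & bit_oth)

def first_blocker(sock_path, as_uid, as_gids, stat_fn=os.stat):
    """Return None if as_uid (with groups as_gids) can connect to the UNIX
    socket at sock_path, otherwise the first path component that denies it.
    Every ancestor needs x (search); the socket itself needs w (write)."""
    p = PurePosixPath(sock_path)
    for ancestor in reversed(p.parents):  # "/" first, then /var, /var/run, ...
        st = stat_fn(str(ancestor))
        if not has_perm(st, stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH, as_uid, as_gids):
            return str(ancestor)
    st = stat_fn(str(p))
    if not has_perm(st, stat.S_IWUSR, stat.S_IWGRP, stat.S_IWOTH, as_uid, as_gids):
        return str(p)
    return None

# Constructed tree mirroring the bug report: run_dir is 0750 nobody:nobody,
# the socket is srw-rw-rw- root:root. uid/gid 99 for "nobody" is assumed.
TREE = {
    "/": FakeStat(stat.S_IFDIR | 0o755, 0, 0),
    "/var": FakeStat(stat.S_IFDIR | 0o755, 0, 0),
    "/var/run": FakeStat(stat.S_IFDIR | 0o755, 0, 0),
    "/var/run/dirsrv": FakeStat(stat.S_IFDIR | 0o750, 99, 99),
    "/var/run/dirsrv/slapd-laputa1.socket": FakeStat(stat.S_IFSOCK | 0o666, 0, 0),
    "/var/run/slapd-laputa1.socket": FakeStat(stat.S_IFSOCK | 0o666, 0, 0),
}

def check(sock_path, as_uid, as_gids):
    """Run first_blocker against the constructed tree instead of the live filesystem."""
    return first_blocker(sock_path, as_uid, as_gids, stat_fn=TREE.__getitem__)

if __name__ == "__main__":
    for path in ("/var/run/dirsrv/slapd-laputa1.socket", "/var/run/slapd-laputa1.socket"):
        print(path, "-> blocked at:", check(path, 1000, {1000}))
```

Pass `stat_fn=os.stat` (the default) to run the same check against a real installation; root and the server's own user (nobody) pass either layout, which is why the problem only shows up for other accounts.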


--
Fedora-directory-devel mailing list
Fedora-directory-devel@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-devel
