[Fedora-directory-devel] Please review: [Bug 436388] LDAPI: introduce --enable-autobind to support AUTOBIND

Summary: LDAPI: introduce --enable-autobind to support AUTOBIND

https://bugzilla.redhat.com/show_bug.cgi?id=436388


Description of problem:
* Auto bind codes are all in the ENABLE_AUTOBIND macro.  Should we
 enable it and support the functionality?

rmeggins wrote:

> Yes, but turned off by default.
Okay. Then should we add --enable-autobind to configure.ac?

rmeggins wrote:
> Yes.

Or should ENABLE_AUTOBIND be part of LDAPI? I feel autobind is tightly coupled with LDAPI; ENABLE_AUTOBIND could be replaced with ENABLE_LDAPI, and template-ldapi-autobind merged into template-ldapi-default?

rmeggins wrote:
> I think there may be some security-conscious people who will not want to
> enable autobind at all and will want to build without it.


------- Additional Comments From nhosoi@xxxxxxxxxx  2008-03-14 18:19 EST -------
Autobind gets the uid # and gid # from the LDAPI UNIX socket and retrieves the
matched entry from the backend to bind to the server.

For example, assume these are my uid # and gid # on the test system:
 $ id
 uid=12345(nhosoi) gid=12345(nhosoi)

Add this posix account to the server:
dn: uid=nhosoi, dc=example,dc=com
objectclass: top
objectclass: posixAccount
cn: noriko hosoi
uid: nhosoi
uidNumber: 12345
gidNumber: 12345
homeDirectory: /home/nhosoi
loginShell: bash
userPassword: nhosoi

Then, run the search against the LDAPI UNIX socket without the bind user.  Autobind
internally searches for an entry with the filter
(&(uidNumber=12345)(gidNumber=12345)) and binds using the found entry.
$ ldapsearch -H ldapi://%2fvar%2frun%2fslapd-laputa.socket/ -w nhosoi -Y DIGEST-MD5 \
    -b "dc=example,dc=com" "(cn=*)"
SASL/DIGEST-MD5 authentication started
SASL username: nhosoi
SASL SSF: 128
SASL installing layers
[...]

Tested on RHEL4.

To use autobind, ldapi, autobind and maptoentries all need to be turned on:
nsslapd-ldapifilepath: /var/run/slapd-laputa.socket
nsslapd-ldapilisten: on
nsslapd-ldapiautobind: on
nsslapd-ldapimaprootdn: cn=Directory Manager
nsslapd-ldapimaptoentries: on
nsslapd-ldapiuidnumbertype: uidNumber
nsslapd-ldapigidnumbertype: gidNumber
nsslapd-ldapientrysearchbase: dc=example,dc=com
nsslapd-ldapiautodnsuffix: cn=peercred,cn=external,cn=auth
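
The mapping this comment describes, as an added example that is not code from Fedora/389 Directory Server: a Python model of how the uid/gid read from the socket's peer credentials become a bind DN under the nsslapd-ldapi* settings listed above. The nhosoi entry and the config values are taken from the comment; the other directory entries and uid/gid values are constructed. The root-DN shortcut for uid 0, the fallback DN built from nsslapd-ldapiautodnsuffix, and the refusal to bind when two entries carry the same uid/gid pair are assumptions of this example, not behaviour quoted from the server. SO_PEERCRED is Linux-specific.

```python
"""LDAPI autobind, modelled: peer credentials on the UNIX socket -> bind DN.

Added example; this is not code from Fedora/389 Directory Server.  It models
the rule described in the bug comment (search the entry search base with
(&(uidNumber=N)(gidNumber=M)) and bind as the entry found) using the
nsslapd-ldapi* keys listed there.  The root-DN mapping, the fallback DN
built from nsslapd-ldapiautodnsuffix, and the refusal on an ambiguous match
are this example's assumptions, not text quoted from the server.
"""
import os
import socket
import struct

# Constructed config: the keys listed in the bug comment, same values.
CONFIG = {
    "nsslapd-ldapiautobind": "on",
    "nsslapd-ldapimaprootdn": "cn=Directory Manager",
    "nsslapd-ldapimaptoentries": "on",
    "nsslapd-ldapiuidnumbertype": "uidNumber",
    "nsslapd-ldapigidnumbertype": "gidNumber",
    "nsslapd-ldapientrysearchbase": "dc=example,dc=com",
    "nsslapd-ldapiautodnsuffix": "cn=peercred,cn=external,cn=auth",
}

# Constructed directory content: (dn, attrs) pairs, attribute names lower-cased.
# nhosoi is the entry from the comment; alice/alice2 share one uid/gid pair (a
# mapping hazard); "outside" lives under a different suffix than the search base.
ENTRIES = [
    ("uid=nhosoi,dc=example,dc=com",
     {"objectclass": ["top", "posixAccount"], "uidnumber": ["12345"], "gidnumber": ["12345"]}),
    ("uid=alice,ou=people,dc=example,dc=com",
     {"objectclass": ["top", "posixAccount"], "uidnumber": ["1001"], "gidnumber": ["1001"]}),
    ("uid=alice2,ou=people,dc=example,dc=com",
     {"objectclass": ["top", "posixAccount"], "uidnumber": ["1001"], "gidnumber": ["1001"]}),
    ("uid=outside,dc=other,dc=org",
     {"objectclass": ["top", "posixAccount"], "uidnumber": ["2002"], "gidnumber": ["2002"]}),
]


def peer_credentials(sock):
    """(pid, uid, gid) of the peer of a connected AF_UNIX socket via SO_PEERCRED.

    This kernel-supplied identity is what autobind trusts; it exists on Linux.
    """
    if not hasattr(socket, "SO_PEERCRED"):
        raise OSError("SO_PEERCRED is not available on this platform")
    raw = sock.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, struct.calcsize("3i"))
    return struct.unpack("3i", raw)


def peercred_matches_self():
    """Connect a socketpair to ourselves and check SO_PEERCRED reports our own ids.

    Returns True/False on Linux, None where SO_PEERCRED does not exist.
    """
    if not hasattr(socket, "SO_PEERCRED"):
        return None
    a, b = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        _pid, uid, gid = peer_credentials(a)
    finally:
        a.close()
        b.close()
    return uid == os.getuid() and gid == os.getgid()


def build_filter(uid, gid, config=CONFIG):
    """The search filter shown in the comment, with the configured attribute types."""
    return "(&(%s=%d)(%s=%d))" % (config["nsslapd-ldapiuidnumbertype"], uid,
                                  config["nsslapd-ldapigidnumbertype"], gid)


def _under_base(dn, base):
    dn, base = dn.lower(), base.lower()
    return dn == base or dn.endswith("," + base)


def search_by_ids(uid, gid, config=CONFIG, entries=ENTRIES):
    """DNs under the entry search base whose uid/gid attributes equal the peer's ids."""
    uid_attr = config["nsslapd-ldapiuidnumbertype"].lower()
    gid_attr = config["nsslapd-ldapigidnumbertype"].lower()
    base = config["nsslapd-ldapientrysearchbase"]
    return [dn for dn, attrs in entries
            if _under_base(dn, base)
            and str(uid) in attrs.get(uid_attr, [])
            and str(gid) in attrs.get(gid_attr, [])]


def autobind_dn(uid, gid, config=CONFIG, entries=ENTRIES):
    """Decide the identity an LDAPI connection gets with no explicit bind.

    Returns (bind_dn_or_None, reason).  None means the connection stays anonymous.
    """
    if config.get("nsslapd-ldapiautobind") != "on":
        return None, "autobind-off"
    # Assumption: uid 0 maps straight to the configured root DN, with no search.
    if uid == 0 and config.get("nsslapd-ldapimaprootdn"):
        return config["nsslapd-ldapimaprootdn"], "root"
    if config.get("nsslapd-ldapimaptoentries") == "on":
        matches = search_by_ids(uid, gid, config, entries)
        if len(matches) == 1:
            return matches[0], "entry"
        if len(matches) > 1:
            # Two entries claim the same uid/gid pair; this example refuses to
            # guess, since picking one would let the other identity be assumed.
            return None, "ambiguous"
    # Assumption: with no matching entry, a synthetic DN under the autodn suffix.
    suffix = config.get("nsslapd-ldapiautodnsuffix")
    if suffix:
        return "gidNumber=%d+uidNumber=%d,%s" % (gid, uid, suffix), "fallback"
    return None, "anonymous"
```

The point of the ambiguity branch is the check a deployment should make before turning nsslapd-ldapimaptoentries on: autobind hands out an entry's identity to any local process whose kernel uid/gid match it, with no password involved, so the uidNumber/gidNumber pairs under the entry search base must be unique and must be maintained as carefully as the passwords on those entries. That is also the reason the build-time --enable-autobind switch discussed above is worth having.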

------- Additional Comments From nhosoi@xxxxxxxxxx  2008-03-14 18:30 EST -------
Created an attachment (id=298099)
--> (https://bugzilla.redhat.com/attachment.cgi?id=298099&action=view)
cvs diff configure.ac Makefile.am



--
Fedora-directory-devel mailing list
Fedora-directory-devel@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-devel
