[Fedora-directory-devel] Please review (revised): LDAPI+AUTOBIND


Thank you for the background info and suggestions, Howard and Andrew.

We are thinking auto-bind could be useful for some types of applications and are trying to make it coexist safely with the current features.

Here is the summary of the changes:
436388 (Item 1): --enable-autobind is supported. Unless it's set, the auto-bind code is not compiled in.

436390 (Item 2): I updated the previous proposal based upon the feedback: now auto-bind is executed only from the bind code and when the client explicitly sends the SASL/EXTERNAL request to the server. On the server side, it's disabled by default. To enable it, nsslapd-ldapiautobind needs to be set to "on" by an administrator. With these changes, e.g., this search request is authenticated as Directory Manager if it's launched by a super user:
  # ldapsearch -Y EXTERNAL -H ldapi://%2fvar%2frun%2fslapd-<ID>.socket -b "cn=config" "(cn=*)"
If the EXTERNAL request is not passed, it's bound as anonymous.

436400 (Item 3): Currently, dse.ldif stores, by default, extra configuration attributes that are only necessary for auto-bind. They should not be there unless auto-bind is enabled.

Your comments would be greatly appreciated.

Thanks,
--noriko

Item 1)
Summary: LDAPI: introduce --enable-autobind to support AUTOBIND

https://bugzilla.redhat.com/show_bug.cgi?id=436388

------- Additional Comments From nhosoi@xxxxxxxxxx 2008-05-09 18:35 EST -------
Created an attachment (id=304990)
 --> (https://bugzilla.redhat.com/attachment.cgi?id=304990&action=view)
cvs diff configure.ac Makefile.am

Files:
 ldapserver/configure.ac
 ldapserver/Makefile.am

Description: introduced --enable-autobind
    By default, autobind is off.

Item 2)

Summary: LDAPI: support auto-bind

https://bugzilla.redhat.com/show_bug.cgi?id=436390

------- Additional Comments From nhosoi@xxxxxxxxxx 2008-05-09 19:52 EST -------
Created an attachment (id=304994)
 --> (https://bugzilla.redhat.com/attachment.cgi?id=304994&action=view)
cvs diff slap.h getsocketpeer.c daemon.c

Files:
 ldap/servers/slapd/slap.h
           /getsocketpeer.c
           /daemon.c

Description:
Debugged the basic code of slapd_get_socket_peer, which is used for Solaris9 and HP-UX. The recvmsg call returns an error immediately if no data is waiting to be received, since the socket is set to PR_SockOpt_Nonblocking (O_NONBLOCK). To make slapd_get_socket_peer more robust, we have to retry recvmsg if it returns EAGAIN. But set a retry count so it does not hang there.

Also introduced c_local_valid in the Connection handle to tell the autobind code whether the uid/gid pair is valid or not.

------- Additional Comments From nhosoi@xxxxxxxxxx 2008-05-13 12:23 EST -------
Created an attachment (id=305257)
 --> (https://bugzilla.redhat.com/attachment.cgi?id=305257&action=view)
cvs diff daemon.c bind.c

Files:
  ldap/servers/slapd/daemon.c
            /bind.c

Description:
In addition to the previous changes, I'm modifying the code as follows. The change in daemon.c stops the automagic/unconditional auto-bind. In bind.c, slapd_bind_local_user (in which auto-bind is implemented) is called. It was called in do_bind even before, but there was no bind type or method restriction set. I'm proposing to change the code to call it only when a SASL/EXTERNAL request is passed.

Item 3)

Summary: LDAPI: cleaning up template-ldapi*.ldif files

https://bugzilla.redhat.com/show_bug.cgi?id=436400

------- Additional Comments From nhosoi@xxxxxxxxxx 2008-05-09 18:52 EST -------
Created an attachment (id=304993)
 --> (https://bugzilla.redhat.com/attachment.cgi?id=304993&action=view)
cvs diff template-ldapi-default.ldif.in DSCreate.pm.in

Files:
 ldap/ldif/template-ldapi-default.ldif.in
 ldap/admin/src/scripts/DSCreate.pm.in

Description:
LDAPI itself requires these 2 configuration parameters.
   nsslapd-ldapifilepath: /var/run/slapd-<ID>.socket
   nsslapd-ldapilisten: on

The rest is needed only when autobind is enabled.
Modified DSCreate to generate the following parameters when the DS is configured with --enable-autobind.
   nsslapd-ldapiautobind: off
   nsslapd-ldapimaprootdn: cn=Directory Manager
   nsslapd-ldapimaptoentries: off
   nsslapd-ldapiuidnumbertype: uidNumber
   nsslapd-ldapigidnumbertype: gidNumber
   nsslapd-ldapientrysearchbase: <your_suffix>
   nsslapd-ldapiautodnsuffix: cn=peercred,cn=external,cn=auth

Fixed the nsslapd-ldapientrysearchbase value to be set to the server's suffix (instead of the hardcoded dc=example,dc=com).

template-ldapi-default.ldif.in seems not to be used. But to reduce confusion, I updated the file as well, for future use.
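An added illustration of the bounded-retry idea from Item 2 (example code written for this page, not the patch itself): slapd_get_socket_peer on Solaris9/HP-UX uses recvmsg, and on a non-blocking socket that call returns EAGAIN until the client has written something, so a retry cap is what keeps the bind path from hanging. The stand-in below is hypothetical and carries the uid/gid via Linux SO_PASSCRED/SCM_CREDENTIALS (so it needs a Linux host); the names get_socket_peer_bounded, demo_autobind_peer and peer_cred are mine.

```c
#define _GNU_SOURCE                 /* struct ucred / SCM_CREDENTIALS in glibc */
#include <errno.h>
#include <sys/socket.h>
#include <time.h>
#include <unistd.h>
#ifndef SCM_CREDENTIALS
#define SCM_CREDENTIALS 0x02        /* Linux value, in case _GNU_SOURCE was not honoured */
#endif
struct peer_cred { pid_t pid; uid_t uid; gid_t gid; };  /* same layout as Linux struct ucred */
/* Hypothetical stand-in for slapd_get_socket_peer(): read the peer's uid/gid from the
 * SCM_CREDENTIALS ancillary data of a non-blocking AF_UNIX socket.  recvmsg() fails with
 * EAGAIN until the client sends something, so retry a bounded number of times instead of
 * hanging.  Returns 1 (uid/gid valid), 0 (gave up: caller must leave c_local_valid unset), -1 (error). */
int get_socket_peer_bounded(int fd, int max_retries, uid_t *uid, gid_t *gid)
{
    char byte; struct iovec iov = { &byte, 1 };
    union { struct cmsghdr h; char buf[CMSG_SPACE(sizeof(struct peer_cred))]; } ctl;
    for (int attempt = 0; attempt <= max_retries; attempt++) {
        struct msghdr msg = { 0 };
        msg.msg_iov = &iov;        msg.msg_iovlen = 1;
        msg.msg_control = ctl.buf; msg.msg_controllen = sizeof ctl.buf;
        if (recvmsg(fd, &msg, MSG_PEEK) >= 0) {      /* PEEK leaves the LDAP PDU for the reader */
            for (struct cmsghdr *c = CMSG_FIRSTHDR(&msg); c; c = CMSG_NXTHDR(&msg, c))
                if (c->cmsg_level == SOL_SOCKET && c->cmsg_type == SCM_CREDENTIALS) {
                    struct peer_cred *pc = (struct peer_cred *)CMSG_DATA(c);
                    *uid = pc->uid; *gid = pc->gid;
                    return 1;
                }
            return -1;                               /* data arrived without credentials */
        }
        if (errno != EAGAIN && errno != EWOULDBLOCK) return -1;
        nanosleep(&(struct timespec){ 0, 1000000 }, NULL);  /* back off 1 ms, then retry */
    }
    return 0;
}
/* Constructed demo: a socketpair stands in for the LDAPI listener (sv[0], SO_PASSCRED set)
 * and a local client (sv[1]).  Returns 1 when the premature call gives up cleanly and the
 * call after the client's first byte reports our own uid/gid; negative = failing step. */
int demo_autobind_peer(void)
{
    int sv[2], one = 1, rc; uid_t uid = (uid_t)-1; gid_t gid = (gid_t)-1;
    if (socketpair(AF_UNIX, SOCK_STREAM | SOCK_NONBLOCK, 0, sv) < 0) return -1;
    setsockopt(sv[0], SOL_SOCKET, SO_PASSCRED, &one, sizeof one);
    if (get_socket_peer_bounded(sv[0], 3, &uid, &gid) != 0) rc = -2;  /* must give up, not hang */
    else if (write(sv[1], "\x30", 1) != 1) rc = -3;                    /* client's first PDU byte */
    else if (get_socket_peer_bounded(sv[0], 3, &uid, &gid) != 1) rc = -4;
    else rc = (uid == getuid() && gid == getgid()) ? 1 : -5;
    close(sv[0]); close(sv[1]);
    return rc;
}
```

A return of 0 is the case the patch guards against: the server must treat it as "no local identity" rather than block, and nothing downstream may map the connection to a DN until c_local_valid is set.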
