|Summary:||LDAPI: referral mode needs LDAPI socket|
|Product:||[Retired] 389||Reporter:||Noriko Hosoi <nhosoi>|
|Component:||Admin||Assignee:||Noriko Hosoi <nhosoi>|
|Status:||CLOSED CURRENTRELEASE||QA Contact:||Chandrasekar Kannan <ckannan>|
|Fixed In Version:||8.1||Doc Type:||Bug Fix|
|Last Closed:||2009-04-29 22:59:49 UTC||Type:||---|
|Bug Blocks:||249650, 493682|
Comment 1 Noriko Hosoi 2007-03-02 21:28:31 UTC
(In reply to comment #0)
>> Description of problem:
>> [error #1]
>> [...]
>>
>> I guess my question is PR_Bind for LDAPI is needed for the referral mode. If
>> not, we could just skip it?

Richard Megginson wrote:
> It could be. I could see where it would be useful. We may have to change the
> server to add another command line argument for referral mode, to allow you to
> pass in the ldapi url. I'll note that openldap allows you to use -H LDAPURL e.g.
> -H ldap://hostname:389/ -H ldapi:///var/run/ldapi etc. However, we do not yet
> have an LDAP URL parser that understands ldapi.

This issue should be revisited for the 7.3 release.
Comment 2 Noriko Hosoi 2007-03-02 21:38:01 UTC
(In reply to comment #0)
> Description of problem:
> [error #2]
> [...]
> Also, to work around this problem, is it okay to add this code to create the
> directory to put the ldapi unix socket if it does not exist?

Richard Megginson wrote:
I don't think we should create the directory if it does not exist. That doesn't seem right to me. I think we should just warn.

Pete Rowley wrote:
> You know, given our server installs with newinst.pl in regular cases and all this has
> default config set up for directories we already write to, perhaps the right thing to do
> is to have default off for ldapi. That would have minimum impact on tests that don't
> care about it (and are set up other ways) and wouldn't affect server installs through
> regular means.

Richard Megginson wrote:
Then ds_newinst could set it to "on" if the user specified an ldapifilepath. I think that would appease Andrew as well.

Based upon the suggestions from Pete and Rich, setting "ldapifilepath= /path/to/ldapifile/slapd-ID.socket" in the install inf file is used as a trigger to set ldapi to "on". Otherwise, it is set to "off". The function ds_gen_confs in create_instance.c switches between on and off depending upon the existence of the ldapifilepath value. Also, the ldapi default setting in libglobs.c is changed to "off".
Comment 3 Noriko Hosoi 2007-03-02 21:43:16 UTC
Created attachment 149157 [details]
cvs diffs (admin/src/create_instance.c, servers/slapd/libglobs.c)

Changes:
create_instance.c: if ldapifilepath is not passed, LDAPI is disabled in the newly created instance.
libglobs.c: LDAPI is disabled in the initial configuration parameter setting.
Comment 4 Noriko Hosoi 2007-03-02 22:39:04 UTC
Created attachment 149160 [details]
cvs commit message

Reviewed by Rich (Thank you!)
Checked in into HEAD.
Comment 6 Noriko Hosoi 2007-08-03 17:29:51 UTC
Since we don't use the code, this problem does not exist any more? Just leave it for now...
Comment 7 Noriko Hosoi 2008-05-13 00:14:24 UTC
Created attachment 305187 [details]
cvs diff config.c

File: ldap/servers/slapd/config.c

Problem Description: If you start the server with the referral mode, e.g., like this:
    ns-slapd refer -D /etc/dirsrv/slapd-test -r ldap://laputa.example.com
UNIX socket for LDAPI was not opened since LDAPI configuration parameters are not read from dse.ldif at that moment.

Fix Description: adding the code to process nsslapd-ldapifilepath and nsslapd-ldapilisten in slapd_bootstrap_config.
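A sketch of the bootstrap step that the fix description above refers to, as an added example rather than the 389 code from the attachment: it scans dse.ldif-style text for the cn=config entry and picks up the two LDAPI attributes before any listener would be opened. `bootstrap_ldapi` and `struct ldapi_boot` are hypothetical names, and the rule that the listener opens only when nsslapd-ldapilisten is "on" and the path is absolute is an assumption.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

struct ldapi_boot {          /* hypothetical holder for the two settings */
    int listen;              /* nsslapd-ldapilisten: 1 when "on" */
    char filepath[108];      /* nsslapd-ldapifilepath */
};

/* If line is "attr: value" (attr case-insensitive), return value, else NULL. */
static const char *attr_value(const char *line, const char *attr)
{
    size_t n = strlen(attr);
    if (strncasecmp(line, attr, n) != 0 || line[n] != ':') return NULL;
    line += n + 1;
    while (*line == ' ') line++;
    return line;
}

/*
 * Scan LDIF text for the cn=config entry and read the LDAPI settings.
 * Returns 1 if an LDAPI listener should be opened, 0 otherwise.
 * Simplification: folded lines and base64 ("::") values are not handled.
 */
int bootstrap_ldapi(const char *ldif, struct ldapi_boot *out)
{
    int in_config = 0;
    memset(out, 0, sizeof(*out));
    while (*ldif != '\0') {
        char line[256];
        size_t len = strcspn(ldif, "\n");
        const char *v;
        snprintf(line, sizeof(line), "%.*s", (int)len, ldif);
        ldif += len + (ldif[len] == '\n');
        if (line[0] == '\0') { in_config = 0; continue; } /* blank line ends an entry */
        if ((v = attr_value(line, "dn")) != NULL) {
            in_config = (strcasecmp(v, "cn=config") == 0);
        } else if (!in_config) {
            continue;                     /* ignore attributes of other entries */
        } else if ((v = attr_value(line, "nsslapd-ldapilisten")) != NULL) {
            out->listen = (strcasecmp(v, "on") == 0);
        } else if ((v = attr_value(line, "nsslapd-ldapifilepath")) != NULL) {
            /* a path that does not fit is dropped rather than truncated */
            if (snprintf(out->filepath, sizeof(out->filepath), "%s", v)
                >= (int)sizeof(out->filepath))
                out->filepath[0] = '\0';
        }
    }
    return out->listen && out->filepath[0] == '/';
}
```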
Comment 8 Noriko Hosoi 2008-05-13 00:22:13 UTC
Test case (using OpenLDAP client)

# ldapsearch -Y EXTERNAL -H ldapi://%2fvar%2frun%2fslapd-test.socket -b "dc=example,dc=com" -v "(uid=*)"
ldap_initialize( ldapi://%2fvar%2frun%2fslapd-test.socket )
SASL/EXTERNAL authentication started
ldap_sasl_interactive_bind_s: Referral (10)
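The ldapi:// URL in the test case above carries the socket path percent-encoded in the host position. An added example (not code from 389 or OpenLDAP; `ldapi_url_to_path` is a hypothetical helper) that decodes that form into a path and rejects input that would be unsafe to hand to bind(): bad escapes, an embedded NUL, a relative path, or a path longer than sockaddr_un.sun_path.

```c
#include <stddef.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>

/* Largest path (NUL included) that fits sockaddr_un.sun_path. */
#define SUN_PATH_MAX sizeof(((struct sockaddr_un *)0)->sun_path)

/* Return the value of one hex digit, or -1 if c is not a hex digit. */
static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/*
 * Decode the percent-encoded socket path of an "ldapi://" URL into
 * out[outlen]. Returns 0 on success, -1 if the URL is malformed or
 * the decoded path could not be bound as a UNIX socket address.
 */
int ldapi_url_to_path(const char *url, char *out, size_t outlen)
{
    static const char scheme[] = "ldapi://";
    size_t n = 0;
    const char *p;

    if (url == NULL || out == NULL) return -1;
    if (strncmp(url, scheme, sizeof(scheme) - 1) != 0) return -1;
    if (outlen > SUN_PATH_MAX) outlen = SUN_PATH_MAX;

    for (p = url + sizeof(scheme) - 1; *p != '\0'; p++) {
        int c = (unsigned char)*p;
        if (c == '/' || c == '?') return -1;   /* only the encoded-host form is handled */
        if (c == '%') {
            int hi = hexval((unsigned char)p[1]);
            int lo = (hi < 0) ? -1 : hexval((unsigned char)p[2]);
            if (lo < 0) return -1;             /* truncated or non-hex escape */
            c = hi * 16 + lo;
            if (c == 0) return -1;             /* %00 would silently cut the path short */
            p += 2;
        }
        if (n + 1 >= outlen) return -1;        /* no room left for the byte and the NUL */
        out[n++] = (char)c;
    }
    if (n == 0 || out[0] != '/') return -1;    /* require an absolute path */
    out[n] = '\0';
    return 0;
}
```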
Comment 9 Rich Megginson 2008-05-14 16:06:20 UTC
I don't really like adding more code to the hack that is the bootstrap code in config.c, but this looks ok.
Comment 10 Noriko Hosoi 2008-05-14 18:40:46 UTC
Created attachment 305393 [details]
cvs commit message

Reviewed by Rich (Thank you!!)
Checked in into CVS HEAD.
Comment 11 Jenny Severance 2009-03-11 18:22:53 UTC
Can you please add steps to setup and verify this bug with RH DS?

Thanks
Jenny
Comment 12 Noriko Hosoi 2009-03-11 18:41:06 UTC
(In reply to comment #11)
> Can you please add steps to setup and verify this bug with RH DS?

1. enable ldapi
   nsslapd-ldapilisten: on
2. assume you have a referral server: ldap://<host>.<domain>
3. start the server with the referral mode (note: this is another server which refers to the referral server)
   cd /usr/lib/dirsrv/slapd-ID
   ./ns-slapd refer -D /etc/dirsrv/slapd-ID -r ldap://<host>.<domain>

If this server starts successfully, the bug is verified.
Comment 13 Jenny Severance 2009-03-11 18:53:12 UTC
Is this only a fedora bug? /etc/dirsrv/slapd-ID/ns-slapd does not exist and the flags are not valid for start-slapd
Comment 14 Noriko Hosoi 2009-03-11 19:14:01 UTC
(In reply to comment #13)
> Is this only a fedora bug?
>
> /etc/dirsrv/slapd-ID/ns-slapd does not exist and the flags are not valid for
> start-slapd

Oops, sorry! :p
/usr/sbin/ns-slapd refer -D /etc/dirsrv/slapd-ID -r ldap://<host>.<domain>
Comment 15 Jenny Severance 2009-03-11 19:22:41 UTC
that works! thank you
fix verified DS 8.1 RHEL 5

[root@jennyv2 slapd-jennyv2]# /usr/sbin/ns-slapd refer -D /etc/dirsrv/slapd-jennyv2/ -r ldap://jennyv4.bos.redhat.com
[root@jennyv2 slapd-jennyv2]# tail -f /var/log/dirsrv/slapd-jennyv2/errors
[11/Mar/2009:15:14:31 -0400] - Listening on All Interfaces port 636 for LDAPS requests
[11/Mar/2009:15:14:31 -0400] - Listening on /var/run/slapd-jennyv2.socket for LDAPI requests
[11/Mar/2009:15:25:23 -0400] - slapd shutting down - signaling operation threads
[11/Mar/2009:15:25:23 -0400] - slapd shutting down - closing down internal subsystems and plugins
[11/Mar/2009:15:25:26 -0400] - Waiting for 4 database threads to stop
[11/Mar/2009:15:25:26 -0400] - All database threads now stopped
[11/Mar/2009:15:25:26 -0400] - slapd stopped.
[11/Mar/2009:15:26:18 -0400] - Red Hat-Directory/8.1.0 B2009.050.914 starting up
[11/Mar/2009:15:26:18 -0400] - slapd started. Listening on All Interfaces port 389 for LDAP requests
[11/Mar/2009:15:26:18 -0400] - Listening on /var/run/slapd-jennyv2.socket for LDAPI requests
Comment 16 Chandrasekar Kannan 2009-04-29 22:59:49 UTC
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHEA-2009-0455.html