Bug 230673

Summary: LDAPI: referral mode needs LDAPI socket
Product: [Retired] 389
Component: Admin
Version: 1.0.4
Hardware: All
OS: Linux
Status: CLOSED CURRENTRELEASE
Severity: medium
Priority: medium
Reporter: Noriko Hosoi <nhosoi>
Assignee: Noriko Hosoi <nhosoi>
QA Contact: Chandrasekar Kannan <ckannan>
CC: benl, jgalipea
Fixed In Version: 8.1
Doc Type: Bug Fix
Last Closed: 2009-04-29 22:59:49 UTC
Bug Blocks: 249650, 493682

Attachments:
- cvs diffs (admin/src/create_instance.c, servers/slapd/libglobs.c)
- cvs commit message
- cvs diff config.c
- cvs commit message

Comment 1 Noriko Hosoi 2007-03-02 21:28:31 UTC
(In reply to comment #0)
>> Description of problem:
>> [error #1]
>> [...]
>> I guess my question is PR_Bind for LDAPI is needed for the referral mode.  If
>> not, we could just skip it?
Richard Megginson wrote:
> It could be.  I could see where it would be useful.  We may have to change the
> server to add another command line argument for referral mode, to allow you to
> pass in the ldapi url.  I'll note that openldap allows you to use -H LDAPURL e.g.
> -H ldap://hostname:389/ -H ldapi:///var/run/ldapi etc.  However, we do not yet
> have an LDAP URL parser that understands ldapi.

This issue should be revisited for the 7.3 release.

Comment 2 Noriko Hosoi 2007-03-02 21:38:01 UTC
(In reply to comment #0)
> Description of problem:
> [error #2]
> [...]
> Also, to work around this problem, is it okay to add this code to create the
> directory to put the ldapi unix socket if it does not exist?
Richard Megginson wrote:
> I don't think we should create the directory if it does not exist.  That doesn't
> seem right to me.  I think we should just warn.

Pete Rowley wrote:
> You know, given our server installs with newinst.pl in regular cases and all this has
> default config set up for directories we already write to, perhaps the right thing to do
> is to have default off for ldapi.  That would have minimum impact on tests that don't
> care about it (and are set up other ways) and wouldn't affect server installs
> regular means.
Richard Megginson wrote:
> Then ds_newinst could set it to "on" if the user specified an ldapifilepath.  I think that
> would appease Andrew as well.

Based upon the suggestions from Pete and Rich, if setting
"ldapifilepath=/path/to/ldapifile/slapd-ID.socket" in the install inf file is used
as a trigger to set ldapi to "on".  Otherwise, set to "off".  The function
ds_gen_confs in create_instance.c between on and off depending upon the existence
of ldapifilepath value.  Also, the ldapi default setting in libglobs.c is changed
to "off".

Comment 3 Noriko Hosoi 2007-03-02 21:43:16 UTC
Created attachment 149157
cvs diffs (admin/src/create_instance.c, servers/slapd/libglobs.c)

create_instance.c: if ldapifilepath is not passed, LDAPI is disabled in the
		   newly created instance.
libglobs.c: LDAPI is disabled in the initial configuration parameter setting.

Comment 4 Noriko Hosoi 2007-03-02 22:39:04 UTC
Created attachment 149160
cvs commit message

Reviewed by Rich (Thank you!)

Checked in into HEAD.

Comment 5 Noriko Hosoi 2007-03-02 22:41:10 UTC
Leave this bug opened for the Comment #1.

Comment 6 Noriko Hosoi 2007-08-03 17:29:51 UTC
Since we don't use the code, this problem does not exist any more?  Just leave
it for now...

Comment 7 Noriko Hosoi 2008-05-13 00:14:24 UTC
Created attachment 305187
cvs diff config.c

File: ldap/servers/slapd/config.c

Problem Description: If you start the server with the referral mode, e.g., like
 ns-slapd refer -D /etc/dirsrv/slapd-test -r ldap://laputa.example.com
UNIX socket for LDAPI was not opened since LDAPI configuration parameters are
not read from dse.ldif at that moment.

Fix Description: adding the code to process nsslapd-ldapifilepath and
nsslapd-ldapilisten in slapd_bootstrap_config.

Comment 8 Noriko Hosoi 2008-05-13 00:22:13 UTC
Test case (using openLDAP client)

# ldapsearch -Y EXTERNAL -H ldapi://%2fvar%2frun%2fslapd-test.socket -b "dc=example,dc=com" -v "(uid=*)"
ldap_initialize( ldapi://%2fvar%2frun%2fslapd-test.socket )
SASL/EXTERNAL authentication started
ldap_sasl_interactive_bind_s: Referral (10)
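
Comment 1 notes that the server had no LDAP URL parser that understands ldapi, and the test case above passes the socket path percent-encoded in the URL. As an added example (not code from the 389 DS source or the attached diffs), a C decoder for that URL form; the name `ldapi_url_to_path` is hypothetical, and it rejects escapes that decode to NUL, relative paths, and paths too long for `sun_path`.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>
#include <sys/un.h>

static int hexval(int c)
{
    if (isdigit(c)) return c - '0';
    c = tolower(c);
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Hypothetical helper (not 389 DS code): decode the socket path from an
 * ldapi:// URL. Returns 0 on success, -1 if the URL is rejected. */
int ldapi_url_to_path(const char *url, char *out, size_t outlen)
{
    static const char scheme[] = "ldapi://";
    size_t n = 0, max = sizeof(((struct sockaddr_un *)0)->sun_path);
    const char *p;
    if (url == NULL || strncasecmp(url, scheme, sizeof(scheme) - 1) != 0)
        return -1;                  /* not an ldapi URL */
    if (outlen < max) max = outlen; /* stay inside the caller's buffer */
    /* The path is the percent-encoded host part, ending at '/', '?' or NUL. */
    for (p = url + sizeof(scheme) - 1; *p && *p != '/' && *p != '?'; p++) {
        int c = (unsigned char)*p;
        if (c == '%') {
            int hi = hexval((unsigned char)p[1]);
            int lo = hi < 0 ? -1 : hexval((unsigned char)p[2]);
            if (lo < 0) return -1;  /* truncated or non-hex escape */
            c = hi * 16 + lo;
            p += 2;
        }
        if (c == 0 || n + 1 >= max)
            return -1;              /* %00, or too long for sun_path */
        out[n++] = (char)c;
    }
    if (n == 0 || out[0] != '/')
        return -1;                  /* empty or relative socket path */
    out[n] = '\0';
    return 0;
}

int main(void)
{
    char path[128];
    const char *url = "ldapi://%2fvar%2frun%2fslapd-test.socket"; /* URL from the test case above */
    if (ldapi_url_to_path(url, path, sizeof(path)) == 0) puts(path);
    return 0;
}
```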

Comment 9 Rich Megginson 2008-05-14 16:06:20 UTC
I don't really like adding more code to the hack that is the bootstrap code in
config.c, but this looks ok.

Comment 10 Noriko Hosoi 2008-05-14 18:40:46 UTC
Created attachment 305393
cvs commit message

Reviewed by Rich (Thank you!!)

Checked in into CVS HEAD.

Comment 11 Jenny Severance 2009-03-11 18:22:53 UTC
Can you please add steps to setup and verify this bug with RH DS?

Comment 12 Noriko Hosoi 2009-03-11 18:41:06 UTC
(In reply to comment #11)
> Can you please add steps to setup and verify this bug with RH DS?

1. enable ldapi
nsslapd-ldapilisten: on

2. assume you have a referral server: ldap://<host>.<domain>

3. start the server with the referral mode (note: this is another server which refers to the referral server)
cd /usr/lib[64]/dirsrv/slapd-ID
./ns-slapd refer -D /etc/dirsrv/slapd-ID -r ldap://<host>.<domain>

If this server starts successfully, the bug is verified.

Comment 13 Jenny Severance 2009-03-11 18:53:12 UTC
Is this only a fedora bug?

/etc/dirsrv/slapd-ID/ns-slapd does not exist and the flags are not valid for start-slapd

Comment 14 Noriko Hosoi 2009-03-11 19:14:01 UTC
(In reply to comment #13)
> Is this only a fedora bug?
> /etc/dirsrv/slapd-ID/ns-slapd does not exist and the flags are not valid for
> start-slapd  

Oops, sorry! :p
/usr/sbin/ns-slapd refer -D /etc/dirsrv/slapd-ID -r ldap://<host>.<domain>

Comment 15 Jenny Severance 2009-03-11 19:22:41 UTC
that works! thank you
fix verified DS 8.1 RHEL 5

[root@jennyv2 slapd-jennyv2]# /usr/sbin/ns-slapd refer -D /etc/dirsrv/slapd-jennyv2/ -r ldap://jennyv4.bos.redhat.com

[root@jennyv2 slapd-jennyv2]# tail -f /var/log/dirsrv/slapd-jennyv2/errors
[11/Mar/2009:15:14:31 -0400] - Listening on All Interfaces port 636 for LDAPS requests
[11/Mar/2009:15:14:31 -0400] - Listening on /var/run/slapd-jennyv2.socket for LDAPI requests
[11/Mar/2009:15:25:23 -0400] - slapd shutting down - signaling operation threads
[11/Mar/2009:15:25:23 -0400] - slapd shutting down - closing down internal subsystems and plugins
[11/Mar/2009:15:25:26 -0400] - Waiting for 4 database threads to stop
[11/Mar/2009:15:25:26 -0400] - All database threads now stopped
[11/Mar/2009:15:25:26 -0400] - slapd stopped.
[11/Mar/2009:15:26:18 -0400] - Red Hat-Directory/8.1.0 B2009.050.914 starting up
[11/Mar/2009:15:26:18 -0400] - slapd started.  Listening on All Interfaces port 389 for LDAP requests
[11/Mar/2009:15:26:18 -0400] - Listening on /var/run/slapd-jennyv2.socket for LDAPI requests

Comment 16 Chandrasekar Kannan 2009-04-29 22:59:49 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.