Bug 436390
| Field | Value |
|---|---|
| Summary | LDAPI: support auto-bind |
| Product | [Retired] 389 |
| Component | Directory Server |
| Status | CLOSED CURRENTRELEASE |
| Severity | high |
| Priority | high |
| Version | 1.1.0 |
| Reporter | Noriko Hosoi <nhosoi> |
| Assignee | Noriko Hosoi <nhosoi> |
| QA Contact | Chandrasekar Kannan <ckannan> |
| CC | benl, jgalipea |
| Hardware | All |
| OS | Linux |
| Fixed In Version | 8.1 |
| Doc Type | Bug Fix |
| Last Closed | 2009-04-29 23:02:42 UTC |
| Bug Blocks | 249650, 493682 |
Created attachment 304994
cvs diff slap.h getsocketpeer.c daemon.c

Files:
ldap/servers/slapd/slap.h
/getsocketpeer.c
/daemon.c

Description:
Debugged the basic code of slapd_get_socket_peer, which is used for Solaris 9 and HP-UX. The recvmsg call returns an error immediately if no data is waiting to be received, since the socket is set to PR_SockOpt_Nonblocking (O_NONBLOCK). To make slapd_get_socket_peer more robust, we have to retry recvmsg if it returns EAGAIN, but with a retry count so that it does not hang there.
Also introduced c_local_valid in the Connection handle to tell the autobind code whether the uid/gid pair is valid or not.
Created attachment 305257
cvs diff daemon.c bind.c

Files:
ldap/servers/slapd/daemon.c
/bind.c

Description:
In addition to the previous changes, I'm modifying the code as follows. The change in daemon.c stops the automagic/unconditional auto-bind. In bind.c, slapd_bind_local_user (in which auto-bind is implemented) is called. It was called in do_bind even before, but there was no bind type or method restriction set. I'm proposing to change the code to call it only when a SASL/EXTERNAL request is passed.
Test Cases:
Log in as root. Search "cn=config" with "-x" (simple authentication). The search returns only entries that are available to anonymous.

# ldapsearch -x -H ldapi://%2fvar%2frun%2fslapd-test2.socket -b "cn=config" "(cn=*)" dn
# extended LDIF
# SNMP, config
dn: cn=SNMP,cn=config
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1

Log in as root. Search "cn=config" with "-Y EXTERNAL". Then the search returns all the entries, which require Directory Manager privilege.

# ldapsearch -Y EXTERNAL -H ldapi://%2fvar%2frun%2fslapd-test2.socket -b "cn=config" "(cn=*)" dn
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
# extended LDIF
# config
dn: cn=config
# encryption, config
dn: cn=encryption,cn=config
# features, config
dn: cn=features,cn=config
[...]
# search result
search: 2
result: 0 Success
# numResponses: 125
# numEntries: 124
Created attachment 305709
cvs commit message
Reviewed and commented by Rich, Andrew, and Howard (Thank you!!)
Checked into CVS HEAD.
DS 8.1 supports ldapi autobind and is being tested with ldapi automated acceptance tests.

An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.
http://rhn.redhat.com/errata/RHEA-2009-0455.html
Description of problem:
* slapd_get_socket_peer has an OS-dependent implementation. Only the system whose getsockopt supports SO_PEERCRED is enabled, which is Linux. Should we enable the code for other OSes?

rmeggins wrote:
> Yes. But there is code in there for Solaris and HP-UX which use different implementations. Do they work?