Bug 436400

Summary: LDAPI: cleaning up template-ldapi-default.ldif.in and DSCreate.pm.in
Product: [Retired] 389
Reporter: Noriko Hosoi <nhosoi>
Component: Directory Server
Assignee: Noriko Hosoi <nhosoi>
Status: CLOSED CURRENTRELEASE
QA Contact: Chandrasekar Kannan <ckannan>
Severity: high
Priority: high
Version: 1.1.0
CC: benl, jgalipea
Hardware: All
OS: Linux
Fixed In Version: 8.1
Doc Type: Bug Fix
Last Closed: 2009-04-29 23:02:48 UTC
Bug Blocks: 249650, 493682
Attachments:
 cvs diff template-ldapi-default.ldif.in DSCreate.pm.in (flags: none)
 cvs diff template-ldapi-default.ldif.in DSCreate.pm.in (flags: none)

Description Noriko Hosoi 2008-03-06 22:21:03 UTC
Description of problem:

LDAPI Configuration Parameters (cn=config):

    nsslapd-ldapifilepath: <full_path_of_the_UNIX_socket>
    example> nsslapd-ldapifilepath: /var/run/dirsrv/slapd-fds.socket

    nsslapd-ldapilisten: on | off
    main parameter to turn on and off LDAPI, by default off

The rest are introduced to support AUTOBIND, which maps the UNIX uid and gid to
the corresponding entry stored in the Directory Server and binds the connection
as that entry.

    nsslapd-ldapiautobind: on | off
    Parameter to turn on and off AUTOBIND

    nsslapd-ldapimaprootdn: <dn_which_is_used_for_root_uid>
    Entry to be mapped when the bind uid number is 0.  Specify "cn=Directory
Manager" or a highly privileged user.

    nsslapd-ldapimaptoentries: on | off
    If this parameter is on, uid and gid are mapped to the dn which is
dynamically searched with the values defined below.

    nsslapd-ldapiuidnumbertype: uidNumber
    This value is used in the search filter (uidNumber=<local_uid>)

    nsslapd-ldapigidnumbertype: gidNumber
    This value is used in the search filter (gidNumber=<local_gid>)

    nsslapd-ldapientrysearchbase: dc=example, dc=com
    This value is used for the search base.

    nsslapd-ldapiautodnsuffix: cn=peercred,cn=external,cn=auth
    Introduced as a safety net: when entry mapping fails, this special user is
used to allow the bind.

Note: All of the parameters except nsslapd-ldapiautobind are included in
template-ldapi-default.ldif and added to dse.ldif.  But they are not really
used.  Plus, I think we can remove nsslapd-ldapimaprootdn,
nsslapd-ldapimaptoentries, nsslapd-ldapiuidnumbertype,
nsslapd-ldapigidnumbertype, nsslapd-ldapientrysearchbase,
nsslapd-ldapiautodnsuffix from template-ldapi-default.ldif.
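As an added illustration (not code from the 389 project or from this bug report), the following Python model shows how the nsslapd-ldapi* parameters listed above decide which DN a local LDAPI client ends up bound as, including the root-uid, maptoentries-off, no-match and ambiguous-match cases. It assumes the entry search ANDs the uid and gid filters, that an ambiguous multi-entry match counts as a mapping failure, and that the fallback DN is built as "uidNumber=<uid>+gidNumber=<gid>,<autodnsuffix>"; the config values and directory entries are constructed samples.

```python
# Added example, not code from the 389 project or this bug. Models the LDAPI
# autobind decision driven by the nsslapd-ldapi* parameters. Assumed: the
# search ANDs uid and gid, ambiguity is a failure, fallback RDN shape as below.
ANONYMOUS = ""

# Constructed config: the defaults quoted in this bug, with autobind and entry
# mapping switched on and the search base set to the server suffix.
CONFIG = {
    "nsslapd-ldapiautobind": "on",
    "nsslapd-ldapimaprootdn": "cn=Directory Manager",
    "nsslapd-ldapimaptoentries": "on",
    "nsslapd-ldapiuidnumbertype": "uidNumber",
    "nsslapd-ldapigidnumbertype": "gidNumber",
    "nsslapd-ldapientrysearchbase": "dc=example,dc=com",
    "nsslapd-ldapiautodnsuffix": "cn=peercred,cn=external,cn=auth",
}

# Constructed sample directory content standing in for the search: (dn, attrs).
ENTRIES = [
    ("uid=alice,ou=people,dc=example,dc=com", {"uidNumber": "1000", "gidNumber": "1000"}),
    ("uid=bob,ou=people,dc=example,dc=com", {"uidNumber": "1001", "gidNumber": "1000"}),
    ("uid=dup1,ou=people,dc=example,dc=com", {"uidNumber": "2000", "gidNumber": "2000"}),
    ("uid=dup2,ou=people,dc=example,dc=com", {"uidNumber": "2000", "gidNumber": "2000"}),
    ("uid=carol,dc=other,dc=org", {"uidNumber": "1002", "gidNumber": "1000"}),
]

def _norm_dn(dn):
    # Minimal DN normalization (assumed): drop spaces after commas, lowercase.
    return ",".join(p.strip() for p in dn.split(",")).lower()

def _in_subtree(dn, base):
    d, b = _norm_dn(dn), _norm_dn(base)
    return d == b or d.endswith("," + b)

def autobind_dn(cfg, entries, uid, gid):
    # Returns the DN the LDAPI connection is bound as, or ANONYMOUS.
    if cfg.get("nsslapd-ldapiautobind", "off") != "on":
        return ANONYMOUS            # plain LDAPI: the client must bind itself
    if uid == 0:
        return cfg["nsslapd-ldapimaprootdn"]   # root maps to the privileged DN
    fallback = f"uidNumber={uid}+gidNumber={gid},{cfg['nsslapd-ldapiautodnsuffix']}"
    if cfg.get("nsslapd-ldapimaptoentries", "off") != "on":
        return fallback
    uid_attr, gid_attr = cfg["nsslapd-ldapiuidnumbertype"], cfg["nsslapd-ldapigidnumbertype"]
    base = cfg["nsslapd-ldapientrysearchbase"]
    # Equivalent of searching base for (&(uidNumber=<uid>)(gidNumber=<gid>)).
    hits = [dn for dn, attrs in entries
            if _in_subtree(dn, base)
            and attrs.get(uid_attr) == str(uid) and attrs.get(gid_attr) == str(gid)]
    return hits[0] if len(hits) == 1 else fallback
```

A search base that does not cover the entries (the hardcoded dc=example,dc=com this bug replaces with the server suffix) silently sends every user to the fallback DN rather than to their own entry.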

Comment 1 Noriko Hosoi 2008-03-06 22:31:58 UTC
These template files may not be used to initialize the ldapi configuration
parameters.  Rather, createConfigFile (DSCreate.pm.in) hardcoded them:

        if ("@enable_autobind@") {
            $ent->setValues("nsslapd-ldapiautobind", "on");
        }
        $ent->setValues("nsslapd-ldapimaprootdn", $inf->{slapd}->{RootDN});
        $ent->setValues("nsslapd-ldapimaptoentries", "off");
        $ent->setValues("nsslapd-ldapiuidnumbertype", "uidNumber");
        $ent->setValues("nsslapd-ldapigidnumbertype", "gidNumber");
        $ent->setValues("nsslapd-ldapientrysearchbase", "dc=example, dc=com");
        $ent->setValues("nsslapd-ldapiautodnsuffix", "cn=peercred,cn=external,cn=auth");


Comment 3 Noriko Hosoi 2008-05-09 22:52:13 UTC
Created attachment 304993 [details]
cvs diff template-ldapi-default.ldif.in DSCreate.pm.in

Files:
 ldap/ldif/template-ldapi-default.ldif.in
 ldap/admin/src/scripts/DSCreate.pm.in

Description:
LDAPI itself requires these 2 configuration parameters.
   nsslapd-ldapifilepath: /var/run/slapd-<ID>.socket
   nsslapd-ldapilisten: on

The rest is needed only when autobind is enabled.
Modified DSCreate to generate the following parameters when the DS is
configured with --enable-autobind.
   nsslapd-ldapiautobind: off
   nsslapd-ldapimaprootdn: cn=Directory Manager
   nsslapd-ldapimaptoentries: off
   nsslapd-ldapiuidnumbertype: uidNumber
   nsslapd-ldapigidnumbertype: gidNumber
   nsslapd-ldapientrysearchbase: <your_suffix>
   nsslapd-ldapiautodnsuffix: cn=peercred,cn=external,cn=auth

Fixed nsslapd-ldapientrysearchbase value to set the server's suffix (instead of
hardcoded dc=example,dc=com).

template-ldapi-default.ldif.in seems not to be used.  But to reduce confusion, I
updated the file as well, for future use.

Comment 4 Noriko Hosoi 2008-05-16 16:28:43 UTC
Created attachment 305706 [details]
cvs diff template-ldapi-default.ldif.in DSCreate.pm.in

Reviewed and commented by Rich, Andrew, and Howard (Thank you!!)

Checked in into CVS HEAD.

Comment 5 Noriko Hosoi 2008-05-16 16:50:27 UTC
(In reply to comment #4)
s/cvs diff template-ldapi-default.ldif.in DSCreate.pm.in/cvs commit message/

Comment 6 Jenny Severance 2009-03-12 16:54:23 UTC
This seems more like a task reminder than a bug.  Can we just close it since LDAPI is now implemented?

Comment 7 Noriko Hosoi 2009-03-12 18:25:23 UTC
Default LDAP related config attributes in the installed dse.ldif:
nsslapd-ldapifilepath: /var/run/slapd-m0.socket
nsslapd-ldapilisten: off
nsslapd-ldapiautobind: off
nsslapd-ldapimaprootdn: cn=Directory Manager
nsslapd-ldapimaptoentries: off
nsslapd-ldapiuidnumbertype: uidNumber
nsslapd-ldapigidnumbertype: gidNumber
nsslapd-ldapientrysearchbase: dc=example,dc=com

This attribute value set reflects template-ldapi-default.ldif.in.
=======================================================================

Corresponding section of installed DSCreate.pm
            $ent->setValues("nsslapd-ldapilisten", "off");
        }
        if ("1") {
            $ent->setValues("nsslapd-ldapiautobind", "off");
            $ent->setValues("nsslapd-ldapimaprootdn", $inf->{slapd}->{RootDN});
            $ent->setValues("nsslapd-ldapimaptoentries", "off");
            $ent->setValues("nsslapd-ldapiuidnumbertype", "uidNumber");
            $ent->setValues("nsslapd-ldapigidnumbertype", "gidNumber");
            $ent->setValues("nsslapd-ldapientrysearchbase", $inf->{slapd}->{Suffix});
            if ("") {
                $ent->setValues("nsslapd-ldapiautodnsuffix", "cn=peercred,cn=external,cn=auth");
            }
        }
        if (!$conn->update($ent)) {
            $conn->close();
            return ("error_enabling_feature", "ldapi", $conn->getErrorString());
        }

This code reflects DSCreate.pm.in.

Comment 8 Chandrasekar Kannan 2009-04-29 23:02:48 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHEA-2009-0455.html