Bug 229280 - Add LDAPI (LDAP over unix domain sockets)
Add LDAPI (LDAP over unix domain sockets)
Product: 389
Classification: Community
Component: Directory Server (Show other bugs)
All All
medium Severity medium
: ---
: ---
Assigned To: Jim Whitehurst
Viktor Ashirov
: 219573 (view as bug list)
Depends On:
Blocks: 434914
  Show dependency treegraph
Reported: 2007-02-19 16:54 EST by Bob Lord
Modified: 2015-12-07 11:51 EST (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2015-12-07 11:51:34 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Diff to add ldapi (151.25 KB, patch)
2007-02-19 16:56 EST, Pete Rowley
no flags Details | Diff
getsocketpeer.c (3.92 KB, text/plain)
2007-02-19 16:58 EST, Pete Rowley
no flags Details
getsocketpeer.h (2.28 KB, text/plain)
2007-02-19 16:59 EST, Pete Rowley
no flags Details

  None (edit)
Description Pete Rowley 2007-02-19 16:54:21 EST
This is a feature that exists in OpenLDAP (but has no RFC that I am aware of).
Heimdal uses this feature exclusively for its directory interactions (making it
incompatible with other LDAP directories), and Samba testing is often performed
over unix domain sockets (a convenience for them). There are advantages: no TCP
overhead for local connections, the ability to test for the OS level user
credentials, and AFAIK, an unsniffable transport without additional
requirements. On that last point, I welcome arguments to the contrary.

The socket file is created as var/run/fedora-ds/slapd-localhost.socket by
default, but this can be modified in configuration. I'm actually not sure where
the best place to put this is since access control along the path to the socket
matters. The socket itself is chmodded to give rw to owner, groups, and other by
the server upon creation.

I've added LDAPI auto authentication / bind, which basically means that if you
access the DS over LDAPI it will trust the OS level auth and automatically bind
you at connection open (i.e. the server won't wait for an explicit bind).  There
are several options to this:

1. You can turn auto binding on or off
2. You can specify a dn that root should be bound as (e.g. directory manager, or
perhaps an admin account)
3. You can specify that the user maps to an existing entry via admin specified
attributes - which are probably going to be uidNumber and gidNumber (the
default) - root can be bound this way too, and this method takes precedence over 2.
4. In the event that the other methods are turned off, or do not result in bind
credentials, you can specify that a DN be constructed for the bind DN and supply
a suffix for the DN - this allows non-mapped entries to look sensible, you may
use this feature to specifiy a suffix that works with existing access control
for example.

When auto binding is on, and option 4. is set, or option 2. is set and the unix
user credentials match a single entry in the DIT, users are automatically bound
at connection open and anonymous binds are impossible since an anonymous bind
attempt is modified to the credentials used at connection open. Non-anonymous
binds work as usual. This means that scripts and so on can be "dumb" and
credentials need not be left lying around for snoopers, users on the local
machine not be concerned with credentials either, and yet all connections can be
subject to targetted access control.

All configuration is dynamically observed except for the socket file location
and the LDAPI switch itself - these require a server restart for the same
reasons TCP port modification does - the socket must be created with root
privilege prior to suing to its execution user.
Comment 1 Pete Rowley 2007-02-19 16:56:35 EST
Created attachment 148370 [details]
Diff to add ldapi
Comment 2 Pete Rowley 2007-02-19 16:58:41 EST
Created attachment 148371 [details]
Comment 3 Pete Rowley 2007-02-19 16:59:27 EST
Created attachment 148372 [details]
Comment 4 Pete Rowley 2007-02-19 17:01:26 EST
Cross platform code for OS level authentication is currently defined out (other
than linux), I intend to enable that as testing for these platforms progresses.
Comment 5 Noriko Hosoi 2007-03-06 20:11:33 EST
Description of problem:
SSL test started hanging since setting LDAPI to off by default.

The cause of the problem is in the static function setup_pr_read_pds, after
setting SLAPD_POLL_FLAGS, if LDAPI is not on, the code cleaned up the SSL fd...
I guess it's a simple typo. ;)

    991 static void
    992 setup_pr_read_pds(Connection_Table *ct, PRFileDesc *n_tcps, PRFileDesc *
       s_tcps, PRFileDesc *i_unix, PRIntn *num_to_read)
    993 {
   1045     /* The fds entry for s_tcps is always FDS_S_TCPS */
   1046     if (s_tcps != NULL && accept_new_connections)
   1047     {
   1048         ct->fd[FDS_S_TCPS].fd = s_tcps;
   1049         ct->fd[FDS_S_TCPS].in_flags = SLAPD_POLL_FLAGS;
   1050         ct->fd[FDS_S_TCPS].out_flags = 0;
   1051         LDAPDebug( LDAP_DEBUG_HOUSE,
   1052             "listening for SSL connections on %d\n", socketdesc, 0, 0 );
  1053     } else {
   1054         ct->fd[FDS_S_TCPS].fd = NULL;
   1055     }
   1057 #if !defined(_WIN32)
   1058     /* The fds entry for i_unix is always FDS_I_UNIX */
   1059     if (i_unix != NULL && accept_new_connections)
   1060     {
   1061         ct->fd[FDS_I_UNIX].fd = i_unix;
   1062         ct->fd[FDS_I_UNIX].in_flags = SLAPD_POLL_FLAGS;
   1063         ct->fd[FDS_I_UNIX].out_flags = 0;
   1064         LDAPDebug( LDAP_DEBUG_HOUSE,
   1065             "listening for LDAPI connections on %d\n", socketdesc, 0, 0
   1066     } else {
   1067         ct->fd[FDS_S_TCPS].fd = NULL; <=== override SSL fd
   1068     }

This change fixes the problem.
Index: daemon.c
RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/daemon.c,v
retrieving revision 1.12
diff -t -w -U4 -r1.12 daemon.c
--- daemon.c    27 Feb 2007 02:57:30 -0000      1.12
+++ daemon.c    7 Mar 2007 01:02:45 -0000
@@ -1063,9 +1063,9 @@
                 ct->fd[FDS_I_UNIX].out_flags = 0;
                 LDAPDebug( LDAP_DEBUG_HOUSE,
                         "listening for LDAPI connections on %d\n", socketdesc,
0, 0 );
         } else {
-                ct->fd[FDS_S_TCPS].fd = NULL;
+                ct->fd[FDS_I_UNIX].fd = NULL;
Comment 6 Nathan Kinder 2007-03-06 20:32:30 EST
Yep, looks like a cut and paste error.  The change looks fine to me.
Comment 7 Noriko Hosoi 2007-03-06 20:54:38 EST
Thank you, Nathan, for the review!  Checked in into HEAD.

Resolves: 229280
Summary: Add LDAPI (LDAP over unix domain sockets) (Comment #5)
Change: Fixed a copy & paste error...
CVS: ----------------------------------------------------------------------
CVS: Modified Files:
CVS:    daemon.c
CVS: ----------------------------------------------------------------------
Checking in daemon.c;
/cvs/dirsec/ldapserver/ldap/servers/slapd/daemon.c,v  <--  daemon.c
new revision: 1.13; previous revision: 1.12
Comment 8 Rich Megginson 2007-10-05 12:12:43 EDT
*** Bug 219573 has been marked as a duplicate of this bug. ***

Note You need to log in before you can comment on or make changes to this bug.