Bug 230673 - LDAPI: referral mode needs LDAPI socket
Product: 389
Classification: Community
Component: Admin
All Linux
Priority: medium, Severity: medium
Assigned To: Noriko Hosoi
Chandrasekar Kannan
Depends On:
Blocks: 249650 FDS1.2.0
Reported: 2007-03-01 20:24 EST by Noriko Hosoi
Modified: 2015-01-04 18:24 EST (History)
Fixed In Version: 8.1
Doc Type: Bug Fix
Last Closed: 2009-04-29 18:59:49 EDT

Attachments
cvs diffs (admin/src/create_instance.c, servers/slapd/libglobs.c) (1.69 KB, patch), 2007-03-02 16:43 EST, Noriko Hosoi
cvs commit message (1022 bytes, text/plain), 2007-03-02 17:39 EST, Noriko Hosoi
cvs diff config.c (2.53 KB, patch), 2008-05-12 20:14 EDT, Noriko Hosoi
cvs commit message (788 bytes, text/plain), 2008-05-14 14:40 EDT, Noriko Hosoi

Comment 1 Noriko Hosoi 2007-03-02 16:28:31 EST
(In reply to comment #0)
>> Description of problem:
>> [error #1]
>> [...]
>> I guess my question is PR_Bind for LDAPI is needed for the referral mode.  If
>> not, we could just skip it?
Richard Megginson wrote:
> It could be.  I could see where it would be useful.  We may have to change the
> server to add another command line argument for referral mode, to allow you to
> pass in the ldapi url.  I'll note that openldap allows you to use -H LDAPURL e.g.
> -H ldap://hostname:389/ -H ldapi:///var/run/ldapi etc.  However, we do not yet
> have an LDAP URL parser that understands ldapi.

This issue should be revisited for the 7.3 release.
Comment 2 Noriko Hosoi 2007-03-02 16:38:01 EST
(In reply to comment #0)
> Description of problem:
> [error #2]
> [...]
> Also, to work around this problem, is it okay to add this code to create the
> directory to put the ldapi unix socket if it does not exist?
Richard Megginson wrote:
I don't think we should create the directory if it does not exist.  That doesn't seem right to me.  I think we should just warn.

Pete Rowley wrote:
> You know, given our server installs with newinst.pl in regular cases and all this has
> default config set up for directories we already write to, perhaps the right thing to do
> is to have default off for ldapi.  That would have minimum impact on tests that don't
> care about it (and are set up other ways) and wouldn't affect server installs
> regular means.
Richard Megginson wrote:
Then ds_newinst could set it to "on" if the user specified an ldapifilepath.  I think that would appease Andrew as well.

Based upon the suggestions from Pete and Rich, if setting "ldapifilepath= /path/to/ldapifile/slapd-ID.socket" in the install inf file is used as a trigger to set ldapi to "on".  Otherwise, set to "off".  The function ds_gen_confs in create_instance.c between on and off depending upon the existence of ldapifilepath value.  Also, the ldapi default setting in libglobs.c is changed to "off".
Comment 3 Noriko Hosoi 2007-03-02 16:43:16 EST
Created attachment 149157 [details]
cvs diffs (admin/src/create_instance.c, servers/slapd/libglobs.c)

create_instance.c: if ldapifilepath is not passed, LDAPI is disabled in the
		   newly created instance.
libglobs.c: LDAPI is disabled in the initial configuration parameter setting.
Comment 4 Noriko Hosoi 2007-03-02 17:39:04 EST
Created attachment 149160 [details]
cvs commit message

Reviewed by Rich (Thank you!)

Checked in into HEAD.
Comment 5 Noriko Hosoi 2007-03-02 17:41:10 EST
Leave this bug open for Comment #1.
Comment 6 Noriko Hosoi 2007-08-03 13:29:51 EDT
Since we don't use the code, this problem does not exist any more?  Just leave
it for now...
Comment 7 Noriko Hosoi 2008-05-12 20:14:24 EDT
Created attachment 305187 [details]
cvs diff config.c

File: ldap/servers/slapd/config.c

Problem Description: If you start the server with the referral mode, e.g., like
 ns-slapd refer -D /etc/dirsrv/slapd-test -r ldap://laputa.example.com
UNIX socket for LDAPI was not opened since LDAPI configuration parameters are
not read from dse.ldif at that moment.

Fix Description: adding the code to process nsslapd-ldapifilepath and
nsslapd-ldapilisten in slapd_bootstrap_config.
Comment 8 Noriko Hosoi 2008-05-12 20:22:13 EDT
Test case (using openLDAP client)

# ldapsearch -Y EXTERNAL -H ldapi://%2fvar%2frun%2fslapd-test.socket -b "dc=example,dc=com" -v "(uid=*)"
ldap_initialize( ldapi://%2fvar%2frun%2fslapd-test.socket )
SASL/EXTERNAL authentication started
ldap_sasl_interactive_bind_s: Referral (10)
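
The test case above passes the socket path percent-encoded in the host part of the ldapi:// URL, and comment 1 notes that the server had no URL parser that understands ldapi. As an added example (not code from 389 DS, OpenLDAP or this bug's patches), a hypothetical ldapi_url_to_path helper that decodes such a URL and rejects malformed escapes, embedded NULs, relative paths and paths too long for sockaddr_un.sun_path; accepting only the percent-encoded form is an assumption of this sketch:

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>
#include <sys/un.h>

#define SUN_PATH_MAX sizeof(((struct sockaddr_un *)0)->sun_path) /* incl. NUL */

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Hypothetical helper, not a 389 DS or OpenLDAP function: decode the
 * percent-encoded socket path of an ldapi:// URL into out.
 * Returns 0 on success, -1 on malformed or unsafe input. */
int ldapi_url_to_path(const char *url, char *out, size_t outlen)
{
    static const char scheme[] = "ldapi://";
    size_t n = 0;

    if (!url || !out || strncasecmp(url, scheme, sizeof(scheme) - 1) != 0)
        return -1;
    /* The host part ends at the first literal '/', so the slashes of the
     * socket path itself have to arrive as %2f. */
    for (const char *p = url + sizeof(scheme) - 1; *p && *p != '/'; p++) {
        int c = (unsigned char)*p;
        if (c == '%') {
            int hi = hexval((unsigned char)p[1]);
            int lo = hi < 0 ? -1 : hexval((unsigned char)p[2]);
            if (lo < 0) return -1;      /* truncated or non-hex escape */
            c = hi * 16 + lo;
            p += 2;
        }
        if (c == 0) return -1;          /* %00 would cut the path short */
        if (n + 1 >= outlen || n + 1 >= SUN_PATH_MAX) return -1;
        out[n++] = (char)c;
    }
    if (n == 0 || out[0] != '/') return -1;  /* absolute paths only */
    out[n] = '\0';
    return 0;
}

int main(void)
{
    char path[SUN_PATH_MAX];
    const char *url = "ldapi://%2fvar%2frun%2fslapd-test.socket"; /* from the test case */
    if (ldapi_url_to_path(url, path, sizeof(path)) != 0) return 1;
    return puts(path) == EOF;
}
```
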
Comment 9 Rich Megginson 2008-05-14 12:06:20 EDT
I don't really like adding more code to the hack that is the bootstrap code in
config.c, but this looks ok.
Comment 10 Noriko Hosoi 2008-05-14 14:40:46 EDT
Created attachment 305393 [details]
cvs commit message

Reviewed by Rich (Thank you!!)

Checked in into CVS HEAD.
Comment 11 Jenny Galipeau 2009-03-11 14:22:53 EDT
Can you please add steps to set up and verify this bug with RH DS?
Comment 12 Noriko Hosoi 2009-03-11 14:41:06 EDT
(In reply to comment #11)
> Can you please add steps to set up and verify this bug with RH DS?

1. enable ldapi
nsslapd-ldapilisten: on

2. assume you have a referral server: ldap://<host>.<domain>

3. start the server with the referral mode (note: this is another server which refers to the referral server)
cd /usr/lib[64]/dirsrv/slapd-ID
./ns-slapd refer -D /etc/dirsrv/slapd-ID -r ldap://<host>.<domain>

If this server starts successfully, the bug is verified.
Comment 13 Jenny Galipeau 2009-03-11 14:53:12 EDT
Is this only a fedora bug?

/etc/dirsrv/slapd-ID/ns-slapd does not exist and the flags are not valid for start-slapd
Comment 14 Noriko Hosoi 2009-03-11 15:14:01 EDT
(In reply to comment #13)
> Is this only a fedora bug?
> /etc/dirsrv/slapd-ID/ns-slapd does not exist and the flags are not valid for
> start-slapd  

Oops, sorry! :p
/usr/sbin/ns-slapd refer -D /etc/dirsrv/slapd-ID -r ldap://<host>.<domain>
Comment 15 Jenny Galipeau 2009-03-11 15:22:41 EDT
that works! thank you
fix verified DS 8.1 RHEL 5

[root@jennyv2 slapd-jennyv2]# /usr/sbin/ns-slapd refer -D /etc/dirsrv/slapd-jennyv2/ -r ldap://jennyv4.bos.redhat.com

[root@jennyv2 slapd-jennyv2]# tail -f /var/log/dirsrv/slapd-jennyv2/errors
[11/Mar/2009:15:14:31 -0400] - Listening on All Interfaces port 636 for LDAPS requests
[11/Mar/2009:15:14:31 -0400] - Listening on /var/run/slapd-jennyv2.socket for LDAPI requests
[11/Mar/2009:15:25:23 -0400] - slapd shutting down - signaling operation threads
[11/Mar/2009:15:25:23 -0400] - slapd shutting down - closing down internal subsystems and plugins
[11/Mar/2009:15:25:26 -0400] - Waiting for 4 database threads to stop
[11/Mar/2009:15:25:26 -0400] - All database threads now stopped
[11/Mar/2009:15:25:26 -0400] - slapd stopped.
[11/Mar/2009:15:26:18 -0400] - Red Hat-Directory/8.1.0 B2009.050.914 starting up
[11/Mar/2009:15:26:18 -0400] - slapd started.  Listening on All Interfaces port 389 for LDAP requests
[11/Mar/2009:15:26:18 -0400] - Listening on /var/run/slapd-jennyv2.socket for LDAPI requests
Comment 16 Chandrasekar Kannan 2009-04-29 18:59:49 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

