Bug 230673 - LDAPI: referral mode needs LDAPI socket
Status: CLOSED CURRENTRELEASE
Product: 389
Classification: Community
Component: Admin
Version: 1.0.4
Hardware: All Linux
Priority: medium, Severity: medium
Assigned To: Noriko Hosoi
Chandrasekar Kannan
Blocks: 249650 FDS1.2.0
Reported: 2007-03-01 20:24 EST by Noriko Hosoi
Modified: 2015-01-04 18:24 EST (History)
Fixed In Version: 8.1
Doc Type: Bug Fix
Last Closed: 2009-04-29 18:59:49 EDT

Attachments
cvs diffs (admin/src/create_instance.c, servers/slapd/libglobs.c) (1.69 KB, patch)
2007-03-02 16:43 EST, Noriko Hosoi
cvs commit message (1022 bytes, text/plain)
2007-03-02 17:39 EST, Noriko Hosoi
cvs diff config.c (2.53 KB, patch)
2008-05-12 20:14 EDT, Noriko Hosoi
cvs commit message (788 bytes, text/plain)
2008-05-14 14:40 EDT, Noriko Hosoi
Comment 1 Noriko Hosoi 2007-03-02 16:28:31 EST
(In reply to comment #0)
>> Description of problem:
>> [error #1]
>> [...]
>>
>> I guess my question is PR_Bind for LDAPI is needed for the referral mode.  If
>> not, we could just skip it?
Richard Megginson wrote:
> It could be.  I could see where it would be useful.  We may have to change the
> server to add another command line argument for referral mode, to allow you to
> pass in the ldapi url.  I'll note that openldap allows you to use -H LDAPURL e.g.
> -H ldap://hostname:389/ -H ldapi:///var/run/ldapi etc.  However, we do not yet
> have an LDAP URL parser that understands ldapi.

This issue should be revisited for the 7.3 release.
Comment 2 Noriko Hosoi 2007-03-02 16:38:01 EST
(In reply to comment #0)
> Description of problem:
> [error #2]
> [...]
> Also, to work around this problem, is it okay to add this code to create the
> directory to put the ldapi unix socket if it does not exist?
Richard Megginson wrote:
I don't think we should create the directory if it does not exist.  That doesn't seem right to me.  I think we should just warn.

Pete Rowley wrote:
> You know, given our server installs with newinst.pl in regular cases and all this has
> default config set up for directories we already write to, perhaps the right thing to do
> is to have default off for ldapi.  That would have minimum impact on tests that don't
> care about it (and are set up other ways) and wouldn't affect server installs through
> regular means.
Richard Megginson wrote:
Then ds_newinst could set it to "on" if the user specified an ldapifilepath.  I think that would appease Andrew as well.

Based upon the suggestions from Pete and Rich, setting "ldapifilepath= /path/to/ldapifile/slapd-ID.socket" in the install inf file is used as a trigger to set ldapi to "on".  Otherwise, it is set to "off".  The function ds_gen_confs in create_instance.c switches between on and off depending upon the existence of the ldapifilepath value.  Also, the ldapi default setting in libglobs.c is changed to "off".
Comment 3 Noriko Hosoi 2007-03-02 16:43:16 EST
Created attachment 149157
cvs diffs (admin/src/create_instance.c, servers/slapd/libglobs.c)

Changes:
create_instance.c: if ldapifilepath is not passed, LDAPI is disabled in the
		   newly created instance.
libglobs.c: LDAPI is disabled in the initial configuration parameter setting.
Comment 4 Noriko Hosoi 2007-03-02 17:39:04 EST
Created attachment 149160
cvs commit message

Reviewed by Rich (Thank you!)

Checked in into HEAD.
Comment 5 Noriko Hosoi 2007-03-02 17:41:10 EST
Leave this bug open for Comment #1.
Comment 6 Noriko Hosoi 2007-08-03 13:29:51 EDT
Since we don't use the code, this problem does not exist any more?  Just leave
it for now...
Comment 7 Noriko Hosoi 2008-05-12 20:14:24 EDT
Created attachment 305187
cvs diff config.c

File: ldap/servers/slapd/config.c

Problem Description: If you start the server with the referral mode, e.g., like
this:
 ns-slapd refer -D /etc/dirsrv/slapd-test -r ldap://laputa.example.com
UNIX socket for LDAPI was not opened since LDAPI configuration parameters are
not read from dse.ldif at that moment.

Fix Description: adding the code to process nsslapd-ldapifilepath and
nsslapd-ldapilisten in slapd_bootstrap_config.
Comment 8 Noriko Hosoi 2008-05-12 20:22:13 EDT
Test case (using openLDAP client)

# ldapsearch -Y EXTERNAL -H ldapi://%2fvar%2frun%2fslapd-test.socket -b "dc=example,dc=com" -v "(uid=*)"
ldap_initialize( ldapi://%2fvar%2frun%2fslapd-test.socket )
SASL/EXTERNAL authentication started
ldap_sasl_interactive_bind_s: Referral (10)
Comment 9 Rich Megginson 2008-05-14 12:06:20 EDT
I don't really like adding more code to the hack that is the bootstrap code in
config.c, but this looks ok.
Comment 10 Noriko Hosoi 2008-05-14 14:40:46 EDT
Created attachment 305393
cvs commit message

Reviewed by Rich (Thank you!!)

Checked in into CVS HEAD.
Comment 11 Jenny Galipeau 2009-03-11 14:22:53 EDT
Can you please add steps to setup and verify this bug with RH DS?
Thanks
Jenny
Comment 12 Noriko Hosoi 2009-03-11 14:41:06 EDT
(In reply to comment #11)
> Can you please add steps to setup and verify this bug with RH DS?

1. enable ldapi
nsslapd-ldapilisten: on

2. assume you have a referral server: ldap://<host>.<domain>

3. start the server with the referral mode (note: this is another server which refers to the referral server)
cd /usr/lib[64]/dirsrv/slapd-ID
./ns-slapd refer -D /etc/dirsrv/slapd-ID -r ldap://<host>.<domain>

If this server starts successfully, the bug is verified.
Comment 13 Jenny Galipeau 2009-03-11 14:53:12 EDT
Is this only a fedora bug?

/etc/dirsrv/slapd-ID/ns-slapd does not exist and the flags are not valid for start-slapd
Comment 14 Noriko Hosoi 2009-03-11 15:14:01 EDT
(In reply to comment #13)
> Is this only a fedora bug?
> 
> /etc/dirsrv/slapd-ID/ns-slapd does not exist and the flags are not valid for
> start-slapd  

Oops, sorry! :p
/usr/sbin/ns-slapd refer -D /etc/dirsrv/slapd-ID -r ldap://<host>.<domain>
Comment 15 Jenny Galipeau 2009-03-11 15:22:41 EDT
that works! thank you
fix verified DS 8.1 RHEL 5

[root@jennyv2 slapd-jennyv2]# /usr/sbin/ns-slapd refer -D /etc/dirsrv/slapd-jennyv2/ -r ldap://jennyv4.bos.redhat.com


[root@jennyv2 slapd-jennyv2]# tail -f /var/log/dirsrv/slapd-jennyv2/errors
[11/Mar/2009:15:14:31 -0400] - Listening on All Interfaces port 636 for LDAPS requests
[11/Mar/2009:15:14:31 -0400] - Listening on /var/run/slapd-jennyv2.socket for LDAPI requests
[11/Mar/2009:15:25:23 -0400] - slapd shutting down - signaling operation threads
[11/Mar/2009:15:25:23 -0400] - slapd shutting down - closing down internal subsystems and plugins
[11/Mar/2009:15:25:26 -0400] - Waiting for 4 database threads to stop
[11/Mar/2009:15:25:26 -0400] - All database threads now stopped
[11/Mar/2009:15:25:26 -0400] - slapd stopped.
[11/Mar/2009:15:26:18 -0400] - Red Hat-Directory/8.1.0 B2009.050.914 starting up
[11/Mar/2009:15:26:18 -0400] - slapd started.  Listening on All Interfaces port 389 for LDAP requests
[11/Mar/2009:15:26:18 -0400] - Listening on /var/run/slapd-jennyv2.socket for LDAPI requests
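
The verification walked through in comments 12 to 15, written as a repeatable check. This is an added example, not part of the bug thread and not 389 DS code: `ldapi_attr` and `check_ldapi` are hypothetical helper names, the sample files are constructed, and it assumes the attribute lines in dse.ldif are not folded.

```shell
#!/bin/sh
# Added example (not 389 DS code). ldapi_attr and check_ldapi are hypothetical
# names; attribute names and log wording are the ones quoted in this bug.
# Assumes the attribute lines in dse.ldif are not folded.

# ldapi_attr DSE ATTR: print the value of ATTR from the cn=config entry.
ldapi_attr() {
    awk -v want="$2" '
        tolower($0) ~ /^dn:[ \t]*cn=config[ \t]*$/ { in_cfg = 1; next }
        /^$/ { in_cfg = 0 }                      # blank line ends the entry
        in_cfg && (c = index($0, ":")) &&
        tolower(substr($0, 1, c - 1)) == tolower(want) {
            v = substr($0, c + 1); sub(/^[ \t]+/, "", v); print v; exit
        }' "$1"
}

# check_ldapi DSE ERRLOG: print a one-word verdict. Returns 0 when LDAPI is
# off, or when it is on and the errors log shows the socket being served.
check_ldapi() {
    listen=$(ldapi_attr "$1" nsslapd-ldapilisten)
    path=$(ldapi_attr "$1" nsslapd-ldapifilepath)
    case "$listen" in
        [Oo][Nn]) ;;
        *) echo "disabled"; return 0 ;;
    esac
    [ -n "$path" ] || { echo "no-socket-path"; return 1; }
    # As discussed in the thread: report a missing directory, never create it.
    [ -d "$(dirname "$path")" ] || { echo "missing-dir"; return 1; }
    # A listen line only counts if no later "slapd stopped." follows it.
    if awk -v p="$path" '
        index($0, "Listening on " p " for LDAPI requests") { up = 1 }
        /slapd stopped\./ { up = 0 }
        END { exit !up }' "$2"
    then echo "listening"; else echo "not-listening"; return 1; fi
}

# Constructed sample data so the script runs stand-alone.
demo=$(mktemp -d)
printf 'dn: cn=config\nnsslapd-ldapilisten: on\nnsslapd-ldapifilepath: %s/slapd-test.socket\n' \
    "$demo" > "$demo/dse.ldif"
printf '[11/Mar/2009:15:14:31 -0400] - Listening on %s/slapd-test.socket for LDAPI requests\n' \
    "$demo" > "$demo/errors"
check_ldapi "$demo/dse.ldif" "$demo/errors"
rm -rf "$demo"
```

Because the errors log is appended across restarts, the check ignores a listen line that is followed by "slapd stopped.", as in the first half of the log excerpt above.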
Comment 16 Chandrasekar Kannan 2009-04-29 18:59:49 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHEA-2009-0455.html
