Bug 436388 - LDAPI: introduce --enable-autobind to support AUTOBIND
Status: CLOSED CURRENTRELEASE
Product: 389
Classification: Community
Component: Directory Server
Version: 1.1.0
Hardware: All Linux
Priority: high, Severity: high
Assigned To: Noriko Hosoi
QA Contact: Chandrasekar Kannan
Blocks: 249650 FDS1.2.0
Reported: 2008-03-06 16:59 EST by Noriko Hosoi
Modified: 2015-01-04 18:31 EST
Fixed In Version: 8.1
Doc Type: Bug Fix
Last Closed: 2009-04-29 19:02:39 EDT

Attachments
cvs diff configure.ac Makefile.am (2.32 KB, patch), 2008-03-14 18:30 EDT, Noriko Hosoi
cvs diff configure.ac Makefile.am (1.67 KB, patch), 2008-05-09 18:35 EDT, Noriko Hosoi
cvs commit message (1.28 KB, text/plain), 2008-05-16 13:35 EDT, Noriko Hosoi
cvs diff configure.ac (806 bytes, patch), 2008-08-07 20:21 EDT, Noriko Hosoi

Description Noriko Hosoi 2008-03-06 16:59:49 EST
Description of problem:
* Auto bind codes are all in the ENABLE_AUTOBIND macro.  Should we
  enable it and support the functionality?

rmeggins wrote:
> Yes, but turned off by default. 

Okay.  Then should we add --enable-autobind to configure.ac?

rmeggins wrote:
> Yes.

Or should ENABLE_AUTOBIND be part of LDAPI?  I feel autobind is tightly coupled
with LDAPI, ENABLE_AUTOBIND could be replaced with ENABLE_LDAPI and merge
template-ldapi-autobind into template-ldapi-default?

rmeggins wrote:
> I think there may be some security conscious people who will not want to
> enable autobind at all and will want to build without it.
Comment 1 Noriko Hosoi 2008-03-14 18:19:16 EDT
autoconf gets uid # and gid # from the LDAPI UNIX socket and retrieves the
matched entry from the backend to bind the server.

For example, 
Assume these are my uid # and gid # on the test system:
  $ id
  uid=12345(nhosoi) gid=12345(nhosoi)

Add this posix account to the server:
dn: uid=nhosoi, dc=example,dc=com
objectclass: top
objectclass: posixAccount
cn: noriko hosoi
uid: nhosoi
uidNumber: 12345
gidNumber: 12345
homeDirectory: /home/nhosoi
loginShell: bash
userPassword: nhosoi

Then, run the search against LDAPI UNIX socket without the bind user.  Autobind
internally searches an entry with the filter
(&(uidNumber=12345)(gidNumber=12345)) and binds using the found entry.
$ ldapsearch -H ldapi://%2fvar%2frun%2fslapd-laputa.socket/ -w nhosoi -Y DIGEST-MD5 -b "dc=usersys,dc=redhat,dc=com" "(cn=*)"
SASL/DIGEST-MD5 authentication started
SASL username: nhosoi
SASL SSF: 128
SASL installing layers
[...]

Tested on RHEL4.
Comment 2 Noriko Hosoi 2008-03-14 18:28:19 EDT
To use autobind, ldapi, autobind, and maptoentries need to be turned on.
nsslapd-ldapifilepath: /var/run/slapd-laputa.socket
nsslapd-ldapilisten: on
nsslapd-ldapiautobind: on
nsslapd-ldapimaprootdn: cn=Directory Manager
nsslapd-ldapimaptoentries: on
nsslapd-ldapiuidnumbertype: uidNumber
nsslapd-ldapigidnumbertype: gidNumber
nsslapd-ldapientrysearchbase: dc=example,dc=com
nsslapd-ldapiautodnsuffix: cn=peercred,cn=external,cn=auth

(*correction*) In the sample in comment #1, "dc=usersys, dc=redhat,dc=com"
should be replaced with "dc=example,dc=com".
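
Added example, not part of the bug report and not 389 Directory Server code: a Python illustration of the lookup described in comments 1 and 2, reading the peer's uid and gid from a UNIX socket with Linux SO_PEERCRED and building the search filter from the configured attribute types. The function names, the in-memory DIRECTORY and the rule of staying anonymous unless exactly one entry matches are assumptions of this example.

```python
import socket
import struct

# Attribute names and values as listed in comment 2.
CONFIG = {
    "nsslapd-ldapiuidnumbertype": "uidNumber",
    "nsslapd-ldapigidnumbertype": "gidNumber",
    "nsslapd-ldapientrysearchbase": "dc=example,dc=com",
}

# Constructed sample data: the posixAccount entry from comment 1.
DIRECTORY = [{"dn": "uid=nhosoi, dc=example,dc=com",
              "uidNumber": "12345", "gidNumber": "12345"}]


def peer_credentials(sock):
    """Ask the kernel (Linux SO_PEERCRED) who is on the other end of a UNIX socket."""
    fmt = "iII"  # struct ucred: pid_t pid, uid_t uid, gid_t gid
    raw = sock.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, struct.calcsize(fmt))
    _pid, uid, gid = struct.unpack(fmt, raw)
    return uid, gid


def autobind_filter(uid, gid, config=CONFIG):
    """Build the lookup filter; only kernel-supplied integers are interpolated."""
    return "(&(%s=%d)(%s=%d))" % (config["nsslapd-ldapiuidnumbertype"], uid,
                                  config["nsslapd-ldapigidnumbertype"], gid)


def resolve_bind_dn(uid, gid, directory=DIRECTORY, config=CONFIG):
    """Return the DN to bind as, or None unless exactly one entry under the base matches."""
    base = config["nsslapd-ldapientrysearchbase"].replace(" ", "").lower()
    ua, ga = config["nsslapd-ldapiuidnumbertype"], config["nsslapd-ldapigidnumbertype"]
    hits = [e["dn"] for e in directory
            if e["dn"].replace(" ", "").lower().endswith(base)  # crude subtree check
            and e.get(ua) == str(uid) and e.get(ga) == str(gid)]
    return hits[0] if len(hits) == 1 else None


def local_peer():
    """Read this process's own credentials over a connected UNIX socket pair."""
    server, client = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    with server, client:
        return peer_credentials(server)


if __name__ == "__main__":
    uid, gid = local_peer()
    print(autobind_filter(uid, gid), "->", resolve_bind_dn(uid, gid))
```

Because the identity comes from the kernel rather than from a password, what decides who can bind is the permissions on the socket path and the uniqueness of the uidNumber/gidNumber pair under the search base.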
Comment 3 Noriko Hosoi 2008-03-14 18:30:00 EDT
Created attachment 298099 [details]
cvs diff configure.ac Makefile.am
Comment 5 Noriko Hosoi 2008-05-09 18:35:00 EDT
Created attachment 304990 [details]
cvs diff configure.ac Makefile.am

Files:
 ldapserver/configure.ac
 ldapserver/Makefile.am

Description: introduced --enable-autobind
    By default, autobind is off.
Comment 6 Noriko Hosoi 2008-05-16 13:35:19 EDT
Created attachment 305718 [details]
cvs commit message

Reviewed and commented by Rich, Andrew, and Howard (Thank you!!)

Checked in to CVS HEAD.
Comment 7 Noriko Hosoi 2008-08-07 20:21:22 EDT
Created attachment 313763 [details]
cvs diff configure.ac

Problem description: AUTO-BIND was accidentally turned on.

These 2 are the only ldapi related attributes allowed in dse.ldif
nsslapd-ldapifilepath: /var/run/slapd-test.socket
nsslapd-ldapilisten: off
Comment 8 Noriko Hosoi 2008-08-08 12:20:27 EDT
(In reply to comment #7)
> Created an attachment (id=313763) [details]
> cvs diff configure.ac
> 
> Problem description: AUTO-BIND was accidentally turned on.
> 
> These 2 are the only ldapi related attributes allowed in dse.ldif
> nsslapd-ldapifilepath: /var/run/slapd-test.socket
> nsslapd-ldapilisten: off

It was not true.  AUTO-BIND was not on.

Changing the status back to MODIFIED.
Comment 9 Jenny Galipeau 2009-02-20 11:29:03 EST
ldapiautobind is available for DS81 and is off by default.
Comment 10 Chandrasekar Kannan 2009-04-29 19:02:39 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHEA-2009-0455.html
