Description of problem:
* Auto bind codes are all in the ENABLE_AUTOBIND macro. Should we enable it and support the functionality?

rmeggins wrote:
> Yes, but turned off by default.

Okay. Then should we add --enable-autobind to configure.ac?

rmeggins wrote:
> Yes.

Or should ENABLE_AUTOBIND be part of LDAPI? I feel autobind is tightly coupled with LDAPI; ENABLE_AUTOBIND could be replaced with ENABLE_LDAPI and template-ldapi-autobind merged into template-ldapi-default?

rmeggins wrote:
> I think there may be some security conscious people who will not want to enable autobind at all and will want to build without it.
Autobind gets uid # and gid # from the LDAPI UNIX socket and retrieves the matched entry from the backend to bind the server.

For example, assume these are my uid # and gid # on the test system:

$ id
uid=12345(nhosoi) gid=12345(nhosoi)

Add this posix account to the server:

dn: uid=nhosoi, dc=example,dc=com
objectclass: top
objectclass: posixAccount
cn: noriko hosoi
uid: nhosoi
uidNumber: 12345
gidNumber: 12345
homeDirectory: /home/nhosoi
loginShell: bash
userPassword: nhosoi

Then, run the search against the LDAPI UNIX socket without the bind user. Autobind internally searches an entry with the filter (&(uidNumber=12345)(gidNumber=12345)) and binds using the found entry.

$ ldapsearch -H ldapi://%2fvar%2frun%2fslapd-laputa.socket/ -w nhosoi -Y DIGEST-MD5 -b "dc=usersys,dc=redhat,dc=com" "(cn=*)"
SASL/DIGEST-MD5 authentication started
SASL username: nhosoi
SASL SSF: 128
SASL installing layers
[...]

Tested on RHEL4.
To use autobind, ldapi, autobind, and maptoentries need to be turned on.

nsslapd-ldapifilepath: /var/run/slapd-laputa.socket
nsslapd-ldapilisten: on
nsslapd-ldapiautobind: on
nsslapd-ldapimaprootdn: cn=Directory Manager
nsslapd-ldapimaptoentries: on
nsslapd-ldapiuidnumbertype: uidNumber
nsslapd-ldapigidnumbertype: gidNumber
nsslapd-ldapientrysearchbase: dc=example,dc=com
nsslapd-ldapiautodnsuffix: cn=peercred,cn=external,cn=auth

(*correction*) In the sample in comment #1, "dc=usersys,dc=redhat,dc=com" should be replaced with "dc=example,dc=com".
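An added Python sketch (not code from 389 DS or from this report) of the mapping the two comments above describe: it reads the peer uid/gid from a UNIX socket the way a server listening on the LDAPI socket can (Linux SO_PEERCRED), builds the report's (&(uidNumber=...)(gidNumber=...)) filter from the configured attribute types, and resolves the bind DN against a constructed in-memory backend. The uid-0 to nsslapd-ldapimaprootdn rule, the DN shape under nsslapd-ldapiautodnsuffix, and refusing an ambiguous match are assumptions of this sketch, not documented server behaviour.

```python
import os, socket, struct
# nsslapd-ldapi* values as given in the bug report's configuration comment.
CONFIG = {
    "nsslapd-ldapimaprootdn": "cn=Directory Manager",
    "nsslapd-ldapimaptoentries": "on",
    "nsslapd-ldapiuidnumbertype": "uidNumber",
    "nsslapd-ldapigidnumbertype": "gidNumber",
    "nsslapd-ldapientrysearchbase": "dc=example,dc=com",
    "nsslapd-ldapiautodnsuffix": "cn=peercred,cn=external,cn=auth",
}
# Constructed in-memory stand-in for the backend: the posixAccount from the report.
BACKEND = [{"dn": "uid=nhosoi,dc=example,dc=com", "uidNumber": 12345, "gidNumber": 12345}]

def peer_credentials(sock):
    """uid/gid the kernel reports for the peer of an AF_UNIX socket (Linux SO_PEERCRED)."""
    if not hasattr(socket, "SO_PEERCRED"):
        return None  # not Linux; other platforms expose peer credentials differently
    raw = sock.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, struct.calcsize("3i"))
    _pid, uid, gid = struct.unpack("3i", raw)  # struct ucred {pid, uid, gid}
    return uid, gid

def autobind_filter(uid, gid, cfg=CONFIG):
    # Same shape as the filter quoted in the report; the values are integers straight
    # from the kernel, so no LDAP filter metacharacters can be smuggled in.
    return "(&(%s=%d)(%s=%d))" % (cfg["nsslapd-ldapiuidnumbertype"], uid,
                                  cfg["nsslapd-ldapigidnumbertype"], gid)

def autobind_dn(uid, gid, backend=BACKEND, cfg=CONFIG):
    """Bind DN autobind would use, or None when the mapping is ambiguous.
    Assumed rules: uid 0 -> nsslapd-ldapimaprootdn; else the unique matching entry
    under the search base; else a DN under nsslapd-ldapiautodnsuffix."""
    if uid == 0:
        return cfg["nsslapd-ldapimaprootdn"]
    if cfg["nsslapd-ldapimaptoentries"] == "on":
        base = "," + cfg["nsslapd-ldapientrysearchbase"].lower()
        hits = [e for e in backend if e["dn"].lower().endswith(base)
                and (e["uidNumber"], e["gidNumber"]) == (uid, gid)]
        if len(hits) > 1:
            return None  # two entries share uid/gid: refuse rather than guess
        if hits:
            return hits[0]["dn"]
    return "gidNumber=%d+uidNumber=%d,%s" % (gid, uid, cfg["nsslapd-ldapiautodnsuffix"])

def peercred_matches_self():
    """Self-check over a socketpair: the peer is this very process."""
    a, b = socket.socketpair(socket.AF_UNIX)
    creds = peer_credentials(a)
    a.close(); b.close()
    return creds is None or creds == (os.getuid(), os.getgid())
```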
Created attachment 298099 [details] cvs diff configure.ac Makefile.am
Created attachment 304990 [details]
cvs diff configure.ac Makefile.am

Files: ldapserver/configure.ac ldapserver/Makefile.am
Description: introduced --enable-autobind. By default, autobind is off.
Created attachment 305718 [details]
cvs commit message

Reviewed and commented by Rich, Andrew, and Howard (Thank you!!) Checked into CVS HEAD.
Created attachment 313763 [details]
cvs diff configure.ac

Problem description: AUTO-BIND was accidentally turned on.

These 2 are the only ldapi related attributes allowed in dse.ldif
nsslapd-ldapifilepath: /var/run/slapd-test.socket
nsslapd-ldapilisten: off
(In reply to comment #7)
> Created an attachment (id=313763) [details]
> cvs diff configure.ac
>
> Problem description: AUTO-BIND was accidentally turned on.
>
> These 2 are the only ldapi related attributes allowed in dse.ldif
> nsslapd-ldapifilepath: /var/run/slapd-test.socket
> nsslapd-ldapilisten: off

It was not true. AUTO-BIND was not on. Changing the status back to MODIFIED.
ldapiautobind is available for DS81 and is off by default.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHEA-2009-0455.html