Bug 436388 - LDAPI: introduce --enable-autobind to support AUTOBIND
Product: 389
Classification: Community
Component: Directory Server
Hardware: All
OS: Linux
Priority: high
Severity: high
Assigned To: Noriko Hosoi
QA Contact: Chandrasekar Kannan
Blocks: 249650 FDS1.2.0
Reported: 2008-03-06 16:59 EST by Noriko Hosoi
Modified: 2015-01-04 18:31 EST
Fixed In Version: 8.1
Doc Type: Bug Fix
Last Closed: 2009-04-29 19:02:39 EDT

Attachments:
cvs diff configure.ac Makefile.am (2.32 KB, patch), 2008-03-14 18:30 EDT, Noriko Hosoi
cvs diff configure.ac Makefile.am (1.67 KB, patch), 2008-05-09 18:35 EDT, Noriko Hosoi
cvs commit message (1.28 KB, text/plain), 2008-05-16 13:35 EDT, Noriko Hosoi
cvs diff configure.ac (806 bytes, patch), 2008-08-07 20:21 EDT, Noriko Hosoi

Description Noriko Hosoi 2008-03-06 16:59:49 EST
Description of problem:
* Auto bind codes are all in the ENABLE_AUTOBIND macro.  Should we
  enable it and support the functionality?

rmeggins wrote:
> Yes, but turned off by default. 

Okay.  then should we add --enable-autobind to configure.ac?

rmeggins wrote:
> Yes.

Or should ENABLE_AUTOBIND be part of LDAPI?  I feel autobind is tightly coupled
with LDAPI, ENABLE_AUTOBIND could be replaced with ENABLE_LDAPI and merge
template-ldapi-autobind into template-ldapi-default?

rmeggins wrote:
> I think there may be some security conscious people who will not want to
> enable autobind at all and will want to build without it.
Comment 1 Noriko Hosoi 2008-03-14 18:19:16 EDT
autobind gets the uid # and gid # from the LDAPI UNIX socket and retrieves the
matched entry from the backend to bind to the server.

For example, 
Assume these are my uid # and gid # on the test system:
  $ id
  uid=12345(nhosoi) gid=12345(nhosoi)

Add this posix account to the server:
dn: uid=nhosoi, dc=example,dc=com
objectclass: top
objectclass: posixAccount
cn: noriko hosoi
uid: nhosoi
uidNumber: 12345
gidNumber: 12345
homeDirectory: /home/nhosoi
loginShell: bash
userPassword: nhosoi

Then, run the search against LDAPI UNIX socket without the bind user.  Autobind
internally searches an entry with the filter
(&(uidNumber=12345)(gidNumber=12345)) and binds using the found entry.
$ ldapsearch -H ldapi://%2fvar%2frun%2fslapd-laputa.socket/ -w nhosoi -Y DIGEST-MD5 -b "dc=usersys,dc=redhat,dc=com" "(cn=*)"
SASL/DIGEST-MD5 authentication started
SASL username: nhosoi
SASL installing layers

Tested on RHEL4.
Comment 2 Noriko Hosoi 2008-03-14 18:28:19 EDT
To use autobind, ldapi, autobind, and maptoentries need to be turned on.
nsslapd-ldapifilepath: /var/run/slapd-laputa.socket
nsslapd-ldapilisten: on
nsslapd-ldapiautobind: on
nsslapd-ldapimaprootdn: cn=Directory Manager
nsslapd-ldapimaptoentries: on
nsslapd-ldapiuidnumbertype: uidNumber
nsslapd-ldapigidnumbertype: gidNumber
nsslapd-ldapientrysearchbase: dc=example,dc=com
nsslapd-ldapiautodnsuffix: cn=peercred,cn=external,cn=auth

(*correction*) in the sample in the comment #1, "dc=usersys, dc=redhat,dc=com"
should be replaced with  "dc=example,dc=com"
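As an added illustration (not code from 389 DS and not part of this bug's patches), the following Python simulates the mapping that the attributes in comment 2 configure. It reads the peer's uid/gid from the LDAPI UNIX socket with SO_PEERCRED (Linux) and maps them to a bind DN: uid 0 to nsslapd-ldapimaprootdn, otherwise the single entry under nsslapd-ldapientrysearchbase matching (&(uidNumber=U)(gidNumber=G)), otherwise a DN under nsslapd-ldapiautodnsuffix. The in-memory ENTRIES list, the requirement of exactly one matching entry, the fall-through to the peercred DN when no entry matches, and the gidNumber=G+uidNumber=U RDN form of that DN are assumptions of this example, not statements about the server's implementation.

```python
"""Simulated LDAPI autobind mapping (added example; not 389 DS code).

Maps the UNIX peer credentials of a connection on the LDAPI socket to a
bind DN using the cn=config attributes listed in comment 2.
"""
import socket
import struct
from typing import Dict, List, Optional

# Attribute values as given in comment 2.
CONFIG: Dict[str, str] = {
    "nsslapd-ldapilisten": "on",
    "nsslapd-ldapiautobind": "on",
    "nsslapd-ldapimaprootdn": "cn=Directory Manager",
    "nsslapd-ldapimaptoentries": "on",
    "nsslapd-ldapiuidnumbertype": "uidNumber",
    "nsslapd-ldapigidnumbertype": "gidNumber",
    "nsslapd-ldapientrysearchbase": "dc=example,dc=com",
    "nsslapd-ldapiautodnsuffix": "cn=peercred,cn=external,cn=auth",
}

# Constructed in-memory backend: the posixAccount from comment 1 plus a
# second entry that sits outside the search base (assumption, for illustration).
ENTRIES: List[Dict[str, str]] = [
    {"dn": "uid=nhosoi,dc=example,dc=com", "uidNumber": "12345", "gidNumber": "12345"},
    {"dn": "uid=other,dc=other,dc=org", "uidNumber": "777", "gidNumber": "777"},
]


def peer_credentials(conn: socket.socket):
    """Return (pid, uid, gid) of the peer on a UNIX-domain socket.

    Uses SO_PEERCRED (Linux; struct ucred is three ints). This kernel-supplied
    identity is what autobind trusts in place of a password.
    """
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, struct.calcsize("3i"))
    return struct.unpack("3i", raw)


def _norm(dn: str) -> str:
    return dn.replace(" ", "").lower()


def _under_base(dn: str, base: str) -> bool:
    """True if dn is the base itself or sits below it (simple string check)."""
    d, b = _norm(dn), _norm(base)
    return d == b or d.endswith("," + b)


def autobind_dn(config: Dict[str, str], entries: List[Dict[str, str]],
                uid: int, gid: int) -> Optional[str]:
    """Bind DN chosen for a peer with the given uid/gid, or None (anonymous)."""
    if config.get("nsslapd-ldapiautobind", "off") != "on":
        return None  # autobind disabled: the connection stays anonymous
    if uid == 0 and config.get("nsslapd-ldapimaprootdn"):
        return config["nsslapd-ldapimaprootdn"]  # local root becomes the root DN
    if config.get("nsslapd-ldapimaptoentries", "off") == "on":
        uid_attr = config["nsslapd-ldapiuidnumbertype"]
        gid_attr = config["nsslapd-ldapigidnumbertype"]
        base = config["nsslapd-ldapientrysearchbase"]
        # Same effect as searching base with (&(uidNumber=<uid>)(gidNumber=<gid>)).
        matches = [e for e in entries
                   if _under_base(e["dn"], base)
                   and e.get(uid_attr) == str(uid)
                   and e.get(gid_attr) == str(gid)]
        if len(matches) == 1:
            return matches[0]["dn"]
        # Assumption: no match, or an ambiguous match, falls through to the auto DN.
    suffix = config.get("nsslapd-ldapiautodnsuffix")
    if suffix:
        # Assumption about the RDN form of the generated peercred DN.
        return f"gidNumber={gid}+uidNumber={uid},{suffix}"
    return None


if __name__ == "__main__":
    # Stand-alone demo: a socketpair lets this process read its own credentials as "peer".
    a, b = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        if hasattr(socket, "SO_PEERCRED"):
            pid, uid, gid = peer_credentials(a)
            print(f"peer pid={pid} uid={uid} gid={gid} -> {autobind_dn(CONFIG, ENTRIES, uid, gid)}")
    finally:
        a.close()
        b.close()
    print(autobind_dn(CONFIG, ENTRIES, 12345, 12345))  # uid=nhosoi,dc=example,dc=com
```

The simulation makes the trust boundary visible: any local process that can connect to the socket with a uid/gid pair matching an entry's uidNumber/gidNumber is bound as that entry with no password, and local uid 0 becomes cn=Directory Manager. That is why socket file permissions and unique uidNumber/gidNumber values matter when nsslapd-ldapiautobind is turned on, and why the discussion above wants a build-time switch that leaves it out entirely.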
Comment 3 Noriko Hosoi 2008-03-14 18:30:00 EDT
Created attachment 298099 [details]
cvs diff configure.ac Makefile.am
Comment 5 Noriko Hosoi 2008-05-09 18:35:00 EDT
Created attachment 304990 [details]
cvs diff configure.ac Makefile.am


Description: introduced --enable-autobind
    By default, autobind is off.
Comment 6 Noriko Hosoi 2008-05-16 13:35:19 EDT
Created attachment 305718 [details]
cvs commit message

Reviewed and commented by Rich, Andrew, and Howard (Thank you!!)

Checked in into CVS HEAD.
Comment 7 Noriko Hosoi 2008-08-07 20:21:22 EDT
Created attachment 313763 [details]
cvs diff configure.ac

Problem description: AUTO-BIND was accidentally turned on.

These 2 are the only ldapi related attributes allowed in dse.ldif
nsslapd-ldapifilepath: /var/run/slapd-test.socket
nsslapd-ldapilisten: off
Comment 8 Noriko Hosoi 2008-08-08 12:20:27 EDT
(In reply to comment #7)
> Created an attachment (id=313763) [details]
> cvs diff configure.ac
> Problem description: AUTO-BIND was accidentally turned on.
> These 2 are the only ldapi related attributes allowed in dse.ldif
> nsslapd-ldapifilepath: /var/run/slapd-test.socket
> nsslapd-ldapilisten: off

It was not true.  AUTO-BIND was not on.

Changing the status back to MODIFIED.
Comment 9 Jenny Galipeau 2009-02-20 11:29:03 EST
ldapiautobind is available for DS81 and is off by default.
Comment 10 Chandrasekar Kannan 2009-04-29 19:02:39 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.