Description of problem:
* slapd_get_socket_peer has an OS-dependent implementation. Only the system on which getsockopt supports SO_PEERCRED is enabled, which is Linux. Should we enable the code for other OSes?

rmeggins wrote:
> Yes. But there is code in there for Solaris and HP-UX which use different implementations. Do they work?
Created attachment 304994 [details]
cvs diff slap.h getsocketpeer.c daemon.c

Files:
ldap/servers/slapd/slap.h
/getsocketpeer.c
/daemon.c

Description:
Debugged the basic code of slapd_get_socket_peer, which is used for Solaris9 and HP-UX. The recvmsg call returns an error immediately if no data is waiting to be received, since the socket is set PR_SockOpt_Nonblocking (O_NONBLOCK). To make slapd_get_socket_peer more robust, we have to retry recvmsg if it returns EAGAIN, but with a retry count so that it does not hang there. Also introduced c_local_valid in the Connection handle to tell the autobind code whether the uid/gid pair is valid or not.
Created attachment 305257 [details]
cvs diff daemon.c bind.c

Files:
ldap/servers/slapd/daemon.c
/bind.c

Description:
In addition to the previous changes, I'm modifying the code as follows. The change in daemon.c stops the automagic/unconditional auto-bind. In bind.c, slapd_bind_local_user (in which auto-bind is implemented) is called. It was called in do_bind even before, but there was no bind type or method restriction set. I'm proposing to change the code to call it only when a SASL/EXTERNAL request is passed.

Test Cases:
Login as root. Search "cn=config" with "-x" (simple authentication). The search only returns entries which are available for anonymous.

# ldapsearch -x -H ldapi://%2fvar%2frun%2fslapd-test2.socket -b "cn=config" "(cn=*)" dn
# extended LDIF
# SNMP, config
dn: cn=SNMP,cn=config

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

Login as root. Search "cn=config" with "-Y EXTERNAL". Then the search returns all the entries which require Directory Manager privilege.

# ldapsearch -Y EXTERNAL -H ldapi://%2fvar%2frun%2fslapd-test2.socket -b "cn=config" "(cn=*)" dn
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
# extended LDIF
# config
dn: cn=config

# encryption, config
dn: cn=encryption,cn=config

# features, config
dn: cn=features,cn=config
[...]
# search result
search: 2
result: 0 Success

# numResponses: 125
# numEntries: 124
Created attachment 305709 [details]
cvs commit message

Reviewed and commented by Rich, Andrew, and Howard (Thank you!!)
Checked into CVS HEAD.
DS 8.1 supports ldapi autobind and is being tested with ldapi automated acceptance tests
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHEA-2009-0455.html