Bug 436390 - LDAPI: support auto-bind
Summary: LDAPI: support auto-bind
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: 389
Classification: Retired
Component: Directory Server
Version: 1.1.0
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Noriko Hosoi
QA Contact: Chandrasekar Kannan
URL:
Whiteboard:
Depends On:
Blocks: 249650 FDS1.2.0
TreeView+ depends on / blocked
 
Reported: 2008-03-06 22:07 UTC by Noriko Hosoi
Modified: 2015-01-04 23:31 UTC (History)
2 users (show)

Fixed In Version: 8.1
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-04-29 23:02:42 UTC


Attachments (Terms of Use)
cvs diff slap.h getsocketpeer.c daemon.c (5.79 KB, patch)
2008-05-09 23:52 UTC, Noriko Hosoi
no flags Details | Diff
cvs diff daemon.c bind.c (2.18 KB, patch)
2008-05-13 16:23 UTC, Noriko Hosoi
no flags Details | Diff
cvs commit message (1.56 KB, text/plain)
2008-05-16 16:48 UTC, Noriko Hosoi
no flags Details

Description Noriko Hosoi 2008-03-06 22:07:35 UTC
Description of problem:
* slapd_get_socket_peer has OS dependent implementation.  Only the
  system which getsockopt supports SO_PEERCRED is enabled, which
  is Linux.  Should we enable the code for other OSes?

rmeggins wrote:
> Yes.  But there is code in there for Solaris and HP-UX which use different
implementations.  Do they work? Yes.  But there is code in there for Solaris and
HP-UX which use different implementations.  Do they work?

Comment 2 Noriko Hosoi 2008-05-09 23:52:46 UTC
Created attachment 304994 [details]
cvs diff slap.h getsocketpeer.c daemon.c

Files:
 ldap/servers/slapd/slap.h
		   /getsocketpeer.c
		   /daemon.c

Description:
Debugged the basic code of slapd_get_socket_peer, which is used for Solaris9
and HP-UX.  The recvmsg call returns an error immediately if no data is waiting
to be received since the socket is set PR_SockOpt_Nonblocking (O_NONBLOCK).  To
make slapd_get_socket_peer more robust, we have to retry recvmsg if it returns
EAGAIN.  But set a retry count not to hang there.

Also introduced c_local_valid in the Connection handle to tell the autobind
code that the uid/gid pair is valid or not.

Comment 3 Noriko Hosoi 2008-05-13 16:23:20 UTC
Created attachment 305257 [details]
cvs diff daemon.c bind.c

Files:
  ldap/servers/slapd/daemon.c
		    /bind.c

Description:
In addition to the previous changes, I'm modifying the code as follows.  The
change in daemon.c stops the automagic/unconditional auto-bind.  In bind.c,
slapd_bind_local_user (in which auto-bind is implemented) is called.  It was
called in do_bind even before, but there was no bind type or method restriction
set.  I'm proposing to change the code to call it only when SASL/EXTERNAL
request is passed.

Test Cases:
Login as root.	Search "cn=config" with "-x (simple authentication)".  The
search only returns entries which are available for anonymous.

   # ldapsearch *-x* -H ldapi://%2fvar%2frun%2fslapd-test2.socket -b
   "cn=config" "(cn=*)" dn
   # extended LDIF
   # SNMP, config
   dn: cn=SNMP,cn=config

   # search result
   search: 2
   result: 0 Success

   # numResponses: 2
   # numEntries: 1

Login as root, Search "cn=config" with "-Y EXTERNAL".  Then, the search returns
all the entries which require Directory Manager privilege.

   # ldapsearch *-Y EXTERNAL *-H
   ldapi://%2fvar%2frun%2fslapd-test2.socket -b "cn=config" "(cn=*)" dn
   SASL/EXTERNAL authentication started
   SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
   SASL SSF: 0
   # extended LDIF
   # config
   dn: cn=config

   # encryption, config
   dn: cn=encryption,cn=config

   # features, config
   dn: cn=features,cn=config
       [...]
   # search result
   search: 2
   result: 0 Success

   # numResponses: 125
   # numEntries: 124

Comment 4 Noriko Hosoi 2008-05-16 16:48:30 UTC
Created attachment 305709 [details]
cvs commit message

Reviewed and commented by Rich, Andrew, and Howard (Thank you!!)

Checked in into CVS HEAD.

Comment 5 Jenny Severance 2009-02-24 17:46:59 UTC
DS 8.1 supports ldapi autobind and is being tested with ldapi automated acceptance tests

Comment 6 Chandrasekar Kannan 2009-04-29 23:02:42 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHEA-2009-0455.html


Note You need to log in before you can comment on or make changes to this bug.