Bug 436390 - LDAPI: support auto-bind
Product: 389
Classification: Community
Component: Directory Server
Hardware/OS: All / Linux
Priority: high
Severity: high
Assigned To: Noriko Hosoi
Chandrasekar Kannan
Blocks: 249650 FDS1.2.0
Reported: 2008-03-06 17:07 EST by Noriko Hosoi
Modified: 2015-01-04 18:31 EST
Fixed In Version: 8.1
Doc Type: Bug Fix
Last Closed: 2009-04-29 19:02:42 EDT

Attachments
cvs diff slap.h getsocketpeer.c daemon.c (5.79 KB, patch) - 2008-05-09 19:52 EDT, Noriko Hosoi
cvs diff daemon.c bind.c (2.18 KB, patch) - 2008-05-13 12:23 EDT, Noriko Hosoi
cvs commit message (1.56 KB, text/plain) - 2008-05-16 12:48 EDT, Noriko Hosoi

Description Noriko Hosoi 2008-03-06 17:07:35 EST
Description of problem:
* slapd_get_socket_peer has an OS-dependent implementation.  Only the
  system on which getsockopt supports SO_PEERCRED is enabled, which
  is Linux.  Should we enable the code for other OSes?

rmeggins wrote:
> Yes.  But there is code in there for Solaris and HP-UX which use different
> implementations.  Do they work?
Comment 2 Noriko Hosoi 2008-05-09 19:52:46 EDT
Created attachment 304994
cvs diff slap.h getsocketpeer.c daemon.c

Debugged the basic code of slapd_get_socket_peer, which is used for Solaris 9
and HP-UX.  The recvmsg call returns an error immediately if no data is waiting
to be received, since the socket is set to PR_SockOpt_Nonblocking (O_NONBLOCK).  To
make slapd_get_socket_peer more robust, we have to retry recvmsg if it returns
EAGAIN.  But set a retry count so as not to hang there.

Also introduced c_local_valid in the Connection handle to tell the autobind
code whether the uid/gid pair is valid or not.
Comment 3 Noriko Hosoi 2008-05-13 12:23:20 EDT
Created attachment 305257
cvs diff daemon.c bind.c

In addition to the previous changes, I'm modifying the code as follows.  The
change in daemon.c stops the automagic/unconditional auto-bind.  In bind.c,
slapd_bind_local_user (in which auto-bind is implemented) is called.  It was
called in do_bind even before, but there was no bind type or method restriction
set.  I'm proposing to change the code to call it only when a SASL/EXTERNAL
request is passed.

Test Cases:
Log in as root.  Search "cn=config" with "-x" (simple authentication).  The
search only returns entries which are available for anonymous.

   # ldapsearch -x -H ldapi://%2fvar%2frun%2fslapd-test2.socket -b
   "cn=config" "(cn=*)" dn
   # extended LDIF
   # SNMP, config
   dn: cn=SNMP,cn=config

   # search result
   search: 2
   result: 0 Success

   # numResponses: 2
   # numEntries: 1

Log in as root.  Search "cn=config" with "-Y EXTERNAL".  Then, the search returns
all the entries which require Directory Manager privilege.

   # ldapsearch -Y EXTERNAL -H
   ldapi://%2fvar%2frun%2fslapd-test2.socket -b "cn=config" "(cn=*)" dn
   SASL/EXTERNAL authentication started
   SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
   SASL SSF: 0
   # extended LDIF
   # config
   dn: cn=config

   # encryption, config
   dn: cn=encryption,cn=config

   # features, config
   dn: cn=features,cn=config

   # search result
   search: 2
   result: 0 Success

   # numResponses: 125
   # numEntries: 124
Comment 4 Noriko Hosoi 2008-05-16 12:48:30 EDT
Created attachment 305709
cvs commit message

Reviewed and commented by Rich, Andrew, and Howard (Thank you!!)

Checked in into CVS HEAD.
Comment 5 Jenny Galipeau 2009-02-24 12:46:59 EST
DS 8.1 supports ldapi autobind and is being tested with ldapi automated acceptance tests.
Comment 6 Chandrasekar Kannan 2009-04-29 19:02:42 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.