Bug 436390 - LDAPI: support auto-bind
Status: CLOSED CURRENTRELEASE
Product: 389
Classification: Community
Component: Directory Server
Version: 1.1.0
Hardware: All
OS: Linux
Priority: high
Severity: high
Assigned To: Noriko Hosoi
QA Contact: Chandrasekar Kannan
Depends On:
Blocks: 249650 FDS1.2.0
Reported: 2008-03-06 17:07 EST by Noriko Hosoi
Modified: 2015-01-04 18:31 EST
Fixed In Version: 8.1
Doc Type: Bug Fix
Last Closed: 2009-04-29 19:02:42 EDT
Attachments
cvs diff slap.h getsocketpeer.c daemon.c (5.79 KB, patch)
2008-05-09 19:52 EDT, Noriko Hosoi
cvs diff daemon.c bind.c (2.18 KB, patch)
2008-05-13 12:23 EDT, Noriko Hosoi
cvs commit message (1.56 KB, text/plain)
2008-05-16 12:48 EDT, Noriko Hosoi
Description Noriko Hosoi 2008-03-06 17:07:35 EST
Description of problem:
* slapd_get_socket_peer has OS dependent implementation.  Only the
  system which getsockopt supports SO_PEERCRED is enabled, which
  is Linux.  Should we enable the code for other OSes?

rmeggins wrote:
> Yes.  But there is code in there for Solaris and HP-UX which use different
> implementations.  Do they work?
Comment 2 Noriko Hosoi 2008-05-09 19:52:46 EDT
Created attachment 304994: cvs diff slap.h getsocketpeer.c daemon.c

Files:
 ldap/servers/slapd/slap.h
 ldap/servers/slapd/getsocketpeer.c
 ldap/servers/slapd/daemon.c

Description:
Debugged the basic code of slapd_get_socket_peer, which is used for Solaris9
and HP-UX.  The recvmsg call returns an error immediately if no data is waiting
to be received since the socket is set PR_SockOpt_Nonblocking (O_NONBLOCK).  To
make slapd_get_socket_peer more robust, we have to retry recvmsg if it returns
EAGAIN.  But set a retry count not to hang there.

Also introduced c_local_valid in the Connection handle to tell the autobind
code that the uid/gid pair is valid or not.
Comment 3 Noriko Hosoi 2008-05-13 12:23:20 EDT
Created attachment 305257: cvs diff daemon.c bind.c

Files:
 ldap/servers/slapd/daemon.c
 ldap/servers/slapd/bind.c

Description:
In addition to the previous changes, I'm modifying the code as follows.  The
change in daemon.c stops the automagic/unconditional auto-bind.  In bind.c,
slapd_bind_local_user (in which auto-bind is implemented) is called.  It was
called in do_bind even before, but there was no bind type or method restriction
set.  I'm proposing to change the code to call it only when SASL/EXTERNAL
request is passed.

Test Cases:
Login as root.  Search "cn=config" with "-x" (simple authentication).  The
search only returns entries which are available for anonymous.

   # ldapsearch -x -H ldapi://%2fvar%2frun%2fslapd-test2.socket -b
   "cn=config" "(cn=*)" dn
   # extended LDIF
   # SNMP, config
   dn: cn=SNMP,cn=config

   # search result
   search: 2
   result: 0 Success

   # numResponses: 2
   # numEntries: 1

Login as root.  Search "cn=config" with "-Y EXTERNAL".  Then, the search returns
all the entries which require Directory Manager privilege.

   # ldapsearch -Y EXTERNAL -H
   ldapi://%2fvar%2frun%2fslapd-test2.socket -b "cn=config" "(cn=*)" dn
   SASL/EXTERNAL authentication started
   SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
   SASL SSF: 0
   # extended LDIF
   # config
   dn: cn=config

   # encryption, config
   dn: cn=encryption,cn=config

   # features, config
   dn: cn=features,cn=config
       [...]
   # search result
   search: 2
   result: 0 Success

   # numResponses: 125
   # numEntries: 124
Comment 4 Noriko Hosoi 2008-05-16 12:48:30 EDT
Created attachment 305709: cvs commit message

Reviewed and commented by Rich, Andrew, and Howard (Thank you!!)

Checked into CVS HEAD.
Comment 5 Jenny Galipeau 2009-02-24 12:46:59 EST
DS 8.1 supports ldapi autobind and is being tested with ldapi automated acceptance tests
Comment 6 Chandrasekar Kannan 2009-04-29 19:02:42 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHEA-2009-0455.html