Bug 436390 - LDAPI: support auto-bind
Summary: LDAPI: support auto-bind
Alias: None
Product: 389
Classification: Retired
Component: Directory Server
Version: 1.1.0
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Noriko Hosoi
QA Contact: Chandrasekar Kannan
Depends On:
Blocks: 249650 FDS1.2.0
Reported: 2008-03-06 22:07 UTC by Noriko Hosoi
Modified: 2015-01-04 23:31 UTC (History)

Fixed In Version: 8.1
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2009-04-29 23:02:42 UTC

Attachments
cvs diff slap.h getsocketpeer.c daemon.c (5.79 KB, patch), 2008-05-09 23:52 UTC, Noriko Hosoi
cvs diff daemon.c bind.c (2.18 KB, patch), 2008-05-13 16:23 UTC, Noriko Hosoi
cvs commit message (1.56 KB, text/plain), 2008-05-16 16:48 UTC, Noriko Hosoi

Description Noriko Hosoi 2008-03-06 22:07:35 UTC
Description of problem:
* slapd_get_socket_peer has OS dependent implementation.  Only the
  system which getsockopt supports SO_PEERCRED is enabled, which
  is Linux.  Should we enable the code for other OSes?

rmeggins wrote:
> Yes.  But there is code in there for Solaris and HP-UX which use different
> implementations.  Do they work?

Comment 2 Noriko Hosoi 2008-05-09 23:52:46 UTC
Created attachment 304994
cvs diff slap.h getsocketpeer.c daemon.c


Debugged the basic code of slapd_get_socket_peer, which is used for Solaris9
and HP-UX.  The recvmsg call returns an error immediately if no data is waiting
to be received since the socket is set PR_SockOpt_Nonblocking (O_NONBLOCK).  To
make slapd_get_socket_peer more robust, we have to retry recvmsg if it returns
EAGAIN.  But set a retry count not to hang there.

Also introduced c_local_valid in the Connection handle to tell the autobind
code whether the uid/gid pair is valid or not.

Comment 3 Noriko Hosoi 2008-05-13 16:23:20 UTC
Created attachment 305257
cvs diff daemon.c bind.c


In addition to the previous changes, I'm modifying the code as follows.  The
change in daemon.c stops the automagic/unconditional auto-bind.  In bind.c,
slapd_bind_local_user (in which auto-bind is implemented) is called.  It was
called in do_bind even before, but there was no bind type or method restriction
set.  I'm proposing to change the code to call it only when SASL/EXTERNAL
request is passed.

Test Cases:
Login as root.  Search "cn=config" with "-x" (simple authentication).  The
search only returns entries which are available for anonymous.

   # ldapsearch -x -H ldapi://%2fvar%2frun%2fslapd-test2.socket -b "cn=config" "(cn=*)" dn
   # extended LDIF
   # SNMP, config
   dn: cn=SNMP,cn=config

   # search result
   search: 2
   result: 0 Success

   # numResponses: 2
   # numEntries: 1

Login as root.  Search "cn=config" with "-Y EXTERNAL".  Then, the search returns
all the entries which require Directory Manager privilege.

   # ldapsearch -Y EXTERNAL -H ldapi://%2fvar%2frun%2fslapd-test2.socket -b "cn=config" "(cn=*)" dn
   SASL/EXTERNAL authentication started
   SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
   SASL SSF: 0
   # extended LDIF
   # config
   dn: cn=config

   # encryption, config
   dn: cn=encryption,cn=config

   # features, config
   dn: cn=features,cn=config

   # search result
   search: 2
   result: 0 Success

   # numResponses: 125
   # numEntries: 124
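The three pieces discussed in Comment 2 and Comment 3, as an added example that is not 389 Directory Server code: reading the peer uid/gid of a Unix-domain socket (SO_PEERCRED, the Linux path the description mentions), retrying a non-blocking receive on EAGAIN with a bounded retry count so the caller cannot hang, and granting autobind only when the peer credentials were read successfully and the client asked for SASL/EXTERNAL, so a simple bind over ldapi stays anonymous as in the test case above. Function names (local_peer_credentials, recv_bounded, autobind_as_rootdn, peercred_authzid) and the enum are hypothetical; the real functions are slapd_get_socket_peer and slapd_bind_local_user, and the real retry is around recvmsg rather than recv. The authzid format is the one ldapsearch printed above.

```c
/* Added example, not 389 Directory Server code. Function names are hypothetical. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* 1. Peer credentials (Comment 2). Returns 0 and fills uid/gid on success,
 * -1 otherwise; errno is ENOSYS where the platform has no SO_PEERCRED (the
 * 389 code uses different recvmsg-based implementations on Solaris/HP-UX). */
int local_peer_credentials(int fd, uid_t *uid, gid_t *gid)
{
#ifdef SO_PEERCRED
    struct ucred cr;
    socklen_t len = sizeof cr;
    if (getsockopt(fd, SOL_SOCKET, SO_PEERCRED, &cr, &len) != 0)
        return -1;
    *uid = cr.uid;
    *gid = cr.gid;
    return 0;
#else
    (void)fd; (void)uid; (void)gid;
    errno = ENOSYS;
    return -1;
#endif
}

/* 2. Bounded retry (Comment 2). The descriptor is O_NONBLOCK, so recv()
 * fails with EAGAIN when nothing is queued yet. Retry at most max_tries times
 * with a short sleep so a silent peer cannot hang the caller. Returns bytes
 * read, or -1 with errno == EAGAIN once the retries are exhausted. */
ssize_t recv_bounded(int fd, void *buf, size_t len, int max_tries)
{
    for (int attempt = 0; attempt < max_tries; attempt++) {
        ssize_t n = recv(fd, buf, len, 0);
        if (n >= 0)
            return n;
        if (errno != EAGAIN && errno != EWOULDBLOCK)
            return -1;
        usleep(1000);
    }
    errno = EAGAIN;
    return -1;
}

/* 3. Autobind policy (Comment 3). Only an LDAPI connection whose peer
 * credentials were read (c_local_valid in the patch) and which requests
 * SASL/EXTERNAL is mapped; a simple bind stays anonymous. uid 0 maps to the
 * root DN, matching the Directory Manager result in the test case. */
enum bind_method { BIND_SIMPLE = 0, BIND_SASL = 1 };

int autobind_as_rootdn(int is_ldapi, int local_valid, uid_t uid,
                       enum bind_method method, const char *mech)
{
    if (!is_ldapi || !local_valid)
        return 0;
    if (method != BIND_SASL || mech == NULL || strcmp(mech, "EXTERNAL") != 0)
        return 0;
    return uid == 0;
}

/* The authorization identity the client printed for the peercred bind. */
int peercred_authzid(uid_t uid, gid_t gid, char *out, size_t outlen)
{
    int n = snprintf(out, outlen,
                     "gidNumber=%lu+uidNumber=%lu,cn=peercred,cn=external,cn=auth",
                     (unsigned long)gid, (unsigned long)uid);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void)
{
    int sv[2];   /* a socketpair stands in for the ldapi listener and its client */
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) { perror("socketpair"); return 1; }
    fcntl(sv[0], F_SETFL, fcntl(sv[0], F_GETFL) | O_NONBLOCK);

    uid_t uid = (uid_t)-1; gid_t gid = (gid_t)-1;
    int local_valid = local_peer_credentials(sv[0], &uid, &gid) == 0;
    char authzid[128];
    if (local_valid && peercred_authzid(uid, gid, authzid, sizeof authzid) == 0)
        printf("peer: %s\n", authzid);

    char buf[16];
    ssize_t n = recv_bounded(sv[0], buf, sizeof buf, 3);   /* nothing sent yet */
    printf("empty socket: n=%zd (%s)\n", n, n < 0 ? strerror(errno) : "ok");
    if (write(sv[1], "hi", 2) == 2)
        printf("after write: n=%zd\n", recv_bounded(sv[0], buf, sizeof buf, 3));

    printf("simple bind autobinds: %d\n",
           autobind_as_rootdn(1, local_valid, uid, BIND_SIMPLE, NULL));
    printf("SASL/EXTERNAL autobinds for uid %lu: %d\n", (unsigned long)uid,
           autobind_as_rootdn(1, local_valid, uid, BIND_SASL, "EXTERNAL"));
    close(sv[0]); close(sv[1]);
    return 0;
}
```

Run as an unprivileged user the last line prints 0 (the peer is mapped to its peercred authzid but not to the root DN); run as root it prints 1, which is the behaviour the second test case above exercises. The retry bound is the part to keep in mind when porting: without it, a non-blocking recv against a peer that never sends credentials spins or blocks the accept path.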

Comment 4 Noriko Hosoi 2008-05-16 16:48:30 UTC
Created attachment 305709
cvs commit message

Reviewed and commented by Rich, Andrew, and Howard (Thank you!!)

Checked in into CVS HEAD.

Comment 5 Jenny Severance 2009-02-24 17:46:59 UTC
DS 8.1 supports ldapi autobind and is being tested with ldapi automated acceptance tests

Comment 6 Chandrasekar Kannan 2009-04-29 23:02:42 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

