Description of problem:

If fedora-ds-base is installed by root, the mode of /var/run/dirsrv is 0750, which prevents ordinary users from accessing the UNIX socket. Should the mode be 0755? Or do we not allow non-root/non-nobody users to use LDAPI?

drwxr-x--- 2 nobody nobody 4096 Mar 5 13:57 /var/run/dirsrv/

It's set by makeDSDirs in DSCreate.pm.

rmeggins wrote:
> We should see what OpenLDAP does - they use /var/run/ldapi by default - what mode is that by default?

It's about the intermediate directory's permission. OpenLDAP just has /var and /var/run. ldapi is already the socket, isn't it?

rmeggins wrote:
> Yes.

We have one more level, /var/run/dirsrv, which is hiding the socket from non-root and non-nobody... But yes, I have to install openldap and investigate more.

rmeggins wrote:
> Hmm - we probably don't want to open up /var/run/dirsrv if we don't have to - maybe we should move the socket into /var/run? e.g. /var/run/slapd-instance.socket?

I think that's a good idea. One thing I'd like to make sure of is whether we have to worry about RHDS/FDS coexisting with an OpenLDAP server on one host. Something like, if port 389 is already taken, our setup-ds offers an alternative. Do we need to do something similar for the LDAPI socket?

rmeggins wrote:
> If there is already a /var/run/ldapi and it is in use by openldap (or another redhat/fedora ds) we probably don't want to use it.

nalin wrote:
> When OpenLDAP's libldap gets 'ldapi:///' as a URI, it tries to connect
> to '/var/run/ldapi'. Perhaps we should just use that?
>
> Nalin
Created attachment 297983 [details]
cvs diff DSCreate.pm.in

Description: create an LDAPI UNIX socket in the parent dir of run_dir (/var/run/dirsrv, by default).

Test result. Installed by root and the server's owner is nobody.

# ls -l /var/run/slapd-*socket
srw-rw-rw- 1 root root 0 Mar 13 10:28 /var/run/slapd-laputa1.socket

[..] - Red Hat-Directory/8.0.0 B2008.073.1814 starting up
[..] - slapd started. Listening on All Interfaces port 10391 for LDAP requests
[..] - Listening on /var/run/slapd-laputa1.socket for LDAPI requests
Ok. Is root:root 0666 the correct ownership and mode? Is that what openldap uses?
I've installed OpenLDAP 2.3.30 on RHEL4. By default, the prefix is /usr/local, and the LDAPI UNIX socket is created in /usr/local/var/run with mode 0777, owned by root (I started the server as root. For comparison, I tried to start the server as myself, which failed.)

[root@laputa openldap-2.3.30]# ls -l /usr/local/var/run
total 20
srwxrwxrwx 1 root root  0 Mar 13 13:29 ldapi
-rw-r--r-- 1 root root 39 Mar 13 13:29 slapd.args
-rw-r--r-- 1 root root  6 Mar 13 13:29 slapd.pid
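The description's point about the intermediate directory, and the socket modes compared in the last two comments (0666 in the patch's test output, 0777 for OpenLDAP's ldapi), both reduce to one DAC rule: connect() on a UNIX socket needs search (x) permission on every directory leading to the socket and write (w) permission on the socket inode itself, so a world-writable socket is still unreachable behind a 0750 directory. The script below is an added example, not code from this bug or from the Directory Server project. It builds a constructed tmpdir layout mirroring the report (a 0750 dirsrv directory holding a 0666 socket, beside a 0666 socket one level up, i.e. the fixed location) and evaluates both paths for a made-up non-root, non-owner uid and for the owner. The trust_from parameter, the demo path names and the uid values are assumptions of the example.

```python
import os
import socket
import stat
import tempfile


def _bit_set(st, uid, gids, user_bit, group_bit, other_bit):
    """Classic Unix DAC: pick the owner/group/other bit that applies to uid/gids.
    uid 0 bypasses the directory-search and socket-write checks modelled here,
    so root is always allowed."""
    if uid == 0:
        return True
    mode = st.st_mode
    if st.st_uid == uid:
        return bool(mode & user_bit)
    if st.st_gid in gids:
        return bool(mode & group_bit)
    return bool(mode & other_bit)


def ldapi_reachable(sock_path, uid, gids, trust_from="/"):
    """Could a process running as uid (with supplementary gids) connect() to the
    UNIX socket at sock_path?  It needs search (x) on every directory on the way
    to the socket and write (w) on the socket inode; the socket's own mode is not
    enough.  Directories above trust_from (an assumption of this example) are
    taken as traversable so a demo inside a tmpdir does not depend on the host's
    /tmp layout.  Returns (ok, reason)."""
    path = os.path.realpath(sock_path)
    trust = os.path.realpath(trust_from)
    dirs, d = [], os.path.dirname(path)
    while True:
        dirs.append(d)
        if d == trust or d == os.path.dirname(d):  # reached trust point or "/"
            break
        d = os.path.dirname(d)
    for d in reversed(dirs):  # top-down, in the order a path walk would hit them
        st = os.stat(d)
        if not _bit_set(st, uid, gids, stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH):
            return False, f"no search permission on {d} (mode {stat.S_IMODE(st.st_mode):04o})"
    st = os.stat(path)
    if not stat.S_ISSOCK(st.st_mode):
        return False, f"{path} is not a UNIX socket"
    if not _bit_set(st, uid, gids, stat.S_IWUSR, stat.S_IWGRP, stat.S_IWOTH):
        return False, f"no write permission on {path} (mode {stat.S_IMODE(st.st_mode):04o})"
    return True, "ok"


def build_demo():
    """Constructed layout mirroring the report (not a real DS install):
    <tmp>/run/dirsrv is 0750 and holds a 0666 socket (the original location);
    <tmp>/run/slapd-demo.socket is a 0666 socket at the fixed location."""
    base = tempfile.mkdtemp(prefix="ldapi-")
    os.chmod(base, 0o755)  # mkdtemp creates 0700, which would hide everything
    run_dir = os.path.join(base, "run")
    hidden = os.path.join(run_dir, "dirsrv")
    os.mkdir(run_dir)
    os.chmod(run_dir, 0o755)
    os.mkdir(hidden)
    os.chmod(hidden, 0o750)  # the drwxr-x--- from the report
    old = os.path.join(hidden, "slapd-demo.socket")
    new = os.path.join(run_dir, "slapd-demo.socket")
    for p in (old, new):
        s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        s.bind(p)      # creates the socket inode in the filesystem
        s.close()      # the inode stays behind after close
        os.chmod(p, 0o666)  # srw-rw-rw-, as in the patch's test output
    return base, old, new


def outsider():
    """A uid/gid that is neither root nor the demo files' owner (made-up ids;
    no account needs to exist for a pure mode-bit check)."""
    mine = {os.getuid(), os.getgid()}
    uid = next(u for u in (65534, 65533, 65532) if u not in mine)
    return uid, {uid}


def owner():
    """The ids of the process that created the demo files."""
    return os.getuid(), {os.getgid()}


if __name__ == "__main__":
    base, old, new = build_demo()
    for label, ids in (("outsider", outsider()), ("owner", owner())):
        for p in (old, new):
            print(label, p, ldapi_reachable(p, *ids, trust_from=base))
```

For the outsider the socket under dirsrv fails with "no search permission on .../dirsrv (mode 0750)" while the one beside it succeeds; the owner (or root) reaches both, which is why testing only as root, as the attachment's test output was, does not expose the problem. The check models plain mode bits only: ACLs, SELinux and a real account for the outsider uid are outside what it evaluates.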
Created attachment 297992 [details]
cvs commit message

Reviewed by Rich (Thanks!) Checked into CVS HEAD.
fix verified:
RHEL5 - /var/run/slapd-<instance>.socket
HP-UX - /var/opt/dirsrv/slapd-<instance>/slapd-<instance>.socket
Both in the parent directory of the run_dir.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHEA-2009-0455.html