Red Hat Bugzilla – Bug 436397
LDAPI: move default LDAPI UNIX socket from /var/run/dirsrv/slapd-ID.socket to /var/run/slapd-ID.socket
Last modified: 2015-01-04 18:31:08 EST
Description of problem:
* If fedora-ds-base is installed by root, the mode of
/var/run/dirsrv is 0750, which prevents ordinary users to access
the UNIX socket. Should the mode be 0755? Or we don't allow
non-root/non-nobody users to use LDAPI?
drwxr-x--- 2 nobody nobody 4096 Mar 5 13:57 /var/run/dirsrv/
It's set by makeDSDirs in DSCreate.pm.
> We should see what OpenLDAP does - they use /var/run/ldapi by default - what
mode is that by default?
It's about the intermediate directory's permission. OpenLDAP just has /var and
/var/run. ldapi is already the socket, isn't it?
We have one more level /var/run/dirsrv, which is hiding the socket from non-root
and non-nobody... But yes, I have to install openldap and investigate more.
> Hmm - we probably don't want to open up /var/run/dirsrv if we don't have to -
maybe we should move the socket into /var/run? e.g. /var/run/slapd-instance.socket?
I think that's a good idea. One thing I'd like to make sure is we have to worry
about RHDS/FDS coexisting with OpenLDAP server on one host? Something like, if
port 389 is already taken, our setup-ds offers alternative. Do we need to do
something similar for LDAPI socket?
> If there is already a /var/run/ldapi and it is in use by openldap (or another
redhat/fedora ds) we probably don't want to use it.
> When OpenLDAP's libldap gets 'ldapi:///' as a URI, it tries to connect
> to '/var/run/ldapi'. Perhaps we should just use that?
Created attachment 297983 [details]
cvs diff DSCreate.pm.in
Description: create an LDAPI UNIX socket at the parent dir of run_dir
(/var/run/dirsrv, by default).
Installed by root and the server's owner is nobody.
# ls -l /var/run/slapd-*socket
srw-rw-rw- 1 root root 0 Mar 13 10:28 /var/run/slapd-laputa1.socket
[..] - Red Hat-Directory/8.0.0 B2008.073.1814 starting up
[..] - slapd started. Listening on All Interfaces port 10391 for LDAP requests
[..] - Listening on /var/run/slapd-laputa1.socket for LDAPI requests
Ok. Is root:root 0666 the correct ownership and mode? Is that what openldap uses?
I've installed OpenLDAP 2.3.30 on RHEL4. By default, the prefix is /usr/local.
And the LDAPI UNIX socket is created at /usr/local/var/run with the mode 0777
owned by root (I started the server as root. For comparison, I tried to start
the server as myself, which failed.)
[root@laputa openldap-2.3.30]# ls -l /usr/local/var/run
srwxrwxrwx 1 root root 0 Mar 13 13:29 ldapi
-rw-r--r-- 1 root root 39 Mar 13 13:29 slapd.args
-rw-r--r-- 1 root root 6 Mar 13 13:29 slapd.pid
Created attachment 297992 [details]
cvs commit message
Reviewed by Rich (Thanks!)
Checked in into CVS HEAD.
RHEL5 - /var/run/slapd-<instance>.socket
HP-UX - /var/opt/dirsrv/slapd-<instance>/slapd-<instance>.socket
Both in parent directory to the run_dir.
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.