Bug 436397 - LDAPI: move default LDAPI UNIX socket from /var/run/dirsrv/slapd-ID.socket to /var/run/slapd-ID.socket
Summary: LDAPI: move default LDAPI UNIX socket from /var/run/dirsrv/slapd-ID.socket to...
Alias: None
Product: 389
Classification: Retired
Component: Directory Server
Version: 1.1.0
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Noriko Hosoi
QA Contact: Chandrasekar Kannan
Depends On:
Blocks: 249650 FDS1.2.0
Reported: 2008-03-06 22:15 UTC by Noriko Hosoi
Modified: 2015-01-04 23:31 UTC (History)

Fixed In Version: 8.1
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2009-04-29 23:02:45 UTC

Attachments
cvs diff DSCreate.pm.in (1.01 KB, patch)
2008-03-13 20:36 UTC, Noriko Hosoi
cvs commit message (587 bytes, text/plain)
2008-03-13 21:53 UTC, Noriko Hosoi

Description Noriko Hosoi 2008-03-06 22:15:37 UTC
Description of problem:
* If fedora-ds-base is installed by root, the mode of
  /var/run/dirsrv is 0750, which prevents ordinary users from accessing
  the UNIX socket.  Should the mode be 0755?  Or do we not allow
  non-root/non-nobody users to use LDAPI?

    drwxr-x---  2 nobody nobody 4096 Mar  5 13:57 /var/run/dirsrv/
    It's set by makeDSDirs in DSCreate.pm.

rmeggins wrote:
> We should see what OpenLDAP does - they use /var/run/ldapi by default - what
> mode is that by default?

It's about the intermediate directory's permission.  OpenLDAP just has /var and
/var/run.  ldapi is already the socket, isn't it?

rmeggins wrote:
> Yes.

We have one more level /var/run/dirsrv, which is hiding the socket from non-root
and non-nobody...  But yes, I have to install openldap and investigate more.

rmeggins wrote:
> Hmm - we probably don't want to open up /var/run/dirsrv if we don't have to -
> maybe we should move the socket into /var/run?  e.g. /var/run/slapd-instance.socket?

I think that's a good idea.  One thing I'd like to make sure of: do we have to
worry about RHDS/FDS coexisting with an OpenLDAP server on one host?  Something
like, if port 389 is already taken, our setup-ds offers an alternative.  Do we
need to do something similar for the LDAPI socket?

rmeggins wrote:
> If there is already a /var/run/ldapi and it is in use by openldap (or another
> redhat/fedora ds) we probably don't want to use it.

nalin wrote:
> When OpenLDAP's libldap gets 'ldapi:///' as a URI, it tries to connect
> to '/var/run/ldapi'.  Perhaps we should just use that?
> Nalin

Comment 1 Noriko Hosoi 2008-03-13 20:36:14 UTC
Created attachment 297983 [details]
cvs diff DSCreate.pm.in

Description: create an LDAPI UNIX socket at the parent dir of run_dir
(/var/run/dirsrv, by default).

Test result.
Installed by root and the server's owner is nobody.
# ls -l /var/run/slapd-*socket
srw-rw-rw-  1 root root 0 Mar 13 10:28 /var/run/slapd-laputa1.socket

[..] - Red Hat-Directory/8.0.0 B2008.073.1814 starting up
[..] - slapd started.  Listening on All Interfaces port 10391 for LDAP requests

[..] - Listening on /var/run/slapd-laputa1.socket for LDAPI requests

Comment 2 Rich Megginson 2008-03-13 20:46:02 UTC
Ok.  Is root:root 0666 the correct ownership and mode?  Is that what openldap uses?

Comment 3 Noriko Hosoi 2008-03-13 21:42:55 UTC
I've installed OpenLDAP 2.3.30 on RHEL4.  By default, the prefix is /usr/local.
And the LDAPI UNIX socket is created at /usr/local/var/run with the mode 0777
owned by root (I started the server as root.  For comparison, I tried to start
the server as myself, which failed.)

[root@laputa openldap-2.3.30]# ls -l /usr/local/var/run
total 20
srwxrwxrwx  1 root root  0 Mar 13 13:29 ldapi
-rw-r--r--  1 root root 39 Mar 13 13:29 slapd.args
-rw-r--r--  1 root root  6 Mar 13 13:29 slapd.pid
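
The permission problem discussed in this bug (Description and Comments 1-3) is a path-traversal one: the socket itself may be world-writable, but a client still needs search (x) permission on every directory above it, and /var/run/dirsrv at 0750 owned by nobody denies that to everyone else. The following is an added example, not code from this bug or from the 389/Fedora DS project, that models the classic Unix DAC check for a UNIX socket path and replays the "before" layout (/var/run/dirsrv at 0750, socket 0666 inside) against the "after" layout from Comment 1 (/var/run/slapd-ID.socket, 0666 root:root). The uids (99 for nobody, 1000 for an ordinary user), the 0755 mode assumed for /, /var and /var/run, and the instance name "ID" are constructed placeholders; the helper that builds the same entries from a live filesystem is also an assumption and is not exercised by the offline scenarios.

```python
"""Can a given user connect() to an LDAPI UNIX socket?  (added example)

Models the discretionary access check the kernel applies on connect():
search (x) on every ancestor directory, then write (w) on the socket.
"""
import os
import stat
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    """One path component: permission bits (no file-type bits) and owner."""
    path: str
    mode: int          # e.g. 0o750
    uid: int
    gid: int
    is_socket: bool = False


@dataclass(frozen=True)
class Subject:
    """The connecting process: effective uid and all of its group ids."""
    uid: int
    gids: frozenset


def _bits_for(entry: Entry, subject: Subject) -> int:
    """Return the rwx triple (0-7) that applies to subject on entry.

    Only one class applies: owner bits if the uid matches, otherwise group
    bits if any gid matches, otherwise the 'other' bits.
    """
    if entry.uid == subject.uid:
        shift = 6
    elif entry.gid in subject.gids:
        shift = 3
    else:
        shift = 0
    return (entry.mode >> shift) & 0o7


def can_connect(entries, subject):
    """Decide whether subject can connect to the socket named by entries.

    entries lists every ancestor directory from '/' down to the socket
    itself, in order.  Returns (allowed, reason).
    """
    if subject.uid == 0:
        return True, "uid 0 bypasses discretionary access checks"
    *dirs, sock = entries
    for d in dirs:
        if not _bits_for(d, subject) & 0o1:
            return False, (f"no search (x) permission on {d.path} "
                           f"(mode {d.mode:04o}, uid {d.uid}, gid {d.gid})")
    if not sock.is_socket:
        return False, f"{sock.path} is not a socket"
    if not _bits_for(sock, subject) & 0o2:
        return False, f"no write permission on {sock.path} (mode {sock.mode:04o})"
    return True, "ok"


def entries_from_filesystem(socket_path):
    """Assumed helper: stat() each component of a real path into Entry objects."""
    parts, cur = [], os.path.abspath(socket_path)
    while True:
        parts.append(cur)
        parent = os.path.dirname(cur)
        if parent == cur:        # reached '/'
            break
        cur = parent
    result = []
    for p in reversed(parts):    # root-most first
        st = os.stat(p)
        result.append(Entry(p, stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid,
                            stat.S_ISSOCK(st.st_mode)))
    return result


# Constructed scenarios.  uids 99 (nobody) and 1000 (ordinary user) are placeholders.
ROOT = Subject(0, frozenset({0}))
NOBODY = Subject(99, frozenset({99}))
ALICE = Subject(1000, frozenset({1000}))
_TOP = [Entry("/", 0o755, 0, 0), Entry("/var", 0o755, 0, 0), Entry("/var/run", 0o755, 0, 0)]

# Before the fix: /var/run/dirsrv is 0750 nobody:nobody, as in the report.
BEFORE_FIX = _TOP + [Entry("/var/run/dirsrv", 0o750, 99, 99),
                     Entry("/var/run/dirsrv/slapd-ID.socket", 0o666, 99, 99, True)]
# The alternative raised in the report: open the directory to 0755 instead.
OPENED_DIR = _TOP + [Entry("/var/run/dirsrv", 0o755, 99, 99),
                     Entry("/var/run/dirsrv/slapd-ID.socket", 0o666, 99, 99, True)]
# After the fix (Comment 1): socket moved to the parent dir, 0666 root:root.
AFTER_FIX = _TOP + [Entry("/var/run/slapd-ID.socket", 0o666, 0, 0, True)]

if __name__ == "__main__":
    for name, layout in (("before", BEFORE_FIX), ("opened dir", OPENED_DIR), ("after", AFTER_FIX)):
        for who, subj in (("root", ROOT), ("nobody", NOBODY), ("alice", ALICE)):
            print(f"{name:10s} {who:6s} -> {can_connect(layout, subj)}")
```

The decision is made per class (owner, group, other), which is why a 0750 directory owned by nobody admits the server process but nobody else; a world-writable socket inside it is unreachable for ordinary users, exactly the symptom the report describes. The "after" layout needs no change to /var/run/dirsrv at all, which is the point of moving the socket up one level.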

Comment 4 Noriko Hosoi 2008-03-13 21:53:19 UTC
Created attachment 297992 [details]
cvs commit message

Reviewed by Rich (Thanks!)

Checked into CVS HEAD.

Comment 6 Jenny Severance 2009-02-24 19:47:29 UTC
fix verified:

RHEL5 - /var/run/slapd-<instance>.socket

HP-UX - /var/opt/dirsrv/slapd-<instance>/slapd-<instance>.socket

Both in parent directory to the run_dir.

Comment 7 Chandrasekar Kannan 2009-04-29 23:02:45 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.