Bug 436397 - LDAPI: move default LDAPI UNIX socket from /var/run/dirsrv/slapd-ID.socket to /var/run/slapd-ID.socket
Product: 389
Classification: Community
Component: Directory Server
Hardware: All  OS: Linux
Priority: high  Severity: high
Assigned To: Noriko Hosoi
Chandrasekar Kannan
Blocks: 249650 FDS1.2.0
Reported: 2008-03-06 17:15 EST by Noriko Hosoi
Modified: 2015-01-04 18:31 EST (History)
Fixed In Version: 8.1
Doc Type: Bug Fix
Last Closed: 2009-04-29 19:02:45 EDT

Attachments (Terms of Use)
cvs diff DSCreate.pm.in (1.01 KB, patch)
2008-03-13 16:36 EDT, Noriko Hosoi
no flags Details | Diff
cvs commit message (587 bytes, text/plain)
2008-03-13 17:53 EDT, Noriko Hosoi
no flags Details

Description Noriko Hosoi 2008-03-06 17:15:37 EST
Description of problem:
* If fedora-ds-base is installed by root, the mode of
  /var/run/dirsrv is 0750, which prevents ordinary users from accessing
  the UNIX socket.  Should the mode be 0755?  Or we don't allow
  non-root/non-nobody users to use LDAPI?

    drwxr-x---  2 nobody nobody 4096 Mar  5 13:57 /var/run/dirsrv/
    It's set by makeDSDirs in DSCreate.pm.

rmeggins wrote:
> We should see what OpenLDAP does - they use /var/run/ldapi by default - what
> mode is that by default?

It's about the intermediate directory's permission.  OpenLDAP just has /var and
/var/run.  ldapi is already the socket, isn't it?

rmeggins wrote:
> Yes.

We have one more level /var/run/dirsrv, which is hiding the socket from non-root
and non-nobody...  But yes, I have to install openldap and investigate more.

rmeggins wrote:
> Hmm - we probably don't want to open up /var/run/dirsrv if we don't have to -
> maybe we should move the socket into /var/run?  e.g. /var/run/slapd-instance.socket?

I think that's a good idea.  One thing I'd like to make sure is we have to worry
about RHDS/FDS coexisting with OpenLDAP server on one host?  Something like, if
port 389 is already taken, our setup-ds offers alternative.  Do we need to do
something similar for LDAPI socket?

rmeggins wrote:
> If there is already a /var/run/ldapi and it is in use by openldap (or another
> redhat/fedora ds) we probably don't want to use it.

nalin wrote:
> When OpenLDAP's libldap gets 'ldapi:///' as a URI, it tries to connect
> to '/var/run/ldapi'.  Perhaps we should just use that?
> Nalin
Comment 1 Noriko Hosoi 2008-03-13 16:36:14 EDT
Created attachment 297983 [details]
cvs diff DSCreate.pm.in

Description: create an LDAPI UNIX socket at the parent dir of run_dir
(/var/run/dirsrv, by default).

Test result.
Installed by root and the server's owner is nobody.
# ls -l /var/run/slapd-*socket
srw-rw-rw-  1 root root 0 Mar 13 10:28 /var/run/slapd-laputa1.socket

[..] - Red Hat-Directory/8.0.0 B2008.073.1814 starting up
[..] - slapd started.  Listening on All Interfaces port 10391 for LDAP requests

[..] - Listening on /var/run/slapd-laputa1.socket for LDAPI requests
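Added example, not part of this bug or the 389 code: a permission walk that shows why a socket under a 0750 run_dir is unreachable for a non-owner even when the socket inode itself is 0666, and why moving it to the parent directory fixes that. Linux requires search (x) on every parent directory plus write (w) on the socket inode for connect(); the directory layout, uid/gid and socket name below are constructed in a temporary directory.

```python
import os
import shutil
import socket
import stat
import tempfile


def _allowed(st, uid, gid, owner_bit, group_bit, other_bit):
    """Classic DAC class selection: owner, else group, else other. Root bypasses.
    Supplementary groups are ignored in this simplified check."""
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & owner_bit)
    if st.st_gid == gid:
        return bool(st.st_mode & group_bit)
    return bool(st.st_mode & other_bit)


def ldapi_socket_reachable(path, uid, gid):
    """Return (ok, reason): could a process running as uid/gid connect() to the
    UNIX socket at path? Checks x on each directory component and w on the socket."""
    path = os.path.abspath(path)
    comps = path.split(os.sep)[1:]
    cur, dirs = os.sep, [os.sep]
    for comp in comps[:-1]:
        cur = os.path.join(cur, comp)
        dirs.append(cur)
    for d in dirs:
        st = os.stat(d)
        if not _allowed(st, uid, gid, stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH):
            return False, f"no search permission on {d} (mode {oct(stat.S_IMODE(st.st_mode))})"
    st = os.stat(path)
    if not stat.S_ISSOCK(st.st_mode):
        return False, f"{path} is not a UNIX socket"
    if not _allowed(st, uid, gid, stat.S_IWUSR, stat.S_IWGRP, stat.S_IWOTH):
        return False, f"no write permission on {path} (mode {oct(stat.S_IMODE(st.st_mode))})"
    return True, "ok"


def demo():
    """Constructed layout mirroring the bug: run_dir 'dirsrv' at 0750 hiding the
    socket, versus the same socket moved to the parent directory (0755)."""
    root = tempfile.mkdtemp()
    os.chmod(root, 0o755)
    run_dir = os.path.join(root, "dirsrv")
    os.mkdir(run_dir)
    os.chmod(run_dir, 0o750)
    old, new = os.path.join(run_dir, "slapd-ID.socket"), os.path.join(root, "slapd-ID.socket")
    for p in (old, new):
        s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        s.bind(p)
        s.close()
        os.chmod(p, 0o666)  # the mode the fix in this bug produced (srw-rw-rw-)
    uid, gid = os.getuid() + 1, os.getgid() + 1  # constructed non-owner identity
    results = (ldapi_socket_reachable(old, uid, gid), ldapi_socket_reachable(new, uid, gid))
    shutil.rmtree(root)
    return results
```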
Comment 2 Rich Megginson 2008-03-13 16:46:02 EDT
Ok.  Is root:root 0666 the correct ownership and mode?  Is that what openldap uses?
Comment 3 Noriko Hosoi 2008-03-13 17:42:55 EDT
I've installed OpenLDAP 2.3.30 on RHEL4.  By default, the prefix is /usr/local.
And the LDAPI UNIX socket is created at /usr/local/var/run with the mode 0777
owned by root (I started the server as root.  For comparison, I tried to start
the server as myself, which failed.)

[root@laputa openldap-2.3.30]# ls -l /usr/local/var/run
total 20
srwxrwxrwx  1 root root  0 Mar 13 13:29 ldapi
-rw-r--r--  1 root root 39 Mar 13 13:29 slapd.args
-rw-r--r--  1 root root  6 Mar 13 13:29 slapd.pid

Comment 4 Noriko Hosoi 2008-03-13 17:53:19 EDT
Created attachment 297992 [details]
cvs commit message

Reviewed by Rich (Thanks!)

Checked in into CVS HEAD.
Comment 6 Jenny Galipeau 2009-02-24 14:47:29 EST
fix verified:

RHEL5 - /var/run/slapd-<instance>.socket

HP-UX - /var/opt/dirsrv/slapd-<instance>/slapd-<instance>.socket

Both in parent directory to the run_dir.
Comment 7 Chandrasekar Kannan 2009-04-29 19:02:45 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

