Description of problem:

LDAPI Configuration Parameters (cn=config):

  nsslapd-ldapifilepath: <full_path_of_the_UNIX_socket>
    example> nsslapd-ldapifilepath: /var/run/dirsrv/slapd-fds.socket
  nsslapd-ldapilisten: on | off
    Main parameter to turn LDAPI on and off; off by default.

The rest are introduced to support AUTOBIND, which maps the UNIX uid and gid to the corresponding entry stored in the Directory Server and binds the server with the entry.

  nsslapd-ldapiautobind: on | off
    Parameter to turn AUTOBIND on and off.
  nsslapd-ldapimaprootdn: <dn_which_is_used_for_root_uid>
    Entry to be mapped when the bind uid number is 0. Specify "cn=Directory Manager" or a highly privileged user.
  nsslapd-ldapimaptoentries: on | off
    If this parameter is on, uid and gid are mapped to the dn which is dynamically searched with the values defined below.
  nsslapd-ldapiuidnumbertype: uidNumber
    This value is used in the search filter (uidNumber=<local_uid>).
  nsslapd-ldapigidnumbertype: gidNumber
    This value is used in the search filter (gidNumber=<local_gid>).
  nsslapd-ldapientrysearchbase: dc=example, dc=com
    This value is used for the search base.
  nsslapd-ldapiautodnsuffix: cn=peercred,cn=external,cn=auth
    Introduced as a safety net: when mapping the entry fails, this special user is used to allow the bind.

Note: All of the parameters except nsslapd-ldapiautobind are included in template-ldapi-default.ldif and added to dse.ldif. But they are not really used. Plus, I think we can remove nsslapd-ldapimaprootdn, nsslapd-ldapimaptoentries, nsslapd-ldapiuidnumbertype, nsslapd-ldapigidnumbertype, nsslapd-ldapientrysearchbase, nsslapd-ldapiautodnsuffix from template-ldapi-default.ldif.
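The following is an added example, not 389 Directory Server code or part of this bug report: it simulates the AUTOBIND mapping rules the parameters above describe, so the effect of each nsslapd-ldapi* setting on a local peer's (uid, gid) can be seen on a constructed in-memory directory. Combining the two filters into one "(&(uidNumber=..)(gidNumber=..))" filter and the exact form of the fallback DN under nsslapd-ldapiautodnsuffix are assumptions of this example; the report only gives the suffix.

```python
# Added example (not 389 Directory Server code): a simulation of the LDAPI
# AUTOBIND mapping rules.  The directory is a constructed in-memory list; the
# combined "(&(uidNumber=..)(gidNumber=..))" filter and the form of the
# fallback DN under nsslapd-ldapiautodnsuffix are assumptions.
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class LdapiConfig:
    """cn=config attributes from the report, with the documented defaults."""
    ldapilisten: bool = True                      # nsslapd-ldapilisten
    ldapiautobind: bool = False                   # nsslapd-ldapiautobind
    ldapimaprootdn: str = "cn=Directory Manager"  # nsslapd-ldapimaprootdn
    ldapimaptoentries: bool = False               # nsslapd-ldapimaptoentries
    ldapiuidnumbertype: str = "uidNumber"         # nsslapd-ldapiuidnumbertype
    ldapigidnumbertype: str = "gidNumber"         # nsslapd-ldapigidnumbertype
    ldapientrysearchbase: str = "dc=example, dc=com"             # nsslapd-ldapientrysearchbase
    ldapiautodnsuffix: str = "cn=peercred,cn=external,cn=auth"   # nsslapd-ldapiautodnsuffix


# Constructed sample directory: (dn, attributes).
DIRECTORY = [
    ("uid=alice,ou=people,dc=example,dc=com", {"uidNumber": "1000", "gidNumber": "1000"}),
    ("uid=bob,ou=people,dc=example,dc=com", {"uidNumber": "1001", "gidNumber": "1001"}),
    # A second entry carrying bob's numbers: the search is ambiguous, mapping fails.
    ("uid=bob-old,ou=people,dc=example,dc=com", {"uidNumber": "1001", "gidNumber": "1001"}),
    # Correct numbers but outside the search base: never found.
    ("uid=carol,ou=people,dc=other", {"uidNumber": "1002", "gidNumber": "1002"}),
]


def normalize_dn(dn: str) -> str:
    """Minimal DN normalization: drop whitespace around RDNs, lower-case."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def under_base(dn: str, base: str) -> bool:
    """True if dn is the base itself or lies below it."""
    dn, base = normalize_dn(dn), normalize_dn(base)
    return dn == base or dn.endswith("," + base)


def build_filter(cfg: LdapiConfig, uid: int, gid: int) -> str:
    """Search filter built from the *uidnumbertype / *gidnumbertype attribute names."""
    return f"(&({cfg.ldapiuidnumbertype}={uid})({cfg.ldapigidnumbertype}={gid}))"


def search_entries(cfg: LdapiConfig, uid: int, gid: int) -> List[str]:
    """Entries under nsslapd-ldapientrysearchbase matching the peer's uid and gid."""
    return [
        dn for dn, attrs in DIRECTORY
        if under_base(dn, cfg.ldapientrysearchbase)
        and attrs.get(cfg.ldapiuidnumbertype) == str(uid)
        and attrs.get(cfg.ldapigidnumbertype) == str(gid)
    ]


def autobind_dn(cfg: LdapiConfig, uid: int, gid: int) -> Optional[str]:
    """DN a local peer with (uid, gid) is bound as, or None if no autobind happens."""
    if not cfg.ldapilisten:
        raise ConnectionRefusedError("nsslapd-ldapilisten is off: no LDAPI socket")
    if not cfg.ldapiautobind:
        return None  # peer credentials are ignored; an ordinary BIND is still required
    if uid == 0:
        # Local root is mapped straight to the configured root DN.
        return cfg.ldapimaprootdn
    if cfg.ldapimaptoentries:
        matches = search_entries(cfg, uid, gid)
        if len(matches) == 1:
            return matches[0]
    # Mapping disabled, no match, or an ambiguous match: use the safety-net identity.
    return f"gidNumber={gid}+uidNumber={uid},{cfg.ldapiautodnsuffix}"


if __name__ == "__main__":
    cfg = LdapiConfig(ldapiautobind=True, ldapimaptoentries=True)
    for uid, gid in [(0, 0), (1000, 1000), (1001, 1001), (1002, 1002)]:
        print(uid, gid, build_filter(cfg, uid, gid), "->", autobind_dn(cfg, uid, gid))
```

Two things the simulation makes visible: the uid 0 rule means any local process running as root is bound as nsslapd-ldapimaprootdn, so the socket path's permissions and the set of accounts that can reach uid 0 on the host decide who is effectively Directory Manager; and with nsslapd-ldapimaptoentries on, a duplicated uidNumber/gidNumber pair or an entry outside nsslapd-ldapientrysearchbase silently drops the peer to the cn=peercred,cn=external,cn=auth identity, which is worth checking for in the access log when an autobound client unexpectedly lacks rights.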
These template files may not be used to initialize the ldapi configuration parameters. Rather, createConfigFile (DSCreate.pm.in) hardcodes them:

  if ("@enable_autobind@") {
    $ent->setValues("nsslapd-ldapiautobind", "on");
  }
  $ent->setValues("nsslapd-ldapimaprootdn", $inf->{slapd}->{RootDN});
  $ent->setValues("nsslapd-ldapimaptoentries", "off");
  $ent->setValues("nsslapd-ldapiuidnumbertype", "uidNumber");
  $ent->setValues("nsslapd-ldapigidnumbertype", "gidNumber");
  $ent->setValues("nsslapd-ldapientrysearchbase", "dc=example, dc=com");
  $ent->setValues("nsslapd-ldapiautodnsuffix", "cn=peercred,cn=external,cn=auth");
Created attachment 304993 [details]
cvs diff template-ldapi-default.ldif.in DSCreate.pm.in

Files:
  ldap/ldif/template-ldapi-default.ldif.in
  ldap/admin/src/scripts/DSCreate.pm.in

Description:
LDAPI itself requires these 2 configuration parameters.
  nsslapd-ldapifilepath: /var/run/slapd-<ID>.socket
  nsslapd-ldapilisten: on

The rest is needed only when autobind is enabled. Modified DSCreate to generate the following parameters when the DS is configured with --enable-autobind.
  nsslapd-ldapiautobind: off
  nsslapd-ldapimaprootdn: cn=Directory Manager
  nsslapd-ldapimaptoentries: off
  nsslapd-ldapiuidnumbertype: uidNumber
  nsslapd-ldapigidnumbertype: gidNumber
  nsslapd-ldapientrysearchbase: <your_suffix>
  nsslapd-ldapiautodnsuffix: cn=peercred,cn=external,cn=auth

Fixed the nsslapd-ldapientrysearchbase value to set the server's suffix (instead of the hardcoded dc=example,dc=com).

template-ldapi-default.ldif.in seems not to be used. But to reduce the confusion, I updated the file as well, for future use.
Created attachment 305706 [details]
cvs diff template-ldapi-default.ldif.in DSCreate.pm.in

Reviewed and commented by Rich, Andrew, and Howard (Thank you!!)
Checked into CVS HEAD.
(In reply to comment #4) s/cvs diff template-ldapi-default.ldif.in DSCreate.pm.in/cvs commit message/
This seems more like a task reminder than a bug. Can we just close it since LDAPI is now implemented?
Default LDAPI related config attributes in the installed dse.ldif:

  nsslapd-ldapifilepath: /var/run/slapd-m0.socket
  nsslapd-ldapilisten: off
  nsslapd-ldapiautobind: off
  nsslapd-ldapimaprootdn: cn=Directory Manager
  nsslapd-ldapimaptoentries: off
  nsslapd-ldapiuidnumbertype: uidNumber
  nsslapd-ldapigidnumbertype: gidNumber
  nsslapd-ldapientrysearchbase: dc=example,dc=com

This attribute value set reflects template-ldapi-default.ldif.in.

=======================================================================

Corresponding section of the installed DSCreate.pm (the "@enable_autobind@" placeholders have already been substituted by configure):

      $ent->setValues("nsslapd-ldapilisten", "off");
  }
  if ("1") {
      $ent->setValues("nsslapd-ldapiautobind", "off");
      $ent->setValues("nsslapd-ldapimaprootdn", $inf->{slapd}->{RootDN});
      $ent->setValues("nsslapd-ldapimaptoentries", "off");
      $ent->setValues("nsslapd-ldapiuidnumbertype", "uidNumber");
      $ent->setValues("nsslapd-ldapigidnumbertype", "gidNumber");
      $ent->setValues("nsslapd-ldapientrysearchbase", $inf->{slapd}->{Suffix});
      if ("") {
          $ent->setValues("nsslapd-ldapiautodnsuffix", "cn=peercred,cn=external,cn=auth");
      }
  }
  if (!$conn->update($ent)) {
      $conn->close();
      return ("error_enabling_feature", "ldapi", $conn->getErrorString());
  }

This code reflects DSCreate.pm.in.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHEA-2009-0455.html