Bug 436400 - LDAPI: cleaning up template-ldapi-default.ldif.in and DSCreate.pm.in
Product: 389
Classification: Community
Component: Directory Server
All Linux
high Severity high
Assigned To: Noriko Hosoi
Chandrasekar Kannan
Blocks: 249650 FDS1.2.0
Reported: 2008-03-06 17:21 EST by Noriko Hosoi
Modified: 2015-01-04 18:31 EST (History)
Fixed In Version: 8.1
Doc Type: Bug Fix
Last Closed: 2009-04-29 19:02:48 EDT

Attachments
cvs diff template-ldapi-default.ldif.in DSCreate.pm.in (2.44 KB, patch)
2008-05-09 18:52 EDT, Noriko Hosoi
cvs diff template-ldapi-default.ldif.in DSCreate.pm.in (985 bytes, text/plain)
2008-05-16 12:28 EDT, Noriko Hosoi
Description Noriko Hosoi 2008-03-06 17:21:03 EST
Description of problem:

LDAPI Configuration Parameters (cn=config):

    nsslapd-ldapifilepath: <full_path_of_the_UNIX_socket>
    example> nsslapd-ldapifilepath: /var/run/dirsrv/slapd-fds.socket

    nsslapd-ldapilisten: on | off
    main parameter to turn on and off LDAPI, by default off

The rest are introduced to support AUTOBIND, which maps the UNIX uid and gid to
the corresponding entry stored in the Directory Server and binds to the server with
the entry.

    nsslapd-ldapiautobind: on | off
    Parameter to turn on and off AUTOBIND

    nsslapd-ldapimaprootdn: <dn_which_is_used_for_root_uid>
    Entry to be mapped when the bind uid number is 0.  Specify "cn=Directory
    Manager" or a highly privileged user.

    nsslapd-ldapimaptoentries: on | off
    If this parameter is on, uid and gid are mapped to the dn which is
    dynamically searched with the values defined below.

    nsslapd-ldapiuidnumbertype: uidNumber
    This value is used in the search filter (uidNumber=<local_uid>)

    nsslapd-ldapigidnumbertype: gidNumber
    This value is used in the search filter (gidNumber=<local_gid>)

    nsslapd-ldapientrysearchbase: dc=example, dc=com
    This value is used for the search base.

    nsslapd-ldapiautodnsuffix: cn=peercred,cn=external,cn=auth
    Introduced as a safety net: when mapping to an entry fails, this special
    user is used to allow the bind.

Note: All of the parameters except nsslapd-ldapiautobind are included in
template-ldapi-default.ldif and added to dse.ldif.  But they are not really
used.  Plus, template  I think we can remove nsslapd-ldapimaprootdn,
nsslapd-ldapimaptoentries, nsslapd-ldapiuidnumbertype,
nsslapd-ldapigidnumbertype, nsslapd-ldapientrysearchbase,
nsslapd-ldapiautodnsuffix from template-ldapi-default.ldif.
Comment 1 Noriko Hosoi 2008-03-06 17:31:58 EST
These template files may not be used to initialize the ldapi configuration
parameters.  Rather, createConfigFile (DSCreate.pm.in) hardcoded them:

    if ("@enable_autobind@") {
        $ent->setValues("nsslapd-ldapiautobind", "on");
    }
    $ent->setValues("nsslapd-ldapimaprootdn", $inf->{slapd}->{RootDN});
    $ent->setValues("nsslapd-ldapimaptoentries", "off");
    $ent->setValues("nsslapd-ldapiuidnumbertype", "uidNumber");
    $ent->setValues("nsslapd-ldapigidnumbertype", "gidNumber");
    $ent->setValues("nsslapd-ldapientrysearchbase", "dc=example, dc=com");
    $ent->setValues("nsslapd-ldapiautodnsuffix", "cn=peercred,cn=external,cn=auth");
Comment 3 Noriko Hosoi 2008-05-09 18:52:13 EDT
Created attachment 304993
cvs diff template-ldapi-default.ldif.in DSCreate.pm.in


LDAPI itself requires these 2 configuration parameters.
   nsslapd-ldapifilepath: /var/run/slapd-<ID>.socket
   nsslapd-ldapilisten: on

The rest is needed only when autobind is enabled.
Modified DSCreate to generate the following parameters when the DS is
configured with --enable-autobind.
   nsslapd-ldapiautobind: off
   nsslapd-ldapimaprootdn: cn=Directory Manager
   nsslapd-ldapimaptoentries: off
   nsslapd-ldapiuidnumbertype: uidNumber
   nsslapd-ldapigidnumbertype: gidNumber
   nsslapd-ldapientrysearchbase: <your_suffix>
   nsslapd-ldapiautodnsuffix: cn=peercred,cn=external,cn=auth

Fixed nsslapd-ldapientrysearchbase value to set the server's suffix (instead of
hardcoded dc=example,dc=com).

template-ldapi-default.ldif.in seems not used. But to reduce the confusion, I
updated the file, as well, for the future use.
Comment 4 Noriko Hosoi 2008-05-16 12:28:43 EDT
Created attachment 305706
cvs diff template-ldapi-default.ldif.in DSCreate.pm.in

Reviewed and commented by Rich, Andrew, and Howard (Thank you!!)

Checked into CVS HEAD.
Comment 5 Noriko Hosoi 2008-05-16 12:50:27 EDT
(In reply to comment #4)
s/cvs diff template-ldapi-default.ldif.in DSCreate.pm.in/cvs commit message/
Comment 6 Jenny Galipeau 2009-03-12 12:54:23 EDT
This seems more like a task reminder than a bug.  Can we just close it since LDAPI is now implemented?
Comment 7 Noriko Hosoi 2009-03-12 14:25:23 EDT
Default LDAP related config attributes in the installed dse.ldif:
nsslapd-ldapifilepath: /var/run/slapd-m0.socket
nsslapd-ldapilisten: off
nsslapd-ldapiautobind: off
nsslapd-ldapimaprootdn: cn=Directory Manager
nsslapd-ldapimaptoentries: off
nsslapd-ldapiuidnumbertype: uidNumber
nsslapd-ldapigidnumbertype: gidNumber
nsslapd-ldapientrysearchbase: dc=example,dc=com

This attribute value set reflects template-ldapi-default.ldif.in.

Corresponding section of installed DSCreate.pm
        $ent->setValues("nsslapd-ldapilisten", "off");
    }
    if ("1") {
        $ent->setValues("nsslapd-ldapiautobind", "off");
        $ent->setValues("nsslapd-ldapimaprootdn", $inf->{slapd}->{RootDN});
        $ent->setValues("nsslapd-ldapimaptoentries", "off");
        $ent->setValues("nsslapd-ldapiuidnumbertype", "uidNumber");
        $ent->setValues("nsslapd-ldapigidnumbertype", "gidNumber");
        $ent->setValues("nsslapd-ldapientrysearchbase", $inf->{slapd}->{Suffix});
        if ("") {
            $ent->setValues("nsslapd-ldapiautodnsuffix", "cn=peercred,cn=external,cn=auth");
        }
    }
    if (!$conn->update($ent)) {
        $conn->close();
        return ("error_enabling_feature", "ldapi", $conn->getErrorString());
    }

This code reflects DSCreate.pm.in.
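
Added example (not part of the bug report and not 389 Directory Server code): a small Python audit of the LDAPI attributes discussed in this bug, run against the default values listed in comment 7. The function names, finding codes and override values are assumptions made for illustration, and the DN comparison is deliberately naive.

```python
# Added example, not 389 DS code. Sample input: the defaults listed in comment 7.
PREFIX = "nsslapd-ldapi"
AUTOBIND_ONLY = ("maprootdn", "maptoentries", "uidnumbertype",
                 "gidnumbertype", "entrysearchbase", "autodnsuffix")
COMMENT7_DEFAULTS = """\
nsslapd-ldapifilepath: /var/run/slapd-m0.socket
nsslapd-ldapilisten: off
nsslapd-ldapiautobind: off
nsslapd-ldapimaprootdn: cn=Directory Manager
nsslapd-ldapimaptoentries: off
nsslapd-ldapiuidnumbertype: uidNumber
nsslapd-ldapigidnumbertype: gidNumber
nsslapd-ldapientrysearchbase: dc=example,dc=com
"""

def parse_ldapi_attrs(ldif_text):
    """Collect nsslapd-ldapi* 'attr: value' lines, keyed by the name suffix."""
    attrs = {}
    for line in ldif_text.splitlines():
        name, sep, value = line.partition(":")
        name = name.strip().lower()
        if sep and name.startswith(PREFIX):
            attrs[name[len(PREFIX):]] = value.strip()
    return attrs

def under_suffix(dn, suffix):
    """Naive DN containment: case/space-insensitive, no escaped-comma handling."""
    norm = lambda d: ",".join(p.strip().lower() for p in d.split(","))
    dn, suffix = norm(dn), norm(suffix)
    return dn == suffix or dn.endswith("," + suffix)

def audit_ldapi(attrs, server_suffix):
    """Return finding codes (hypothetical names) for one instance's LDAPI settings."""
    on = lambda key: attrs.get(key, "off").lower() == "on"
    if not on("listen"):
        return ["LISTEN_OFF"]            # socket closed: remaining settings are inert
    found = [] if attrs.get("filepath") else ["NO_SOCKET_PATH"]
    if not on("autobind"):               # autobind-only attributes are then unused
        return found + ["UNUSED:" + k for k in AUTOBIND_ONLY if k in attrs]
    if attrs.get("maprootdn"):
        found.append("ROOT_MAPPED")      # local uid 0 binds as this DN
    if on("maptoentries") and not under_suffix(
            attrs.get("entrysearchbase", ""), server_suffix):
        found.append("SEARCHBASE_OUTSIDE_SUFFIX")  # e.g. leftover dc=example,dc=com
    return found

def audit_with(overrides, server_suffix):
    """Audit the comment 7 defaults with constructed overrides applied."""
    return audit_ldapi({**parse_ldapi_attrs(COMMENT7_DEFAULTS), **overrides}, server_suffix)
```

With the comment 7 defaults unchanged the audit reports only that the socket is off; turning on `listen`, `autobind` and `maptoentries` against a server whose suffix is not `dc=example,dc=com` surfaces the root mapping and the stale search base.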
Comment 8 Chandrasekar Kannan 2009-04-29 19:02:48 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

