Bug 436400 - LDAPI: cleaning up template-ldapi-default.ldif.in and DSCreate.pm.in
Summary: LDAPI: cleaning up template-ldapi-default.ldif.in and DSCreate.pm.in
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: 389
Classification: Retired
Component: Directory Server
Version: 1.1.0
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Noriko Hosoi
QA Contact: Chandrasekar Kannan
URL:
Whiteboard:
Depends On:
Blocks: 249650 FDS1.2.0
 
Reported: 2008-03-06 22:21 UTC by Noriko Hosoi
Modified: 2015-01-04 23:31 UTC (History)

Fixed In Version: 8.1
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-04-29 23:02:48 UTC
Embargoed:


Attachments
cvs diff template-ldapi-default.ldif.in DSCreate.pm.in (2.44 KB, patch)
2008-05-09 22:52 UTC, Noriko Hosoi
cvs diff template-ldapi-default.ldif.in DSCreate.pm.in (985 bytes, text/plain)
2008-05-16 16:28 UTC, Noriko Hosoi

Description Noriko Hosoi 2008-03-06 22:21:03 UTC
Description of problem:

LDAPI Configuration Parameters (cn=config):

    nsslapd-ldapifilepath: <full_path_of_the_UNIX_socket>
    example> nsslapd-ldapifilepath: /var/run/dirsrv/slapd-fds.socket

    nsslapd-ldapilisten: on | off
    main parameter to turn on and off LDAPI, by default off

The rest are introduced to support AUTOBIND, which maps the UNIX uid and gid to
the corresponding entry stored in the Directory Server and binds the connection
as that entry.

    nsslapd-ldapiautobind: on | off
    Parameter to turn on and off AUTOBIND

    nsslapd-ldapimaprootdn: <dn_which_is_used_for_root_uid>
    Entry to be mapped when the bind uid number is 0.  Specify "cn=Directory
Manager" or a highly privileged user.

    nsslapd-ldapimaptoentries: on | off
    If this parameter is on, uid and gid are mapped to the dn which is
dynamically searched with the values defined below.

    nsslapd-ldapiuidnumbertype: uidNumber
    This value is used in the search filter (uidNumber=<local_uid>)

    nsslapd-ldapigidnumbertype: gidNumber
    This value is used in the search filter (gidNumber=<local_gid>)

    nsslapd-ldapientrysearchbase: dc=example, dc=com
    This value is used for the search base.

    nsslapd-ldapiautodnsuffix: cn=peercred,cn=external,cn=auth
    Introduced as a safety net: when entry mapping fails, this special user is
used to allow the bind.

Note: All of the parameters except nsslapd-ldapiautobind are included in
template-ldapi-default.ldif and added to dse.ldif.  But they are not really
used.  Plus, I think we can remove nsslapd-ldapimaprootdn,
nsslapd-ldapimaptoentries, nsslapd-ldapiuidnumbertype,
nsslapd-ldapigidnumbertype, nsslapd-ldapientrysearchbase,
nsslapd-ldapiautodnsuffix from template-ldapi-default.ldif.
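
The following is an added example, not code from this bug or from 389 Directory Server, that models how the LDAPI autobind parameters listed above decide which DN a local connection ends up bound as. It parses a constructed cn=config fragment (the attribute names are the real ones from the description; the values are made up), then walks the mapping: no autobind means anonymous, uid 0 maps to nsslapd-ldapimaprootdn, otherwise the peer's uid/gid are looked up under nsslapd-ldapientrysearchbase, and a failed lookup falls back to nsslapd-ldapiautodnsuffix. The in-memory entry list, the ANDing of the uidNumber and gidNumber filters, the "exactly one hit" rule, and the gidNumber=...+uidNumber=... shape of the fallback DN are assumptions of this example, not something the bug states. The third entry lives outside the hardcoded dc=example,dc=com search base on purpose, to show what the mismatch this bug fixes looks like from the client side: the mapping silently fails and the caller lands on the peercred safety-net identity instead of its own entry.

```python
"""Model of 389 DS LDAPI autobind DN mapping driven by cn=config attributes.
Added example; it is not the server's implementation."""

from typing import Dict, List, Optional

# Constructed dse.ldif fragment: the default attribute set with LDAPI,
# autobind and entry mapping switched on.
DSE_LDIF = """\
dn: cn=config
nsslapd-ldapifilepath: /var/run/slapd-m0.socket
nsslapd-ldapilisten: on
nsslapd-ldapiautobind: on
nsslapd-ldapimaprootdn: cn=Directory Manager
nsslapd-ldapimaptoentries: on
nsslapd-ldapiuidnumbertype: uidNumber
nsslapd-ldapigidnumbertype: gidNumber
nsslapd-ldapientrysearchbase: dc=example,dc=com
nsslapd-ldapiautodnsuffix: cn=peercred,cn=external,cn=auth
"""

# Constructed directory content standing in for the backend search.
# The last entry is deliberately outside the configured search base.
ENTRIES: List[Dict[str, str]] = [
    {"dn": "uid=alice,ou=People,dc=example,dc=com", "uidNumber": "1000", "gidNumber": "1000"},
    {"dn": "uid=svc,ou=Services,dc=example,dc=com", "uidNumber": "2000", "gidNumber": "2000"},
    {"dn": "uid=other,dc=other,dc=org", "uidNumber": "3000", "gidNumber": "3000"},
]


def parse_ldapi_config(ldif: str) -> Dict[str, str]:
    """Collect the nsslapd-ldapi* attributes of a cn=config LDIF entry."""
    cfg: Dict[str, str] = {}
    for line in ldif.splitlines():
        if not line.startswith("nsslapd-ldapi") or ":" not in line:
            continue
        attr, _, value = line.partition(":")
        cfg[attr.strip().lower()] = value.strip()
    return cfg


def is_on(cfg: Dict[str, str], attr: str) -> bool:
    return cfg.get(attr, "off").lower() == "on"


def _norm_dn(dn: str) -> str:
    # Assumption: case- and whitespace-insensitive RDN comparison is enough here.
    return ",".join(part.strip().lower() for part in dn.split(","))


def dn_under(dn: str, base: str) -> bool:
    d, b = _norm_dn(dn), _norm_dn(base)
    return d == b or d.endswith("," + b)


def search(entries: List[Dict[str, str]], base: str,
           uid_attr: str, uid: int, gid_attr: str, gid: int) -> List[Dict[str, str]]:
    """Stand-in for the backend search (&(uidNumber=uid)(gidNumber=gid)) under base.
    Assumption: the two filters from the description are ANDed."""
    return [e for e in entries
            if dn_under(e["dn"], base)
            and e.get(uid_attr) == str(uid)
            and e.get(gid_attr) == str(gid)]


def autobind_dn(cfg: Dict[str, str], uid: int, gid: int,
                entries: List[Dict[str, str]] = ENTRIES) -> Optional[str]:
    """Return the DN a local LDAPI peer is bound as, or None for anonymous."""
    if not is_on(cfg, "nsslapd-ldapilisten") or not is_on(cfg, "nsslapd-ldapiautobind"):
        return None
    if uid == 0:
        # Local root becomes the mapped root DN: with the default value this is
        # cn=Directory Manager, i.e. full directory administration.
        return cfg.get("nsslapd-ldapimaprootdn") or None
    if is_on(cfg, "nsslapd-ldapimaptoentries"):
        hits = search(entries, cfg.get("nsslapd-ldapientrysearchbase", ""),
                      cfg.get("nsslapd-ldapiuidnumbertype", "uidNumber"), uid,
                      cfg.get("nsslapd-ldapigidnumbertype", "gidNumber"), gid)
        if len(hits) == 1:  # assumption: ambiguous matches count as a failed mapping
            return hits[0]["dn"]
    # Safety net: mapping disabled or failed, bind as the special peercred user.
    suffix = cfg.get("nsslapd-ldapiautodnsuffix")
    if not suffix:
        return None
    # Assumption: the fallback DN carries the peer's numbers as a multi-valued RDN.
    return f"gidNumber={gid}+uidNumber={uid},{suffix}"


if __name__ == "__main__":
    config = parse_ldapi_config(DSE_LDIF)
    for peer in [(0, 0), (1000, 1000), (3000, 3000)]:
        print(peer, "->", autobind_dn(config, *peer))
```

Run stand-alone it prints the bound DN for root, for a mapped user and for the out-of-base user; the last one shows why Comment 3 replaces the hardcoded dc=example,dc=com with the server's own suffix. To check a real instance, compare the nsslapd-ldapientrysearchbase value in dse.ldif with the suffix your people entries actually live under.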

Comment 1 Noriko Hosoi 2008-03-06 22:31:58 UTC
These template files may not be used to initialize the ldapi configuration
parameters.  Rather, createConfigFile (DSCreate.pm.in) hardcoded them:

        if ("@enable_autobind@") {
            $ent->setValues("nsslapd-ldapiautobind", "on");
        }
        $ent->setValues("nsslapd-ldapimaprootdn", $inf->{slapd}->{RootDN});
        $ent->setValues("nsslapd-ldapimaptoentries", "off");
        $ent->setValues("nsslapd-ldapiuidnumbertype", "uidNumber");
        $ent->setValues("nsslapd-ldapigidnumbertype", "gidNumber");
        $ent->setValues("nsslapd-ldapientrysearchbase", "dc=example, dc=com");
        $ent->setValues("nsslapd-ldapiautodnsuffix", "cn=peercred,cn=external,cn=auth");


Comment 3 Noriko Hosoi 2008-05-09 22:52:13 UTC
Created attachment 304993 [details]
cvs diff template-ldapi-default.ldif.in DSCreate.pm.in

Files:
 ldap/ldif/template-ldapi-default.ldif.in
 ldap/admin/src/scripts/DSCreate.pm.in

Description:
LDAPI itself requires these 2 configuration parameters.
   nsslapd-ldapifilepath: /var/run/slapd-<ID>.socket
   nsslapd-ldapilisten: on

The rest is needed only when autobind is enabled.
Modified DSCreate to generate the following parameters when the DS is
configured with --enable-autobind.
   nsslapd-ldapiautobind: off
   nsslapd-ldapimaprootdn: cn=Directory Manager
   nsslapd-ldapimaptoentries: off
   nsslapd-ldapiuidnumbertype: uidNumber
   nsslapd-ldapigidnumbertype: gidNumber
   nsslapd-ldapientrysearchbase: <your_suffix>
   nsslapd-ldapiautodnsuffix: cn=peercred,cn=external,cn=auth

Fixed nsslapd-ldapientrysearchbase value to set the server's suffix (instead of
hardcoded dc=example,dc=com).

template-ldapi-default.ldif.in seems not used.  But to reduce the confusion, I
updated the file as well, for future use.

Comment 4 Noriko Hosoi 2008-05-16 16:28:43 UTC
Created attachment 305706 [details]
cvs diff template-ldapi-default.ldif.in DSCreate.pm.in

Reviewed and commented by Rich, Andrew, and Howard (Thank you!!)

Checked in into CVS HEAD.

Comment 5 Noriko Hosoi 2008-05-16 16:50:27 UTC
(In reply to comment #4)
s/cvs diff template-ldapi-default.ldif.in DSCreate.pm.in/cvs commit message/

Comment 6 Jenny Severance 2009-03-12 16:54:23 UTC
This seems more like a task reminder than a bug.  Can we just close it since LDAPI is now implemented?

Comment 7 Noriko Hosoi 2009-03-12 18:25:23 UTC
Default LDAP related config attributes in the installed dse.ldif:
nsslapd-ldapifilepath: /var/run/slapd-m0.socket
nsslapd-ldapilisten: off
nsslapd-ldapiautobind: off
nsslapd-ldapimaprootdn: cn=Directory Manager
nsslapd-ldapimaptoentries: off
nsslapd-ldapiuidnumbertype: uidNumber
nsslapd-ldapigidnumbertype: gidNumber
nsslapd-ldapientrysearchbase: dc=example,dc=com

This attribute value set reflects template-ldapi-default.ldif.in.
=======================================================================

Corresponding section of installed DSCreate.pm
            $ent->setValues("nsslapd-ldapilisten", "off");
        }
        if ("1") {
            $ent->setValues("nsslapd-ldapiautobind", "off");
            $ent->setValues("nsslapd-ldapimaprootdn", $inf->{slapd}->{RootDN});
            $ent->setValues("nsslapd-ldapimaptoentries", "off");
            $ent->setValues("nsslapd-ldapiuidnumbertype", "uidNumber");
            $ent->setValues("nsslapd-ldapigidnumbertype", "gidNumber");
            $ent->setValues("nsslapd-ldapientrysearchbase", $inf->{slapd}->{Suffix});
            if ("") {
                $ent->setValues("nsslapd-ldapiautodnsuffix", "cn=peercred,cn=external,cn=auth");
            }
        }
        if (!$conn->update($ent)) {
            $conn->close();
            return ("error_enabling_feature", "ldapi", $conn->getErrorString());
        }

This code reflects DSCreate.pm.in.

Comment 8 Chandrasekar Kannan 2009-04-29 23:02:48 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHEA-2009-0455.html
