Thank you for the background info and suggestions, Howard and Andrew.
We are thinking auto-bind could be useful for some types of applications and are trying to make it co-exist safely with the current features.
Here is the summary of the changes:
436388 (Item 1): --enable-autobind is supported. Unless it's set, the auto-bind code is not compiled in.
436390 (Item 2): I updated the previous proposal based upon the feedback: now auto-bind is executed only from the bind code and only when the client explicitly sends the SASL/EXTERNAL request to the server. On the server side, it's disabled by default. To enable it, nsslapd-ldapiautobind needs to be set to "on" by an administrator. With these changes, e.g., this search request is authenticated as Directory Manager if it's launched by a super user:
  # ldapsearch -Y EXTERNAL -H ldapi://%2fvar%2frun%2fslapd-<ID>.socket -b "cn=config" "(cn=*)"
If the EXTERNAL request is not passed, it's bound as anonymous.
436400 (Item 3): Currently, dse.ldif stores, by default, extra configuration attributes that are only necessary for auto-bind. They should not be there unless auto-bind is enabled.
Your comments would be greatly appreciated.
Thanks,
--noriko
Item 1)
Summary: LDAPI: introduce --enable-autobind to support AUTOBIND
https://bugzilla.redhat.com/show_bug.cgi?id=436388
------- Additional Comments From nhosoi@redhat.com 2008-05-09 18:35 EST -------
Created an attachment (id=304990) --> (https://bugzilla.redhat.com/attachment.cgi?id=304990&action=view)
cvs diff configure.ac Makefile.am
Files: ldapserver/configure.ac ldapserver/Makefile.am
Description: introduced --enable-autobind. By default, autobind is off.
Item 2)
Summary: LDAPI: support auto-bind
https://bugzilla.redhat.com/show_bug.cgi?id=436390
------- Additional Comments From nhosoi@redhat.com 2008-05-09 19:52 EST -------
Created an attachment (id=304994) --> (https://bugzilla.redhat.com/attachment.cgi?id=304994&action=view)
cvs diff slap.h getsocketpeer.c daemon.c
Files: ldap/servers/slapd/slap.h /getsocketpeer.c /daemon.c
Description: Debugged the basic code of slapd_get_socket_peer, which is used for Solaris 9 and HP-UX. The recvmsg call returns an error immediately if no data is waiting to be received, since the socket is set to PR_SockOpt_Nonblocking (O_NONBLOCK). To make slapd_get_socket_peer more robust, we have to retry recvmsg if it returns EAGAIN, but with a retry count so that it does not hang there.
Also introduced c_local_valid in the Connection handle to tell the autobind code whether the uid/gid pair is valid or not.
------- Additional Comments From nhosoi@redhat.com 2008-05-13 12:23 EST -------
Created an attachment (id=305257) --> (https://bugzilla.redhat.com/attachment.cgi?id=305257&action=view)
cvs diff daemon.c bind.c
Files: ldap/servers/slapd/daemon.c /bind.c
Description: In addition to the previous changes, I'm modifying the code as follows. The change in daemon.c stops the automagic/unconditional auto-bind. In bind.c, slapd_bind_local_user (in which auto-bind is implemented) is called. It was called in do_bind even before, but there was no bind type or method restriction set. I'm proposing to change the code to call it only when a SASL/EXTERNAL request is passed.
Item 3)
Summary: LDAPI: cleaning up template-ldapi*.ldif files
https://bugzilla.redhat.com/show_bug.cgi?id=436400
------- Additional Comments From nhosoi@redhat.com 2008-05-09 18:52 EST -------
Created an attachment (id=304993) --> (https://bugzilla.redhat.com/attachment.cgi?id=304993&action=view)
cvs diff template-ldapi-default.ldif.in DSCreate.pm.in
Files: ldap/ldif/template-ldapi-default.ldif.in ldap/admin/src/scripts/DSCreate.pm.in
Description: LDAPI itself requires these 2 configuration parameters:
nsslapd-ldapifilepath: /var/run/slapd-<ID>.socket
nsslapd-ldapilisten: on
The rest is needed only when autobind is enabled. Modified DSCreate to generate the following parameters when the DS is configured with --enable-autobind:
nsslapd-ldapiautobind: off
nsslapd-ldapimaprootdn: cn=Directory Manager
nsslapd-ldapimaptoentries: off
nsslapd-ldapiuidnumbertype: uidNumber
nsslapd-ldapigidnumbertype: gidNumber
nsslapd-ldapientrysearchbase: <your_suffix>
nsslapd-ldapiautodnsuffix: cn=peercred,cn=external,cn=auth
Fixed the nsslapd-ldapientrysearchbase value to set the server's suffix (instead of the hardcoded dc=example,dc=com).
template-ldapi-default.ldif.in seems not to be used, but to reduce confusion I updated the file as well, for future use.