Thank you for the background info and suggestions, Howard and Andrew.
We are thinking auto-bind could be useful for some types of applications
and are trying to make it coexist safely with the current features.
Here is the summary of the changes:
436388 (Item 1): --enable-autobind is supported. Unless it's set, the
auto-bind code is not compiled in.
436390 (Item 2): I updated the previous proposal based upon the
feedback: now auto-bind is executed only from the bind code and when
the client explicitly sends the SASL/EXTERNAL request to the server. On
the server side, it's disabled, by default. To enable it,
nsslapd-ldapiautobind needs to be set to "on" by an administrator.
With these changes, e.g., this search request is authenticated as
Directory Manager if it's launched by a super user.
# ldapsearch -Y EXTERNAL -H ldapi://%2fvar%2frun%2fslapd-<ID>.socket -b "cn=config" "(cn=*)"
If the EXTERNAL request is not passed, it's bound as anonymous.
436400 (Item 3): Currently, dse.ldif stores extra configuration
attributes only necessary for auto-bind, by default. They should not be
there unless auto-bind is enabled.
Your comments would be greatly appreciated.
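The gating described in this message (explicit SASL/EXTERNAL request, compile-time switch, nsslapd-ldapiautobind on, a validated uid/gid pair, super user mapped to nsslapd-ldapimaprootdn) written out as a decision function. This is an added example, not code from the Directory Server tree or from the attachments in this thread; the type and function names, the uid-to-DN table standing in for the nsslapd-ldapientrysearchbase lookup, and the sample configurations are all constructed here.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Added example, not Directory Server code: models the auto-bind gating
 * described in the thread. All type and function names are hypothetical;
 * only the attribute names in the comments come from the thread. */

typedef struct {
    int autobind_compiled;      /* built with --enable-autobind */
    int ldapiautobind_on;       /* nsslapd-ldapiautobind: on */
    const char *maprootdn;      /* nsslapd-ldapimaprootdn */
} ldapi_config_t;

typedef struct {
    int c_local_valid;          /* peer uid/gid were retrieved successfully */
    uid_t c_local_uid;
    gid_t c_local_gid;
} conn_t;

/* Constructed stand-in for the entry lookup under nsslapd-ldapientrysearchbase. */
static const struct { uid_t uid; const char *dn; } uid_map[] = {
    { 1000, "uid=alice,ou=People,dc=example,dc=com" },
};

/* Returns the DN the connection is bound as; "" means anonymous. */
const char *ldapi_bind_dn(const ldapi_config_t *cfg, const conn_t *conn,
                          const char *sasl_mech)
{
    /* 1. Only an explicit SASL/EXTERNAL bind request may trigger auto-bind. */
    if (sasl_mech == NULL || strcmp(sasl_mech, "EXTERNAL") != 0)
        return "";
    /* 2. Compile-time and run-time switches both have to be on. */
    if (!cfg->autobind_compiled || !cfg->ldapiautobind_on)
        return "";
    /* 3. Never use a uid/gid pair the peer-credential code could not confirm. */
    if (!conn->c_local_valid)
        return "";
    /* 4. A super user maps to nsslapd-ldapimaprootdn. */
    if (conn->c_local_uid == 0)
        return cfg->maprootdn ? cfg->maprootdn : "";
    /* 5. Other users map through the entry search; unknown uids stay anonymous. */
    for (size_t i = 0; i < sizeof uid_map / sizeof uid_map[0]; i++)
        if (uid_map[i].uid == conn->c_local_uid)
            return uid_map[i].dn;
    return "";
}

/* Sample configurations and connections (constructed). */
const ldapi_config_t cfg_enabled  = { 1, 1, "cn=Directory Manager" };
const ldapi_config_t cfg_disabled = { 1, 0, "cn=Directory Manager" };
const conn_t conn_root    = { 1, 0, 0 };
const conn_t conn_alice   = { 1, 1000, 1000 };
const conn_t conn_invalid = { 0, 0, 0 };   /* uid 0 reported but never validated */

int main(void)
{
    printf("root, EXTERNAL, autobind on : '%s'\n", ldapi_bind_dn(&cfg_enabled, &conn_root, "EXTERNAL"));
    printf("root, no EXTERNAL request   : '%s'\n", ldapi_bind_dn(&cfg_enabled, &conn_root, NULL));
    printf("root, autobind off          : '%s'\n", ldapi_bind_dn(&cfg_disabled, &conn_root, "EXTERNAL"));
    printf("unvalidated uid 0           : '%s'\n", ldapi_bind_dn(&cfg_enabled, &conn_invalid, "EXTERNAL"));
    printf("alice, EXTERNAL             : '%s'\n", ldapi_bind_dn(&cfg_enabled, &conn_alice, "EXTERNAL"));
    return 0;
}
```

The order of the checks is the point: a missing EXTERNAL request or a disabled switch falls through to anonymous before the uid is ever consulted, and an unvalidated uid 0 is treated the same as no credentials at all.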
Summary: LDAPI: introduce --enable-autobind to support AUTOBIND
------- Additional Comments From nhosoi(a)redhat.com 2008-05-09 18:35
Created an attachment (id=304990)
cvs diff configure.ac Makefile.am
Description: introduced --enable-autobind
By default, autobind is off.
Summary: LDAPI: support auto-bind
------- Additional Comments From nhosoi(a)redhat.com 2008-05-09 19:52
Created an attachment (id=304994)
cvs diff slap.h getsocketpeer.c daemon.c
Debugged the basic code of slapd_get_socket_peer, which is used for
and HP-UX. The recvmsg call returns an error immediately if there is no data
to be received since the socket is set PR_SockOpt_Nonblocking
make slapd_get_socket_peer more robust, we have to retry recvmsg if it
EAGAIN. But set a retry count so it does not hang there.
Also introduced c_local_valid in the Connection handle to tell the
code whether the uid/gid pair is valid.
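The bounded-retry pattern from this comment, as an added example rather than the attached diff: a recvmsg on a nonblocking socket that retries on EAGAIN only up to a fixed count, and a c_local_valid-style flag that stays 0 whenever the peer credentials could not be confirmed. Assumptions: the retry bound and all names are hypothetical, and peer credentials are read with SO_PEERCRED (Linux) or getpeereid (BSD/macOS) instead of the recvmsg-based credential passing the thread's getsocketpeer.c uses on other platforms.

```c
#define _GNU_SOURCE             /* struct ucred / SO_PEERCRED on glibc */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

#define PEER_RETRY_MAX 5        /* hypothetical bound; the thread only says "set a retry count" */

/* Bounded recvmsg on a nonblocking socket: retry on EAGAIN/EWOULDBLOCK up to
 * PEER_RETRY_MAX times, give up on anything else. Returns 1 if a byte arrived. */
int recv_with_retry(int fd, char *out)
{
    struct iovec iov = { .iov_base = out, .iov_len = 1 };
    struct msghdr msg;
    memset(&msg, 0, sizeof msg);
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;

    for (int attempt = 0; attempt < PEER_RETRY_MAX; attempt++) {
        ssize_t n = recvmsg(fd, &msg, 0);
        if (n > 0)
            return 1;
        if (n < 0 && (errno == EAGAIN || errno == EWOULDBLOCK)) {
            usleep(1000);       /* peer has not written yet: wait briefly, retry */
            continue;
        }
        return 0;               /* EOF or a hard error: do not loop forever */
    }
    return 0;                   /* retry budget exhausted */
}

/* Peer uid/gid from the kernel (assumption: SO_PEERCRED / getpeereid, not
 * the platform-specific recvmsg credential passing from the thread). */
int get_peer_creds(int fd, uid_t *uid, gid_t *gid)
{
#if defined(__linux__)
    struct ucred cred;
    socklen_t len = sizeof cred;
    if (getsockopt(fd, SOL_SOCKET, SO_PEERCRED, &cred, &len) == 0) {
        *uid = cred.uid;
        *gid = cred.gid;
        return 1;
    }
#elif defined(__APPLE__) || defined(__FreeBSD__) || defined(__OpenBSD__)
    if (getpeereid(fd, uid, gid) == 0)
        return 1;
#endif
    return 0;
}

typedef struct {
    int got_data;               /* recv_with_retry result */
    int c_local_valid;          /* mirrors the Connection flag from the thread */
    uid_t uid;
    gid_t gid;
} probe_result_t;

/* Drives both functions over a nonblocking socketpair (constructed input).
 * With send_byte == 0 the peer never writes, so the bounded retry must give
 * up and c_local_valid must stay 0. */
probe_result_t peer_probe(int send_byte)
{
    probe_result_t r = { 0, 0, (uid_t)-1, (gid_t)-1 };
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return r;
    fcntl(sv[0], F_SETFL, fcntl(sv[0], F_GETFL) | O_NONBLOCK);
    if (send_byte)
        (void)write(sv[1], "x", 1);
    char c = 0;
    r.got_data = recv_with_retry(sv[0], &c);
    if (r.got_data)
        r.c_local_valid = get_peer_creds(sv[0], &r.uid, &r.gid);
    close(sv[0]);
    close(sv[1]);
    return r;
}

int main(void)
{
    probe_result_t r = peer_probe(1);
    printf("peer wrote : got_data=%d valid=%d uid=%ld\n", r.got_data, r.c_local_valid, (long)r.uid);
    r = peer_probe(0);
    printf("peer silent: got_data=%d valid=%d (gave up after %d tries)\n",
           r.got_data, r.c_local_valid, PEER_RETRY_MAX);
    return 0;
}
```

The flag is only ever raised after a successful credential read, so the bind code sees "no credentials" rather than a stale or zero-initialised uid when the peer is slow or disconnects.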
------- Additional Comments From nhosoi(a)redhat.com 2008-05-13 12:23
Created an attachment (id=305257)
cvs diff daemon.c bind.c
In addition to the previous changes, I'm modifying the code as
change in daemon.c stops the automagic/unconditional auto-bind. In
slapd_bind_local_user (in which auto-bind is implemented) is called.
called in do_bind even before, but there was no bind type or method
set. I'm proposing to change the code to call it only when SASL/EXTERNAL
request is passed.
Summary: LDAPI: cleaning up template-ldapi*.ldif files
------- Additional Comments From nhosoi(a)redhat.com 2008-05-09 18:52
Created an attachment (id=304993)
cvs diff template-ldapi-default.ldif.in DSCreate.pm.in
LDAPI itself requires these 2 configuration parameters.
The rest is needed only when autobind is enabled.
Modified DSCreate to generate the following parameters when the DS is
configured with --enable-autobind.
nsslapd-ldapimaprootdn: cn=Directory Manager
Fixed nsslapd-ldapientrysearchbase value to set the server's suffix
template-ldapi-default.ldif.in seems not to be used. But to reduce the
updated the file, as well, for future use.