#51253 dscreate: Not possible to bind to a unix domain socket
Closed: wontfix 3 years ago by mreynolds. Opened 3 years ago by mreynolds.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 8): Bug 1872930

Description of problem:

While 389ds can bind to a unix domain socket (ldapi:), the dscreate tool cannot
configure 389ds to bind to a unix domain socket.

Version-Release number of selected component (if applicable):

389-ds-base-1.4.2.4-8.module_el8.2.0+366+71e3276f.x86_64

How reproducible:

Always

Steps to Reproduce:
1. Try to get dscreate to configure an LDAP server bound to a unix domain
socket.

Actual results:

Not possible.

Expected results:

Possible and easy to achieve.

Additional info:

It looks like dscreate is only able to create one specific type of LDAP server:
a server that binds to all interfaces using TLS and a self-signed
certificate. All other options, including "give me a bare-bones server that I
can suitably configure", are not possible or don't work.

Metadata Update from @mreynolds:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1872930

3 years ago

Metadata Update from @mreynolds:
- Issue assigned to mreynolds

3 years ago

https://pagure.io/389-ds-base/pull-request/51254

@minfrin - this PR should solve "most" of your issues. There is still the packaging/dependency issue left (#51249), but I think @firstyear might be looking into that...

Metadata Update from @mreynolds:
- Custom field origin adjusted to None
- Custom field reviewstatus adjusted to None

3 years ago

Thank you for this, it's really appreciated.

I have backported the patch below to v1.4.2.4.

dscreate is now running where it didn't before.

There is currently no way to tell 389ds not to bind to the insecure port 389; ideally the port should accept port = False the same way that secure_port does, but this can be fixed separately.

diff -u -r 389-ds-base-1.4.2.4-orig/ldap/admin/src/defaults.inf.in 389-ds-base-1.4.2.4/ldap/admin/src/defaults.inf.in
--- 389-ds-base-1.4.2.4-orig/ldap/admin/src/defaults.inf.in 2019-11-14 21:05:32.000000000 +0000
+++ 389-ds-base-1.4.2.4/ldap/admin/src/defaults.inf.in  2020-08-31 15:53:08.702579284 +0100
@@ -37,6 +37,8 @@
 run_dir = @localstatedir@/run/dirsrv
 # This is the expected location of ldapi.
 ldapi = @localstatedir@/run/slapd-{instance_name}.socket
+ldapi_listen = on
+ldapi_autobind = on
 pid_file = @localstatedir@/run/dirsrv/slapd-{instance_name}.pid
 inst_dir = @serverdir@/slapd-{instance_name}
 plugin_dir = @serverplugindir@
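Review bot: the two new defaults in defaults.inf.in are undocumented, unlike the `ldapi` line just above them which carries a comment. Since `ldapi_autobind = on` combined with the template's `nsslapd-ldapimaprootdn: %rootdn%` lets a local uid 0 process bind as the root DN over the socket without a password, add a one-line comment above each key stating what it enables so that anyone editing the defaults understands the trust they are granting to local root.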
diff -u -r 389-ds-base-1.4.2.4-orig/ldap/admin/src/scripts/DSCreate.pm.in 389-ds-base-1.4.2.4/ldap/admin/src/scripts/DSCreate.pm.in
--- 389-ds-base-1.4.2.4-orig/ldap/admin/src/scripts/DSCreate.pm.in  2019-11-14 21:05:32.000000000 +0000
+++ 389-ds-base-1.4.2.4/ldap/admin/src/scripts/DSCreate.pm.in   2020-08-31 15:56:33.858308513 +0100
@@ -952,6 +952,16 @@
         }
     }

+    if (!defined($inf->{slapd}->{ldapi})) {
+        $inf->{slapd}->{ldapi} = "$localstatedir/run/slapd-$servid.socket";
+    }
+    if (!defined($inf->{slapd}->{ldapi_listen})) {
+        $inf->{slapd}->{ldapi_listen} = "on";
+    }
+    if (!defined($inf->{slapd}->{ldapi_autobind})) {
+        $inf->{slapd}->{ldapi_autobind} = "on";
+    }
+
     if (!defined($inf->{slapd}->{bak_dir})) {
         if ("@with_fhs_opt@") {
             $inf->{slapd}->{bak_dir} = "$localstatedir/@PACKAGE_NAME@/slapd-$servid/bak";
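Review bot: the socket path `"$localstatedir/run/slapd-$servid.socket"` is now hard-coded here, in defaults.inf.in (`ldapi = @localstatedir@/run/slapd-{instance_name}.socket`) and again in setup.py; three copies of one value will drift. Consider making this fallback the only place the path is computed for the Perl tools, or reading it from the same defaults file, rather than duplicating the string.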
diff -u -r 389-ds-base-1.4.2.4-orig/ldap/admin/src/scripts/DSUtil.pm.in 389-ds-base-1.4.2.4/ldap/admin/src/scripts/DSUtil.pm.in
--- 389-ds-base-1.4.2.4-orig/ldap/admin/src/scripts/DSUtil.pm.in    2019-11-14 21:05:32.000000000 +0000
+++ 389-ds-base-1.4.2.4/ldap/admin/src/scripts/DSUtil.pm.in 2020-08-31 15:57:27.384237867 +0100
@@ -964,6 +964,9 @@
     $inf->{slapd}->{RootDNPwd} = $ent->getValues('nsslapd-rootpw');
     $inf->{slapd}->{ServerPort} = $ent->getValues('nsslapd-port');
     $inf->{slapd}->{ServerIdentifier} = $id;
+    $inf->{slapd}->{ldapi} = $ent->getValues('nsslapd-ldapifilepath');
+    $inf->{slapd}->{ldapi_listen} = $ent->getValues('nsslapd-ldapilisten');
+    $inf->{slapd}->{ldapi_autobind} = $ent->getValues('nsslapd-ldapiautobind');

     my $suffix = "";
     $ent = $conn->search("cn=ldbm database,cn=plugins,cn=config",
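Review bot: an existing instance whose dse.ldif has no `nsslapd-ldapilisten` or `nsslapd-ldapiautobind` attribute will leave these three keys undefined, and the new defaulting code in DSCreate.pm.in then fills them with "on". That means an update pass can switch LDAPI listening and root-DN autobind on for an instance that never had them, which is a behaviour change for dsupdate; either default to "off" when the attribute is absent from a live instance, or only apply the "on" defaults on the create path.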
diff -u -r 389-ds-base-1.4.2.4-orig/ldap/admin/src/scripts/dscreate.map.in 389-ds-base-1.4.2.4/ldap/admin/src/scripts/dscreate.map.in
--- 389-ds-base-1.4.2.4-orig/ldap/admin/src/scripts/dscreate.map.in 2019-11-14 21:05:32.000000000 +0000
+++ 389-ds-base-1.4.2.4/ldap/admin/src/scripts/dscreate.map.in  2020-08-31 15:59:48.037052228 +0100
@@ -37,3 +37,7 @@
 config_dir =    config_dir
 db_dir =        db_dir
 run_dir =       run_dir
+ldapi_enabled = ldapi_listen
+ldapi =         ldapi
+ldapi_autobind = ldapi_autobind
+
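Review bot: the trailing `+` line adds an empty line at end of file, a whitespace-only change; drop it. Otherwise the mapping is consistent with the templates, which reference `%ldapi_enabled%`, `%ldapi%` and `%ldapi_autobind%`.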
diff -u -r 389-ds-base-1.4.2.4-orig/ldap/admin/src/scripts/dsupdate.map.in 389-ds-base-1.4.2.4/ldap/admin/src/scripts/dsupdate.map.in
--- 389-ds-base-1.4.2.4-orig/ldap/admin/src/scripts/dsupdate.map.in 2019-11-14 21:05:32.000000000 +0000
+++ 389-ds-base-1.4.2.4/ldap/admin/src/scripts/dsupdate.map.in  2020-08-31 16:00:43.012979673 +0100
@@ -34,3 +34,7 @@
 config_dir =    config_dir
 db_dir =        db_dir
 run_dir =       run_dir
+ldapi_enabled = ldapi_listen
+ldapi =         ldapi
+ldapi_autobind = ldapi_autobind
+
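Review bot: same trailing blank `+` line as in dscreate.map.in; drop it. Note also that the update map gains `ldapi_enabled`/`ldapi`/`ldapi_autobind` but no `ldapi_maprootdn`, so the root-DN mapping cannot be carried through an update from the inf file even though the templates emit it.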
diff -u -r 389-ds-base-1.4.2.4-orig/ldap/ldif/template-dse-minimal.ldif.in 389-ds-base-1.4.2.4/ldap/ldif/template-dse-minimal.ldif.in
--- 389-ds-base-1.4.2.4-orig/ldap/ldif/template-dse-minimal.ldif.in 2019-11-14 21:05:32.000000000 +0000
+++ 389-ds-base-1.4.2.4/ldap/ldif/template-dse-minimal.ldif.in  2020-08-31 16:01:28.990918989 +0100
@@ -20,6 +20,10 @@
 nsslapd-auditfaillog: %log_dir%/audit
 nsslapd-rootdn: %rootdn%
 nsslapd-rootpw: %ds_passwd%
+nsslapd-ldapilisten: %ldapi_enabled%
+nsslapd-ldapifilepath: %ldapi%
+nsslapd-ldapiautobind: %ldapi_autobind%
+nsslapd-ldapimaprootdn: %rootdn%

 dn: cn=features,cn=config
 objectclass: top
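Review bot: `nsslapd-ldapimaprootdn: %rootdn%` is hard-wired while the other three attributes are template parameters, so it cannot be overridden from the inf file. With `ldapi_autobind` defaulting to "on" in defaults.inf.in, every freshly created instance maps local uid 0 to the root DN with no password; if that is intended as the default, say so in the defaults comments, and if not, expose it as a parameter with the same `%…%` substitution as the neighbouring lines.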
diff -u -r 389-ds-base-1.4.2.4-orig/ldap/ldif/template-dse.ldif.in 389-ds-base-1.4.2.4/ldap/ldif/template-dse.ldif.in
--- 389-ds-base-1.4.2.4-orig/ldap/ldif/template-dse.ldif.in 2019-11-14 21:05:32.000000000 +0000
+++ 389-ds-base-1.4.2.4/ldap/ldif/template-dse.ldif.in  2020-08-31 16:03:25.542765159 +0100
@@ -20,6 +20,10 @@
 nsslapd-auditfaillog: %log_dir%/audit
 nsslapd-rootdn: %rootdn%
 nsslapd-rootpw: %ds_passwd%
+nsslapd-ldapilisten: %ldapi_enabled%
+nsslapd-ldapifilepath: %ldapi%
+nsslapd-ldapiautobind: %ldapi_autobind%
+nsslapd-ldapimaprootdn: %rootdn%

 dn: cn=encryption,cn=config
 objectClass: top
diff -u -r 389-ds-base-1.4.2.4-orig/src/lib389/lib389/instance/setup.py 389-ds-base-1.4.2.4/src/lib389/lib389/instance/setup.py
--- 389-ds-base-1.4.2.4-orig/src/lib389/lib389/instance/setup.py    2020-08-31 15:38:16.181801168 +0100
+++ 389-ds-base-1.4.2.4/src/lib389/lib389/instance/setup.py 2020-08-31 16:09:37.159290107 +0100
@@ -714,6 +714,7 @@
                 dse += line.replace('%', '{', 1).replace('%', '}', 1)

         with open(os.path.join(slapd['config_dir'], 'dse.ldif'), 'w') as file_dse:
+            ldapi_path = os.path.join(slapd['local_state_dir'], "run/slapd-%s.socket" % slapd['instance_name'])
             file_dse.write(dse.format(
                 schema_dir=slapd['schema_dir'],
                 lock_dir=slapd['lock_dir'],
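Review bot: `ldapi_path` is recomputed here from `slapd['local_state_dir']` and a hard-coded `"run/slapd-%s.socket"` instead of being taken from the parsed inf, so the `ldapi` key that defaults.inf.in and dscreate.map.in now map through is never honoured by dscreate; a user who sets a different socket path in their .inf will get the hard-coded one. Read the value from `slapd` (the same dict every other template argument comes from) and fall back to the computed path only when it is absent.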
@@ -729,11 +730,14 @@
                 ds_user=slapd['user'],
                 rootdn=slapd['root_dn'],
                 ds_passwd=self._secure_password,  # We set our own password here, so we can connect and mod.
-                # This is because we never know the users input root password as they can validily give
+                # This is because we never know the users input root password as they can validly give
                 # us a *hashed* input.
                 ds_suffix=ds_suffix,
                 config_dir=slapd['config_dir'],
                 db_dir=slapd['db_dir'],
+                ldapi_enabled="on",
+                ldapi=ldapi_path,
+                ldapi_autobind="on",
             ))

         # Create all the needed paths
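Review bot: `ldapi_enabled="on"` and `ldapi_autobind="on"` are literal here rather than coming from the inf, so the `ldapi_listen`/`ldapi_autobind` defaults added in defaults.inf.in have no effect on the Python path and a user cannot turn LDAPI or autobind off at create time; pass `slapd['ldapi_listen']` and `slapd['ldapi_autobind']` instead. The `validily` → `validly` comment typo fix is unrelated to the feature and would be cleaner as its own commit.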
@@ -815,7 +819,10 @@
             SER_SERVERID_PROP: slapd['instance_name'],
             SER_ROOT_DN: slapd['root_dn'],
             SER_ROOT_PW: self._raw_secure_password,
-            SER_DEPLOYED_DIR: slapd['prefix']
+            SER_DEPLOYED_DIR: slapd['prefix'],
+            SER_LDAPI_ENABLED: 'on',
+            SER_LDAPI_SOCKET: ldapi_path,
+            SER_LDAPI_AUTOBIND: 'on'
         }

         ds_instance.allocate(args)
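Review bot: `SER_LDAPI_ENABLED`, `SER_LDAPI_SOCKET` and `SER_LDAPI_AUTOBIND` are used but the patch adds no import for them, so confirm they are already imported in setup.py or add them. This block also depends on `ldapi_path` having been assigned inside the `with open(...)` block roughly a hundred lines earlier; hoisting that assignment to the top of the function, next to the other `slapd[...]`-derived values, would make the dependency visible.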
@@ -901,14 +908,6 @@
                     '(targetattr="ou || objectClass")(targetfilter="(objectClass=organizationalUnit)")(version 3.0; acl "Enable anyone ou read"; allow (read, search, compare)(userdn="ldap:///anyone");)'
                 ])

-        # Initialise ldapi socket information. IPA expects this ....
-        ldapi_path = os.path.join(slapd['local_state_dir'], "run/slapd-%s.socket" % slapd['instance_name'])
-        ds_instance.config.set('nsslapd-ldapifilepath', ldapi_path)
-        ds_instance.config.set('nsslapd-ldapilisten', 'on')
-        ds_instance.config.set('nsslapd-ldapiautobind', 'on')
-        ds_instance.config.set('nsslapd-ldapimaprootdn', slapd['root_dn'])
-
-
         # Create all required sasl maps: if we have a single backend ...
         # our default maps are really really bad, and we should feel bad.
         # they basically only work with a single backend, and they'll break
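Review bot: this removal drops the only runtime call that set `nsslapd-ldapimaprootdn`, together with the comment that IPA depends on the LDAPI settings; the mapping now exists only as a template line, so if any create path writes dse.ldif without going through `template-dse.ldif.in`/`template-dse-minimal.ldif.in`, root-DN autobind silently stops working. Keep the "IPA expects this" note near the new template arguments so the requirement is not lost, and have a test assert that a freshly created instance carries all four `nsslapd-ldapi*` attributes.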

There is currently no way to tell 389ds not to bind to the insecure port 389; ideally the port should accept port = False the same way that secure_port does, but this can be fixed separately.

Try setting the port to 0 ;-)

Setting the port to 0 works, thank you again for this!

Commit 01d9def relates to this ticket

Commit 01d9def relates to this ticket

2cd634e..65c01bb 389-ds-base-1.4.3 -> 389-ds-base-1.4.3

f2e70bb..f856e52 389-ds-base-1.4.2 -> 389-ds-base-1.4.2

Thanks @minfrin for testing the patch!

Metadata Update from @mreynolds:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

3 years ago

389-ds-base is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in 389-ds-base's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/389ds/389-ds-base/issues/4306

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.

Metadata Update from @spichugi:
- Issue close_status updated to: wontfix (was: fixed)

3 years ago
