Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 8): Bug 1872930
Description of problem:
While 389ds can bind to a unix domain socket (ldapi:), the dscreate tool cannot configure 389ds to bind to a unix domain socket.

Version-Release number of selected component (if applicable):
389-ds-base-1.4.2.4-8.module_el8.2.0+366+71e3276f.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Try to get dscreate to configure an LDAP server bound to a unix domain socket.
2.
3.

Actual results:
Not possible.

Expected results:
Possible and easy to achieve.

Additional info:
It looks like dscreate is only able to create one specific type of LDAP server - a server that binds to all interfaces using TLS and a self-signed certificate. All other options, including "give me a bare-bones server that I can suitably configure", are not possible or don't work.
Metadata Update from @mreynolds: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1872930
Metadata Update from @mreynolds: - Issue assigned to mreynolds
https://pagure.io/389-ds-base/pull-request/51254
@minfrin - this PR should solve "most" of your issues. There is still the packaging/dependency issue left (#51249), but I think @firstyear might be looking into that...
Metadata Update from @mreynolds: - Custom field origin adjusted to None - Custom field reviewstatus adjusted to None
Thank you for this, it's really appreciated.
I have backported the patch below to v1.4.2.4.
dscreate is now running where it didn't before.
There is currently no way to tell 389ds not to bind to the insecure port 389. Ideally the port should accept port = False the same way that secure_port does, but this can be fixed separately.
diff -u -r 389-ds-base-1.4.2.4-orig/ldap/admin/src/defaults.inf.in 389-ds-base-1.4.2.4/ldap/admin/src/defaults.inf.in --- 389-ds-base-1.4.2.4-orig/ldap/admin/src/defaults.inf.in 2019-11-14 21:05:32.000000000 +0000 +++ 389-ds-base-1.4.2.4/ldap/admin/src/defaults.inf.in 2020-08-31 15:53:08.702579284 +0100 @@ -37,6 +37,8 @@ run_dir = @localstatedir@/run/dirsrv # This is the expected location of ldapi. ldapi = @localstatedir@/run/slapd-{instance_name}.socket +ldapi_listen = on +ldapi_autobind = on pid_file = @localstatedir@/run/dirsrv/slapd-{instance_name}.pid inst_dir = @serverdir@/slapd-{instance_name} plugin_dir = @serverplugindir@ diff -u -r 389-ds-base-1.4.2.4-orig/ldap/admin/src/scripts/DSCreate.pm.in 389-ds-base-1.4.2.4/ldap/admin/src/scripts/DSCreate.pm.in --- 389-ds-base-1.4.2.4-orig/ldap/admin/src/scripts/DSCreate.pm.in 2019-11-14 21:05:32.000000000 +0000 +++ 389-ds-base-1.4.2.4/ldap/admin/src/scripts/DSCreate.pm.in 2020-08-31 15:56:33.858308513 +0100 @@ -952,6 +952,16 @@ } } + if (!defined($inf->{slapd}->{ldapi})) { + $inf->{slapd}->{ldapi} = "$localstatedir/run/slapd-$servid.socket"; + } + if (!defined($inf->{slapd}->{ldapi_listen})) { + $inf->{slapd}->{ldapi_listen} = "on"; + } + if (!defined($inf->{slapd}->{ldapi_autobind})) { + $inf->{slapd}->{ldapi_autobind} = "on"; + } + if (!defined($inf->{slapd}->{bak_dir})) { if ("@with_fhs_opt@") { $inf->{slapd}->{bak_dir} = "$localstatedir/@PACKAGE_NAME@/slapd-$servid/bak"; diff -u -r 389-ds-base-1.4.2.4-orig/ldap/admin/src/scripts/DSUtil.pm.in 389-ds-base-1.4.2.4/ldap/admin/src/scripts/DSUtil.pm.in --- 389-ds-base-1.4.2.4-orig/ldap/admin/src/scripts/DSUtil.pm.in 2019-11-14 21:05:32.000000000 +0000 +++ 389-ds-base-1.4.2.4/ldap/admin/src/scripts/DSUtil.pm.in 2020-08-31 15:57:27.384237867 +0100 
@@ -964,6 +964,9 @@ $inf->{slapd}->{RootDNPwd} = $ent->getValues('nsslapd-rootpw'); $inf->{slapd}->{ServerPort} = $ent->getValues('nsslapd-port'); $inf->{slapd}->{ServerIdentifier} = $id; + $inf->{slapd}->{ldapi} = $ent->getValues('nsslapd-ldapifilepath'); + $inf->{slapd}->{ldapi_listen} = $ent->getValues('nsslapd-ldapilisten'); + $inf->{slapd}->{ldapi_autobind} = $ent->getValues('nsslapd-ldapiautobind'); my $suffix = ""; $ent = $conn->search("cn=ldbm database,cn=plugins,cn=config", diff -u -r 389-ds-base-1.4.2.4-orig/ldap/admin/src/scripts/dscreate.map.in 389-ds-base-1.4.2.4/ldap/admin/src/scripts/dscreate.map.in --- 389-ds-base-1.4.2.4-orig/ldap/admin/src/scripts/dscreate.map.in 2019-11-14 21:05:32.000000000 +0000 +++ 389-ds-base-1.4.2.4/ldap/admin/src/scripts/dscreate.map.in 2020-08-31 15:59:48.037052228 +0100 @@ -37,3 +37,7 @@ config_dir = config_dir db_dir = db_dir run_dir = run_dir +ldapi_enabled = ldapi_listen +ldapi = ldapi +ldapi_autobind = ldapi_autobind + diff -u -r 389-ds-base-1.4.2.4-orig/ldap/admin/src/scripts/dsupdate.map.in 389-ds-base-1.4.2.4/ldap/admin/src/scripts/dsupdate.map.in --- 389-ds-base-1.4.2.4-orig/ldap/admin/src/scripts/dsupdate.map.in 2019-11-14 21:05:32.000000000 +0000 +++ 389-ds-base-1.4.2.4/ldap/admin/src/scripts/dsupdate.map.in 2020-08-31 16:00:43.012979673 +0100 @@ -34,3 +34,7 @@ config_dir = config_dir db_dir = db_dir run_dir = run_dir +ldapi_enabled = ldapi_listen +ldapi = ldapi +ldapi_autobind = ldapi_autobind + diff -u -r 389-ds-base-1.4.2.4-orig/ldap/ldif/template-dse-minimal.ldif.in 389-ds-base-1.4.2.4/ldap/ldif/template-dse-minimal.ldif.in --- 389-ds-base-1.4.2.4-orig/ldap/ldif/template-dse-minimal.ldif.in 2019-11-14 21:05:32.000000000 +0000 +++ 389-ds-base-1.4.2.4/ldap/ldif/template-dse-minimal.ldif.in 2020-08-31 16:01:28.990918989 +0100 
@@ -20,6 +20,10 @@ nsslapd-auditfaillog: %log_dir%/audit nsslapd-rootdn: %rootdn% nsslapd-rootpw: %ds_passwd% +nsslapd-ldapilisten: %ldapi_enabled% +nsslapd-ldapifilepath: %ldapi% +nsslapd-ldapiautobind: %ldapi_autobind% +nsslapd-ldapimaprootdn: %rootdn% dn: cn=features,cn=config objectclass: top diff -u -r 389-ds-base-1.4.2.4-orig/ldap/ldif/template-dse.ldif.in 389-ds-base-1.4.2.4/ldap/ldif/template-dse.ldif.in --- 389-ds-base-1.4.2.4-orig/ldap/ldif/template-dse.ldif.in 2019-11-14 21:05:32.000000000 +0000 +++ 389-ds-base-1.4.2.4/ldap/ldif/template-dse.ldif.in 2020-08-31 16:03:25.542765159 +0100 @@ -20,6 +20,10 @@ nsslapd-auditfaillog: %log_dir%/audit nsslapd-rootdn: %rootdn% nsslapd-rootpw: %ds_passwd% +nsslapd-ldapilisten: %ldapi_enabled% +nsslapd-ldapifilepath: %ldapi% +nsslapd-ldapiautobind: %ldapi_autobind% +nsslapd-ldapimaprootdn: %rootdn% dn: cn=encryption,cn=config objectClass: top diff -u -r 389-ds-base-1.4.2.4-orig/src/lib389/lib389/instance/setup.py 389-ds-base-1.4.2.4/src/lib389/lib389/instance/setup.py --- 389-ds-base-1.4.2.4-orig/src/lib389/lib389/instance/setup.py 2020-08-31 15:38:16.181801168 +0100 +++ 389-ds-base-1.4.2.4/src/lib389/lib389/instance/setup.py 2020-08-31 16:09:37.159290107 +0100 @@ -714,6 +714,7 @@ dse += line.replace('%', '{', 1).replace('%', '}', 1) with open(os.path.join(slapd['config_dir'], 'dse.ldif'), 'w') as file_dse: + ldapi_path = os.path.join(slapd['local_state_dir'], "run/slapd-%s.socket" % slapd['instance_name']) file_dse.write(dse.format( schema_dir=slapd['schema_dir'], lock_dir=slapd['lock_dir'], 
@@ -729,11 +730,14 @@ ds_user=slapd['user'], rootdn=slapd['root_dn'], ds_passwd=self._secure_password, # We set our own password here, so we can connect and mod. - # This is because we never know the users input root password as they can validily give + # This is because we never know the users input root password as they can validly give # us a *hashed* input. ds_suffix=ds_suffix, config_dir=slapd['config_dir'], db_dir=slapd['db_dir'], + ldapi_enabled="on", + ldapi=ldapi_path, + ldapi_autobind="on", )) # Create all the needed paths @@ -815,7 +819,10 @@ SER_SERVERID_PROP: slapd['instance_name'], SER_ROOT_DN: slapd['root_dn'], SER_ROOT_PW: self._raw_secure_password, - SER_DEPLOYED_DIR: slapd['prefix'] + SER_DEPLOYED_DIR: slapd['prefix'], + SER_LDAPI_ENABLED: 'on', + SER_LDAPI_SOCKET: ldapi_path, + SER_LDAPI_AUTOBIND: 'on' } ds_instance.allocate(args) @@ -901,14 +908,6 @@ '(targetattr="ou || objectClass")(targetfilter="(objectClass=organizationalUnit)")(version 3.0; acl "Enable anyone ou read"; allow (read, search, compare)(userdn="ldap:///anyone");)' ]) - # Initialise ldapi socket information. IPA expects this .... - ldapi_path = os.path.join(slapd['local_state_dir'], "run/slapd-%s.socket" % slapd['instance_name']) - ds_instance.config.set('nsslapd-ldapifilepath', ldapi_path) - ds_instance.config.set('nsslapd-ldapilisten', 'on') - ds_instance.config.set('nsslapd-ldapiautobind', 'on') - ds_instance.config.set('nsslapd-ldapimaprootdn', slapd['root_dn']) - - # Create all required sasl maps: if we have a single backend ... # our default maps are really really bad, and we should feel bad. # they basically only work with a single backend, and they'll break
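Review bot: in the setup.py hunk at @@ -729, `ldapi_enabled="on"`, `ldapi_autobind="on"` and the computed `ldapi_path` are literals, so the `ldapi_listen`, `ldapi_autobind` and `ldapi` keys this same patch adds to defaults.inf.in (and that a user could set in their own .inf) never reach dse.ldif when the instance is created by dscreate; only the Perl path in DSCreate.pm honours them. If the slapd dict carries those keys, pass them through (`ldapi_enabled=slapd['ldapi_listen']`, `ldapi=slapd['ldapi']`, `ldapi_autobind=slapd['ldapi_autobind']`) so the Perl and Python installers produce the same configuration; otherwise the new .inf keys are dead for dscreate and should not be advertised in defaults.inf.in.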
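Review bot: the `ds_instance.allocate(args)` dict at @@ -815 uses the names `SER_LDAPI_ENABLED`, `SER_LDAPI_SOCKET` and `SER_LDAPI_AUTOBIND`, but the patch shows no change to the imports at the top of setup.py; confirm those constants are already imported from lib389.properties, otherwise allocate() fails with a NameError at install time. The three values are also repeated as literals here rather than reusing the ones passed to `dse.format(...)` in the previous hunk; bind them once and use them in both places. The `validily` to `validly` comment fix at @@ -729 is an unrelated drive-by and should at least be mentioned in the commit message.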
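Review bot: in both template-dse.ldif.in and template-dse-minimal.ldif.in the new `nsslapd-ldapiautobind: %ldapi_autobind%` is written together with `nsslapd-ldapimaprootdn: %rootdn%`, and every default in this patch sets autobind to `on`, so any local process running as uid 0 that connects to the socket is bound as the root DN without a password. That is what the removed post-start `config.set(...)` calls in setup.py already did, but it now applies unconditionally to the minimal template and to the Perl installer as well; add a comment in the templates saying so, and document in the dscreate .inf reference that `ldapi_autobind = off` is the setting for hosts where root should not implicitly be Directory Manager.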
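Review bot: dscreate.map.in and dsupdate.map.in each gain a trailing empty `+` line after `ldapi_autobind = ldapi_autobind`; drop it. The template placeholder is named `ldapi_enabled` while the .inf key in defaults.inf.in and DSCreate.pm is `ldapi_listen`, which the `ldapi_enabled = ldapi_listen` map line bridges; a one-line comment next to it explaining the two names would save the next reader the lookup, or better, use one name on both sides.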
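Review bot: the DSUtil.pm hunk reads `nsslapd-ldapilisten` and `nsslapd-ldapiautobind` from an existing instance, and the DSCreate.pm hunk falls back to `"on"` for both whenever the key is undefined. An older instance that never had these attributes in cn=config will therefore come out of an update with LDAPI listening and root autobind enabled, if the update path goes through these defaults; that silently widens who can act as the root DN on the host, so the fallback for an existing instance should be `off` (or the attribute left untouched), with `on` reserved for fresh installs.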
Try setting the port to 0 ;-)
Setting the port to 0 works, thank you again for this!
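The LDAPI-only setup the thread converges on (ldapi keys from the patch plus `port = 0`) can be checked before trusting it, since the plaintext listener is what the reporter wanted gone. The script below is an added example, not code from the thread or from 389-ds-base: it parses a constructed dscreate-style .inf, renders the cn=config attributes the patched templates would carry (the inf-key to attribute mapping follows dscreate.map.in and the template hunks above; `nsslapd-port` and its default of 389 are assumed), parses that LDIF fragment back, and audits it for "LDAPI on, no plaintext TCP port", warning about the root-to-Directory-Manager autobind mapping.

```python
"""Audit a dscreate-style .inf for an LDAPI-only 389-ds instance.

Added example (not 389-ds-base code). The inf keys follow the patch in this
thread; the .inf content and the nsslapd-port default of 389 are assumptions.
"""
import configparser

# Constructed sample .inf: ldapi keys from the patch, port = 0 per the thread.
SAMPLE_INF = """\
[general]
config_version = 2

[slapd]
instance_name = localhost
root_dn = cn=Directory Manager
root_password = PLACEHOLDER
port = 0
ldapi = /run/slapd-localhost.socket
ldapi_listen = on
ldapi_autobind = on
"""

# inf key -> cn=config attribute, per dscreate.map.in and the template hunks.
# root_dn feeds nsslapd-ldapimaprootdn because the templates use %rootdn% there.
INF_TO_DSE = {
    "port": "nsslapd-port",
    "ldapi": "nsslapd-ldapifilepath",
    "ldapi_listen": "nsslapd-ldapilisten",
    "ldapi_autobind": "nsslapd-ldapiautobind",
    "root_dn": "nsslapd-ldapimaprootdn",
}


def load_inf(text):
    """Return the [slapd] section of a dscreate .inf as a plain dict."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return dict(cp["slapd"])


def render_dse(slapd):
    """Emit the cn=config lines the patched templates would produce."""
    lines = ["dn: cn=config"]
    for inf_key, attr in INF_TO_DSE.items():
        if inf_key in slapd:
            lines.append(f"{attr}: {slapd[inf_key]}")
    return "\n".join(lines) + "\n"


def parse_dse(text):
    """Minimal LDIF parser for one entry: attribute -> list of values.

    Attribute names are lower-cased (LDAP attribute names are case-insensitive).
    Base64 values and line folding are not handled; the rendered fragment has neither.
    """
    attrs = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs


def audit_listeners(attrs):
    """Findings for the goal 'serve LDAPI only, no plaintext TCP listener'."""
    findings = []
    listen = attrs.get("nsslapd-ldapilisten", ["off"])[0].lower()
    if listen != "on":
        findings.append("ERROR: nsslapd-ldapilisten is not on; LDAPI socket not served")
    path = attrs.get("nsslapd-ldapifilepath", [""])[0]
    if not path.startswith("/"):
        findings.append("ERROR: nsslapd-ldapifilepath is missing or not absolute")
    port = attrs.get("nsslapd-port", ["389"])[0]  # 389 assumed when absent
    if port != "0":
        findings.append(f"ERROR: plaintext LDAP listener still enabled on TCP {port}; set port = 0")
    autobind = attrs.get("nsslapd-ldapiautobind", ["off"])[0].lower()
    maprootdn = attrs.get("nsslapd-ldapimaprootdn", [""])[0]
    if autobind == "on" and maprootdn:
        # Autobind maps the local uid 0 caller to this DN with no password.
        findings.append(f"WARN: LDAPI autobind maps local uid 0 to {maprootdn} with no password")
    return findings


if __name__ == "__main__":
    config = parse_dse(render_dse(load_inf(SAMPLE_INF)))
    for finding in audit_listeners(config) or ["OK: LDAPI only"]:
        print(finding)
```

Running it against the sample prints only the autobind warning; change `port = 0` to `port = 389` in the .inf and the audit reports the plaintext listener. To check a live instance, feed the `cn=config` entry of its dse.ldif to `parse_dse` instead of the rendered fragment.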
Commit 01d9def relates to this ticket
2cd634e..65c01bb 389-ds-base-1.4.3 -> 389-ds-base-1.4.3
f2e70bb..f856e52 389-ds-base-1.4.2 -> 389-ds-base-1.4.2
Thanks @minfrin for testing the patch!
Metadata Update from @mreynolds: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)
389-ds-base is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in 389-ds-base's github repository.
This issue has been cloned to Github and is available here: - https://github.com/389ds/389-ds-base/issues/4306
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
Thank you for understanding. We apologize for any inconvenience.
Metadata Update from @spichugi: - Issue close_status updated to: wontfix (was: fixed)