#51254 Issue 51253 - dscreate should use LDAPI to bootstrap the config
Closed 3 years ago by spichugi. Opened 3 years ago by mreynolds.
mreynolds/389-ds-base LDAPI  into  master

@@ -38,6 +38,8 @@ 

  run_dir = @localstatedir@/run/dirsrv

  # This is the expected location of ldapi.

  ldapi = @localstatedir@/run/slapd-{instance_name}.socket

+ ldapi_listen = on

+ ldapi_autobind = on

  pid_file = @localstatedir@/run/dirsrv/slapd-{instance_name}.pid

  inst_dir = @serverdir@/slapd-{instance_name}

  plugin_dir = @serverplugindir@
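Review bot: The two new keys arrive without the kind of explanatory comment the neighbouring `ldapi` line already has, and `ldapi_autobind = on` is the one a reader most needs explained: combined with the `nsslapd-ldapimaprootdn: %rootdn%` line in the dse template hunks on this page it lets a local process running as root (and, per the review thread, as the user/group the server runs as) bind as the root DN over the socket without a password. Suggest a comment above the two lines, e.g. `# Autobind maps local root / the DS user to the root DN over the socket; set to off if that is not wanted.` This is presumably the intended default for dscreate, so the request is documentation only.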

@@ -956,6 +956,15 @@ 

      if (!defined($inf->{slapd}->{db_home_dir})) {

          $inf->{slapd}->{db_home_dir} = $inf->{slapd}->{db_dir};

      }

+     if (!defined($inf->{slapd}->{ldapi})) {

+         $inf->{slapd}->{ldapi} = "$localstatedir/run/slapd-$servid.socket";

+     }

+     if (!defined($inf->{slapd}->{ldapi_listen})) {

+         $inf->{slapd}->{ldapi_listen} = "on";

+     }

+     if (!defined($inf->{slapd}->{ldapi_autobind})) {

+         $inf->{slapd}->{ldapi_autobind} = "on";

+     }

  

      if (!defined($inf->{slapd}->{bak_dir})) {

          if ("@with_fhs_opt@") {
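Review bot: The new `ldapi` default interpolates `$localstatedir` and `$servid`, neither of which is declared in the hunk, while the `.inf` template on this page spells the same path with the `@localstatedir@` autoconf substitution; confirm both are lexicals in scope in this sub under `use strict`, since the `"@with_fhs_opt@"` test just below suggests this is a `.in` file where `"@localstatedir@/run/slapd-$servid.socket"` may be the intended form. The enclosing sub starts before and ends after this hunk. The socket path is now spelled in three places on this page (here, the `.inf` template and lib389's `ldapi_path`), so a one-line comment such as `# Must match the ldapi default in the .inf template and ldapi_path in lib389.` would help keep them in step.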

@@ -964,6 +964,9 @@ 

      $inf->{slapd}->{RootDNPwd} = $ent->getValues('nsslapd-rootpw');

      $inf->{slapd}->{ServerPort} = $ent->getValues('nsslapd-port');

      $inf->{slapd}->{ServerIdentifier} = $id;

+     $inf->{slapd}->{ldapi} = $ent->getValues('nsslapd-ldapifilepath');

+     $inf->{slapd}->{ldapi_listen} = $ent->getValues('nsslapd-ldapilisten');

+     $inf->{slapd}->{ldapi_autobind} = $ent->getValues('nsslapd-ldapiautobind');

  

      my $suffix = "";

      $ent = $conn->search("cn=ldbm database,cn=plugins,cn=config",
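Review bot: When the instance being read has no LDAPI attributes in `cn=config` (older or deliberately disabled instances), `$ent->getValues('nsslapd-ldapifilepath')` and the two calls below it appear to assign an empty or undefined value, which would surface as an empty `nsslapd-ldapifilepath:` in the generated dse.ldif; the `!defined` fallbacks in the other Perl hunk on this page only help if they run after this assignment, which the hunk does not show. If the order is not guaranteed, guard these three lines here, e.g. `$inf->{slapd}->{ldapi_listen} = $ent->getValues('nsslapd-ldapilisten') // "on";` (if the file targets 5.10+). The enclosing sub continues on both sides of the hunk.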

@@ -39,3 +39,6 @@ 

  db_home_dir =   db_home_dir

  run_dir =       run_dir

  instance_name = ServerIdentifier

+ ldapi_enabled = ldapi_listen

+ ldapi =         ldapi

+ ldapi_autobind = ldapi_autobind
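Review bot: `ldapi_enabled = ldapi_listen` is the only new line whose two sides differ, and with lib389 calling the same setting `SER_LDAPI_ENABLED`, a reader will ask whether `ldapi_enabled` and `ldapi_listen` are two options. Following the existing `instance_name = ServerIdentifier` line, the left side is the `%…%` placeholder used by template-dse.ldif and the right side the `.inf` key; a comment stating that, e.g. `# left: template-dse.ldif placeholder, right: .inf key`, would settle it. The same mapping is added in the hunk ending at L101 and would take the same comment.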

@@ -35,3 +35,6 @@ 

  db_dir =        db_dir

  db_home_dir =   db_home_dir

  run_dir =       run_dir

+ ldapi_enabled = ldapi_listen

+ ldapi =         ldapi

+ ldapi_autobind = ldapi_autobind

@@ -20,6 +20,10 @@ 

  nsslapd-auditfaillog: %log_dir%/audit

  nsslapd-rootdn: %rootdn%

  nsslapd-rootpw: %ds_passwd%

+ nsslapd-ldapilisten: %ldapi_enabled%

+ nsslapd-ldapifilepath: %ldapi%

+ nsslapd-ldapiautobind: %ldapi_autobind%

+ nsslapd-ldapimaprootdn: %rootdn%

  

  dn: cn=features,cn=config

  objectclass: top
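Review bot: `nsslapd-ldapimaprootdn: %rootdn%` together with `nsslapd-ldapiautobind: %ldapi_autobind%` grants a password-less root-DN bind over the socket to local root (and, per the review thread, to the user/group the server runs as), and the template says nothing about it even though the generated dse.ldif is what an operator reads when auditing an instance. Suggest a `#` comment ahead of these four lines, e.g. `# LDAPI: local root / the DS user autobinds as the root DN; dscreate relies on this during setup.`, assuming the template processor passes LDIF comment lines through. The same four lines are added in the template hunk ending at L145 and would take the same comment.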

@@ -20,6 +20,10 @@ 

  nsslapd-auditfaillog: %log_dir%/audit

  nsslapd-rootdn: %rootdn%

  nsslapd-rootpw: %ds_passwd%

+ nsslapd-ldapilisten: %ldapi_enabled%

+ nsslapd-ldapifilepath: %ldapi%

+ nsslapd-ldapiautobind: %ldapi_autobind%

+ nsslapd-ldapimaprootdn: %rootdn%

  

  dn: cn=encryption,cn=config

  objectClass: top

@@ -732,6 +732,7 @@ 

                  dse += line.replace('%', '{', 1).replace('%', '}', 1)

  

          with open(os.path.join(slapd['config_dir'], 'dse.ldif'), 'w') as file_dse:

+             ldapi_path = os.path.join(slapd['local_state_dir'], "run/slapd-%s.socket" % slapd['instance_name'])

              dse_fmt = dse.format(

                  schema_dir=slapd['schema_dir'],

                  lock_dir=slapd['lock_dir'],
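Review bot: `ldapi_path` is assigned inside the `with open(...)` block that writes dse.ldif, but it is also used ~100 lines later in the `args` dict for `SER_LDAPI_SOCKET` (hunk ending at L238); it works because Python does not scope names to `with`, but placing the assignment there reads as if it belonged to the file write. Hoisting it above the `with` (e.g. `ldapi_path = os.path.join(slapd['local_state_dir'], "run/slapd-%s.socket" % slapd['instance_name'])` followed by a blank line) makes the dependency explicit. The path pattern also duplicates the Perl default and the `.inf` template on this page, so a comment `# Keep in sync with the ldapi default in the .inf template and DSCreate's Perl default` would help. The enclosing method starts before and ends after this hunk.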
@@ -748,12 +749,15 @@ 

                  rootdn=slapd['root_dn'],

                  instance_name=slapd['instance_name'],

                  ds_passwd=self._secure_password,  # We set our own password here, so we can connect and mod.

-                 # This is because we never know the users input root password as they can validily give

+                 # This is because we never know the users input root password as they can validly give

                  # us a *hashed* input.

                  ds_suffix=ds_suffix,

                  config_dir=slapd['config_dir'],

                  db_dir=slapd['db_dir'],

-                 db_home_dir=slapd['db_home_dir']

+                 db_home_dir=slapd['db_home_dir'],

+                 ldapi_enabled="on",

+                 ldapi=ldapi_path,

+                 ldapi_autobind="on",

              )

              file_dse.write(dse_fmt)

  
@@ -843,7 +847,7 @@ 

          # it's the only stable and guaranteed way to connect to the instance

          # at this point.

          #

-         # Alternately, we could use ldapi instead, which would prevent the need

+         # Use ldapi which would prevent the need

          # to configure a temp root pw in the setup phase.

          args = {

              SER_HOST: "localhost",
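Review bot: The rewritten comment `# Use ldapi which would prevent the need` / `# to configure a temp root pw in the setup phase.` now describes a state the code does not have: the `args` dict in the next hunk still sets `SER_ROOT_PW: self._raw_secure_password`, and the author's reply on this page keeps it as a fallback for when the socket is not usable. The comment should reflect that, e.g. `# Prefer ldapi for this connection; the temporary root pw set above is kept as a fallback` / `# in case the socket cannot be used.` The enclosing method starts before this hunk.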
@@ -851,7 +855,10 @@ 

              SER_SERVERID_PROP: slapd['instance_name'],

              SER_ROOT_DN: slapd['root_dn'],

              SER_ROOT_PW: self._raw_secure_password,

If we are using ldapi we won't need the temp root password then?

-             SER_DEPLOYED_DIR: slapd['prefix']

+             SER_DEPLOYED_DIR: slapd['prefix'],

+             SER_LDAPI_ENABLED: 'on',

+             SER_LDAPI_SOCKET: ldapi_path,

+             SER_LDAPI_AUTOBIND: 'on'

          }

  

          ds_instance.allocate(args)
@@ -923,7 +930,7 @@ 

              ds_instance.config.set('nsslapd-security', 'on')

  

          # Before we create any backends, create any extra default indexes that may be

-         # dynamicly provisioned, rather than from template-dse.ldif. Looking at you

+         # dynamically provisioned, rather than from template-dse.ldif. Looking at you

          # entryUUID (requires rust enabled).

          #

          # Indexes defaults to default_index_dn
@@ -968,14 +975,6 @@ 

                      # Unsupported rdn

                      raise ValueError("Suffix RDN '{}' in '{}' is not supported.  Supported RDN's are: 'c', 'cn', 'dc', 'o', and 'ou'".format(suffix_rdn_attr, backend['nsslapd-suffix']))

  

-         # Initialise ldapi socket information. IPA expects this ....

-         ldapi_path = os.path.join(slapd['local_state_dir'], "run/slapd-%s.socket" % slapd['instance_name'])

-         ds_instance.config.set('nsslapd-ldapifilepath', ldapi_path)

-         ds_instance.config.set('nsslapd-ldapilisten', 'on')

-         ds_instance.config.set('nsslapd-ldapiautobind', 'on')

-         ds_instance.config.set('nsslapd-ldapimaprootdn', slapd['root_dn'])

- 

- 

          # Create all required sasl maps: if we have a single backend ...

          # our default maps are really really bad, and we should feel bad.

          # they basically only work with a single backend, and they'll break

Description:

There are cases where DNS is not set up yet, and trying to automate the installation fails. Using LDAPI bypasses this issue and allows for more robust deployment options.

relates: https://pagure.io/389-ds-base/issue/51253

The code looks good to me. Just a couple of questions: how are the ldapi mapped entries created? If it maps to 'cn=directory manager', does that mean that 'root' is running dscreate?

The code looks good to me. Just a couple of questions: how are the ldapi mapped entries created? If it maps to 'cn=directory manager', does that mean that 'root' is running dscreate?

You would need to run as root for it to use LDAPI and cn=directory manager. So this is an interesting point, I'm not sure what happens in a prefix build when root is not creating the instance. I'm not sure lib389 is smart enough to detect it and skip over it. The function "can_autobind()" might need to check if the user is root.

The patch does work on prefix builds!

It's worth noting @tbordaz that any member of the user/group that DS is running as, or root, gain cn=Directory Manager. So if you as tbordaz on your laptop did:

tbordaz# ns-slapd -d 1 ... 

Then your account would imply cn=Directory Manager via LDAPI as well.

If we are using ldapi we won't need the temp root password then?

Besides that one comment, it looks really good to me. I think I always had the intent of doing this rather than just the temp DM password, if my past comments in the file are anything to go by.

If we are using ldapi we won't need the temp root password then?

I thought about removing it actually, but if ldapi is not available (for whatever reason) then it's there to fall back on.

yep fair. :) Ack from me, but may want to wait to check that @tbordaz's concerns are answered :)

Regarding use of this patch in prefix install, @mreynolds did the magic and it works in prefix deployment.
I had no concern, just wondering if the use of 'cn=directory manager' (via ldapi) was limited to 'root'. The patch is looking good to me but the real expert here is @firstyear

rebased onto 01d9def

3 years ago

The patch does work on prefix builds!

Pull-Request has been merged by mreynolds

3 years ago

389-ds-base is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in 389-ds-base's github repository.

This pull request has been cloned to Github as issue and is available here:
- https://github.com/389ds/389-ds-base/issues/4307

If you want to continue to work on the PR, please navigate to the github issue,
download the patch from the attachments and file a new pull request.

Thank you for understanding. We apologize for all inconvenience.

Pull-Request has been closed by spichugi

3 years ago