From 01d9def3122b5e707ddfbecba6fce66a9dd41eb7 Mon Sep 17 00:00:00 2001
From: Mark Reynolds
Date: Sep 01 2020 14:06:17 +0000
Subject: Issue 51253 - dscreate should LDAPI to bootstrap the config
Description: There are cases where DNS is not setup yet, and trying to automate the installation fails. Using LDAPI bypasses this issue and allows for more robust deployment options
relates: https://pagure.io/389-ds-base/issue/51253
Reviewed by: minfrin, firstyear, and tbordaz (Thanks!!!)
---
diff --git a/ldap/admin/src/defaults.inf.in b/ldap/admin/src/defaults.inf.in
index 2f630f9..e67d65e 100644
--- a/ldap/admin/src/defaults.inf.in
+++ b/ldap/admin/src/defaults.inf.in
@@ -38,6 +38,8 @@ local_state_dir = @localstatedir@
 run_dir = @localstatedir@/run/dirsrv
 # This is the expected location of ldapi.
 ldapi = @localstatedir@/run/slapd-{instance_name}.socket
+ldapi_listen = on
+ldapi_autobind = on
 pid_file = @localstatedir@/run/dirsrv/slapd-{instance_name}.pid
 inst_dir = @serverdir@/slapd-{instance_name}
 plugin_dir = @serverplugindir@
diff --git a/ldap/admin/src/scripts/DSCreate.pm.in b/ldap/admin/src/scripts/DSCreate.pm.in
index 6ed2835..b28a769 100644
--- a/ldap/admin/src/scripts/DSCreate.pm.in
+++ b/ldap/admin/src/scripts/DSCreate.pm.in
@@ -956,6 +956,15 @@ sub setDefaults {
 if (!defined($inf->{slapd}->{db_home_dir})) { $inf->{slapd}->{db_home_dir} = $inf->{slapd}->{db_dir}; } + if (!defined($inf->{slapd}->{ldapi})) { $inf->{slapd}->{ldapi} = "$localstatedir/run/slapd-$servid.socket"; } + if (!defined($inf->{slapd}->{ldapi_listen})) { $inf->{slapd}->{ldapi_listen} = "on"; } + if (!defined($inf->{slapd}->{ldapi_autobind})) { $inf->{slapd}->{ldapi_autobind} = "on"; } if (!defined($inf->{slapd}->{bak_dir})) { if ("@with_fhs_opt@") {
diff --git a/ldap/admin/src/scripts/DSUtil.pm.in b/ldap/admin/src/scripts/DSUtil.pm.in
index 197aafa..c994faa 100644
--- a/ldap/admin/src/scripts/DSUtil.pm.in
+++ b/ldap/admin/src/scripts/DSUtil.pm.in
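Review bot: The two new keys `ldapi_listen = on` and `ldapi_autobind = on` carry no comment, while the neighbouring `ldapi` key does, and the dse templates in this same commit pair them with `nsslapd-ldapimaprootdn: %rootdn%`, so an autobind default of on hands the local root account the root DN over the socket with no bind password (as I read the autobind semantics). That is the stated goal of the change, but it is a privilege decision that a packager reading this file should see spelled out. Suggested comment above the two keys: `# LDAPI listener and autobind defaults. With autobind on, the local root user is mapped to the root DN (nsslapd-ldapimaprootdn), so whoever can reach the socket as root has Directory Manager rights.`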
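Review bot: The new fallback `$inf->{slapd}->{ldapi} = "$localstatedir/run/slapd-$servid.socket";` relies on `$localstatedir` and `$servid` being in scope in setDefaults, and the hunk shows neither (the sub starts outside the hunk); if either is not declared above this point the file will not compile under strict, and if declared but unset the path silently becomes `/run/slapd-.socket`, so this is worth confirming against the rest of the sub. The same socket path is now maintained independently here, in defaults.inf.in and as `ldapi_path` in setup.py; a one-line reminder on the fallback, `# keep in sync with the ldapi default in defaults.inf.in`, would help the next person who changes one of the three.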
@@ -964,6 +964,9 @@ sub createInfFromConfig {
 $inf->{slapd}->{RootDNPwd} = $ent->getValues('nsslapd-rootpw');
 $inf->{slapd}->{ServerPort} = $ent->getValues('nsslapd-port');
 $inf->{slapd}->{ServerIdentifier} = $id;
+ $inf->{slapd}->{ldapi} = $ent->getValues('nsslapd-ldapifilepath');
+ $inf->{slapd}->{ldapi_listen} = $ent->getValues('nsslapd-ldapilisten');
+ $inf->{slapd}->{ldapi_autobind} = $ent->getValues('nsslapd-ldapiautobind');
 my $suffix = "";
 $ent = $conn->search("cn=ldbm database,cn=plugins,cn=config",
diff --git a/ldap/admin/src/scripts/dscreate.map.in b/ldap/admin/src/scripts/dscreate.map.in
index 4c47b08..fd6d3e8 100644
--- a/ldap/admin/src/scripts/dscreate.map.in
+++ b/ldap/admin/src/scripts/dscreate.map.in
@@ -39,3 +39,6 @@ db_dir = db_dir
 db_home_dir = db_home_dir
 run_dir = run_dir
 instance_name = ServerIdentifier
+ldapi_enabled = ldapi_listen
+ldapi = ldapi
+ldapi_autobind = ldapi_autobind
diff --git a/ldap/admin/src/scripts/dsupdate.map.in b/ldap/admin/src/scripts/dsupdate.map.in
index f6912b6..429b742 100644
--- a/ldap/admin/src/scripts/dsupdate.map.in
+++ b/ldap/admin/src/scripts/dsupdate.map.in
@@ -35,3 +35,6 @@ config_dir = config_dir
 db_dir = db_dir
 db_home_dir = db_home_dir
 run_dir = run_dir
+ldapi_enabled = ldapi_listen
+ldapi = ldapi
+ldapi_autobind = ldapi_autobind
diff --git a/ldap/ldif/template-dse-minimal.ldif.in b/ldap/ldif/template-dse-minimal.ldif.in
index 0be9c17..0084e7e 100644
--- a/ldap/ldif/template-dse-minimal.ldif.in
+++ b/ldap/ldif/template-dse-minimal.ldif.in
@@ -20,6 +20,10 @@ nsslapd-auditlog: %log_dir%/audit
 nsslapd-auditfaillog: %log_dir%/audit
 nsslapd-rootdn: %rootdn%
 nsslapd-rootpw: %ds_passwd%
+nsslapd-ldapilisten: %ldapi_enabled%
+nsslapd-ldapifilepath: %ldapi%
+nsslapd-ldapiautobind: %ldapi_autobind%
+nsslapd-ldapimaprootdn: %rootdn%
 dn: cn=features,cn=config
 objectclass: top
diff --git a/ldap/ldif/template-dse.ldif.in b/ldap/ldif/template-dse.ldif.in
index 19abcf8..2cfc985 100644
--- a/ldap/ldif/template-dse.ldif.in
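Review bot: On an existing instance whose dse.ldif predates these attributes, `$ent->getValues('nsslapd-ldapilisten')` and its two siblings have nothing to return, and the fallbacks this commit adds to setDefaults in DSCreate.pm.in only fire when the key is `!defined`; if the assignment leaves an empty-but-defined value in `$inf->{slapd}`, the dsupdate template renders `nsslapd-ldapilisten: ` with no value rather than the intended `on`. Worth either assigning only when the attribute is present on the entry, or deleting the key from `$inf->{slapd}` when the value is empty, so setDefaults supplies the default. createInfFromConfig starts outside the hunk, so the behaviour of getValues in scalar context on a missing attribute should be checked against the rest of the file.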
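Review bot: The template variable is named `ldapi_enabled` while the inf key it is mapped from is `ldapi_listen`, whereas the other two new entries map like-to-like; the mismatch is repeated in dsupdate.map.in and again as the `ldapi_enabled=` keyword in setup.py, so a reader of the rendered `nsslapd-ldapilisten` line has two renames to follow back to the inf file. Either name the template variable `ldapi_listen` in both template-dse files and both maps, or document the indirection next to the entry: `# template %ldapi_enabled% <- inf ldapi_listen -> nsslapd-ldapilisten`.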
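Review bot: `nsslapd-ldapimaprootdn: %rootdn%` is hard-wired to the root DN rather than parameterised like the three attributes above it, and together with `nsslapd-ldapiautobind: %ldapi_autobind%` (defaulting to on in this commit) it means the local root account is bound as the root DN over the socket without a password; that is what the bootstrap-without-DNS goal needs, but the template should say so rather than leave it implicit, and the same four lines are added to template-dse.ldif.in. Suggested comment line above the block: `# LDAPI: with autobind on, the local root user is mapped to nsslapd-ldapimaprootdn (the root DN) without a bind password.`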
+++ b/ldap/ldif/template-dse.ldif.in
@@ -20,6 +20,10 @@ nsslapd-auditlog: %log_dir%/audit
 nsslapd-auditfaillog: %log_dir%/audit
 nsslapd-rootdn: %rootdn%
 nsslapd-rootpw: %ds_passwd%
+nsslapd-ldapilisten: %ldapi_enabled%
+nsslapd-ldapifilepath: %ldapi%
+nsslapd-ldapiautobind: %ldapi_autobind%
+nsslapd-ldapimaprootdn: %rootdn%
 dn: cn=encryption,cn=config
 objectClass: top
diff --git a/src/lib389/lib389/instance/setup.py b/src/lib389/lib389/instance/setup.py
index d117292..0c0ff2e 100644
--- a/src/lib389/lib389/instance/setup.py
+++ b/src/lib389/lib389/instance/setup.py
@@ -732,6 +732,7 @@ class SetupDs(object):
 dse += line.replace('%', '{', 1).replace('%', '}', 1)
 with open(os.path.join(slapd['config_dir'], 'dse.ldif'), 'w') as file_dse:
+ ldapi_path = os.path.join(slapd['local_state_dir'], "run/slapd-%s.socket" % slapd['instance_name'])
 dse_fmt = dse.format(
 schema_dir=slapd['schema_dir'],
 lock_dir=slapd['lock_dir'],
@@ -748,12 +749,15 @@ class SetupDs(object):
 rootdn=slapd['root_dn'],
 instance_name=slapd['instance_name'],
 ds_passwd=self._secure_password, # We set our own password here, so we can connect and mod.
- # This is because we never know the users input root password as they can validily give
+ # This is because we never know the users input root password as they can validly give
 # us a *hashed* input.
 ds_suffix=ds_suffix,
 config_dir=slapd['config_dir'],
 db_dir=slapd['db_dir'],
- db_home_dir=slapd['db_home_dir']
+ db_home_dir=slapd['db_home_dir'],
+ ldapi_enabled="on",
+ ldapi=ldapi_path,
+ ldapi_autobind="on",
 )
 file_dse.write(dse_fmt)
@@ -843,7 +847,7 @@ class SetupDs(object):
 # it's the only stable and guaranteed way to connect to the instance
 # at this point.
 #
- # Alternately, we could use ldapi instead, which would prevent the need
+ # Use ldapi which would prevent the need
 # to configure a temp root pw in the setup phase.
 args = {
 SER_HOST: "localhost",
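Review bot: `ldapi_path` is assigned inside the `with open(...) as file_dse:` block although it does not depend on the file, and it is reused much later in the `ds_instance.allocate(args)` hunk; define it before the `with`, next to the other values the template needs (the enclosing method starts and ends outside this hunk). It also rebuilds the path from `"run/slapd-%s.socket" % slapd['instance_name']` and passes the literal `"on"` for `ldapi_enabled` and `ldapi_autobind` in the `dse.format(...)` call at @@ -748, even though defaults.inf.in in this same commit now defines `ldapi`, `ldapi_listen` and `ldapi_autobind`; if those keys reach the `slapd` dict, the call should use `slapd['ldapi']`, `slapd['ldapi_listen']` and `slapd['ldapi_autobind']` so an inf that sets `ldapi_autobind = off` is honoured rather than silently overridden, and the same applies to the `'on'` literals in the `args` dict at @@ -851.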
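Review bot: The reworded comment `# Use ldapi which would prevent the need` / `# to configure a temp root pw in the setup phase.` no longer describes the code it sits on: the context lines above it still say the temp root password is the only guaranteed way to connect at this point, and the `args` dict below still passes `SER_ROOT_PW: self._raw_secure_password`, so a reader cannot tell whether ldapi now replaces the temp password or merely accompanies it. Rewrite the whole comment block to state what is actually done, e.g. `# Connect over ldapi (enabled with autobind in the dse template above); the temp root pw is still supplied in args — say here whether it is only a fallback.`, with the "would prevent" wording removed.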
@@ -851,7 +855,10 @@ class SetupDs(object):
 SER_SERVERID_PROP: slapd['instance_name'],
 SER_ROOT_DN: slapd['root_dn'],
 SER_ROOT_PW: self._raw_secure_password,
- SER_DEPLOYED_DIR: slapd['prefix']
+ SER_DEPLOYED_DIR: slapd['prefix'],
+ SER_LDAPI_ENABLED: 'on',
+ SER_LDAPI_SOCKET: ldapi_path,
+ SER_LDAPI_AUTOBIND: 'on'
 }
 ds_instance.allocate(args)
@@ -923,7 +930,7 @@ class SetupDs(object):
 ds_instance.config.set('nsslapd-security', 'on')
 # Before we create any backends, create any extra default indexes that may be
- # dynamicly provisioned, rather than from template-dse.ldif. Looking at you
+ # dynamically provisioned, rather than from template-dse.ldif. Looking at you
 # entryUUID (requires rust enabled).
 #
 # Indexes defaults to default_index_dn
@@ -968,14 +975,6 @@ class SetupDs(object):
 # Unsupported rdn
 raise ValueError("Suffix RDN '{}' in '{}' is not supported. Supported RDN's are: 'c', 'cn', 'dc', 'o', and 'ou'".format(suffix_rdn_attr, backend['nsslapd-suffix']))
- # Initialise ldapi socket information. IPA expects this ....
- ldapi_path = os.path.join(slapd['local_state_dir'], "run/slapd-%s.socket" % slapd['instance_name'])
- ds_instance.config.set('nsslapd-ldapifilepath', ldapi_path)
- ds_instance.config.set('nsslapd-ldapilisten', 'on')
- ds_instance.config.set('nsslapd-ldapiautobind', 'on')
- ds_instance.config.set('nsslapd-ldapimaprootdn', slapd['root_dn'])
-
-
 # Create all required sasl maps: if we have a single backend ...
 # our default maps are really really bad, and we should feel bad.
 # they basically only work with a single backend, and they'll break
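Review bot: `SER_LDAPI_ENABLED`, `SER_LDAPI_SOCKET` and `SER_LDAPI_AUTOBIND` are used in the `args` dict but the diff adds no import for them; unless setup.py already brings them into scope with `SER_HOST` and the other `SER_*` names (the import block is outside this diff), building `args` raises NameError at install time, which is exactly the unattended-deployment path this change is meant to fix. The two `'on'` literals also duplicate the defaults now declared in defaults.inf.in, so an inf that turns autobind off is overridden here as well as in the dse template; reading them from the `slapd` dict would keep the instance properties and the written dse.ldif consistent with what the user asked for.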