[Fedora-directory-commits] ldapserver/ldap/servers/slapd getsocketpeer.c, NONE, 1.1 getsocketpeer.h, NONE, 1.1 bind.c, 1.9, 1.10 configdse.c, 1.6, 1.7 connection.c, 1.13, 1.14 daemon.c, 1.11, 1.12 fe.h, 1.5, 1.6 libglobs.c, 1.14, 1.15 main.c, 1.17, 1.18 passwd_extop.c, 1.14, 1.15 pblock.c, 1.8, 1.9 proto-slap.h, 1.25, 1.26 pw_mgmt.c, 1.7, 1.8 saslbind.c, 1.22, 1.23 slap.h, 1.20, 1.21 slapi-plugin.h, 1.14, 1.15 start_tls_extop.c, 1.8, 1.9

Pete Rowley (prowley) fedora-directory-commits at redhat.com
Tue Feb 27 02:57:32 UTC 2007


Author: prowley

Update of /cvs/dirsec/ldapserver/ldap/servers/slapd
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv16258/ldap/servers/slapd

Modified Files:
	bind.c configdse.c connection.c daemon.c fe.h libglobs.c 
	main.c passwd_extop.c pblock.c proto-slap.h pw_mgmt.c 
	saslbind.c slap.h slapi-plugin.h start_tls_extop.c 
Added Files:
	getsocketpeer.c getsocketpeer.h 
Log Message:
Add LDAPI


--- NEW FILE getsocketpeer.c ---
/** BEGIN COPYRIGHT BLOCK
 * This Program is free software; you can redistribute it and/or modify it under * the terms of the GNU General Public License as published by the Free Software * Foundation; version 2 of the License.
 *
 * This Program is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License along with
 * this Program; if not, write to the Free Software Foundation, Inc., 59 Temple
 * Place, Suite 330, Boston, MA 02111-1307 USA.
 *
 * In addition, as a special exception, Red Hat, Inc. gives You the additional
 * right to link the code of this Program with code not covered under the GNU
 * General Public License ("Non-GPL Code") and to distribute linked combinations * including the two, subject to the limitations in this paragraph. Non-GPL Code * permitted under this exception must only link to the code of this Program
 * through those well defined interfaces identified in the file named EXCEPTION
 * found in the source code files (the "Approved Interfaces"). The files of
 * Non-GPL Code may instantiate templates or use macros or inline functions from * the Approved Interfaces without causing the resulting work to be covered by
 * the GNU General Public License. Only Red Hat, Inc. may make changes or
 * additions to the list of Approved Interfaces. You must obey the GNU General
 * Public License in all respects for all of the Program code and other code used
 * in conjunction with the Program except the Non-GPL Code covered by this
 * exception. If you modify this file, you may extend this exception to your
 * version of the file, but you are not obligated to do so. If you do not wish to
 * provide this exception without modification, you must delete this exception
 * statement from your version and license this file solely under the GPL without
 * exception.
 *
 *
 * Copyright (C) 2001 Sun Microsystems, Inc. Used by permission.
 * Copyright (C) 2007 Red Hat, Inc.
 * All rights reserved.
 * END COPYRIGHT BLOCK **/
#ifdef HAVE_CONFIG_H
#  include <config.h>
#endif

#if defined(ENABLE_LDAPI)

#if defined(HAVE_GETPEERUCRED)
#include <ucred.h>
#endif

#include <sys/types.h>
#include <unistd.h>
#include <sys/socket.h>

/* nspr secrets - we need to do an end run around nspr
   in order to do things it does not support
 */
#include <private/pprio.h>

int slapd_get_socket_peer(PRFileDesc *nspr_fd, uid_t *uid, gid_t *gid)
{
	int ret = -1;
	int fd = PR_FileDesc2NativeHandle(nspr_fd); /* naughty private func */

#if defined(SO_PEERCRED) /* linux */

	struct ucred creds;
	socklen_t len = sizeof(creds);

	if(0 == getsockopt(fd, SOL_SOCKET, SO_PEERCRED, (void*)&creds, &len ))
	{
		if(sizeof(creds) == len)
		{
			if(uid)
				*uid = creds.uid;
			if(gid)
				*gid = creds.gid;

			ret = 0;
		}
	}

#elif 0 /*defined(HAVE_GETPEERUCRED)*/ /* solaris */

	ucred_t *creds = 0;

	if(0 == getpeerucred(fd, &creds))
	{
		if(uid)
		{
			uid = ucred_getruid(creds);
			if(-1 != uid)
				ret = 0;
		}

		if(gid)
		{
			gid = ucred_getrgid(creds);
			if(-1 == gid)
				ret = -1;
			else
				ret = 0;
		}

		ucred_free(creds);
	}

#elif 0 /* defined(HAVE_GETPEEREID) */ /* osx / some BSDs */

	if(0 == getpeereid(fd, &uid, &gid))
		ret = 0;

#else 0 /* hpux / some BSDs - file descriptor cooperative auth */

        struct msghdr msg;
	struct iovec iov;
	char dummy[8];
	int fd[2];

	memset(msg, 0, sizeof(msg));
	
	iov.iov_base = dummy;
	iov.iov_len = sizeof(dummy);
	msg.msg_iov = &iov;
	msg.msg_iovlen = 1;
	msg.msg_accrights = (char*)fd;
	msg.msg_accrightslen = sizeof(fd);

        if(recvmsg(fd, &msg, MSG_PEEK) >= 0 && msg.msg_accrightslen == sizeof(int))
        {
		struct stat st;

		ret = fstat(fd[0], &st);
		close(fd[0]);

		if(0 == ret && S_ISFIFO(st.st_mode) &&
			0 == st.st_mode & (S_IRWXG|S_IRWXO))
		{
			if(uid)
				uid = st.st_uid;

			if(gid)
				gid = st.st_gid;
		}
        }

#endif

	return ret;
}

#endif /* ENABLE_LDAPI */


--- NEW FILE getsocketpeer.h ---
/** BEGIN COPYRIGHT BLOCK
 * This Program is free software; you can redistribute it and/or modify it under * the terms of the GNU General Public License as published by the Free Software * Foundation; version 2 of the License.
 *
 * This Program is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License along with
 * this Program; if not, write to the Free Software Foundation, Inc., 59 Temple
 * Place, Suite 330, Boston, MA 02111-1307 USA.
 *
 * In addition, as a special exception, Red Hat, Inc. gives You the additional
 * right to link the code of this Program with code not covered under the GNU
 * General Public License ("Non-GPL Code") and to distribute linked combinations * including the two, subject to the limitations in this paragraph. Non-GPL Code * permitted under this exception must only link to the code of this Program
 * through those well defined interfaces identified in the file named EXCEPTION
 * found in the source code files (the "Approved Interfaces"). The files of
 * Non-GPL Code may instantiate templates or use macros or inline functions from * the Approved Interfaces without causing the resulting work to be covered by
 * the GNU General Public License. Only Red Hat, Inc. may make changes or
 * additions to the list of Approved Interfaces. You must obey the GNU General
 * Public License in all respects for all of the Program code and other code used
 * in conjunction with the Program except the Non-GPL Code covered by this
 * exception. If you modify this file, you may extend this exception to your
 * version of the file, but you are not obligated to do so. If you do not wish to
 * provide this exception without modification, you must delete this exception
 * statement from your version and license this file solely under the GPL without
 * exception.
 *
 *
 * Copyright (C) 2001 Sun Microsystems, Inc. Used by permission.
 * Copyright (C) 2007 Red Hat, Inc.
 * All rights reserved.
 * END COPYRIGHT BLOCK **/
#ifdef HAVE_CONFIG_H
#  include <config.h>
#endif
#if defined(ENABLE_LDAPI)
#if !defined(GETSOCKETPEER_H)
#define GETSOCKETPEER_H
int slapd_get_socket_peer(PRFileDesc *nspr_fd, uid_t *uid, gid_t *gid);
#endif
#endif /* ENABLE_LDAPI */


Index: bind.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/bind.c,v
retrieving revision 1.9
retrieving revision 1.10
diff -u -r1.9 -r1.10
--- bind.c	10 Nov 2006 23:45:40 -0000	1.9
+++ bind.c	27 Feb 2007 02:57:29 -0000	1.10
@@ -126,6 +126,7 @@
     char **supported, **pmech;
     char authtypebuf[256]; /* >26 (strlen(SLAPD_AUTH_SASL)+SASL_MECHNAMEMAX+1) */
     Slapi_Entry *bind_target_entry = NULL;
+    int auto_bind = 0;
 
     LDAPDebug( LDAP_DEBUG_TRACE, "do_bind\n", 0, 0, 0 );
 
@@ -250,14 +251,31 @@
         slapi_pblock_get (pb, SLAPI_PWPOLICY, &pw_response_requested);
     }
 
-    log_bind_access(pb, dn, method, version, saslmech, NULL);
+    PR_Lock( pb->pb_conn->c_mutex );
 
     /* According to RFC2251,
      * "if the bind fails, the connection will be treated as anonymous".
      */
-    PR_Lock( pb->pb_conn->c_mutex );
-    bind_credentials_clear( pb->pb_conn, PR_FALSE, /* conn is already locked */
+    bind_credentials_clear( pb->pb_conn, PR_FALSE, /* do not lock conn */
                             PR_FALSE /* do not clear external creds. */ );
+
+    /* LDAPI might have auto bind on, binding as anon should
+       mean bind as self in this case
+     */
+#if defined(ENABLE_AUTOBIND)
+    if((0 == dn || 0 == dn[0]) && pb->pb_conn->c_unix_local)
+    {
+        slapd_bind_local_user(pb->pb_conn);
+	
+	if(pb->pb_conn->c_dn)
+	{
+            auto_bind = 1; /* flag the bind method */
+	    dn = slapi_ch_strdup(pb->pb_conn->c_dn);
+	    slapi_sdn_init_dn_passin(&sdn,dn);
+	}
+    }
+#endif /* ENABLE_AUTOBIND */
+
     /* Clear the password policy flag that forbid operation
      * other than Bind, Modify, Unbind :
      * With a new bind, the flag should be reset so that the new
@@ -266,6 +284,8 @@
     pb->pb_conn->c_needpw = 0;
     PR_Unlock( pb->pb_conn->c_mutex );
 
+    log_bind_access(pb, dn, method, version, saslmech, NULL);
+
     switch ( version ) {
     case LDAP_VERSION2:
         if (method == LDAP_AUTH_SIMPLE
@@ -502,22 +522,31 @@
 			/* get the entry now, so that we can give it to check_account_lock and reslimit_update_from_dn */
             if (! slapi_be_is_flag_set(be, SLAPI_BE_FLAG_REMOTE_DATA)) {
 				bind_target_entry = get_entry(pb,  slapi_sdn_get_ndn(&sdn));
-				rc = check_account_lock ( pb, bind_target_entry, pw_response_requested);
+				rc = check_account_lock ( pb, bind_target_entry, pw_response_requested,0);
             }
 
             slapi_pblock_set( pb, SLAPI_PLUGIN, be->be_database );
             set_db_default_result_handlers(pb);
-            if ( (rc != 1) && (((rc = (*be->be_bind)( pb ))
+            if ( (rc != 1) && (auto_bind || (((rc = (*be->be_bind)( pb ))
                                 == SLAPI_BIND_SUCCESS ) || rc
-                               == SLAPI_BIND_ANONYMOUS )) {
+                               == SLAPI_BIND_ANONYMOUS ))) {
                 long t;
                 {
                     char* authtype = NULL;
+
+                    if(auto_bind)
+                        rc = SLAPI_BIND_SUCCESS;
+
                     switch ( method ) {
                     case LDAP_AUTH_SIMPLE:
                         if (cred.bv_len != 0) {
                             authtype = SLAPD_AUTH_SIMPLE;
                         }
+#if defined(ENABLE_AUTOBIND)
+                        else if(auto_bind) {
+                            authtype = SLAPD_AUTH_OS;
+                        }
+#endif /* ENABLE_AUTOBIND */
                         break;
                     case LDAP_AUTH_SASL:
                         /* authtype = SLAPD_AUTH_SASL && saslmech: */
@@ -529,7 +558,8 @@
                     }
 
                     if ( rc == SLAPI_BIND_SUCCESS ) {
-                        bind_credentials_set( pb->pb_conn,
+			if(!auto_bind)
+                            bind_credentials_set( pb->pb_conn,
                                               authtype, slapi_ch_strdup(
                                                   slapi_sdn_get_ndn(&sdn)),
                                               NULL, NULL, NULL, bind_target_entry );
@@ -545,7 +575,7 @@
                     }
                 }
 
-                if ( rc != SLAPI_BIND_ANONYMOUS &&
+                if ( 0 == auto_bind && rc != SLAPI_BIND_ANONYMOUS &&
                      ! slapi_be_is_flag_set(be,
                                             SLAPI_BE_FLAG_REMOTE_DATA)) {
                     /* check if need new password before sending 


Index: configdse.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/configdse.c,v
retrieving revision 1.6
retrieving revision 1.7
diff -u -r1.6 -r1.7
--- configdse.c	10 Nov 2006 23:45:40 -0000	1.6
+++ configdse.c	27 Feb 2007 02:57:29 -0000	1.7
@@ -65,6 +65,8 @@
 static const char *requires_restart[] = {
     "cn=config:nsslapd-port",
     "cn=config:nsslapd-secureport",
+    "cn=config:" CONFIG_LDAPI_FILENAME_ATTRIBUTE,
+    "cn=config:" CONFIG_LDAPI_SWITCH_ATTRIBUTE,
     "cn=config:nsslapd-workingdir",
     "cn=config:nsslapd-plugin",
     "cn=config:nsslapd-sslclientauth",


Index: connection.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/connection.c,v
retrieving revision 1.13
retrieving revision 1.14
diff -u -r1.13 -r1.14
--- connection.c	10 Nov 2006 23:45:40 -0000	1.13
+++ connection.c	27 Feb 2007 02:57:29 -0000	1.14
@@ -511,21 +511,27 @@
 	{
 		int i = 1;
 		int ret = 0;
-		/* Set TCP_CORK here */
-		ret = setsockopt(conn->c_sd,IPPROTO_TCP,TCP_CORK,&i,sizeof(i));
-		if (ret < 0) {
-			LDAPDebug(LDAP_DEBUG_ANY, "Failed to set TCP_CORK on connection %d\n",conn->c_connid, 0, 0);
+		/* Set TCP_CORK here but only if this is not LDAPI */
+		if(!conn->c_unix_local)
+		{
+			ret = setsockopt(conn->c_sd,IPPROTO_TCP,TCP_CORK,&i,sizeof(i));
+			if (ret < 0) {
+				LDAPDebug(LDAP_DEBUG_ANY, "Failed to set TCP_CORK on connection %d\n",conn->c_connid, 0, 0);
+			}
 		}
 #endif
 
 		do_search( pb );
 
 #if defined(LINUX)
-		/* Clear TCP_CORK to flush any unsent data */
+		/* Clear TCP_CORK to flush any unsent data but only if not LDAPI*/
 		i = 0;
-		ret = setsockopt(conn->c_sd,IPPROTO_TCP,TCP_CORK,&i,sizeof(i));
-		if (ret < 0) {
-			LDAPDebug(LDAP_DEBUG_ANY, "Failed to clear TCP_CORK on connection %d\n",conn->c_connid, 0, 0);
+		if(!conn->c_unix_local)
+		{
+			ret = setsockopt(conn->c_sd,IPPROTO_TCP,TCP_CORK,&i,sizeof(i));
+			if (ret < 0) {
+				LDAPDebug(LDAP_DEBUG_ANY, "Failed to clear TCP_CORK on connection %d\n",conn->c_connid, 0, 0);
+			}
 		}
 	}
 #endif


Index: daemon.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/daemon.c,v
retrieving revision 1.11
retrieving revision 1.12
diff -u -r1.11 -r1.12
--- daemon.c	10 Nov 2006 23:45:40 -0000	1.11
+++ daemon.c	27 Feb 2007 02:57:30 -0000	1.12
@@ -92,6 +92,10 @@
 
 #include "fe.h"
 
+#if defined(ENABLE_LDAPI)
+#include "getsocketpeer.h"
+#endif /* ENABLE_LDAPI */
+
 /*
  * Define the backlog number for use in listen() call.
  * We use the same definition as in ldapserver/include/base/systems.h
@@ -125,6 +129,7 @@
 #define FDS_SIGNAL_PIPE 0
 #define FDS_N_TCPS      1
 #define FDS_S_TCPS      2
+#define FDS_I_UNIX	3
 
 static int get_configured_connection_table_size();
 #ifdef RESOLVER_NEEDS_LOW_FILE_DESCRIPTORS
@@ -135,11 +140,11 @@
 static int createlistensocket(unsigned short port, const PRNetAddr *listenaddr);
 #endif
 static PRFileDesc *createprlistensocket(unsigned short port,
-	const PRNetAddr *listenaddr, int secure);
+	const PRNetAddr *listenaddr, int secure, int local);
 static const char *netaddr2string(const PRNetAddr *addr, char *addrbuf,
 	size_t addrbuflen);
 static void	set_shutdown (int);
-static void setup_pr_read_pds(Connection_Table *ct, PRFileDesc *n_tcps, PRFileDesc *s_tcps, PRIntn *num_to_read);
+static void setup_pr_read_pds(Connection_Table *ct, PRFileDesc *n_tcps, PRFileDesc *s_tcps, PRFileDesc *i_unix, PRIntn *num_to_read);
 
 #ifdef HPUX10
 static void* catch_signals();
@@ -274,7 +279,7 @@
 
 static int
 accept_and_configure(int s, PRFileDesc *pr_acceptfd, PRNetAddr *pr_netaddr, 
-	int addrlen, int secure, PRFileDesc **pr_clonefd)
+	int addrlen, int secure, int local, PRFileDesc **pr_clonefd)
 {
 	int ns = 0;
 
@@ -290,7 +295,7 @@
 		return(SLAPD_INVALID_SOCKET);
 	}
 
-	ns = configure_pr_socket( pr_clonefd, secure );
+	ns = configure_pr_socket( pr_clonefd, secure, local );
 
 #else /* Windows */
 	if( secure ) {
@@ -316,7 +321,7 @@
 			return(SLAPD_INVALID_SOCKET);
 		}
 
-		ns = configure_pr_socket( pr_clonefd, secure );
+		ns = configure_pr_socket( pr_clonefd, secure, local );
 
 	} else { /* !secure */
 		struct sockaddr *addr; /* NOT IPv6 enabled */
@@ -364,11 +369,11 @@
 #endif
 /* GGOODREPL static void handle_timeout( void ); */
 static void handle_pr_read_ready(Connection_Table *ct, PRIntn num_poll);
-static int handle_new_connection(Connection_Table *ct, int tcps, PRFileDesc *pr_acceptfd, int secure );
+static int handle_new_connection(Connection_Table *ct, int tcps, PRFileDesc *pr_acceptfd, int secure, int local );
 #ifdef _WIN32
 static void unfurl_banners(Connection_Table *ct,daemon_ports_t *ports, int n_tcps, PRFileDesc *s_tcps);
 #else
-static void unfurl_banners(Connection_Table *ct,daemon_ports_t *ports, PRFileDesc *n_tcps, PRFileDesc *s_tcps);
+static void unfurl_banners(Connection_Table *ct,daemon_ports_t *ports, PRFileDesc *n_tcps, PRFileDesc *s_tcps, PRFileDesc *i_unix);
 #endif
 static int write_pid_file();
 static int init_shutdown_detect();
@@ -392,13 +397,13 @@
 											 &ports->n_listenaddr);
 #else
 		ports->n_socket = createprlistensocket(ports->n_port,
-											 &ports->n_listenaddr, 0);
+											 &ports->n_listenaddr, 0, 0);
 #endif
 	}
 
 	if ( config_get_security() && (0 != ports->s_port) ) {
 		ports->s_socket = createprlistensocket((unsigned short)ports->s_port,
-		    &ports->s_listenaddr, 1);
+		    &ports->s_listenaddr, 1, 0);
 #ifdef XP_WIN32
 		ports->s_socket_native = PR_FileDesc2NativeHandle(ports->s_socket);
 #endif
@@ -409,6 +414,15 @@
 #endif
 	}
 
+#ifndef XP_WIN32
+#if defined(ENABLE_LDAPI)
+	/* ldapi */
+	if(0 != ports->i_port) {
+		ports->i_socket = createprlistensocket(1, &ports->i_listenaddr, 0, 1);
+	}
+#endif /* ENABLE_LDAPI */
+#endif
+
 	return( rc );
 }
 
@@ -460,8 +474,8 @@
 
 void slapd_daemon( daemon_ports_t *ports )
 {
-	/* We are passed a pair of ports---one for regular connections, the
-	 * other for SSL connections.
+	/* We are passed some ports---one for regular connections, one
+	 * for SSL connections, one for ldapi connections.
 	 */
 	/* Previously there was a ton of code #defined on NET_SSL. 
 	 * This looked horrible, so now I'm doing it this way:
@@ -475,6 +489,7 @@
 #else
 	PRFileDesc *n_tcps = NULL; 
 	PRFileDesc *tcps = 0;
+	PRFileDesc *i_unix = 0;
 #endif
 	PRFileDesc *s_tcps = NULL; 
 	PRIntn num_poll = 0;
@@ -504,16 +519,24 @@
 	s_tcps = ports->s_socket;
 #ifdef XP_WIN32
 	s_tcps_native = ports->s_socket_native;
+#else
+#if defined(ENABLE_LDAPI)
+	i_unix = ports->i_socket;
+#endif /* ENABLE_LDAPI */
 #endif
 	
 	createsignalpipe();
 
 	init_shutdown_detect();
 
+	if (
 #if defined( XP_WIN32 )
-	if ( (n_tcps == SLAPD_INVALID_SOCKET) && 
+		(n_tcps == SLAPD_INVALID_SOCKET) && 
 #else
-	if ( (n_tcps == NULL) && 
+		(n_tcps == NULL) &&
+#if defined(ENABLE_LDAPI)
+		(i_unix == NULL) &&
+#endif /* ENABLE_LDAPI */
 #endif
 	    (s_tcps == NULL) ) {	/* nothing to do */
 	    LDAPDebug( LDAP_DEBUG_ANY,
@@ -521,7 +544,7 @@
 	    exit( 1 );
 	}
 
-	unfurl_banners(the_connection_table,ports,n_tcps,s_tcps);
+	unfurl_banners(the_connection_table,ports,n_tcps,s_tcps,i_unix);
 	init_op_threads ();
 	detect_timeout_support();
 
@@ -580,6 +603,21 @@
 		g_set_shutdown( SLAPI_SHUTDOWN_EXIT );
 	}
 
+#if !defined( XP_WIN32 )
+#if defined(ENABLE_LDAPI)
+	if( i_unix != NULL &&
+		PR_Listen(i_unix, DAEMON_LISTEN_SIZE) == PR_FAILURE) {
+		PRErrorCode prerr = PR_GetError();
+		slapi_log_error(SLAPI_LOG_FATAL, "slapd_daemon",
+			"listen() on %s failed: error %d (%s)\n",
+			ports->i_listenaddr.local.path,
+			prerr,
+			slapd_pr_strerror( prerr ));
+		g_set_shutdown( SLAPI_SHUTDOWN_EXIT );
+	}
+#endif /* ENABLE_LDAPI */
+#endif
+
 	/* Now we write the pid file, indicating that the server is finally and listening for connections */
 	write_pid_file();
 
@@ -593,6 +631,8 @@
 #endif
 		int select_return = 0;
 		int secure = 0; /* is a new connection an SSL one ? */
+		int local = 0; /* is new connection an ldapi one? */
+
 #ifndef _WIN32
 		PRErrorCode prerr;
 #endif
@@ -603,7 +643,7 @@
 		/* This select needs to timeout to give the server a chance to test for shutdown */
 		select_return = select(connection_table_size, &readfds, NULL, 0, &wakeup_timer);
 #else
-		setup_pr_read_pds(the_connection_table,n_tcps,s_tcps,&num_poll);
+		setup_pr_read_pds(the_connection_table,n_tcps,s_tcps,i_unix,&num_poll);
 		select_return = POLL_FN(the_connection_table->fd, num_poll, pr_timeout);
 #endif
 		switch (select_return) {
@@ -629,11 +669,11 @@
 #ifdef _WIN32
 			/* If so, then handle a new connection */
 			if ( n_tcps != SLAPD_INVALID_SOCKET && FD_ISSET( n_tcps,&readfds ) ) {
-				handle_new_connection(the_connection_table,n_tcps,NULL,0);
+				handle_new_connection(the_connection_table,n_tcps,NULL,0,0);
 			} 
 			/* If so, then handle a new connection */
 			if ( s_tcps != SLAPD_INVALID_SOCKET && FD_ISSET( s_tcps_native,&readfds ) ) {
-				handle_new_connection(the_connection_table,SLAPD_INVALID_SOCKET,s_tcps,1);
+				handle_new_connection(the_connection_table,SLAPD_INVALID_SOCKET,s_tcps,1,0);
 			} 
 			/* handle new data ready */
 			handle_read_ready(the_connection_table,&readfds);
@@ -650,9 +690,17 @@
 				tcps = s_tcps;
 				secure = 1;
 			}
+#if defined(ENABLE_LDAPI)
+			else if ( i_unix != 0 &&
+				the_connection_table->fd[FDS_I_UNIX].out_flags & SLAPD_POLL_FLAGS ) {
+				tcps = i_unix;
+				local = 1;
+			}
+#endif /* ENABLE_LDAPI */
+
 			/* If so, then handle a new connection */
 			if ( tcps != NULL ) {
-				handle_new_connection(the_connection_table,SLAPD_INVALID_SOCKET,tcps,secure);
+				handle_new_connection(the_connection_table,SLAPD_INVALID_SOCKET,tcps,secure,local);
 			}
 			/* handle new data ready */
 			handle_pr_read_ready(the_connection_table, connection_table_size);
@@ -674,11 +722,18 @@
 #ifdef _WIN32
 	if ( n_tcps != SLAPD_INVALID_SOCKET ) {
 		closesocket( n_tcps );
+	}
 #else
 	if ( n_tcps != NULL ) {
 		PR_Close( n_tcps );
-#endif
 	}
+
+	if ( i_unix != NULL ) {
+		PR_Close( i_unix );
+	}
+
+#endif
+
 	if ( s_tcps != NULL ) {
  		PR_Close( s_tcps );
 	}
@@ -934,7 +989,7 @@
 
 static int first_time_setup_pr_read_pds = 1;
 static void
-setup_pr_read_pds(Connection_Table *ct, PRFileDesc *n_tcps, PRFileDesc *s_tcps, PRIntn *num_to_read)
+setup_pr_read_pds(Connection_Table *ct, PRFileDesc *n_tcps, PRFileDesc *s_tcps, PRFileDesc *i_unix, PRIntn *num_to_read)
 {
 	Connection *c= NULL;
 	Connection *next= NULL;
@@ -999,7 +1054,19 @@
         ct->fd[FDS_S_TCPS].fd = NULL;
     }
 
-#if !defined(_WIN32) 
+#if !defined(_WIN32)
+	/* The fds entry for i_unix is always FDS_I_UNIX */
+	if (i_unix != NULL && accept_new_connections)
+	{
+		ct->fd[FDS_I_UNIX].fd = i_unix;
+		ct->fd[FDS_I_UNIX].in_flags = SLAPD_POLL_FLAGS;
+		ct->fd[FDS_I_UNIX].out_flags = 0;
+		LDAPDebug( LDAP_DEBUG_HOUSE,
+			"listening for LDAPI connections on %d\n", socketdesc, 0, 0 );
+	} else {
+		ct->fd[FDS_S_TCPS].fd = NULL;
+	}
+ 
 	/* The fds entry for the signalpipe is always FDS_SIGNAL_PIPE */
 	ct->fd[FDS_SIGNAL_PIPE].fd = signalpipe[0];
 	ct->fd[FDS_SIGNAL_PIPE].in_flags = SLAPD_POLL_FLAGS;
@@ -1013,8 +1080,9 @@
     /* count is the number of entries we've place in the fds array.
      * we always put n_tcps in slot FDS_N_TCPS, s_tcps in slot
      * FDS_S_TCPS and the signal pipe in slot FDS_SIGNAL_PIPE
-     * so we now set count to 3 */
-    count = 3;
+     * and i_unix in FDS_I_UNIX
+     * so we now set count to 4 */
+    count = 4;
     
     /* Walk down the list of active connections to find 
 	 * out which connections we should poll over.  If a connection
@@ -1798,10 +1866,271 @@
         connection_type= factory_register_type(SLAPI_EXT_CONNECTION,offsetof(Connection,c_extension));
 	}
 }
-	
+
+#if defined(ENABLE_LDAPI)
+int
+slapd_identify_local_user(Connection *conn)
+{
+	int ret = -1;
+	uid_t uid = 0;
+	gid_t gid = 0;
+
+	if(0 == slapd_get_socket_peer(conn->c_prfd, &uid, &gid))
+	{
+		conn->c_local_uid = uid;
+		conn->c_local_gid = gid;
+
+		ret = 0;
+	}
+
+	return ret;
+}
+
+#if defined(ENABLE_AUTOBIND)
+int
+slapd_bind_local_user(Connection *conn)
+{
+	int ret = -1;
+	uid_t uid = conn->c_local_uid;
+	gid_t gid = conn->c_local_gid;
+
+	/* observe configuration for auto binding */
+	/* bind at all? */
+	if(config_get_ldapi_bind_switch())
+	{
+		/* map users to a dn
+		   root may also map to an entry
+		*/
+
+		/* require real entry? */
+		if(config_get_ldapi_map_entries())
+		{
+			/* get uid type to map to (e.g. uidNumber) */
+			char *utype = config_get_ldapi_uidnumber_type();
+			/* get gid type to map to (e.g. gidNumber) */
+			char *gtype = config_get_ldapi_gidnumber_type();
+			/* get base dn for search */
+			char *base_dn = config_get_ldapi_search_base_dn();
+
+			/* search vars */
+			Slapi_PBlock *search_pb = 0;
+			Slapi_Entry **entries = 0;
+			int result;
+
+			/* filter manipulation vars */
+			char *one_type = 0;
+			char *filter_tpl = 0;
+			char *filter = 0;
+
+			/* create filter, matching whatever is given */
+			if(utype && gtype)
+			{
+				filter_tpl = "(&(%s=%u)(%s=%u))";
+			}
+			else
+			{
+				if(utype || gtype)
+				{
+					filter_tpl = "(%s=%u)";
+					if(utype)
+						one_type = utype;
+					else
+						one_type = gtype;
+				}
+				else
+				{
+					goto entry_map_free;
+				}
+			}
+
+			if(one_type)
+			{
+				if(one_type == utype)
+					filter = slapi_ch_smprintf(filter_tpl,
+						utype, uid);
+				else
+					filter = slapi_ch_smprintf(filter_tpl,
+						gtype, gid);
+			}
+			else
+			{
+				filter = slapi_ch_smprintf(filter_tpl, 
+					utype, uid, gtype, gid);
+			}
+
+			/* search for single entry matching types */
+			search_pb = slapi_pblock_new();
+
+			slapi_search_internal_set_pb(
+				search_pb, 
+				base_dn,
+				LDAP_SCOPE_SUBTREE,
+               			filter, 
+				NULL, 0, NULL, NULL, 
+				(void*)plugin_get_default_component_id(), 
+				0);
+
+			slapi_search_internal_pb(search_pb);
+			slapi_pblock_get(
+				search_pb,
+				SLAPI_PLUGIN_INTOP_RESULT, 
+				&result);
+			if(LDAP_SUCCESS == result)
+				 slapi_pblock_get(
+					search_pb,
+					SLAPI_PLUGIN_INTOP_SEARCH_ENTRIES,
+					&entries);
+
+			if(entries)
+			{
+				/* zero or multiple entries fail */
+				if(entries[0] && 0 == entries[1])
+				{
+					/* observe account locking */
+					ret = check_account_lock(
+						0,  /* pb not req */
+						entries[0],
+						0, /* no response control */
+						1  /* inactivation only */
+						);
+
+					if(0 == ret)
+					{
+						char *auth_dn = slapi_ch_strdup(
+							slapi_entry_get_ndn(
+								entries[0]));
+
+						auth_dn = slapi_dn_normalize(
+							auth_dn);
+
+						bind_credentials_set_nolock(
+							conn,
+							SLAPD_AUTH_OS,
+							auth_dn,
+							NULL, NULL,
+							NULL , entries[0]);
+
+						ret = 0;
+					}
+				}
+			}
+
+entry_map_free:
+			/* auth_dn consumed by bind creds set */
+			slapi_free_search_results_internal(search_pb);
+			slapi_pblock_destroy(search_pb);
+			slapi_ch_free_string(&filter);
+			slapi_ch_free_string(&utype);
+                        slapi_ch_free_string(&gtype);
+                        slapi_ch_free_string(&base_dn);
+		}
+
+		if(ret && 0 == uid)
+		{
+			/* map unix root (uidNumber:0)? */
+			char *root_dn = config_get_ldapi_root_dn();
+
+			if(root_dn)
+			{
+				Slapi_DN *edn = slapi_sdn_new_dn_byref(
+					 slapi_dn_normalize(root_dn));
+				Slapi_Entry *e = 0;
+
+				/* root might be locked too! :) */
+				ret =  slapi_search_internal_get_entry(
+					edn, 0,
+        				&e,
+					(void*)plugin_get_default_component_id()
+
+					);	
+
+				if(0 == ret && e)
+				{
+					ret = check_account_lock(
+						0, /* pb not req */
+						e,
+						0, /* no response control */
+						1  /* inactivation only */
+						);
+
+					if(1 == ret)
+						/* sorry root,
+						 * just not cool enough
+						*/
+						goto root_map_free;
+				}
+
+				/* it's ok not to find the entry,
+				 * dn doesn't have to have an entry
+				 * e.g. cn=Directory Manager
+				 */
+				bind_credentials_set_nolock( 
+					conn, SLAPD_AUTH_OS, root_dn,
+					NULL, NULL, NULL , e);
+
+root_map_free:
+				/* root_dn consumed by bind creds set */
+				slapi_sdn_free(&edn);
+				slapi_entry_free(e);
+				ret = 0;
+			}
+		}
+
+		if(ret) 
+		{
+			/* create phony auth dn? */
+			char *base = config_get_ldapi_auto_dn_suffix();
+			if(base)
+			{
+				char *tpl = "gidNumber=%u+uidNumber=%u,";
+				int len = 
+				strlen(tpl) + 
+					strlen(base) +
+					51 /* uid,gid,null,w/padding */
+					;
+				char *dn_str = (char*)slapi_ch_malloc(
+					len);
+				char *auth_dn = (char*)slapi_ch_malloc(
+					len);
+
+				dn_str[0] = 0;
+				strcpy(dn_str, tpl);
+				strcat(dn_str, base);
+
+				sprintf(auth_dn, dn_str, gid, uid);
+
+				auth_dn = slapi_dn_normalize(auth_dn);
+
+				bind_credentials_set_nolock(
+					conn,
+					SLAPD_AUTH_OS,
+					auth_dn,
+                               		NULL, NULL, NULL , NULL);
+
+				/* auth_dn consumed by bind creds set */
+				slapi_ch_free_string(&dn_str);
+				slapi_ch_free_string(&base);
+				ret = 0;
+			}
+		}
+	}
+
+bail:
+	/* if all fails, the peer is anonymous */
+	if(conn->c_dn)
+	{
+		/* log the auto bind */
+		slapi_log_access(LDAP_DEBUG_STATS, "conn=%d AUTOBIND dn=\"%s\"\n", conn->c_connid, conn->c_dn);
+	}
+
+	return ret;
+}	
+#endif /* ENABLE_AUTOBIND */
+#endif /* ENABLE_LDAPI */
+
 /* NOTE: this routine is not reentrant */
 static int
-handle_new_connection(Connection_Table *ct, int tcps, PRFileDesc *pr_acceptfd, int secure)
+handle_new_connection(Connection_Table *ct, int tcps, PRFileDesc *pr_acceptfd, int secure, int local)
 {
 	int ns = 0;
 	Connection *conn = NULL;
@@ -1810,7 +2139,7 @@
 	PRFileDesc *pr_clonefd = NULL;
 
 	if ( (ns = accept_and_configure( tcps, pr_acceptfd, &from,
-		sizeof(from), secure, &pr_clonefd)) == SLAPD_INVALID_SOCKET ) {
+		sizeof(from), secure, local, &pr_clonefd)) == SLAPD_INVALID_SOCKET ) {
 		return -1;
 	}
 
@@ -1935,6 +2264,21 @@
 		connection_table_move_connection_on_to_active_list(the_connection_table,conn);
 	}
 
+#if defined(ENABLE_LDAPI)
+#if !defined( XP_WIN32 )
+        /* ldapi */
+        if( local )
+        {
+                conn->c_unix_local = 1;
+		slapd_identify_local_user(conn);
+
+#if defined(ENABLE_AUTOBIND)
+                slapd_bind_local_user(conn);
+#endif /* ENABLE_AUTOBIND */
+        }
+#endif
+#endif /* ENABLE_LDAPI */
+
 	PR_Unlock( conn->c_mutex );
 
 	connection_new_private(conn);
@@ -2019,7 +2363,7 @@
 unfurl_banners(Connection_Table *ct,daemon_ports_t *ports, int n_tcps, PRFileDesc *s_tcps)
 #else
 static void
-unfurl_banners(Connection_Table *ct,daemon_ports_t *ports, PRFileDesc *n_tcps, PRFileDesc *s_tcps)
+unfurl_banners(Connection_Table *ct,daemon_ports_t *ports, PRFileDesc *n_tcps, PRFileDesc *s_tcps, PRFileDesc *i_unix)
 #endif
 {
 	slapdFrontendConfig_t	*slapdFrontendConfig = getFrontendConfig();
@@ -2079,6 +2423,18 @@
 			netaddr2string(&ports->s_listenaddr, addrbuf, sizeof(addrbuf)),
 		    ports->s_port, 0 );
 	}
+
+#if !defined( XP_WIN32 )
+#if defined(ENABLE_LDAPI)
+	if ( i_unix != NULL ) {                                 /* LDAPI */
+		LDAPDebug( LDAP_DEBUG_ANY,
+			"Listening on %s for LDAPI requests\n",
+			ports->i_listenaddr.local.path,
+			0, 0 );
+	}
+#endif /* ENABLE_LDAPI */
+#endif
+
 }
 
 #if defined( _WIN32 )
@@ -2273,7 +2629,7 @@
 
 static PRFileDesc *
 createprlistensocket(PRUint16 port, const PRNetAddr *listenaddr,
-		int secure)
+		int secure, int local)
 {
 	PRFileDesc			*sock;
 	PRNetAddr			sa_server;
@@ -2281,16 +2637,26 @@
 	PRSocketOptionData	pr_socketoption;
 	char				addrbuf[ 256 ];
 	char				*logname = "createprlistensocket";
+	int                             socktype = PR_AF_INET6;
+	char                            *socktype_s = "PR_AF_INET";
 
 	if (!port) goto suppressed;
 
 	PR_ASSERT( listenaddr != NULL );
 
+#if defined(ENABLE_LDAPI)
+	if(local) { /* ldapi */
+		socktype = PR_AF_LOCAL;
+		socktype_s = "PR_AF_LOCAL";
+	}
+#endif /* ENABLE_LDAPI */
+
 	/* create TCP socket */
-	if ((sock = PR_OpenTCPSocket(PR_AF_INET6)) == SLAPD_INVALID_SOCKET) {
+	if ((sock = PR_OpenTCPSocket(socktype)) == SLAPD_INVALID_SOCKET) {
 		prerr = PR_GetError();
 		slapi_log_error(SLAPI_LOG_FATAL, logname,
-		    "PR_OpenTCPSocket(PR_AF_INET6) failed: %s error %d (%s)\n",
+		    "PR_OpenTCPSocket(%s) failed: %s error %d (%s)\n",
+		    socktype_s,
 		    SLAPI_COMPONENT_NAME_NSPR, prerr, slapd_pr_strerror(prerr));
 		goto failed;
 	}
@@ -2307,17 +2673,44 @@
 
 	/* set up listener address, including port */
 	memcpy(&sa_server, listenaddr, sizeof(sa_server));
-	PRLDAP_SET_PORT( &sa_server, port );
+
+	if(!local)
+		PRLDAP_SET_PORT( &sa_server, port );
 
 	if ( PR_Bind(sock, &sa_server) == PR_FAILURE) {
 		prerr = PR_GetError();
-		slapi_log_error(SLAPI_LOG_FATAL, logname,
+		if(!local)
+		{
+			slapi_log_error(SLAPI_LOG_FATAL, logname,
 				"PR_Bind() on %s port %d failed: %s error %d (%s)\n",
 				netaddr2string(&sa_server, addrbuf, sizeof(addrbuf)), port,
 				SLAPI_COMPONENT_NAME_NSPR, prerr, slapd_pr_strerror(prerr));
+		}
+#if defined(ENABLE_LDAPI)
+		else
+		{
+                        slapi_log_error(SLAPI_LOG_FATAL, logname,
+                                "PR_Bind() on %s file %s failed: %s error %d (%s)\n",
+                                netaddr2string(&sa_server, addrbuf, sizeof(addrbuf)),
+				sa_server.local.path,
+                                SLAPI_COMPONENT_NAME_NSPR, prerr, slapd_pr_strerror(prerr));
+		}
+#endif /* ENABLE_LDAPI */
+
 		goto failed;	
 	}
 
+#if defined(ENABLE_LDAPI)
+	if(local)
+	{
+		if(chmod(listenaddr->local.path,
+			S_IRUSR|S_IWUSR|S_IRGRP|S_IWGRP|S_IROTH|S_IWOTH))
+		{
+			slapi_log_error(SLAPI_LOG_FATAL, logname, "err: %d", errno);
+		}
+	}
+#endif /* ENABLE_LDAPI */
+
 	return( sock );
 
 failed:
@@ -2536,7 +2929,7 @@
 
 
 
-int configure_pr_socket( PRFileDesc **pr_socket, int secure )
+int configure_pr_socket( PRFileDesc **pr_socket, int secure, int local )
 {
 	int ns = 0;
 	int reservedescriptors = config_get_reservedescriptors();
@@ -2617,7 +3010,7 @@
 	} /* else (secure) */
 
 
-	if ( !enable_nagle ) {
+	if ( !enable_nagle && !local ) {
 
 		 pr_socketoption.option = PR_SockOpt_NoDelay;
 		 pr_socketoption.value.no_delay = 1;
@@ -2628,7 +3021,7 @@
 					SLAPI_COMPONENT_NAME_NSPR " error %d (%s)\n",
 					prerr, slapd_pr_strerror( prerr ), 0 );
 		 }
-	} else {
+	} else if( !local) {
 		 pr_socketoption.option = PR_SockOpt_NoDelay;
 		 pr_socketoption.value.no_delay = 0;
 		 if ( PR_SetSocketOption( *pr_socket, &pr_socketoption ) == PR_FAILURE) {


Index: fe.h
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/fe.h,v
retrieving revision 1.5
retrieving revision 1.6
diff -u -r1.5 -r1.6
--- fe.h	10 Nov 2006 23:45:40 -0000	1.5
+++ fe.h	27 Feb 2007 02:57:30 -0000	1.6
@@ -173,7 +173,7 @@
 int read_function(int ignore, void *buffer,  int count, struct lextiof_socket_private *handle );
 int write_function(int ignore, const void *buffer,  int count, struct lextiof_socket_private *handle );
 PRFileDesc * get_ssl_listener_fd();
-int configure_pr_socket( PRFileDesc **pr_socket, int secure );
+int configure_pr_socket( PRFileDesc **pr_socket, int secure, int local );
 void configure_ns_socket( int * ns );
 
 /*


Index: libglobs.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/libglobs.c,v
retrieving revision 1.14
retrieving revision 1.15
diff -u -r1.14 -r1.15
--- libglobs.c	10 Nov 2006 23:45:40 -0000	1.14
+++ libglobs.c	27 Feb 2007 02:57:30 -0000	1.15
@@ -459,6 +459,33 @@
 	{CONFIG_LISTENHOST_ATTRIBUTE, config_set_listenhost,
 		NULL, 0,
 		(void**)&global_slapdFrontendConfig.listenhost, CONFIG_STRING, NULL},
+	{CONFIG_LDAPI_FILENAME_ATTRIBUTE, config_set_ldapi_filename,
+                NULL, 0,
+                (void**)&global_slapdFrontendConfig.ldapi_filename, CONFIG_STRING, NULL},
+        {CONFIG_LDAPI_SWITCH_ATTRIBUTE, config_set_ldapi_switch,
+                NULL, 0,
+		(void**)&global_slapdFrontendConfig.ldapi_switch, CONFIG_ON_OFF, NULL},
+        {CONFIG_LDAPI_BIND_SWITCH_ATTRIBUTE, config_set_ldapi_bind_switch,
+                NULL, 0,
+		(void**)&global_slapdFrontendConfig.ldapi_bind_switch, CONFIG_ON_OFF, NULL},
+        {CONFIG_LDAPI_ROOT_DN_ATTRIBUTE, config_set_ldapi_root_dn,
+                NULL, 0,
+		(void**)&global_slapdFrontendConfig.ldapi_root_dn, CONFIG_STRING, NULL},
+        {CONFIG_LDAPI_MAP_ENTRIES_ATTRIBUTE, config_set_ldapi_map_entries,
+                NULL, 0,
+		(void**)&global_slapdFrontendConfig.ldapi_map_entries, CONFIG_ON_OFF, NULL},
+        {CONFIG_LDAPI_UIDNUMBER_TYPE_ATTRIBUTE, config_set_ldapi_uidnumber_type,
+                NULL, 0,
+		(void**)&global_slapdFrontendConfig.ldapi_uidnumber_type, CONFIG_STRING, NULL},
+        {CONFIG_LDAPI_GIDNUMBER_TYPE_ATTRIBUTE, config_set_ldapi_gidnumber_type,
+                NULL, 0,
+		(void**)&global_slapdFrontendConfig.ldapi_gidnumber_type, CONFIG_STRING, NULL},
+        {CONFIG_LDAPI_SEARCH_BASE_DN_ATTRIBUTE, config_set_ldapi_search_base_dn,
+                NULL, 0,
+		(void**)&global_slapdFrontendConfig.ldapi_search_base_dn, CONFIG_STRING, NULL},
+        {CONFIG_LDAPI_AUTO_DN_SUFFIX_ATTRIBUTE, config_set_ldapi_auto_dn_suffix,
+                NULL, 0,
+		(void**)&global_slapdFrontendConfig.ldapi_auto_dn_suffix, CONFIG_STRING, NULL},
 	{CONFIG_ACCESSLOG_MINFREEDISKSPACE_ATTRIBUTE, NULL,
 		log_set_mindiskspace, SLAPD_ACCESS_LOG,
 		(void**)&global_slapdFrontendConfig.accesslog_minfreespace, CONFIG_INT, NULL},
@@ -750,6 +777,15 @@
 				
   cfg->port = LDAP_PORT;
   cfg->secureport = LDAPS_PORT;
+  cfg->ldapi_filename = slapi_ch_strdup(SLAPD_LDAPI_DEFAULT_FILENAME);
+  cfg->ldapi_switch = LDAP_ON;
+  cfg->ldapi_bind_switch = LDAP_OFF;
+  cfg->ldapi_root_dn = slapi_ch_strdup("cn=Directory Manager");
+  cfg->ldapi_map_entries = LDAP_OFF;
+  cfg->ldapi_uidnumber_type = slapi_ch_strdup("uidNumber");
+  cfg->ldapi_gidnumber_type = slapi_ch_strdup("gidNumber");
+  cfg->ldapi_search_base_dn = slapi_ch_strdup("dc=example, dc=com");
+  cfg->ldapi_auto_dn_suffix = slapi_ch_strdup("cn=peercred,cn=external,cn=auth");
   cfg->threadnumber = SLAPD_DEFAULT_MAX_THREADS;
   cfg->maxthreadsperconn = SLAPD_DEFAULT_MAX_THREADS_PER_CONN;
   cfg->reservedescriptors = SLAPD_DEFAULT_RESERVE_FDS;
@@ -991,7 +1027,7 @@
 
   if ( nPort == 0 ) {
         LDAPDebug( LDAP_DEBUG_ANY,
-                           "Information: Non-Secure Port Disabled, server only contactable via secure port\n", 0, 0, 0 );
+                           "Information: Non-Secure Port Disabled\n", 0, 0, 0 );
   }
   
   if ( apply ) {
@@ -1142,6 +1178,163 @@
 }
 
 int
+config_set_ldapi_filename( const char *attrname, char *value, char *errorbuf, int apply ) {
+  int retVal = LDAP_SUCCESS;
+  slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
+
+  if ( config_value_is_null( attrname, value, errorbuf, 0 )) {
+        return LDAP_OPERATIONS_ERROR;
+  }
+
+  if ( apply) {
+        CFG_LOCK_WRITE(slapdFrontendConfig);
+
+        slapi_ch_free ( (void **) &(slapdFrontendConfig->ldapi_filename) );
+        slapdFrontendConfig->ldapi_filename = slapi_ch_strdup ( value );
+         CFG_UNLOCK_WRITE(slapdFrontendConfig);
+  }
+  return retVal;
+}
+
+int
+config_set_ldapi_switch( const char *attrname, char *value, char *errorbuf, int apply ) {
+	int retVal = LDAP_SUCCESS;
+	slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
+
+	retVal = config_set_onoff(attrname,
+		value,
+		&(slapdFrontendConfig->ldapi_switch),
+		errorbuf,
+		apply);
+
+	return retVal;
+}
+
+int config_set_ldapi_bind_switch( const char *attrname, char *value, char *errorbuf, int apply )
+{
+        int retVal = LDAP_SUCCESS;
+        slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
+
+        retVal = config_set_onoff(attrname,
+                value,
+                &(slapdFrontendConfig->ldapi_bind_switch),
+                errorbuf,
+                apply);
+
+        return retVal;
+}
+
+int config_set_ldapi_root_dn( const char *attrname, char *value, char *errorbuf, int apply )
+{
+  int retVal = LDAP_SUCCESS;
+  slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
+
+  if ( config_value_is_null( attrname, value, errorbuf, 0 )) {
+        return LDAP_OPERATIONS_ERROR;
+  }
+
+  if ( apply) {
+        CFG_LOCK_WRITE(slapdFrontendConfig);
+
+        slapi_ch_free ( (void **) &(slapdFrontendConfig->ldapi_root_dn) );
+        slapdFrontendConfig->ldapi_root_dn = slapi_ch_strdup ( value );
+         CFG_UNLOCK_WRITE(slapdFrontendConfig);
+  }
+  return retVal;
+}
+
+int config_set_ldapi_map_entries( const char *attrname, char *value, char *errorbuf, int apply )
+{
+	int retVal = LDAP_SUCCESS;
+	slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
+
+	retVal = config_set_onoff(attrname,
+		value,
+		&(slapdFrontendConfig->ldapi_map_entries),
+		errorbuf,
+		apply);
+
+	return retVal;
+} 
+
+int config_set_ldapi_uidnumber_type( const char *attrname, char *value, char *errorbuf, int apply )
+{
+  int retVal = LDAP_SUCCESS;
+  slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
+
+  if ( config_value_is_null( attrname, value, errorbuf, 0 )) {
+        return LDAP_OPERATIONS_ERROR;
+  }
+
+  if ( apply) {
+        CFG_LOCK_WRITE(slapdFrontendConfig);
+
+        slapi_ch_free ( (void **) &(slapdFrontendConfig->ldapi_uidnumber_type) );
+        slapdFrontendConfig->ldapi_uidnumber_type = slapi_ch_strdup ( value );
+         CFG_UNLOCK_WRITE(slapdFrontendConfig);
+  }
+  return retVal;
+} 
+
+int config_set_ldapi_gidnumber_type( const char *attrname, char *value, char *errorbuf, int apply )
+{
+  int retVal = LDAP_SUCCESS;
+  slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
+
+  if ( config_value_is_null( attrname, value, errorbuf, 0 )) {
+        return LDAP_OPERATIONS_ERROR;
+  }
+
+  if ( apply) {
+        CFG_LOCK_WRITE(slapdFrontendConfig);
+
+        slapi_ch_free ( (void **) &(slapdFrontendConfig->ldapi_gidnumber_type) );
+        slapdFrontendConfig->ldapi_gidnumber_type = slapi_ch_strdup ( value );
+         CFG_UNLOCK_WRITE(slapdFrontendConfig);
+  }
+  return retVal;
+}
+
+int config_set_ldapi_search_base_dn( const char *attrname, char *value, char *errorbuf, int apply )
+{
+  int retVal = LDAP_SUCCESS;
+  slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
+
+  if ( config_value_is_null( attrname, value, errorbuf, 0 )) {
+        return LDAP_OPERATIONS_ERROR;
+  }
+
+  if ( apply) {
+        CFG_LOCK_WRITE(slapdFrontendConfig);
+
+        slapi_ch_free ( (void **) &(slapdFrontendConfig->ldapi_search_base_dn) );
+        slapdFrontendConfig->ldapi_search_base_dn = slapi_ch_strdup ( value );
+         CFG_UNLOCK_WRITE(slapdFrontendConfig);
+  }
+  return retVal;
+}
+
+int config_set_ldapi_auto_dn_suffix( const char *attrname, char *value, char *errorbuf, int apply )
+{
+  int retVal = LDAP_SUCCESS;
+  slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
+
+  if ( config_value_is_null( attrname, value, errorbuf, 0 )) {
+        return LDAP_OPERATIONS_ERROR;
+  }
+
+  if ( apply) {
+        CFG_LOCK_WRITE(slapdFrontendConfig);
+
+        slapi_ch_free ( (void **) &(slapdFrontendConfig->ldapi_auto_dn_suffix) );
+        slapdFrontendConfig->ldapi_auto_dn_suffix = slapi_ch_strdup ( value );
+         CFG_UNLOCK_WRITE(slapdFrontendConfig);
+  }
+  return retVal;
+}
+
+
+int
 config_set_securelistenhost( const char *attrname, char *value, char *errorbuf, int apply ) {
   int retVal = LDAP_SUCCESS;
   slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
@@ -3066,6 +3259,100 @@
 }
 
 char *
+config_get_ldapi_filename(){
+  char *retVal;
+  slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
+
+  CFG_LOCK_READ(slapdFrontendConfig);
+  retVal = slapi_ch_strdup(slapdFrontendConfig->ldapi_filename);
+  CFG_UNLOCK_READ(slapdFrontendConfig);
+
+  return retVal;
+}
+
+
+int config_get_ldapi_switch(){   
+  int retVal;
+  slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig(); 
+  CFG_LOCK_READ(slapdFrontendConfig);
+  retVal = slapdFrontendConfig->ldapi_switch;
+  CFG_UNLOCK_READ(slapdFrontendConfig);
+
+  return retVal;
+}
+
+int config_get_ldapi_bind_switch(){
+  int retVal;
+  slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
+  CFG_LOCK_READ(slapdFrontendConfig);
+  retVal = slapdFrontendConfig->ldapi_bind_switch;
+  CFG_UNLOCK_READ(slapdFrontendConfig);
+
+  return retVal;
+}
+
+char *config_get_ldapi_root_dn(){
+  char *retVal;
+  slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
+  CFG_LOCK_READ(slapdFrontendConfig);
+  retVal = slapi_ch_strdup(slapdFrontendConfig->ldapi_root_dn);
+  CFG_UNLOCK_READ(slapdFrontendConfig);
+
+  return retVal;
+}
+
+int config_get_ldapi_map_entries(){
+  int retVal;
+  slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
+  CFG_LOCK_READ(slapdFrontendConfig);
+  retVal = slapdFrontendConfig->ldapi_map_entries;
+  CFG_UNLOCK_READ(slapdFrontendConfig);
+
+  return retVal;
+}
+
+char *config_get_ldapi_uidnumber_type(){
+  char *retVal;
+  slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
+  CFG_LOCK_READ(slapdFrontendConfig);
+  retVal = slapi_ch_strdup(slapdFrontendConfig->ldapi_uidnumber_type);
+  CFG_UNLOCK_READ(slapdFrontendConfig);
+
+  return retVal;
+}
+
+char *config_get_ldapi_gidnumber_type(){
+  char *retVal;
+  slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
+  CFG_LOCK_READ(slapdFrontendConfig);
+  retVal = slapi_ch_strdup(slapdFrontendConfig->ldapi_gidnumber_type);
+  CFG_UNLOCK_READ(slapdFrontendConfig);
+
+  return retVal;
+}
+
+char *config_get_ldapi_search_base_dn(){
+  char *retVal;
+  slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
+  CFG_LOCK_READ(slapdFrontendConfig);
+  retVal = slapi_ch_strdup(slapdFrontendConfig->ldapi_search_base_dn);
+  CFG_UNLOCK_READ(slapdFrontendConfig);
+
+  return retVal;
+}
+
+char *config_get_ldapi_auto_dn_suffix(){
+  char *retVal;
+  slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
+  CFG_LOCK_READ(slapdFrontendConfig);
+  retVal = slapi_ch_strdup(slapdFrontendConfig->ldapi_auto_dn_suffix);
+  CFG_UNLOCK_READ(slapdFrontendConfig);
+
+  return retVal;
+}
+
+
+char *
 config_get_workingdir() {
   slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
   char *retVal;


Index: main.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/main.c,v
retrieving revision 1.17
retrieving revision 1.18
diff -u -r1.17 -r1.18
--- main.c	14 Dec 2006 23:16:54 -0000	1.17
+++ main.c	27 Feb 2007 02:57:30 -0000	1.18
@@ -453,6 +453,7 @@
 static char *extraname;
 static char *myname;
 static int n_port = 0;
+static int i_port = 0;
 static int s_port = 0;
 static char **ldif_file = NULL;
 static int ldif_files = 0;
@@ -612,6 +613,7 @@
 }
 #endif /* WIN32 */
 
+
 int
 main( int argc, char **argv)
 {
@@ -854,6 +856,19 @@
 			return(1);
 		}
 
+#if defined(ENABLE_LDAPI)
+		if(	config_get_ldapi_switch() &&
+			config_get_ldapi_filename() != 0)
+		{
+			i_port = ports_info.i_port = 1; /* flag ldapi as on */
+			ports_info.i_listenaddr.local.family = PR_AF_LOCAL;
+			PL_strncpyz(ports_info.i_listenaddr.local.path,
+				config_get_ldapi_filename(),
+				sizeof(ports_info.i_listenaddr.local.path));
+			unlink(ports_info.i_listenaddr.local.path);
+		}
+#endif /* ENABLE_LDAPI */
+
 		return_value = daemon_pre_setuid_init(&ports_info);
 		if (0 != return_value) {
 			LDAPDebug( LDAP_DEBUG_ANY, "Failed to init daemon\n",
@@ -1081,6 +1096,7 @@
 		normalize_oc();
 
 		if (n_port) {
+		} else if (i_port) {
 		} else if ( config_get_security()) {
 		} else {
 #ifdef _WIN32	
@@ -1105,6 +1121,10 @@
 				MessageBox(GetDesktopWindow(), szMessage,	" ", MB_ICONEXCLAMATION | MB_OK);
 			}
 #endif
+			LDAPDebug( LDAP_DEBUG_ANY,
+                                "Fatal Error---No ports specified. "
+                                "Exiting now.\n", 0, 0, 0 );
+			
 			exit(1);
 		}
 	}


Index: passwd_extop.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/passwd_extop.c,v
retrieving revision 1.14
retrieving revision 1.15
diff -u -r1.14 -r1.15
--- passwd_extop.c	28 Nov 2006 18:02:07 -0000	1.14
+++ passwd_extop.c	27 Feb 2007 02:57:30 -0000	1.15
@@ -592,7 +592,7 @@
 
 	 if (oldPasswd == NULL || *oldPasswd == '\0') {
      /* If user is authenticated, they already gave their password during
-        the bind operation (or used sasl or client cert auth) */
+        the bind operation (or used sasl or client cert auth or OS creds) */
         slapi_pblock_get(pb, SLAPI_CONN_AUTHMETHOD, &authmethod);
         if (!authmethod || !strcmp(authmethod, SLAPD_AUTH_NONE)) {
             errMesg = "User must be authenticated to the directory server.\n";


Index: pblock.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/pblock.c,v
retrieving revision 1.8
retrieving revision 1.9
diff -u -r1.8 -r1.9
--- pblock.c	10 Nov 2006 23:45:40 -0000	1.8
+++ pblock.c	27 Feb 2007 02:57:30 -0000	1.9
@@ -212,6 +212,8 @@
                     (*(char **)value) = SLAPD_AUTH_SIMPLE;
                 } else if (strcasecmp(authtype, SLAPD_AUTH_SSL) == 0) {
                     (*(char **)value) = SLAPD_AUTH_SSL;
+                } else if (strcasecmp(authtype, SLAPD_AUTH_OS) == 0) {
+                    (*(char **)value) = SLAPD_AUTH_OS;
                 } else if (strncasecmp(authtype, SLAPD_AUTH_SASL, 
                                        strlen(SLAPD_AUTH_SASL)) == 0) {
                     (*(char **)value) = SLAPD_AUTH_SASL;
@@ -2932,7 +2934,15 @@
 		char *extauthtype, char *externaldn, CERTCertificate *clientcert, Slapi_Entry * bind_target_entry )
 {
 	PR_Lock( conn->c_mutex );
+	bind_credentials_set_nolock(conn, authtype, normdn,
+		extauthtype, externaldn, clientcert, bind_target_entry);
+	PR_Unlock( conn->c_mutex );
+}
 
+void
+bind_credentials_set_nolock( Connection *conn, char *authtype, char *normdn,
+                char *extauthtype, char *externaldn, CERTCertificate *clientcert, Slapi_Entry * bind_target_entry )
+{
 	/* clear credentials */
 	bind_credentials_clear( conn, PR_FALSE /* conn is already locked */,
 			( extauthtype != NULL ) /* clear external creds. if requested */ );
@@ -2968,6 +2978,4 @@
 				reslimit_update_from_entry( conn, bind_target_entry );	
 		}
 	}
-
-	PR_Unlock( conn->c_mutex );
 }


Index: proto-slap.h
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/proto-slap.h,v
retrieving revision 1.25
retrieving revision 1.26
diff -u -r1.25 -r1.26
--- proto-slap.h	10 Nov 2006 23:45:40 -0000	1.25
+++ proto-slap.h	27 Feb 2007 02:57:30 -0000	1.26
@@ -239,6 +239,15 @@
 int config_set_localhost( const char *attrname, char *value, char *errorbuf, int apply );
 int config_set_listenhost( const char *attrname, char *value, char *errorbuf, int apply );
 int config_set_securelistenhost( const char *attrname, char *value, char *errorbuf, int apply );
+int config_set_ldapi_filename( const char *attrname, char *value, char *errorbuf, int apply );
+int config_set_ldapi_switch( const char *attrname, char *value, char *errorbuf, int apply );
+int config_set_ldapi_bind_switch( const char *attrname, char *value, char *errorbuf, int apply );
+int config_set_ldapi_root_dn( const char *attrname, char *value, char *errorbuf, int apply );
+int config_set_ldapi_map_entries( const char *attrname, char *value, char *errorbuf, int apply );
+int config_set_ldapi_uidnumber_type( const char *attrname, char *value, char *errorbuf, int apply );    
+int config_set_ldapi_gidnumber_type( const char *attrname, char *value, char *errorbuf, int apply );
+int config_set_ldapi_search_base_dn( const char *attrname, char *value, char *errorbuf, int apply );
+int config_set_ldapi_auto_dn_suffix( const char *attrname, char *value, char *errorbuf, int apply );   
 int config_set_srvtab( const char *attrname, char *value, char *errorbuf, int apply );
 int config_set_sizelimit( const char *attrname, char *value, char *errorbuf, int apply );
 int config_set_lastmod( const char *attrname, char *value, char *errorbuf, int apply );
@@ -334,6 +343,15 @@
 char *config_get_localhost();
 char *config_get_listenhost();
 char *config_get_securelistenhost();
+char *config_get_ldapi_filename();
+int config_get_ldapi_switch(); 
+int config_get_ldapi_bind_switch();
+char *config_get_ldapi_root_dn(); 
+int config_get_ldapi_map_entries(); 
+char *config_get_ldapi_uidnumber_type(); 
+char *config_get_ldapi_gidnumber_type(); 
+char *config_get_ldapi_search_base_dn(); 
+char *config_get_ldapi_auto_dn_suffix(); 
 char *config_get_srvtab();
 int config_get_sizelimit();
 char *config_get_pw_storagescheme();
@@ -738,7 +756,7 @@
 	char **old_pw, Slapi_Entry *e, int mod_op );
 int check_pw_syntax_ext( Slapi_PBlock *pb, const Slapi_DN *sdn, Slapi_Value **vals,
 	char **old_pw, Slapi_Entry *e, int mod_op, Slapi_Mods *smods );
-int check_account_lock( Slapi_PBlock *pb, Slapi_Entry * bind_target_entry, int pwresponse_req);
+int check_account_lock( Slapi_PBlock *pb, Slapi_Entry * bind_target_entry, int pwresponse_req, int account_inactivation_only /*no wire/no pw policy*/);
 int check_pw_minage( Slapi_PBlock *pb, const Slapi_DN *sdn, struct berval **vals) ;
 void add_password_attrs( Slapi_PBlock *pb, Operation *op, Slapi_Entry *e );
 void mod_allowchange_aci(char *val);
@@ -961,6 +979,9 @@
 void pblock_init_common( Slapi_PBlock *pb, Slapi_Backend *be, Connection *conn, Operation *op );
 void pblock_done( Slapi_PBlock *pb );
 void bind_credentials_set( Connection *conn,
+                char *authtype, char *normdn,
+                char *extauthtype, char *externaldn, CERTCertificate *clientcert , Slapi_Entry * binded);
+void bind_credentials_set_nolock( Connection *conn,
 		char *authtype, char *normdn,
 		char *extauthtype, char *externaldn, CERTCertificate *clientcert , Slapi_Entry * binded);
 void bind_credentials_clear( Connection *conn, PRBool lock_conn,


Index: pw_mgmt.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/pw_mgmt.c,v
retrieving revision 1.7
retrieving revision 1.8
diff -u -r1.7 -r1.8
--- pw_mgmt.c	10 Nov 2006 23:45:40 -0000	1.7
+++ pw_mgmt.c	27 Feb 2007 02:57:30 -0000	1.8
@@ -291,7 +291,7 @@
 
 /* check_account_lock is called before bind opeation; this could be a pre-op. */
 int
-check_account_lock ( Slapi_PBlock *pb, Slapi_Entry * bind_target_entry, int pwresponse_req) {
+check_account_lock ( Slapi_PBlock *pb, Slapi_Entry * bind_target_entry, int pwresponse_req, int account_inactivation_only) {
 
 	time_t		unlock_time;
 	time_t		cur_time;
@@ -312,8 +312,11 @@
 	if ( bind_target_entry == NULL ) 
 		return -1;
 
-	dn = slapi_entry_get_ndn(bind_target_entry);
-	pwpolicy = new_passwdPolicy(pb, dn);
+	if(!account_inactivation_only)
+	{
+		dn = slapi_entry_get_ndn(bind_target_entry);
+		pwpolicy = new_passwdPolicy(pb, dn);
+	}
 
 	/* kexcoff: account inactivation */
 	/* check if the entry is locked by nsAccountLock attribute - account inactivation feature */
@@ -334,11 +337,12 @@
 			if ( (bvp != NULL) && (strcasecmp(bvp->bv_val, "true") == 0) )
 			{
 				/* account inactivated */
-				if (pwresponse_req) {
+				if (!account_inactivation_only && pwresponse_req) {
 					slapi_pwpolicy_make_response_control ( pb, -1, -1,
 							LDAP_PWPOLICY_ACCTLOCKED );
 				}
-				send_ldap_result ( pb, LDAP_UNWILLING_TO_PERFORM, NULL,
+				if(!account_inactivation_only)
+					send_ldap_result ( pb, LDAP_UNWILLING_TO_PERFORM, NULL,
 							"Account inactivated. Contact system administrator.",
 							0, NULL );
 				slapi_vattr_values_free(&values, &actual_type_name, attr_free_flags);
@@ -354,7 +358,7 @@
 	/*
 	 * Check if the password policy has to be checked or not
 	 */
-	if ( pwpolicy->pw_lockout == 0 ) {
+	if ( account_inactivation_only || pwpolicy->pw_lockout == 0 ) {
 		goto notlocked;
 	}
 
@@ -412,11 +416,13 @@
 	}
 
 notlocked:
-	/* account is not locked. */ 
-	delete_passwdPolicy(&pwpolicy);
+	/* account is not locked. */
+        if(!account_inactivation_only)
+		delete_passwdPolicy(&pwpolicy);
 	return ( 0 );	
 locked:
-	delete_passwdPolicy(&pwpolicy);
+	if(!account_inactivation_only)
+		delete_passwdPolicy(&pwpolicy);
 	return (1);
 
 }


Index: saslbind.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/saslbind.c,v
retrieving revision 1.22
retrieving revision 1.23
diff -u -r1.22 -r1.23
--- saslbind.c	5 Dec 2006 21:22:09 -0000	1.22
+++ saslbind.c	27 Feb 2007 02:57:30 -0000	1.23
@@ -917,7 +917,7 @@
             {
                 break;
             } 
-            if ( check_account_lock(pb, bind_target_entry, pwresponse_requested) == 1) {
+            if ( check_account_lock(pb, bind_target_entry, pwresponse_requested, 0) == 1) {
                 slapi_entry_free(bind_target_entry);
                 break;
             }


Index: slap.h
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/slap.h,v
retrieving revision 1.20
retrieving revision 1.21
diff -u -r1.20 -r1.21
--- slap.h	10 Nov 2006 23:45:40 -0000	1.20
+++ slap.h	27 Feb 2007 02:57:30 -0000	1.21
@@ -304,6 +304,10 @@
 /* the default schema sub directory of the config sub directory */
 #define SCHEMA_SUBDIR_NAME "schema"
 
+/* LDAPI default configuration */
+#define SLAPD_LDAPI_DEFAULT_FILENAME "/var/run/ldapi"
+#define SLAPD_LDAPI_DEFAULT_STATUS "off"
+
 struct subfilt {
 	char	*sf_type;
 	char	*sf_initial;
@@ -1249,6 +1253,9 @@
     int				c_enable_sasl_io; /* Flag to tell us to enable SASL I/O on the next read */
     int				c_sasl_io; /* Flag to tell us to enable SASL I/O on the next read */
     int				c_sasl_ssf; /* flag to tell us the SASL SSF */
+    int                         c_unix_local; /* flag true for LDAPI */
+    uid_t                         c_local_uid;  /* uid of connecting process */
+    gid_t                         c_local_gid;  /* gid of connecting process */
 } Connection;
 #define CONN_FLAG_SSL	1	/* Is this connection an SSL connection or not ? 
 							 * Used to direct I/O code when SSL is handled differently 
@@ -1456,6 +1463,11 @@
 	int		s_socket_native;
 #else
 	PRFileDesc	*n_socket;
+	/* ldapi */
+	PRNetAddr       i_listenaddr;
+	int             i_port; /* used as a flag only */
+	PRFileDesc      *i_socket;
+
 #endif
 	PRFileDesc	*s_socket;
 } daemon_ports_t;
@@ -1640,6 +1652,15 @@
 #define CONFIG_PORT_ATTRIBUTE "nsslapd-port"
 #define CONFIG_WORKINGDIR_ATTRIBUTE "nsslapd-workingdir"
 #define CONFIG_LISTENHOST_ATTRIBUTE "nsslapd-listenhost"
+#define CONFIG_LDAPI_FILENAME_ATTRIBUTE "nsslapd-ldapifilepath"
+#define CONFIG_LDAPI_SWITCH_ATTRIBUTE "nsslapd-ldapilisten"
+#define CONFIG_LDAPI_BIND_SWITCH_ATTRIBUTE "nsslapd-ldapiautobind"
+#define CONFIG_LDAPI_ROOT_DN_ATTRIBUTE "nsslapd-ldapimaprootdn"
+#define CONFIG_LDAPI_MAP_ENTRIES_ATTRIBUTE "nsslapd-ldapimaptoentries"
+#define CONFIG_LDAPI_UIDNUMBER_TYPE_ATTRIBUTE "nsslapd-ldapiuidnumbertype"
+#define CONFIG_LDAPI_GIDNUMBER_TYPE_ATTRIBUTE "nsslapd-ldapigidnumbertype"
+#define CONFIG_LDAPI_SEARCH_BASE_DN_ATTRIBUTE "nsslapd-ldapientrysearchbase"
+#define CONFIG_LDAPI_AUTO_DN_SUFFIX_ATTRIBUTE "nsslapd-ldapiautodnsuffix"
 #define CONFIG_SECURITY_ATTRIBUTE "nsslapd-security"
 #define CONFIG_SSL3CIPHERS_ATTRIBUTE "nsslapd-SSL3ciphers"
 #define CONFIG_ACCESSLOG_ATTRIBUTE "nsslapd-accesslog"
@@ -1889,6 +1910,15 @@
   int attrname_exceptions;  /* if true, allow questionable attribute names */
   int rewrite_rfc1274;		/* return attrs for both v2 and v3 names */
   char *schemareplace;		/* see CONFIG_SCHEMAREPLACE_* #defines below */
+  char *ldapi_filename;		/* filename for ldapi socket */
+  int ldapi_switch;             /* switch to turn ldapi on/off */
+  int ldapi_bind_switch;        /* switch to turn ldapi auto binding on/off */
+  char *ldapi_root_dn;          /* DN to map root to over LDAPI */
+  int ldapi_map_entries;        /* turns ldapi entry bind mapping on/off */
+  char *ldapi_uidnumber_type;   /* type that contains uid number */
+  char *ldapi_gidnumber_type;   /* type that contains gid number */
+  char *ldapi_search_base_dn;   /* base dn to search for mapped entries */
+  char *ldapi_auto_dn_suffix;   /* suffix to be appended to auto gen DNs */
 } slapdFrontendConfig_t;
 
 #define SLAPD_FULL	0
@@ -1902,6 +1932,8 @@
  
 slapdFrontendConfig_t *getFrontendConfig();
 
+int slapd_bind_local_user(Connection *conn);
+
 /* LP: NO_TIME cannot be -1, it generates wrong GeneralizedTime
  * And causes some errors on AIX also 
  */


Index: slapi-plugin.h
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/slapi-plugin.h,v
retrieving revision 1.14
retrieving revision 1.15
diff -u -r1.14 -r1.15
--- slapi-plugin.h	14 Dec 2006 23:16:54 -0000	1.14
+++ slapi-plugin.h	27 Feb 2007 02:57:30 -0000	1.15
@@ -1367,7 +1367,7 @@
 #define SLAPD_AUTH_SIMPLE "simple"
 #define SLAPD_AUTH_SSL    "SSL"
 #define SLAPD_AUTH_SASL   "SASL " /* followed by the mechanism name */
-
+#define SLAPD_AUTH_OS     "OS"
 
 /* Command Line Arguments */
 #define SLAPI_ARGC				147


Index: start_tls_extop.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/start_tls_extop.c,v
retrieving revision 1.8
retrieving revision 1.9
diff -u -r1.8 -r1.9
--- start_tls_extop.c	10 Nov 2006 23:45:40 -0000	1.8
+++ start_tls_extop.c	27 Feb 2007 02:57:30 -0000	1.9
@@ -275,7 +275,8 @@
 	 * connection ready. */
 
 	secure = 1;
-	ns = configure_pr_socket( &newsocket, secure );
+	ns = configure_pr_socket( &newsocket, secure, 0 /*never local*/ );
+
 
 	/*
 	ber_sockbuf_set_option( conn->c_sb, LBER_SOCKBUF_OPT_DESC, &newsocket );
@@ -417,7 +418,7 @@
 
 #ifndef _WIN32
 	secure = 0;
-	ns = configure_pr_socket( &(c->c_prfd), secure );
+	ns = configure_pr_socket( &(c->c_prfd), secure, 0 /*never local*/ );
 
 	ber_sockbuf_set_option( c->c_sb, LBER_SOCKBUF_OPT_DESC, &(c->c_prfd) );
 




More information about the Fedora-directory-commits mailing list