[Fedora-directory-devel] Please review: [Bug 436397] New: LDAPI: move default LDAPI UNIX socket from /var/run/dirsrv/slapd-ID.socket to /var/run/slapd-ID.socket
Noriko Hosoi
nhosoi at redhat.com
Thu Mar 13 20:42:37 UTC 2008
After the discussion, we agreed to move the LDAPI UNIX socket from
RHDS/FDS run_dir (/var/run/dirsrv, by default) to its parent directory.
Thanks,
--noriko
https://bugzilla.redhat.com/show_bug.cgi?id=436397
Summary: LDAPI: move default LDAPI UNIX socket from /var/run/dirsrv/slapd-ID.socket to /var/run/slapd-ID.socket
Product: Fedora Directory Server
Version: 1.1.0
Platform: All
OS/Version: Linux
Status: NEW
Severity: low
Priority: low
Component: Directory Server
AssignedTo: nhosoi at redhat.com
ReportedBy: nhosoi at redhat.com
QAContact: ckannan at redhat.com
Estimated Hours: 0.0
Description of problem:
* If fedora-ds-base is installed by root, the mode of
/var/run/dirsrv is 0750, which prevents ordinary users from accessing
the UNIX socket. Should the mode be 0755? Or do we not allow
non-root/non-nobody users to use LDAPI?
drwxr-x--- 2 nobody nobody 4096 Mar 5 13:57 /var/run/dirsrv/
It's set by makeDSDirs in DSCreate.pm.
rmeggins wrote:
> We should see what OpenLDAP does - they use /var/run/ldapi by default - what
> mode is that by default?

It's about the intermediate directory's permission. OpenLDAP just has
/var and /var/run. ldapi is already the socket, isn't it?

rmeggins wrote:
> Yes.

We have one more level /var/run/dirsrv, which is hiding the socket from
non-root and non-nobody... But yes, I have to install openldap and
investigate more.

rmeggins wrote:
> Hmm - we probably don't want to open up /var/run/dirsrv if we don't have to -
> maybe we should move the socket into /var/run? e.g.
> /var/run/slapd-instance.socket?

I think that's a good idea. One thing I'd like to make sure of is whether
we have to worry about RHDS/FDS coexisting with an OpenLDAP server on one
host. Something like, if port 389 is already taken, our setup-ds offers an
alternative. Do we need to do something similar for the LDAPI socket?

rmeggins wrote:
> If there is already a /var/run/ldapi and it is in use by openldap (or another
> redhat/fedora ds) we probably don't want to use it.

nalin wrote:
> When OpenLDAP's libldap gets 'ldapi:///' as a URI, it tries to connect
> to '/var/run/ldapi'. Perhaps we should just use that?
>
> Nalin
------- Additional Comments From nhosoi at redhat.com 2008-03-13 16:36 EST -------
Created an attachment (id=297983)
--> (https://bugzilla.redhat.com/attachment.cgi?id=297983&action=view)
cvs diff DSCreate.pm.in
Description: create an LDAPI UNIX socket at the parent dir of run_dir
(/var/run/dirsrv, by default).
Test result.
Installed by root and the server's owner is nobody.
# ls -l /var/run/slapd-*socket
srw-rw-rw- 1 root root 0 Mar 13 10:28 /var/run/slapd-laputa1.socket
[..] - Red Hat-Directory/8.0.0 B2008.073.1814 starting up
[..] - slapd started. Listening on All Interfaces port 10391 for LDAP requests
[..] - Listening on /var/run/slapd-laputa1.socket for LDAPI requests
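An added example, not part of the bug report or of the Directory Server's DSCreate.pm, that checks the two points discussed above: connecting to a UNIX socket needs the search (x) bit on every directory above it and write permission on the socket inode, so a 0750 /var/run/dirsrv hides the socket from everyone but its owner, its group and root, while a 0666 socket placed directly under /var/run is reachable; and a candidate socket path may already be in use by another server. The temp directory standing in for /var/run, the instance name slapd-inst and the ids 60001/60001 are constructed for the demonstration.

```python
"""Constructed example: predict who can reach a LDAPI UNIX socket from the
modes of the directories above it, and tell a live socket from a stale one."""
import errno
import os
import shutil
import socket
import stat
import tempfile


def _bits_for(st, uid, gid, groups, user_bit, group_bit, other_bit):
    """Pick the permission bit that applies to a caller with these ids,
    in the owner / group / other order the kernel uses."""
    if st.st_uid == uid:
        return bool(st.st_mode & user_bit)
    if st.st_gid == gid or st.st_gid in groups:
        return bool(st.st_mode & group_bit)
    return bool(st.st_mode & other_bit)


def can_reach_socket(sock_path, uid, gid, groups=()):
    """Return (ok, reason): whether a process with the given ids could connect
    to the UNIX socket at sock_path, judged from file modes alone.
    connect(2) needs search (x) on every directory on the path and write (w)
    on the socket inode itself; root bypasses both, as the kernel does."""
    sock_path = os.path.abspath(sock_path)
    if not stat.S_ISSOCK(os.stat(sock_path).st_mode):
        return False, "%s is not a socket" % sock_path
    if uid == 0:
        return True, "root bypasses DAC checks"
    # Collect the ancestors from / down to the socket's directory.
    ancestors = []
    d = os.path.dirname(sock_path)
    while True:
        ancestors.append(d)
        parent = os.path.dirname(d)
        if parent == d:
            break
        d = parent
    for d in reversed(ancestors):
        if not _bits_for(os.stat(d), uid, gid, groups,
                         stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH):
            return False, "no search permission on %s" % d
    if not _bits_for(os.stat(sock_path), uid, gid, groups,
                     stat.S_IWUSR, stat.S_IWGRP, stat.S_IWOTH):
        return False, "no write permission on %s" % sock_path
    return True, "ok"


def socket_status(sock_path):
    """'absent', 'in-use' (something accepts connections), 'stale' (file left
    behind, nobody listening) or 'unreachable' (we lack permission)."""
    if not os.path.lexists(sock_path):
        return "absent"
    s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        s.connect(sock_path)
        return "in-use"
    except OSError as e:
        if e.errno == errno.ECONNREFUSED:
            return "stale"
        if e.errno in (errno.EACCES, errno.EPERM):
            return "unreachable"
        raise
    finally:
        s.close()


def demo():
    """Rebuild the layout from the bug under a temp dir and record what an
    unrelated user (constructed ids 60001/60001) could reach."""
    other_uid, other_gid = 60001, 60001
    base = tempfile.mkdtemp()                    # stands in for /var/run
    results = {}
    try:
        os.chmod(base, 0o755)
        run_dir = os.path.join(base, "dirsrv")   # what makeDSDirs creates
        os.mkdir(run_dir)
        os.chmod(run_dir, 0o750)
        inside = os.path.join(run_dir, "slapd-inst.socket")
        moved = os.path.join(base, "slapd-inst.socket")
        servers = []
        for path in (inside, moved):
            srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
            srv.bind(path)
            srv.listen(1)
            os.chmod(path, 0o666)                # srw-rw-rw-, as in the test output
            servers.append(srv)
        results["inside_0750"] = can_reach_socket(inside, other_uid, other_gid)[0]
        results["root_0750"] = can_reach_socket(inside, 0, 0)[0]
        results["moved"] = can_reach_socket(moved, other_uid, other_gid)[0]
        results["in_use"] = socket_status(inside)
        os.chmod(run_dir, 0o755)                 # the alternative fix: open the directory
        results["inside_0755"] = can_reach_socket(inside, other_uid, other_gid)[0]
        for srv in servers:
            srv.close()
        results["stale"] = socket_status(inside)  # file remains, nothing listens
    finally:
        shutil.rmtree(base, ignore_errors=True)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-12s %s" % (key, value))
```

can_reach_socket() only reasons about classic mode bits; ACLs, SELinux and mount options can still deny a connection the modes would allow, so treat a True result as "not blocked by permissions" rather than a guarantee. socket_status() is the check setup-ds would want before picking a path: a path that is in use belongs to some other server and should not be reused, while a stale file can be removed before binding.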