[Fedora-directory-devel] Please review: [Bug 436397] New: LDAPI: move default LDAPI UNIX socket from /var/run/dirsrv/slapd-ID.socket to /var/run/slapd-ID.socket

Noriko Hosoi nhosoi at redhat.com
Thu Mar 13 20:42:37 UTC 2008


After the discussion, we agreed to move the LDAPI UNIX socket from 
RHDS/FDS run_dir (/var/run/dirsrv, by default) to its parent directory.

Thanks,
--noriko

https://bugzilla.redhat.com/show_bug.cgi?id=436397

           Summary: LDAPI: move default LDAPI UNIX socket from
                    /var/run/dirsrv/slapd-ID.socket to /var/run/slapd-ID.socket
           Product: Fedora Directory Server
           Version: 1.1.0
          Platform: All
        OS/Version: Linux
            Status: NEW
          Severity: low
          Priority: low
         Component: Directory Server
        AssignedTo: nhosoi at redhat.com
        ReportedBy: nhosoi at redhat.com
         QAContact: ckannan at redhat.com
   Estimated Hours: 0.0


Description of problem:
* If fedora-ds-base is installed by root, the mode of
  /var/run/dirsrv is 0750, which prevents ordinary users from accessing
  the UNIX socket.  Should the mode be 0755?  Or do we not allow
  non-root/non-nobody users to use LDAPI?

    drwxr-x---  2 nobody nobody 4096 Mar  5 13:57 /var/run/dirsrv/
    It's set by makeDSDirs in DSCreate.pm.

rmeggins wrote:
> > We should see what OpenLDAP does - they use /var/run/ldapi by default - what
> > mode is that by default?

It's about the intermediate directory's permission. OpenLDAP just has /var
and /var/run. ldapi is already the socket, isn't it?

rmeggins wrote:
> > Yes.

We have one more level, /var/run/dirsrv, which is hiding the socket from
non-root and non-nobody... But yes, I have to install openldap and
investigate more.

rmeggins wrote:
> > Hmm - we probably don't want to open up /var/run/dirsrv if we don't have to -
> > maybe we should move the socket into /var/run? e.g.
> > /var/run/slapd-instance.socket?

I think that's a good idea. One thing I'd like to make sure of is whether
we have to worry about RHDS/FDS coexisting with an OpenLDAP server on one
host. Something like, if port 389 is already taken, our setup-ds offers an
alternative. Do we need to do something similar for the LDAPI socket?

rmeggins wrote:
> > If there is already a /var/run/ldapi and it is in use by openldap (or another
> > redhat/fedora ds) we probably don't want to use it.

nalin wrote:
> > When OpenLDAP's libldap gets 'ldapi:///' as a URI, it tries to connect
> > to '/var/run/ldapi'.  Perhaps we should just use that?
> >
> > Nalin

------- Additional Comments From nhosoi at redhat.com  2008-03-13 16:36 EST -------
Created an attachment (id=297983)
 --> (https://bugzilla.redhat.com/attachment.cgi?id=297983&action=view)
cvs diff DSCreate.pm.in

Description: create an LDAPI UNIX socket at the parent dir of run_dir
(/var/run/dirsrv, by default).

Test result (installed by root; the server's owner is nobody):
# ls -l /var/run/slapd-*socket
srw-rw-rw-  1 root root 0 Mar 13 10:28 /var/run/slapd-laputa1.socket

[..] - Red Hat-Directory/8.0.0 B2008.073.1814 starting up
[..] - slapd started.  Listening on All Interfaces port 10391 for LDAP requests

[..] - Listening on /var/run/slapd-laputa1.socket for LDAPI requests

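As an added check (not part of the bug report or the DSCreate.pm patch), the Python below walks a socket path the way the kernel's permission check does: every directory on the way needs search (x) permission for the connecting uid, and the socket file itself needs write permission for connect(2) to succeed. Run against the two layouts from this thread it reports /var/run/dirsrv as the component that blocks a non-root, non-nobody user; chain_from_fs builds the same input from a live system. The uid values and both layouts are constructed from the listings above.

```python
import os
import stat
from typing import Iterable, List, Optional, Tuple

# One path component: (path, st_mode including file type, owner uid, owner gid).
Entry = Tuple[str, int, int, int]

def _allowed(mode: int, owner: int, group: int, uid: int, gids: set, bit: str) -> bool:
    """Classic DAC check for one permission bit ('R', 'W' or 'X'); root bypasses."""
    if uid == 0:
        return True
    cls = "USR" if uid == owner else "GRP" if group in gids else "OTH"
    return bool(mode & getattr(stat, f"S_I{bit}{cls}"))

def blocking_component(chain: List[Entry], uid: int, gids: Iterable[int]) -> Optional[str]:
    """First component that stops `uid` from connecting to the socket, or None.
    Directories need search (x); the socket needs write, because connect(2) on
    an AF_UNIX socket is checked like a write to the socket file."""
    gids = set(gids)
    *dirs, (spath, smode, sowner, sgroup) = chain
    for path, mode, owner, group in dirs:
        if not _allowed(mode, owner, group, uid, gids, "X"):
            return path
    if not stat.S_ISSOCK(smode) or not _allowed(smode, sowner, sgroup, uid, gids, "W"):
        return spath
    return None

def chain_from_fs(sock_path: str) -> List[Entry]:
    """Build the chain for a real path by lstat()ing each prefix (root included)."""
    chain, cur = [], os.sep
    for part in [""] + os.path.abspath(sock_path).split(os.sep)[1:]:
        cur = os.path.join(cur, part)
        st = os.lstat(cur)
        chain.append((cur, st.st_mode, st.st_uid, st.st_gid))
    return chain

# Constructed layouts from the bug report (uid 99 stands in for 'nobody').
NOBODY, ROOT = 99, 0
OLD_LAYOUT: List[Entry] = [           # run_dir /var/run/dirsrv is drwxr-x--- nobody:nobody
    ("/", stat.S_IFDIR | 0o755, ROOT, ROOT),
    ("/var", stat.S_IFDIR | 0o755, ROOT, ROOT),
    ("/var/run", stat.S_IFDIR | 0o755, ROOT, ROOT),
    ("/var/run/dirsrv", stat.S_IFDIR | 0o750, NOBODY, NOBODY),
    ("/var/run/dirsrv/slapd-ID.socket", stat.S_IFSOCK | 0o666, NOBODY, NOBODY),
]
NEW_LAYOUT: List[Entry] = OLD_LAYOUT[:3] + [   # after the patch: srw-rw-rw- root root
    ("/var/run/slapd-ID.socket", stat.S_IFSOCK | 0o666, ROOT, ROOT),
]
```

`blocking_component(OLD_LAYOUT, 1000, {1000})` returns "/var/run/dirsrv", while the same call on NEW_LAYOUT returns None; the nobody and root identities pass in both layouts.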

