After the discussion, we agreed to move the LDAPI UNIX socket from
RHDS/FDS run_dir (/var/run/dirsrv, by default) to its parent directory.
Summary: LDAPI: move default LDAPI UNIX socket from
/var/run/dirsrv/slapd-ID.socket to /var/run/slapd-
Product: Fedora Directory Server
Component: Directory Server
Estimated Hours: 0.0
Description of problem:
* If fedora-ds-base is installed by root, the mode of
/var/run/dirsrv is 0750, which prevents ordinary users to access
the UNIX socket. Should the mode be 0755? Or we don't allow
non-root/non-nobody users to use LDAPI?
drwxr-x--- 2 nobody nobody 4096 Mar 5 13:57 /var/run/dirsrv/
It's set by makeDSDirs in DSCreate.pm.
> We should see what OpenLDAP does - they use /var/run/ldapi by
default - what
mode is that by default? It's about the intermediate directory's
permission. OpenLDAP just has /var and /var/run. ldapi is already the
socket, isn't it? rmeggins wrote:
We have one more level /var/run/dirsrv, which is hiding the socket from
non-root and non-nobody... But yes, I have to install openldap and
investigate more. rmeggins wrote:
> Hmm - we probably don't want to open up /var/run/dirsrv if
we don't have to -
maybe we should move the socket into /var/run? e.g.
/var/run/slapd-instance.socket? I think that's a good idea. One thing
I'd like to make sure is we have to worry about RHDS/FDS coexisting with
OpenLDAP server on one host? Something like, if port 389 is already
taken, our setup-ds offers alternative. Do we need to do something
similar for LDAPI socket? rmeggins wrote:
> If there is already a /var/run/ldapi and it is in use by
openldap (or another
redhat/fedora ds) we probably don't want to use it. nalin wrote:
> When OpenLDAP's libldap gets 'ldapi:///' as a URI,
it tries to connect
> to '/var/run/ldapi'. Perhaps we should just use that?
------- Additional Comments From nhosoi(a)redhat.com 2008-03-13 16:36 EST
Created an attachment (id=297983)
cvs diff DSCreate.pm.in
Description: create an LDAPI UNIX socket at the parent dir of run_dir
(/var/run/dirsrv, by default).
Installed by root and the server's owner is nobody.
# ls -l /var/run/slapd-*socket
srw-rw-rw- 1 root root 0 Mar 13 10:28 /var/run/slapd-laputa1.socket
[..] - Red Hat-Directory/8.0.0 B2008.073.1814 starting up
[..] - slapd started. Listening on All Interfaces port 10391 for LDAP requests
[..] - Listening on /var/run/slapd-laputa1.socket for LDAPI requests