Hello, I'm using openldap 2.4.17 on debian, command line for testing purposes is
---
root@host:~# slapd -d16384 -f slapd-1.conf -u openldap -g openldap \
    -h "ldapi:///var/run/slapd/foobar/x-mod=-rw-------"
@(#) $OpenLDAP: slapd 2.4.17 (Nov 10 2009 18:29:26) $
root@SD6-Casa:/tmp/buildd/openldap-2.4.17/debian/build/servers/slapd
slapd starting
--
result:
root@host:~# lsof -U |grep slapd
slapd 2971 openldap 3u unix 0xf65cab80 0t0 967834 socket
slapd 2971 openldap 7u unix 0xf65ca380 0t0 967836 /var/run/slapd/ldapi
root@lena:~#
---
Filesystem directory permissions are fine, well, no matter about x-mod, the problem is I cannot force different file name (location) for socket file, default location seems to be build-dependent, shall I guess it's debian related issue? I expect the socket file to be created where I specify within "ldapi" URI. I tried a few variants of this uri, assuming I misunderstood the triple slash construction, anyway I still have socket file created in the same place. Isn't it supposed to create socket file where specified? What I want, actually, is to start two or more independent slapd servers (completely separated databases), listening on IPC only, on two different IPC sockets on the same machine.
Regards, DT
DT Piotr Wadas pwadas@dtpw.pl writes:
Hello, I'm using openldap 2.4.17 on debian, command line for testing purposes is
root@host:~# slapd -d16384 -f slapd-1.conf -u openldap -g openldap \
    -h "ldapi:///var/run/slapd/foobar/x-mod=-rw-------"
[...]
Filesystem directory permissions are fine, well, no matter about x-mod, the problem is I cannot force different file name (location) for socket file, default location seems to be build-dependent, shall I guess it's debian related issue? I expect the socket file to be created where I specify within "ldapi" URI. I tried a few variants of this uri, assuming I misunderstood the triple slash construction, anyway I still have socket file created in the same place. Isn't it supposed to create socket file where specified? What I want, actually, is to start two or more independent slapd servers (completely separated databases), listening on IPC only, on two different IPC sockets on the same machine.
If you want to specify a path, you only should use two slashes prior to the path specification.
-h ldapi://var/run/slapd/foobar/
-Dieter
On Tue, 15 Dec 2009, Dieter Kluenter wrote:
If you want to specify a path, you only should use two slashes prior to the path specification.
-h ldapi://var/run/slapd/foobar/
-Dieter
Nope :/ None of these worked as expected
slapd -h 'ldapi://test//' -u root -g root -d16384 -f slapd-1.conf
slapd -h 'ldapi://test/' -u root -g root -d16384 -f slapd-1.conf
slapd -h 'ldapi://test' -u root -g root -d16384 -f slapd-1.conf
All variants:
root@host:~# ls -al /test/
total 8
drwxr-xr-x 2 root root 4096 Nov 24 2007 .
drwxr-xr-x 34 root root 4096 Oct 23 12:04 ..
root@host:~#
I tried with superuser and dedicated user, and checked all configs ten times. Seems I need to become Jedi and use the source again :)
I also noticed this
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=317100
quote: ( "Subject: URI of socket ignored by slapd (in ldap_connect_to_path), it always used /var/run/ldapi (aka ITS#3467, ITS#3518). But this bug was fixed in openldap CVS HEAD. Is it possible to backported it to current slapd (2.2.26-3)?" )
anyway it's quite old, related to previous branch. Maybe with 2.4.17 it's just some debian-related thing.
Regards, DT
DT Piotr Wadas writes:
Nope :/ None of these worked as expected
slapd -h 'ldapi://test//' -u root -g root -d16384 -f slapd-1.conf
slapd -h 'ldapi://test/' -u root -g root -d16384 -f slapd-1.conf
slapd -h 'ldapi://test' -u root -g root -d16384 -f slapd-1.conf
You must specify the socket filename, not just the directory name, and URL-escape it so it stays in the hostport part of the URL. If the filename is /test/ldapi, use 'ldapi://%2Ftest%2Fldapi/'.
DT Piotr Wadas pwadas@dtpw.pl writes:
On Tue, 15 Dec 2009, Dieter Kluenter wrote:
If you want to specify a path, you only should use two slashes prior to the path specification.
-h ldapi://var/run/slapd/foobar/
Nope :/ None of these worked as expected
slapd -h 'ldapi://test//' -u root -g root -d16384 -f slapd-1.conf
[...]
All I can say is that it works for me as the output of ps may show:
10352 pts/1 Sl+ 0:00 ./slapd -d-1 -h ldapi://temp/slapd/ -F /opt/openldap/
A search requires LDAPURL like this
ldapsearch -x -H ldapi://2%Ftmp2%Fslapd -b "" -s base +
-Dieter
On Tue, 15 Dec 2009, Dieter Kluenter wrote:
DT Piotr Wadas pwadas@dtpw.pl writes:
On Tue, 15 Dec 2009, Dieter Kluenter wrote:
If you want to specify a path, you only should use two slashes prior to the path specification.
-h ldapi://var/run/slapd/foobar/
Nope :/ None of these worked as expected
slapd -h 'ldapi://test//' -u root -g root -d16384 -f slapd-1.conf
[...]
All I can say is that it works for me as the output of ps may show:
10352 pts/1 Sl+ 0:00 ./slapd -d-1 -h ldapi://temp/slapd/ -F /opt/openldap/
A search requires LDAPURL like this
ldapsearch -x -H ldapi://2%Ftmp2%Fslapd -b "" -s base +
-Dieter
It works when I use literally
slapd -h ldapi://%2Ftest%2Ffoobar
I mean literally % sign, then 2F for third (and further if needed) "/"s.
A socket file named "foobar" in filesystem directory /test is created.
It does not work when I use any of these
-h ldapi:///test/foobar
-h "ldapi:///test/foobar"
-h 'ldapi:///test/foobar'
-h ldapi:///test/foobar
Whatever causes this, seems that any kind of quotes does not help
Regards, DT
It works when I use literally
slapd -h ldapi://%2Ftest%2Ffoobar
I invigilate the behaviour using various combinations of "%2F" and "/".
Just two more questions
1) is it possible to change socket permissions and/or active listeners existence via cn=config?
2) What build option enables x-mod= experimental feature ?
Regards - and thanks, DT
It works when I use literally
slapd -h ldapi://%2Ftest%2Ffoobar
I invigilate the behaviour using various combinations of "%2F" and "/".
%2F for '/' is not black magic: it's just URL encoding of chars that have a special meaning in URLs. '/' is the separator between the "host" and the "DN" part, so any '/' in the host part (the socket's path name) needs to be escaped.
just two more questions
- is it possible to change socket permissions and/or active listeners existence via cn=config?
No.
- What build option enables x-mod= experimental feature ?
Don't use it: it's not portable. The right way to use filesystem permission on ldapi consists in protecting access to the directory where the socket is created.
p.
On Tue, 15 Dec 2009, Dieter Kluenter wrote:
DT Piotr Wadas pwadas@dtpw.pl writes:
On Tue, 15 Dec 2009, Dieter Kluenter wrote:
If you want to specify a path, you only should use two slashes prior to the path specification.
-h ldapi://var/run/slapd/foobar/
Nope :/ None of these worked as expected
slapd -h 'ldapi://test//' -u root -g root -d16384 -f slapd-1.conf
[...]
All I can say is that it works for me as the output of ps may show:
10352 pts/1 Sl+ 0:00 ./slapd -d-1 -h ldapi://temp/slapd/ -F /opt/openldap/
A search requires LDAPURL like this
ldapsearch -x -H ldapi://2%Ftmp2%Fslapd -b "" -s base +
-Dieter
The same thing with ldap_url_parse in C code (2.4.17 version), in my application - the problem starts from ldap_url_parse function.
This works:
int connection_res = ldap_initialize(&ldx,"ldapi://%2Ftest%2Fldapsock");
And this doesn't work:
int connection_res = ldap_initialize(&ldx,"ldapi:///test/ldapsock");
ldap_err2string(connection_res) is "Can't contact LDAP server"
When I use ldap_url_parse function, returned urld ( urld->lud_host to be exact ) is wrong - taken string with '%2F' ( "ldapi://%2Ftest%2Fldapsock" ), it returns "ldapi:///test/ldapsock". So next ldap_initialize call failed. ldap_initialize works only if I use "ldapi://%2Ftest%2Fldapsock" directly. For now I'm going to "fix" returned urld->lud_host in my app, I'm still not sure whether it's debian/openldap build related issue, or openldap bug, anyway there IS something WRONG with this.
Regards, merry christmas DT
openldap-technical@openldap.org
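
Added example, not code from the thread or from OpenLDAP: a self-contained C model of the rule given in the replies above (the host part of an ldapi URL ends at the first unescaped '/', so the socket path has to be percent-encoded), together with the re-encoding step needed when an application holds an already decoded socket path, as in the last message. The helper names ldapi_uri_from_path and ldapi_socket_from_uri are hypothetical, and the split is a simplified model, not libldap's ldap_url_parse.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Build "ldapi://<percent-encoded socket path>/"; 0 on success, -1 if out is too small. */
int ldapi_uri_from_path(const char *path, char *out, size_t outlen)
{
    static const char hex[] = "0123456789ABCDEF";
    size_t n = 8;                                  /* strlen("ldapi://") */
    if (outlen < n + 2) return -1;
    memcpy(out, "ldapi://", n);
    for (const unsigned char *p = (const unsigned char *)path; *p; p++) {
        int plain = isalnum(*p) || strchr("-._~", *p) != NULL;
        if (n + (plain ? 1 : 3) + 2 > outlen) return -1;  /* room for "/" and NUL */
        if (plain) { out[n++] = (char)*p; continue; }
        out[n++] = '%'; out[n++] = hex[*p >> 4]; out[n++] = hex[*p & 15];
    }
    out[n++] = '/'; out[n] = '\0';
    return 0;
}

/* Simplified model of the split, not libldap's parser: the host part ends at the first
 * '/' after "ldapi://" and is percent-decoded. Returns its length (0 = empty), -1 on error. */
int ldapi_socket_from_uri(const char *uri, char *out, size_t outlen)
{
    size_t n = 0;
    if (strncmp(uri, "ldapi://", 8) != 0 || outlen == 0) return -1;
    for (const char *p = uri + 8; *p && *p != '/'; p++) {
        char c = *p;
        if (c == '%') {
            if (!isxdigit((unsigned char)p[1]) || !isxdigit((unsigned char)p[2])) return -1;
            char h[3] = { p[1], p[2], '\0' };
            c = (char)strtol(h, NULL, 16); p += 2;
        }
        if (c == '\0' || n + 1 >= outlen) return -1;      /* reject %00 and overflow */
        out[n++] = c;
    }
    out[n] = '\0';
    return (int)n;
}

int main(void)
{
    const char *uris[] = { "ldapi://%2Ftest%2Ffoobar", "ldapi:///test/foobar", "ldapi://test/" };
    char buf[64];                        /* the URIs above are the ones tried in the thread */
    for (size_t i = 0; i < 3; i++)       /* prints 12, 0 (empty host part) and 4 ("test") */
        printf("%s -> %d\n", uris[i], ldapi_socket_from_uri(uris[i], buf, sizeof buf));
    return ldapi_uri_from_path("/test/foobar", buf, sizeof buf) || puts(buf) == EOF;
}
```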