Remove root-autobind configuration

The new lib389-based installer configured 389-DS with LDAPI support and autobind for root. nsslapd-ldapiautobind is enabled by lib389. cn=root-autobind,cn=config entry is no longer needed. nsslapd-ldapimaptoentries is kept enabled for future use. Related: https://pagure.io/freeipa/issue/8521 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2025-02-25 18:55:28 -06:00 · 2020-09-21 12:52:36 +02:00
parent 9a9cd30255
commit 37a0af6a8c
5 changed files with 10 additions and 43 deletions
--- a/install/share/Makefile.am
+++ b/install/share/Makefile.am
@@ -80,7 +80,6 @@ dist_app_DATA =				\
 	uuid.ldif		\
 	modrdn-krbprinc.ldif		\
 	entryusn.ldif			\
 	root-autobind.ldif		\
 	pw-logging-conf.ldif	\
 	sudobind.ldif			\
 	automember.ldif			\
--- a/install/share/root-autobind.ldif
+++ b/install/share/root-autobind.ldif
@@ -1,19 +0,0 @@
 # root-autobind, config
 dn: cn=root-autobind,cn=config
 changetype: add
 objectClass: extensibleObject
 objectClass: top
 cn: root-autobind
 uidNumber: 0
 gidNumber: 0
 dn: cn=config
 changetype: modify
 replace: nsslapd-ldapiautobind
 nsslapd-ldapiautobind: on
 dn: cn=config
 changetype: modify
 replace: nsslapd-ldapimaptoentries
 nsslapd-ldapimaptoentries: on
--- a/install/updates/20-autobind.update
+++ b/install/updates/20-autobind.update
@@ -0,0 +1,7 @@
 # map LDAPI autobind uid/gid to user entries (not used by root autobind)
 dn: cn=config
 only: nsslapd-ldapimaptoentries: on
 # lib389 configures 389-DS for root-autobind. This entry is no longer needed.
 dn: cn=root-autobind,cn=config
 deleteentry: cn=root-autobind,cn=config
--- a/install/updates/Makefile.am
+++ b/install/updates/Makefile.am
@@ -12,6 +12,7 @@ app_DATA =				\
 	10-uniqueness.update		\
 	19-managed-entries.update	\
 	20-aci.update			\
 	20-autobind.update		\
 	20-dna.update			\
 	20-enable_dirsrv_plugins.update	\
 	20-host_nis_groups.update	\
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -224,7 +224,6 @@ class DsInstance(service.Service):
    def __common_setup(self):
        self.step("creating directory server instance", self.__create_instance)
        self.step("configure autobind for root", self.__root_autobind)
        self.step("tune ldbm plugin", self.__tune_ldbm)
        self.step("stopping directory server", self.__stop_instance)
        self.step("updating configuration in dse.ldif", self.__update_dse_ldif)
@@ -560,25 +559,13 @@ class DsInstance(service.Service):
        sds.create_from_args(general, slapd, backends, None)
        # Now create the new domain root object in the format that IPA expects.
-        # Get the instance ....
+        # Get the instance and setup LDAPI with root autobind.
        inst = DirSrv(verbose=True, external_log=logger)
        inst.local_simple_allocate(
            serverid=self.serverid,
            ldapuri=ipaldap.get_ldap_uri(realm=self.realm, protocol='ldapi'),
            password=self.dm_password
        )
-
+        inst.setup_ldapi()
        # local_simple_allocate() configures LDAPI but doesn't set up the
        # DirSrv object to use LDAPI. Modify the DirSrv() object to use
        # LDAPI with password bind. autobind is not available, yet.
        inst.ldapi_enabled = 'on'
        inst.ldapi_socket = paths.SLAPD_INSTANCE_SOCKET_TEMPLATE % (
            self.serverid
        )
        inst.ldapi_autobind = 'off'
        # This actually opens the conn and binds.
        inst.open()
        try:
@@ -1247,14 +1234,6 @@ class DsInstance(service.Service):
        return status
    def __root_autobind(self):
        self._ldap_mod(
            "root-autobind.ldif",
            ldap_uri=ipaldap.get_ldap_uri(realm=self.realm, protocol='ldapi'),
            # must simple bind until auto bind is configured
            dm_password=self.dm_password
        )
    def __add_sudo_binduser(self):
        self._ldap_mod("sudobind.ldif", self.sub_dict)