Enable ldapi connections in the management framework.

If you don't want to use ldapi then you can remove the ldap_uri setting
in /etc/ipa/default.conf. The default for the framework is to use
ldap://localhost:389/

install/share/ldapi.ldif

@@ -0,0 +1,6 @@
+# Enable the ldapi listener
+dn: cn=config
+changetype: modify
+replace: nsslapd-ldapilisten
+nsslapd-ldapilisten: on
+

install/tools/ipa-replica-install

@@ -332,6 +332,7 @@ def main():
     fd.write("realm=" + config.realm_name + "\n")
     fd.write("domain=" + config.domain_name + "\n")
     fd.write("xmlrpc_uri=https://%s/ipa/xml\n" % config.host_name)
+    fd.write("ldap_uri=ldapi://%%2fvar%%2frun%%2fslapd-%s.socket\n" % dsinstance.realm_to_serverid(realm_name))
     if ipautil.file_exists(config.dir + "/ca.p12"):
         fd.write("enable_ra=True\n")
     fd.close()

install/tools/ipa-server-install

@@ -575,6 +575,7 @@ def main():
     fd.write("realm=" + realm_name + "\n")
     fd.write("domain=" + domain_name + "\n")
     fd.write("xmlrpc_uri=https://%s/ipa/xml\n" % host_name)
+    fd.write("ldap_uri=ldapi://%%2fvar%%2frun%%2fslapd-%s.socket\n" % dsinstance.realm_to_serverid(realm_name))
     if options.ca:
         fd.write("enable_ra=True\n")
     fd.close()

ipalib/constants.py

@@ -103,8 +103,6 @@ DEFAULT_CONFIG = (
     ('lite_webui_port', 9999),
     ('xmlrpc_uri', 'http://localhost:8888'),
     ('ldap_uri', 'ldap://localhost:389'),
-    ('ldap_host', 'localhost'),
-    ('ldap_port', 389),
 
     # Debugging:
     ('verbose', False),

ipaserver/install/dsinstance.py

@@ -169,6 +169,7 @@ class DsInstance(service.Service):
         self.step("enabling memberof plugin", self.__add_memberof_module)
         self.step("enabling referential integrity plugin", self.__add_referint_module)
         self.step("enabling winsync plugin", self.__add_winsync_module)
+        self.step("enabling ldapi", self.__enable_ldapi)
         self.step("configuring uniqueness plugin", self.__set_unique_attrs)
         self.step("creating indices", self.__create_indices)
         self.step("configuring ssl for ds instance", self.__enable_ssl)
@@ -374,6 +375,9 @@ class DsInstance(service.Service):
         shutil.copyfile(ipautil.SHARE_DIR + "certmap.conf.template",
                         config_dirname(self.serverid) + "certmap.conf")
 
+    def __enable_ldapi(self):
+        self._ldap_mod("ldapi.ldif", self.sub_dict)
+
     def change_admin_password(self, password):
         logging.debug("Changing admin password")
         dirname = config_dirname(self.serverid)

ipaserver/plugins/ldap2.py

@@ -115,9 +115,7 @@ def _get_url(host, port, using_cacert=False):
     return 'ldap://%s:%d' % (host, port)
 
 # retrieves LDAP schema from server
-def _load_schema(host, port):
-    url = _get_url(host, port)
-
+def _load_schema(url):
     try:
         conn = _ldap.initialize(url)
         # assume anonymous access is enabled
@@ -136,7 +134,7 @@ def _load_schema(host, port):
     return _ldap.schema.SubSchema(schema_entry[1])
 
 # cache schema when importing module
-_schema = _load_schema(api.env.ldap_host, api.env.ldap_port)
+_schema = _load_schema(api.env.ldap_uri)
 
 def _get_syntax(attr, value):
     schema = api.Backend.ldap2._schema
@@ -164,28 +162,25 @@ class ldap2(CrudBackend, Encoder):
         self.encoder_settings.decode_dict_vals_table = _syntax_mapping
         self.encoder_settings.decode_dict_vals_table_keygen = _get_syntax
         self.encoder_settings.decode_postprocessor = lambda x: string.lower(x)
-        self._host = api.env.ldap_host
-        self._port = api.env.ldap_port
+        self._ldapuri = api.env.ldap_uri
         self._schema = _schema
-        self._ssl = False
         CrudBackend.__init__(self)
 
     def __del__(self):
         self.disconnect()
 
     def __str__(self):
-        return _get_url(self._host, self._port, self._ssl)
+        return self._ldapuri
 
     @encode_args(3, 4, 'bind_dn', 'bind_pw')
-    def create_connection(self, host=None, port=None, ccache=None,
+    def create_connection(self, ldapuri=None, ccache=None,
             bind_dn='', bind_pw='', debug_level=255,
             tls_cacertfile=None, tls_certfile=None, tls_keyfile=None):
         """
         Connect to LDAP server.
 
         Keyword arguments:
-        host -- hostname or IP of the server.
-        port -- port number
+        ldapuri -- the LDAP server to connect to
         ccache -- Kerberos V5 ccache name
         bind_dn -- dn used to bind to the server
         bind_pw -- password used to bind to the server
@@ -196,25 +191,21 @@ class ldap2(CrudBackend, Encoder):
 
         Extends backend.Connectible.create_connection.
         """
-        if host is not None:
-            self._host = host
-        if port is not None:
-            self._port = port
+        if ldapuri is not None:
+            self._ldapuri = ldapuri
 
         # if we don't have this server's schema cached, do it now
-        if self._host != api.env.ldap_host or self._port != api.env.ldap_port:
-            self._schema = _load_schema(self._host, self._port)
+        if self._ldapuri != api.env.ldap_uri:
+            self._schema = _load_schema(self._ldapuri)
 
         if tls_cacertfile is not None:
             _ldap.set_option(_ldap.OPT_X_TLS_CACERTFILE, tls_cacertfile)
-            self._ssl = True
         if tls_certfile is not None:
             _ldap.set_option(_ldap.OPT_X_TLS_CERTFILE, tls_certfile)
-            self._ssl = True
         if tls_keyfile is not None:
             _ldap.set_option(_ldap.OPT_X_TLS_KEYFILE, tls_keyfile)
 
-        conn = _ldap.initialize(str(self))
+        conn = _ldap.initialize(self._ldapuri)
         if ccache is not None:
             os.environ['KRB5CCNAME'] = ccache
             conn.sasl_interactive_bind_s('', _sasl_auth)