(see in slapd(8) the description on how to enforce file permissions
on sockets in ldapi schema); at present, only user permissions are
used as follows: the url extension x-mod=-rwxrwxrwx is used; only
the user permisisons are considered, e.g. the first set of rwx;
"r" means read is allowed from that listener
"w" means write is allowed on that listener
"x" means bind is not required on that listener
these restrictions ADD to those already present, and are actually
checked AFTER the other restrictions, but BEFORE ACLs, so they can
be used to apply gross restrictions but should not be viewed as
a replacement of ACLs. To compile this, #define SLAP_X_LISTENER_MOD
- use bervals for url and sockname
- pass connection_init() the listener struct pointer instead of each value
- don't copy them in the Connection struct 'cause they're not going to change
- define macros for legacy usage of c_listener_url and c_sockname
- Let write operations return unwilling-to-perform after
'gentle shutdown' has been initiated.
- Change -1 to 2 in slapd_gentle_shutdown and slapd_shutdown, since
sig_atomic_t can be unsigned (ITS#1736). The 'gentle SIGHUP' patch
is older than ITS#1736 but was applied later, so it reintroduced
the problem.
Hallvard B. Furuseth <h.b.furuseth@usit.uio.no>, June 2002.
URL Syntax:
ldapi://[<path>[/????[!]x-mod=<mod>]]
where <path> is the URL-encoded path of the socket (i.e. use %2F instead
of '/' for UNIX filenames!) and <mod> is 3*[w|-] (all we need is write
permission to the socket, read/execute permissions are ignored; however,
they're set when opening the listener). The critical flag (the optional
'!' if not used ignores the result of the chmod() operation.
LDAP/UDP messages. Slapd marks received CLDAP messages as LDAP_VERSION2.
The client library can generate CLDAP queries if -Protocol 2 is chosen,
otherwise not. LDAPv2 CLDAP cannot query the slapd rootDSE, gets no reply.
Compile with -DLDAP_CONNECTIONLESS to use this code.
For slapd, use "-h cldap://" to listen on UDP.
For ldapsearch, use "-H cldap://" to query on UDP.
Client-side support is very minimal:
no automatic timeout/retries
no basedn wildcard expansion on results
no support for specifying multiple servers at once.
