Please read this before reporting a bug:
https://wiki.archlinux.org/title/Bug_reporting_guidelines
Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.
REPEAT: Do NOT report bugs for outdated packages!
FS#32779 - [openldap] systemd unit should default to all net interfaces
Attached to Project:
Arch Linux
Opened by Mantas Mikulėnas (grawity) - Wednesday, 21 November 2012, 08:24 GMT
Last edited by Eric Belanger (Snowman) - Friday, 23 November 2012, 13:15 GMT
Details
...just like all other Internet servers do.

openldap 2.4.33-2 [testing] changed the systemd unit file to listen on 127.0.0.1 by default. This doesn't make any sense for a service that is almost always published to the LAN, if not to the entire Internet. (Besides, openldap already disallows anonymous access if the admin forgets to configure ACLs in slapd-access.)

It also confuses people who expect ldap://localhost/ to work when it resolves to [::1] instead of [127.0.0.1].

IMHO, the entire -h "ldap://127.0.0.1:389/" part should be removed from ExecStart, to use the default ldap:/// URI. Or, if the unit needs an example, it should be replaced with -h "ldap:/// ldapi:///" which not only works better, but also makes it clear for admins that all URIs should be a single argument.
Closed by Eric Belanger (Snowman)
Friday, 23 November 2012, 13:15 GMT
Reason for closing: Fixed
Additional comments about closing: openldap-2.4.33-3
I did the easy solution and just removed the:
-h "ldap://127.0.0.1:389/"
FS#32719-h "ldap://127.0.0.1:389/ ldaps:/// ldapi:///"
Would that be OK? That's the full example in the /etc/conf.d/slapd file used by the initscripts daemon.
¹ (Preemptive response regarding security: LDAPS is considered deprecated and LDAP+STARTTLS is the new & shiny thing [as #openldap just informed me again], so even after installing a server certificate, it /still/ makes sense to expose both ldap:// and ldaps:// to the same interfaces, instead of restricting the former to loopback.)
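
Added example (not part of the tracker thread or of the openldap package): a small Python check that parses a slapd ExecStart line and flags the two problems raised in the report, a listener bound only to the IPv4 loopback address and listener URIs that are not passed as one -h argument. The binary path, the -u/-g values, the sample lines and the finding names are assumptions made for illustration.

```python
import ipaddress
import shlex
from urllib.parse import urlsplit

def scope(uri):
    """Classify one slapd listener URI by where it can be reached from."""
    parts = urlsplit(uri)
    if parts.scheme == "ldapi":
        return "unix-socket"
    if not parts.hostname:
        return "all-interfaces"          # ldap:/// or ldaps:///
    try:
        addr = ipaddress.ip_address(parts.hostname)
    except ValueError:
        return "hostname"                # a name, resolved when slapd starts
    if addr.is_loopback:
        return "loopback-v%d" % addr.version
    return "specific-address"

def audit(exec_start):
    """Return (listeners, findings) for one slapd ExecStart command line."""
    args = shlex.split(exec_start)
    h_values, stray = [], []
    for prev, arg in zip(args, args[1:]):
        if prev == "-h":
            h_values.append(arg)
        elif arg.startswith(("ldap://", "ldaps://", "ldapi://")):
            stray.append(arg)            # a URI that is not the value of -h
    # With no -h at all, the default named in the report is ldap:///
    uris = " ".join(h_values).split() or ["ldap:///"]
    listeners = {u: scope(u) for u in uris}
    findings = []
    if len(h_values) > 1 or stray:
        findings.append("split-uris")    # all URIs belong in ONE -h argument
    net = {s for s in listeners.values() if s != "unix-socket"}
    if net and all(s.startswith("loopback") for s in net):
        findings.append("loopback-only")
    if "loopback-v4" in net and not net & {"loopback-v6", "all-interfaces"}:
        findings.append("no-ipv6-loopback")  # localhost may resolve to [::1]
    return listeners, findings

# Constructed ExecStart lines; path and -u/-g values are assumptions.
SAMPLES = [
    '/usr/bin/slapd -u ldap -g ldap -h "ldap://127.0.0.1:389/"',
    '/usr/bin/slapd -u ldap -g ldap',
    '/usr/bin/slapd -u ldap -g ldap -h "ldap:/// ldapi:///"',
    '/usr/bin/slapd -u ldap -g ldap -h ldap:/// ldapi:///',
]
if __name__ == "__main__":
    for line in SAMPLES:
        print(line, "->", audit(line))
```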