Arch Linux


FS#32779 - [openldap] systemd unit should default to all net interfaces

Attached to Project: Arch Linux
Opened by: Mantas Mikulėnas (grawity) - Wednesday, 21 November 2012, 08:24 GMT
Last edited by: Eric Belanger (Snowman) - Friday, 23 November 2012, 13:15 GMT
Task Type: Bug Report
Category: Packages: Testing
Status: Closed
Assigned To: Eric Belanger (Snowman)
Architecture: All
Severity: Low
Priority: Normal
Reported Version:
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 100%
Votes: 0
Private: No

Details

...just like all other Internet servers do.

openldap 2.4.33-2 [testing] changed the systemd unit file to listen on 127.0.0.1 by default. This doesn't make any sense for a service that is almost always published to the LAN, if not to the entire Internet. (Besides, openldap already disallows anonymous access if the admin forgets to configure ACLs in slapd-access.)

It also confuses people who expect ldap://localhost/ to work when it resolves to [::1] instead of [127.0.0.1].

IMHO, the entire
-h "ldap://127.0.0.1:389/"
part should be removed from ExecStart, to use the default ldap:/// URI.

Or, if the unit needs an example, it should be replaced with
-h "ldap:/// ldapi:///";
which not only works better, but also makes it clear for admins that all URIs should be a single argument.
Closed by Eric Belanger (Snowman)
Friday, 23 November 2012, 13:15 GMT
Reason for closing: Fixed
Additional comments about closing: openldap-2.4.33-3
I did the easy solution and just removed the:
-h "ldap://127.0.0.1:389/"
Comment by Mantas Mikulėnas (grawity) - Wednesday, 21 November 2012, 08:25 GMT
[typo: the ";" in the second example shouldn't be there...]
Comment by Eric Belanger (Snowman) - Wednesday, 21 November 2012, 14:56 GMT
Allan: I believe you use openldap. What do you think about this?
Comment by Eric Belanger (Snowman) - Wednesday, 21 November 2012, 14:58 GMT
FTR, adding the URI in the unit file was suggested here: FS#32719
Comment by Eric Belanger (Snowman) - Wednesday, 21 November 2012, 15:02 GMT
How about:
-h "ldap://127.0.0.1:389/ ldaps:/// ldapi:///";

Would that be OK? That's the full example in the /etc/conf.d/slapd file used by the initscripts daemon.
Comment by Mantas Mikulėnas (grawity) - Wednesday, 21 November 2012, 15:15 GMT
No, it would still be inconsistent, by making slapd listen on all interfaces for LDAPS, but only on IPv4 loopback for LDAP¹... Plus ldaps:/// doesn't work until the admin installs an SSL certificate.

¹ (Preemptive response regarding security: LDAPS is considered deprecated and LDAP+STARTTLS is the new & shiny thing [as #openldap just informed me again], so even after installing a server certificate, it /still/ makes sense to expose both ldap:// and ldaps:// to the same interfaces, instead of restricting the former to loopback.)
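An added audit check, written for this page and not taken from the openldap package or from anyone in this thread: it parses a unit's ExecStart line, reports what each listener URI in the -h argument exposes, and flags the two mistakes discussed above (URIs that were not quoted into a single -h argument, and a loopback-only ldap:// beside an all-interface ldaps://). The ExecStart strings are constructed for the example and only modelled on the variants quoted in this task.

```python
import shlex
from urllib.parse import urlsplit

# Constructed ExecStart lines modelled on the variants discussed in this task
# (assumed layout; not copied from the Arch openldap unit file).
EXECSTART_LOOPBACK = '/usr/bin/slapd -u ldap -g ldap -h "ldap://127.0.0.1:389/"'
EXECSTART_MIXED = '/usr/bin/slapd -u ldap -g ldap -h "ldap://127.0.0.1:389/ ldaps:/// ldapi:///"'
EXECSTART_UNQUOTED = '/usr/bin/slapd -u ldap -g ldap -h ldap:/// ldapi:///'

LOOPBACK_HOSTS = {"127.0.0.1", "::1", "localhost"}


def uri_scope(uri):
    """Classify one slapd listener URI: 'local' (unix socket), 'loopback',
    'all' (no host given, i.e. every interface) or 'host' (a specific address)."""
    parts = urlsplit(uri)
    if parts.scheme == "ldapi":
        return "local"
    host = parts.hostname  # None for "ldap:///"
    if host is None or host in ("0.0.0.0", "::"):
        return "all"
    return "loopback" if host in LOOPBACK_HOSTS else "host"


def audit_execstart(line):
    """Return (listeners, findings) for an ExecStart line.

    listeners: list of (uri, scope) slapd will actually bind;
    findings: human-readable problems with the -h argument.
    """
    argv = shlex.split(line)
    if "-h" not in argv:
        return [("ldap:///", "all")], []  # slapd's built-in default URI
    i = argv.index("-h")
    uris = argv[i + 1].split()  # one argument, space-separated URIs inside it
    findings = []
    # A URI that follows the -h value as a separate argument was not quoted
    # into it, so slapd never treats it as a listener.
    stray = [a for a in argv[i + 2:] if "://" in a]
    if stray:
        findings.append("URIs outside the -h argument are ignored: " + " ".join(stray))
    listeners = [(u, uri_scope(u)) for u in uris]
    net_scopes = {s for _, s in listeners if s != "local"}
    if len(net_scopes) > 1:
        findings.append("inconsistent exposure across network listeners: "
                        + ", ".join(sorted(net_scopes)))
    return listeners, findings
```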
Comment by Allan McRae (Allan) - Wednesday, 21 November 2012, 20:45 GMT
I don't use this (I signoff based on very little...)