Michael Biebl wrote:
> On 12.03.2018 at 11:26, Laurent Bigonville wrote:
> > Package: nslcd
> > Version: 0.9.9-1
> > Severity: normal
> > User: [email protected]
> > Usertags: systemd-units
> >
> > Hi,
> >
> > nslcd currently doesn't provide a systemd .service file.
> >
> > This is a problem as nslcd should order itself with the
> > nss-lookup.target and/or nss-user-lookup.target (see systemd.special(7)
> > manpage).
>
> Well, the SysV init has
>
> # Should-Start: $named
>
> So the generated .service file should already have an
> After=nss-lookup.target ordering. Are you saying this is incorrect?
> If so, is the SysV init script incorrect as well?
I think the current behaviour is wrong. systemd's sysvinit generator treats any reference to $named as "I depend on named", but in this case you're trying to say "I am named". i.e. it should be Before=nss-lookup.target not After=nss-lookup.target.

In any case, I think either is DEFINITELY WRONG for the common case of RFC2307 users and groups, i.e. "passwd: files ldap" &c. In that case it should be nss-user-lookup.target.

Attached is my first rough draft for a native systemd nslcd.service. I haven't done much testing yet; this ticket isn't a priority for me. I tested on Debian 11 (pam-nss-ldapd=0.9.11-1).
# FIXME: can/should nslcd be socket-activated?
# In the typical use case of "passwd: files ldap", this
# allows nslcd to avoid starting until the first remote user login (or similar).
# I don't see an option like "nslcd --inetd" which would implement this.
#
# FIXME: /etc/init.d/nslcd has kerberos integration which I'm not even TRYING to reproduce here.
# Something like this as "nslcd-k5start.service"...
#
# [Unit]
# Description="Keep alive Kerberos ticket"
# PartOf=nslcd.service
# Environment=K5START_BIN=/usr/bin/k5start
# Environment=K5START_PIDFILE=$NSLCD_STATEDIR/k5start_nslcd.pid
# Environment=K5START_MODE=600
# Environment=K5START_KEYTAB=/etc/krb5.keytab
# Environment=K5START_CCREFRESH=60
# Environment=K5START_PRINCIPAL="host/$(hostname -f)"
# Environment=K5START_CCFILE=$(sed -n 's/^krb5_ccname[[:space:]]*\(FILE:\)\?\([^:[:space:]]*\)[[:space:]]*$/\2/ip' $NSLCD_CFG)
# EnvironmentFile=-/etc/default/nslcd
# ConditionEnvironment=K5START_START=yes
# [Install]
# WantedBy=nslcd.service
# [Service]
# User=nslcd
# ExecStart=$K5START_BIN -b -p $K5START_PIDFILE -o $K5START_USER -g $K5START_GROUP -m $K5START_MODE -f $K5START_KEYTAB -K $K5START_CCREFRESH -u $K5START_PRINCIPAL -k $K5START_CCFILE

[Unit]
Description=LDAP connection daemon

# FIXME: I'm really not sure if this is the right place to inject a low-level daemon.
# Need to compare with other stuff like systemd-resolved.service...
[Install]
WantedBy=multi-user.target

# Needed unless your nslcd.conf has a local LDAP server, e.g.
# uri ldapi:///
# uri ldap://localhost
[Unit]
Wants=network-online.target

# Needed if your nsswitch.conf has "ldap" in any of
# passwd group shadow gshadow
# FIXME: is "Wants" right here???
# cf. systemd-user-sessions.service
[Unit]
Before=nss-user-lookup.target
Wants=nss-user-lookup.target

# Needed if your nsswitch.conf has "ldap" in any of
# hosts networks protocols services ethers rpc
# FIXME: is "Wants" right here???
# cf. systemd-resolved.service
[Unit]
Before=nss-lookup.target
Wants=nss-lookup.target

[Service]
Type=forking
ExecStart=
ExecStart=nslcd
# This replaces "uid nslcd" and "gid nslcd" in /etc/nslcd.conf.
# The "Group=nslcd" is implied as that is nslcd user's default group.
# NOTE: because of this, /etc/nslcd.conf must be readable by user/group nslcd.
# In Debian 11 sysvinit script "root:root 0400 nslcd.conf" works because priv drop happens later.
User=nslcd
# This also has to move into the systemd unit due to early priv drop:
OomScoreAdjust=-1000
# SIGUSR1: Cause nslcd to retry any failing connections to the LDAP server, regardless of the reconnect_sleeptime and reconnect_retrytime options.
# I'm 80% sure this is a confusing and bad idea, since it doesn't reread nslcd.conf.
ExecReload=kill -USR1 $MAINPID
# nslcd listens to /run/nslcd/socket and creates /run/nslcd/nslcd.pid.
# We can tell systemd about this.
RuntimeDirectory=nslcd
WorkingDirectory=/run/nslcd

# Additional security lockdown (optional).
# $ systemd-analyze security nslcd:
# → Overall exposure level for nslcd.service: 1.2 OK 🙂
[Service]
CapabilityBoundingSet=
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
DevicePolicy=closed
NoNewPrivileges=yes
PrivateDevices=yes
PrivateTmp=yes
PrivateUsers=yes
ProtectClock=yes
ProtectControlGroups=yes
ProtectHome=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectProc=invisible
ProtectSystem=strict
RestrictSUIDSGID=yes
SystemCallArchitectures=native
SystemCallFilter=@system-service
# We can't drop @privileged because we fail with:
# nslcd: wait_for_response(): read_response() returned 0 (expected 4)
# nslcd: unable to daemonize: No data available
#SystemCallFilter=~@privileged
SystemCallFilter=~@resources
RestrictNamespaces=yes
RestrictRealtime=yes
LockPersonality=yes
MemoryDenyWriteExecute=yes
RemoveIPC=yes
UMask=0077
ProtectHostname=yes
ProcSubset=pid
# /run/systemd/generator.late/nslcd.service
# Automatically generated by systemd-sysv-generator

[Unit]
Documentation=man:systemd-sysv-generator(8)
SourcePath=/etc/init.d/nslcd
Description=LSB: LDAP connection daemon
Before=multi-user.target
Before=multi-user.target
Before=multi-user.target
Before=graphical.target
Before=mail-transport-agent.target
Before=x-display-manager.target
Before=am-utils.service
Before=apache2.service
Before=atd.service
Before=autofs.service
Before=citadel.service
Before=courier-ldap.service
Before=courier-mta.service
Before=courier-mta-ssl.service
Before=courier-pop.service
Before=courier-pop-ssl.service
Before=cron.service
Before=cyrus-imapd.service
Before=dovecot.service
Before=exim4.service
Before=gdm3.service
Before=kdm.service
Before=kolab-cyrus-common.service
Before=mail-transport-agent.service
Before=masqmail.service
Before=nullmailer.service
Before=sendmail.service
Before=slim.service
Before=wdm.service
Before=xdm.service
After=remote-fs.target
After=time-sync.target
After=nss-lookup.target
After=network-online.target
After=slapd.service
After=krb5-kdc.service
After=heimdal-kdc.service
After=heimdal-kcm.service
After=shishi-kdc.service
Wants=network-online.target

[Service]
Type=forking
Restart=no
TimeoutSec=5min
IgnoreSIGPIPE=no
KillMode=process
GuessMainPID=no
RemainAfterExit=yes
SuccessExitStatus=5 6
ExecStart=/etc/init.d/nslcd start
ExecStop=/etc/init.d/nslcd stop
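As an added example (not from the bug report, the draft unit, or the nslcd package), a small POSIX shell script that reads an nsswitch.conf and derives which of the two NSS targets an nslcd unit must order itself Before=, following the database-to-target mapping in the draft's comments; the function names and the sample configs it writes are my own constructions.

```shell
#!/bin/sh
# Added example (not part of the bug report or the nslcd package): derive the
# systemd NSS targets an nslcd unit must order itself Before= from an
# nsswitch.conf, using the database-to-target mapping from the draft unit.
#   passwd group shadow gshadow                  -> nss-user-lookup.target
#   hosts networks protocols services ethers rpc -> nss-lookup.target

# Print the required targets, one per line. Arg 1: path to an nsswitch.conf.
nss_targets_needed() {
    awk '
    BEGIN {
        n = split("passwd group shadow gshadow", u)
        for (i = 1; i <= n; i++) user[u[i]] = 1
        n = split("hosts networks protocols services ethers rpc", l)
        for (i = 1; i <= n; i++) lookup[l[i]] = 1
    }
    { sub(/#.*/, "") }             # strip comments first, so "# ldap" does not count
    /^[[:space:]]*$/ { next }      # skip blank lines
    {
        c = index($0, ":"); if (c == 0) next
        db = substr($0, 1, c - 1); gsub(/[[:space:]]/, "", db)
        m = split(substr($0, c + 1), src, "[[:space:]]+")
        for (i = 1; i <= m; i++) if (src[i] == "ldap") {
            if (db in user)   need_user = 1
            if (db in lookup) need_lookup = 1
        }
    }
    END {
        if (need_user)   print "nss-user-lookup.target"
        if (need_lookup) print "nss-lookup.target"
    }' "$1"
}

# Render the [Unit] stanza the draft uses (Before= plus Wants=) for each target.
nss_ordering_stanza() {
    targets=$(nss_targets_needed "$1")
    [ -n "$targets" ] || { echo "# no ldap source in $1: no NSS ordering needed"; return; }
    echo "[Unit]"
    for t in $targets; do echo "Before=$t"; echo "Wants=$t"; done
}

# Write a constructed sample nsswitch.conf (not from any real host) to a temp
# file and print its path. Arg 1: "hosts" also puts ldap in the hosts database.
write_sample_nsswitch() {
    f=$(mktemp)
    [ "$1" = hosts ] && hosts_line='hosts:   files ldap dns' || hosts_line='hosts:   files dns'
    printf '%s\n' '# constructed sample' 'passwd:  files ldap' 'group:   files ldap' \
        'shadow:  files ldap' 'gshadow: files' "$hosts_line" 'networks: files' >"$f"
    echo "$f"
}
```

Run `nss_ordering_stanza /etc/nsswitch.conf` on a host to see which of the two orderings from the draft that host actually needs.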

