Bug#892730: nslcd: Please add systemd .service file
Trent W. Buck
trentbuck at gmail.com
Wed Oct 20 19:34:15 BST 2021
Michael Biebl wrote:
> Am 12.03.2018 um 11:26 schrieb Laurent Bigonville:
> > Package: nslcd
> > Version: 0.9.9-1
> > Severity: normal
> > User: pkg-systemd-maintainers at lists.alioth.debian.org
> > Usertags: systemd-units
> >
> > Hi,
> >
> > nslcd currently doesn't provide a systemd .service file.
> >
> > This is a problem as nslcd should order itself with the
> > nss-lookup.target and/or nss-user-lookup.target (see systemd.special(7)
> > manpage).
>
> Well, the SysV init has
>
> # Should-Start: $named
>
> So the generated .service file should already have an
> After=nss-lookup.target ordering. Are you saying this is incorrect?
> If so, is the SysV init script incorrect as well?
I think the current behaviour is wrong.
systemd's sysvinit generator treats any reference to $named as "I depend on named", but
in this case you're trying to say "I am named".
i.e. it should be Before=nss-lookup.target not After=nss-lookup.target.
In any case, I think either is DEFINITELY WRONG for the common case of RFC2307
users and groups, i.e. "passwd: files ldap" &c. In that case it should be nss-user-lookup.target.
Attached is my first rough draft for a native systemd nslcd.service.
I haven't done much testing yet; this ticket isn't a priority for me.
I tested on Debian 11 (pam-nss-ldapd=0.9.11-1).
-------------- next part --------------
# FIXME: can/should nslcd be socket-activated?
# In the typical use case of "passwd: files ldap", this
# allows nslcd to avoid starting until the first remote user login (or similar).
# I don't see an option like "nslcd --inetd" which would implement this.
#
# FIXME: /etc/init.d/nslcd has kerberos integration which I'm not even TRYING to reproduce here.
# Something like this as "nslcd-k5start.service"...
#
# [Unit]
# Description="Keep alive Kerberos ticket"
# PartOf=nslcd.service
# Environment=K5START_BIN=/usr/bin/k5start
# Environment=K5START_PIDFILE=$NSLCD_STATEDIR/k5start_nslcd.pid
# Environment=K5START_MODE=600
# Environment=K5START_KEYTAB=/etc/krb5.keytab
# Environment=K5START_CCREFRESH=60
# Environment=K5START_PRINCIPAL="host/$(hostname -f)"
# Environment=K5START_CCFILE=$(sed -n 's/^krb5_ccname[[:space:]]*\(FILE:\)\?\([^:[:space:]]*\)[[:space:]]*$/\2/ip' $NSLCD_CFG)
# EnvironmentFile=-/etc/default/nslcd
# ConditionEnvironment=K5START_START=yes
# [Install]
# WantedBy=nslcd.service
# [Service]
# User=nslcd
# ExecStart=$K5START_BIN -b -p $K5START_PIDFILE -o $K5START_USER -g $K5START_GROUP -m $K5START_MODE -f $K5START_KEYTAB -K $K5START_CCREFRESH -u $K5START_PRINCIPAL -k $K5START_CCFILE
[Unit]
Description=LDAP connection daemon
# FIXME: I'm really not sure if this is the right place to inject a low-level daemon.
# Need to compare with other stuff like systemd-resolved.service...
[Install]
WantedBy=multi-user.target
# Needed unless your nslcd.conf has a local LDAP server, e.g.
# uri ldapi:///
# uri ldap://localhost
[Unit]
Wants=network-online.target
# Needed if your nsswitch.conf has "ldap" in any of
# passwd group shadow gshadow
# FIXME: is "Wants" right here???
# cf. systemd-user-sessions.service
[Unit]
Before=nss-user-lookup.target
Wants=nss-user-lookup.target
# Needed if your nsswitch.conf has "ldap" in any of
# hosts networks protocols service ethers rpc
# FIXME: is "Wants" right here???
# cf. systemd-resolved.service
[Unit]
Before=nss-lookup.target
Wants=nss-lookup.target
[Service]
Type=forking
ExecStart=
ExecStart=nslcd
# This replaces "uid nslcd" and "gid nslcd" in /etc/nslcd.conf.
# The "Group=nslcd" is implied as that is nslcd user's default group.
# NOTE: because of this, /etc/nslcd.conf must be readable by user/group nslcd.
# In Debian 11 sysvinit script "root:root 0400 nslcd.conf" works because priv drop happens later.
User=nslcd
# This also has to move into the systemd unit due to early priv drop:
OomScoreAdjust=-1000
# SIGUSR1: Cause nslcd to retry any failing connections to the LDAP server, regardless of the reconnect_sleeptime and reconnect_retrytime options.
# I'm 80% sure this is a confusing and bad idea, since it doesn't reread nslcd.conf.
ExecReload=kill -USR1 $MAINPID
# nslcd listens to /run/nslcd/socket and creates /run/nslcd/nslcd.pid.
# We can tell systemd about this.
RuntimeDirectory=nslcd
WorkingDirectory=/run/nslcd
# Additional security lockdown (optional).
# $ systemd-analyze security nslcd:
# → Overall exposure level for nslcd.service: 1.2 OK
[Service]
CapabilityBoundingSet=
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
DevicePolicy=closed
NoNewPrivileges=yes
PrivateDevices=yes
PrivateTmp=yes
PrivateUsers=yes
ProtectClock=yes
ProtectControlGroups=yes
ProtectHome=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectProc=invisible
ProtectSystem=strict
RestrictSUIDSGID=yes
SystemCallArchitectures=native
SystemCallFilter=@system-service
# We can't drop @privileged because we fail with:
# nslcd: wait_for_response(): read_response() returned 0 (expected 4)
# nslcd: unable to daemonize: No data available
#SystemCallFilter=~@privileged
SystemCallFilter=~@resources
RestrictNamespaces=yes
RestrictRealtime=yes
LockPersonality=yes
MemoryDenyWriteExecute=yes
RemoveIPC=yes
UMask=0077
ProtectHostname=yes
ProcSubset=pid
-------------- next part --------------
# /run/systemd/generator.late/nslcd.service
# Automatically generated by systemd-sysv-generator
[Unit]
Documentation=man:systemd-sysv-generator(8)
SourcePath=/etc/init.d/nslcd
Description=LSB: LDAP connection daemon
Before=multi-user.target
Before=multi-user.target
Before=multi-user.target
Before=graphical.target
Before=mail-transport-agent.target
Before=x-display-manager.target
Before=am-utils.service
Before=apache2.service
Before=atd.service
Before=autofs.service
Before=citadel.service
Before=courier-ldap.service
Before=courier-mta.service
Before=courier-mta-ssl.service
Before=courier-pop.service
Before=courier-pop-ssl.service
Before=cron.service
Before=cyrus-imapd.service
Before=dovecot.service
Before=exim4.service
Before=gdm3.service
Before=kdm.service
Before=kolab-cyrus-common.service
Before=mail-transport-agent.service
Before=masqmail.service
Before=nullmailer.service
Before=sendmail.service
Before=slim.service
Before=wdm.service
Before=xdm.service
After=remote-fs.target
After=time-sync.target
After=nss-lookup.target
After=network-online.target
After=slapd.service
After=krb5-kdc.service
After=heimdal-kdc.service
After=heimdal-kcm.service
After=shishi-kdc.service
Wants=network-online.target
[Service]
Type=forking
Restart=no
TimeoutSec=5min
IgnoreSIGPIPE=no
KillMode=process
GuessMainPID=no
RemainAfterExit=yes
SuccessExitStatus=5 6
ExecStart=/etc/init.d/nslcd start
ExecStop=/etc/init.d/nslcd stop
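As an added example (not part of this bug report, the generated unit above, or the nss-pam-ldapd package): a POSIX shell check that derives from an nsswitch.conf which nss target(s) an nslcd unit must be ordered Before= (nss-user-lookup.target for passwd/group/shadow, nss-lookup.target for hosts and friends) and then reports whether a given unit text declares that ordering. The nsswitch.conf and unit texts are constructed samples; the unit sample mirrors the generator's After=nss-lookup.target and therefore fails the check.

```shell
#!/bin/sh
# Constructed sample inputs (not copied from any real host).
NSSWITCH_SAMPLE='passwd:         files ldap
group:          files ldap
shadow:         files ldap
hosts:          files dns
networks:       files'

UNIT_SAMPLE='[Unit]
Description=LDAP connection daemon
After=nss-lookup.target
[Service]
ExecStart=nslcd'

# Read nsswitch.conf text on stdin; print the nss-*.target(s) an nslcd unit
# must be ordered Before=, based on which databases list "ldap".
required_targets() {
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }
        {
            db = $1; sub(/:$/, "", db)
            uses_ldap = 0
            for (i = 2; i <= NF; i++) if ($i == "ldap") uses_ldap = 1
            if (!uses_ldap) next
            if (db ~ /^(passwd|group|shadow|gshadow)$/) user = 1
            else if (db ~ /^(hosts|networks|protocols|services|ethers|rpc)$/) lookup = 1
        }
        END {
            if (user) print "nss-user-lookup.target"
            if (lookup) print "nss-lookup.target"
        }'
}

# Read unit text on stdin; exit 0 if some Before= line lists the given target
# (Before= may repeat and may hold a space-separated list).
unit_orders_before() {
    awk -v t="$1" '
        /^[[:space:]]*Before=/ {
            sub(/^[[:space:]]*Before=/, "")
            n = split($0, parts, /[[:space:]]+/)
            for (i = 1; i <= n; i++) if (parts[i] == t) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# check_ordering NSSWITCH_TEXT UNIT_TEXT: report each required target the
# unit is not ordered Before=; return 1 if any is missing.
check_ordering() {
    rc=0
    for t in $(printf '%s\n' "$1" | required_targets); do
        if printf '%s\n' "$2" | unit_orders_before "$t"; then
            echo "ok: Before=$t"
        else
            echo "MISSING: Before=$t"; rc=1
        fi
    done
    return $rc
}
```

Run `check_ordering "$(cat /etc/nsswitch.conf)" "$(systemctl cat nslcd)"` on a host to test the installed unit instead of the samples.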