Bug 790687 - openldap should be using portreserve
Summary: openldap should be using portreserve
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: openldap
Version: 6.2
Hardware: Unspecified
OS: Unspecified
high
medium
Target Milestone: rc
: ---
Assignee: Jan Vcelak
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks: 103401 913509
 
Reported: 2012-02-15 08:05 UTC by Karel Srot
Modified: 2018-11-27 20:26 UTC (History)

Fixed In Version: openldap-2.4.23-21.el6
Doc Type: Bug Fix
Doc Text:
- OpenLDAP server enabled on the ldaps port (636)
- slapd might not manage to bind to the ldaps port, because this port can already be taken by another process using the bindresvport() glibc call
- added a configuration file for the portreserve service to reserve the ldaps port, updated the slapd initscript to remove the reservation before starting the slapd service
- the ldaps port is available to the slapd service and cannot be taken by the bindresvport() glibc call
Clone Of:
: 802240 913509 (view as bug list)
Environment:
Last Closed: 2012-06-20 07:29:24 UTC
Target Upstream Version:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 848414 0 unspecified CLOSED portreserve breaks RHDS 2021-02-22 00:41:40 UTC
Red Hat Product Errata RHSA-2012:0899 0 normal SHIPPED_LIVE Low: openldap security and bug fix update 2012-06-19 19:28:37 UTC

Internal Links: 848414

Description Karel Srot 2012-02-15 08:05:21 UTC
To avoid port conflicts with services such as CUPS or IMAP, openldap
should be using portreserve for reserving the respective ports
within the range 600 - 1023. According to /etc/services openldap
might be using port(s) within this range.


Typical changes required:

Given a SysV service package that uses a particular port, (say, krb5_prop/tcp -
754):

1) Create a file named after the service, for example 'krb5_prop', which
contains:

krb5_prop/tcp

2) In the spec, install this file in /etc/portreserve, i.e.,
/etc/portreserve/krb5_prop

3) In the spec, add 'Requires: portreserve' to the package that provides the
server.

4) In the init script, in the start() stanza, add:

    [ -x /sbin/portrelease ] && /sbin/portrelease krb5_prop &>/dev/null || :

before starting the daemon.


Some background can be found in bug 103401.
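The four steps above, carried through for slapd as an added example (this is not the openldap package's own spec or init script). The reservation file is named `slapd` here and the services table is a constructed excerpt of /etc/services embedded in the script; both are assumptions. Paths are parameterised so the script runs in a scratch directory instead of /etc/portreserve, and the daemon launch is passed in as an argument in place of the real `daemon slapd ...` line.

```shell
#!/bin/sh
# Added example: portreserve integration for slapd (hypothetical, not the
# package's own code). ROOT defaults to a scratch directory so nothing under
# /etc is touched; set ROOT=/ to produce the real layout.
: "${ROOT:=$(mktemp -d)}"
PORTRESERVE_DIR="$ROOT/etc/portreserve"
PORTRELEASE="${PORTRELEASE:-/sbin/portrelease}"

# Constructed excerpt of /etc/services (assumption: embedded rather than read
# from the live system so the script runs anywhere).
SERVICES='ldap 389/tcp
ldap 389/udp
ldaps 636/tcp
ldaps 636/udp
krb5_prop 754/tcp'

# List the service/proto entries whose port lies in the range that glibc's
# bindresvport() hands out (600-1023); only those need a reservation.
needs_reservation() {
    printf '%s\n' "$SERVICES" | awk '{
        split($2, a, "/"); port = a[1] + 0
        if (port >= 600 && port <= 1023) print $1 "/" a[2]
    }' | sort -u
}

# Steps 1 and 2: write /etc/portreserve/slapd with one service/proto per line.
# portreserve resolves the names through /etc/services, so ldaps -> 636.
# (Step 3 is the spec change: 'Requires: portreserve' on the server package.)
write_reservation() {
    mkdir -p "$PORTRESERVE_DIR"
    needs_reservation | grep '^ldaps/' > "$PORTRESERVE_DIR/slapd"
}

# Step 4: the start() stanza releases the reservation immediately before the
# daemon binds. A missing portrelease must not abort startup, hence the '|| :'.
# "$@" stands in for the init script's 'daemon ... slapd' line.
start() {
    [ -x "$PORTRELEASE" ] && "$PORTRELEASE" slapd >/dev/null 2>&1 || :
    "$@"
}
```

Because portreserve holds 636 from early boot until portrelease is called, a daemon that starts earlier and asks bindresvport() for an arbitrary reserved port is handed some other port, and slapd finds 636 free when its init script runs.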

Comment 5 Ondrej Moriš 2012-02-21 12:25:10 UTC
What ports are we talking about? Ports to which the openldap server connects to answer client queries?

Comment 6 Jan Vcelak 2012-02-21 13:29:09 UTC
(In reply to comment #5)
> What ports are we talking about? Ports to which the openldap server connects to
> answer client queries?

About the server ports clients connect to. In this case 389/tcp+udp and 636/tcp+udp. And 636 is within the range.

Comment 10 Jan Vcelak 2012-03-01 15:53:12 UTC
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
- OpenLDAP server enabled on the ldaps port (636)
- slapd might not manage to bind to the ldaps port, because this port can already be taken by another process using the bindresvport() glibc call
- added a configuration file for the portreserve service to reserve the ldaps port, updated the slapd initscript to remove the reservation before starting the slapd service
- the ldaps port is available to the slapd service and cannot be taken by the bindresvport() glibc call

Comment 12 Karel Srot 2012-03-12 08:04:27 UTC
Hi Kevin,
I have cloned the bug for RHEL5.9 as Bug 802240

Comment 14 errata-xmlrpc 2012-06-20 07:29:24 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2012-0899.html

