Bug 802240 - openldap should be using portreserve
Status: CLOSED CANTFIX
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: openldap
Version: 5.0
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: medium
Target Milestone: rc
Target Release: ---
Assigned To: Jan Vcelak
QA Contact: BaseOS QE Security Team
Blocks: 103401
Reported: 2012-03-12 04:02 EDT by Karel Srot
Modified: 2012-03-14 05:16 EDT (History)

Doc Type: Bug Fix
Clone Of: 790687
Last Closed: 2012-03-14 05:16:40 EDT


Description Karel Srot 2012-03-12 04:02:50 EDT
Cloning for RHEL5.9 since a customer is hitting this bug on RHEL5.

+++ This bug was initially created as a clone of Bug #790687 +++

To avoid port conflicts with services such as CUPS or IMAP, openldap
should be using portreserve for reserving respective ports
within range 600 - 1023. According to /etc/services openldap
might be using port(s) within this range.


Typical changes required:

Given a SysV service package that uses a particular port (say, krb5_prop/tcp - 754):

1) Create a file named after the service, for example 'krb5_prop', which
contains:

krb5_prop/tcp

2) In the spec, install this file in /etc/portreserve, i.e.,
/etc/portreserve/krb5_prop

3) In the spec, add 'Requires: portreserve' to the package that provides the
server.

4) In the init script, in the start() stanza, add:

    [ -x /sbin/portrelease ] && /sbin/portrelease krb5_prop &>/dev/null || :

before starting the daemon.
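The four steps above, as an added shell example that is not the openldap package's own spec or init script. Step 3 (Requires: portreserve) lives in the spec file and has no shell equivalent, so it is only noted in a comment; the service name, the PORTRESERVE_DIR and PORTRELEASE variables and the demo guard are assumptions made so the functions can run on a machine without portreserve installed.

```shell
#!/bin/sh
# Added example, not the openldap package's real spec or init script.
# PORTRESERVE_DIR and PORTRELEASE default to the paths the bug names but can be
# overridden so the functions below run on a box without portreserve (assumption).
# Step 3 of the procedure, "Requires: portreserve" in the spec, is not shell and
# is omitted here.

PORTRESERVE_DIR="${PORTRESERVE_DIR:-/etc/portreserve}"
PORTRELEASE="${PORTRELEASE:-/sbin/portrelease}"

# Steps 1 and 2: one "name/proto" line per port, names as in /etc/services.
# portreserve holds these ports from boot until the owning service calls
# portrelease, so CUPS, IMAP and friends cannot bind them first.
portreserve_entry() {
    svc=$1; shift
    for proto in "$@"; do
        printf '%s/%s\n' "$svc" "$proto"
    done
}

# Writes $PORTRESERVE_DIR/<svc> (the spec installs the file there) and prints the path.
write_portreserve_file() {
    svc=$1; shift
    file="$PORTRESERVE_DIR/$svc"
    portreserve_entry "$svc" "$@" > "$file"
    echo "$file"
}

# Step 4: the init-script idiom. The -x test and the trailing "|| :" keep the
# function at exit status 0 when portreserve is not installed, which is exactly
# the situation comment 1 runs into on RHEL5. The page's "&>/dev/null" is a
# bash-ism; ">/dev/null 2>&1" is the POSIX spelling of the same redirection.
release_reserved_port() {
    [ -x "$PORTRELEASE" ] && "$PORTRELEASE" "$1" >/dev/null 2>&1 || :
}

# start() stanza: release the reservation, then launch the daemon given as the
# remaining arguments (a real script would run e.g. "daemon /usr/sbin/slapd ...").
# The exit status is the daemon launch's, not portrelease's.
start() {
    svc=$1; shift
    release_reserved_port "$svc"
    "$@"
}

# Demo for openldap: ldaps on 636/tcp and 636/udp, the in-range ports the cloned
# comment lists. Runs only as "sh thisfile.sh demo" so sourcing has no side effects.
if [ "${1:-}" = demo ]; then
    write_portreserve_file ldaps tcp udp
    start ldaps echo "slapd would be started here"
fi
```

Run as `sh thisfile.sh demo` on a host where /etc/portreserve is writable to see the file land and the guarded portrelease call succeed or fall through.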


Some background can be found in bug 103401.


--- Additional comment from jvcelak@redhat.com on 2012-02-21 08:29:09 EST ---

(In reply to comment #5)
> What ports are we talking about? Ports to which openldap server connect to
> answer client its queries?

About the server ports clients connect to. In this case 389/tcp+udp and 636/tcp+udp. And 636 is within the range.

--- Additional comment from jvcelak@redhat.com on 2012-02-22 07:01:21 EST ---

Committed to Git:
http://pkgs.devel.redhat.com/cgit/rpms/openldap/commit/?h=rhel-6.3&id=9557ae7

Comment 1 Karel Srot 2012-03-12 04:09:54 EDT
Oops, I just realized that portreserve is not available on RHEL5.
Therefore the port reserve conflict cannot be fixed this way.

@Devel, please close this bug if you can't find another way to avoid the conflict.

Comment 2 Jan Vcelak 2012-03-14 05:16:40 EDT
Unfortunately there is no easy way to do this without portreserve. I haven't found any reference to this problem in RHEL5, even with other components.

I can only suggest not using the ldaps port (636). Use the ldap port (389), which is out of the affected range, and enforce StartTLS on the server. See the 'require', 'security', and 'sasl-secprops' options in slapd.conf. SSF is the setting you are looking for.

Closing.
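A check for the workaround comment 2 describes, as an added example that is not part of the bug: it reads a slapd.conf and reports whether the 'security' directive demands a minimum SSF, which is what makes a cleartext session on 389 unusable until the client issues StartTLS and lets the ldaps listener on 636 be turned off. The two configurations, the 128-bit floor and the certificate path are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the bug: verify that slapd.conf enforces a minimum
# security strength factor, so plain-389 clients must StartTLS before any
# operation and the ldaps (636) listener can be disabled. Sample configs below
# are constructed; the 128-bit floor is an assumption.

MIN_SSF=128

# Returns 0 when the last effective "security" directive in $1 sets ssf= or
# tls= to at least MIN_SSF, 1 otherwise. Comments are stripped first so a
# commented-out directive does not count; a missing directive counts as 0.
starttls_enforced() {
    conf=$1
    ssf=$(sed 's/#.*//' "$conf" | awk '
        $1 == "security" {
            for (i = 2; i <= NF; i++)
                if ($i ~ /^(ssf|tls)=/) { split($i, kv, "="); v = kv[2] }
        }
        END { print v + 0 }')
    [ "$ssf" -ge "$MIN_SSF" ]
}

# Constructed sample: every session must reach 128 bits of protection, writes
# included, and binds must be authenticated.
SAMPLE_GOOD=$(mktemp)
cat > "$SAMPLE_GOOD" <<'EOF'
include /etc/openldap/schema/core.schema
TLSCertificateFile /etc/openldap/certs/slapd.pem   # hypothetical path
# minimum protection for any operation; cleartext 389 clients must StartTLS first
security ssf=128 update_ssf=128
require authc
EOF

# Constructed sample: unprotected sessions are explicitly allowed on 389.
SAMPLE_WEAK=$(mktemp)
cat > "$SAMPLE_WEAK" <<'EOF'
include /etc/openldap/schema/core.schema
security ssf=0   # cleartext permitted
EOF

cleanup() { rm -f "$SAMPLE_GOOD" "$SAMPLE_WEAK"; }
trap cleanup EXIT

if starttls_enforced "$SAMPLE_GOOD"; then echo "good config: encryption enforced"; fi
if starttls_enforced "$SAMPLE_WEAK"; then
    echo "weak config: unexpectedly accepted"
else
    echo "weak config: cleartext sessions allowed"
fi
```

The SSF check covers only half of the workaround: the ldaps listener itself still has to be removed from the daemon's start-up URLs (on RHEL 5 that is controlled from /etc/sysconfig/ldap, which the init script reads; assumed here, not stated in the bug), otherwise 636 stays bound and the portreserve conflict remains.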
