Dockerfile:
```Dockerfile
FROM debian:buster

ENV container docker

# systemd
RUN apt-get update && apt-get install -y \
    systemd systemd-sysv && \
    apt-get clean && \
    rm -rf /var/lib/apt/lists/*
RUN systemctl disable systemd-resolved.service
RUN systemctl disable systemd-hostnamed.service
STOPSIGNAL SIGRTMIN+3
CMD [ "/sbin/init" ]

RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
    slapd && \
    apt-get clean && rm -rf /var/lib/apt/lists/*
RUN systemctl enable slapd.service

# Allow restart of slapd after dpkg-reconfigure (docker forbids this by default)
RUN bash -c "install -m755 <(printf '#!/bin/sh\nexit 0') /usr/sbin/policy-rc.d"
```
Build command:
```sh
docker build -t tmp .
```

Run command:
```sh
docker run \
    --name=tmp \
    -it \
    --tmpfs /run \
    --tmpfs /run/lock \
    --tmpfs /tmp \
    -v /sys/fs/cgroup:/sys/fs/cgroup:ro \
    --rm \
    tmp
```

Slapd restart (run within container):
```sh
service slapd restart
```
Log (journalctl -u slapd):
```
Jun 18 07:14:25 81bb7d58af2b systemd[1]: Starting LSB: OpenLDAP standalone server (Lightweight Directory Access Protocol)...
Jun 18 07:14:25 81bb7d58af2b slapd[39]: @(#) $OpenLDAP: slapd (Apr 20 2020 18:19:54) $ Debian OpenLDAP Maintainers pkg-openldap-devel@lists.alioth.debian.org
Jun 18 07:14:25 81bb7d58af2b slapd[40]: slapd starting
Jun 18 07:14:25 81bb7d58af2b slapd[27]: Starting OpenLDAP: slapd.
Jun 18 07:14:25 81bb7d58af2b systemd[1]: Started LSB: OpenLDAP standalone server (Lightweight Directory Access Protocol).
Jun 18 07:14:35 81bb7d58af2b systemd[1]: Stopping LSB: OpenLDAP standalone server (Lightweight Directory Access Protocol)...
Jun 18 07:14:35 81bb7d58af2b slapd[72]: Stopping OpenLDAP: slapd.
Jun 18 07:14:35 81bb7d58af2b systemd[1]: slapd.service: Succeeded.
Jun 18 07:14:35 81bb7d58af2b systemd[1]: Stopped LSB: OpenLDAP standalone server (Lightweight Directory Access Protocol).
Jun 18 07:14:40 81bb7d58af2b systemd[1]: slapd.service: Found left-over process 40 (slapd) in control group while starting unit. Ignoring.
Jun 18 07:14:40 81bb7d58af2b systemd[1]: This usually indicates unclean termination of a previous run, or service implementation deficiencies.
Jun 18 07:14:40 81bb7d58af2b systemd[1]: Starting LSB: OpenLDAP standalone server (Lightweight Directory Access Protocol)...
Jun 18 07:14:40 81bb7d58af2b slapd[99]: Starting OpenLDAP: slapd failed!
Jun 18 07:14:40 81bb7d58af2b systemd[1]: slapd.service: Control process exited, code=exited, status=1/FAILURE
Jun 18 07:14:40 81bb7d58af2b systemd[1]: slapd.service: Failed with result 'exit-code'.
Jun 18 07:14:40 81bb7d58af2b systemd[1]: Failed to start LSB: OpenLDAP standalone server (Lightweight Directory Access Protocol).
```
---
The problem seems to be an unclean stop (left-over process) which still occupies the port. Which capabilities [1] / seccomp [2] are needed by slapd?

[1]: https://linux.die.net/man/7/capabilities
[2]: https://docs-stage.docker.com/engine/security/seccomp/
---
My goal is to set the domain to "thisbox".
Running the following code (within container):
```sh
cat <<EOF >/tmp/slapd
Name: slapd/domain
Template: slapd/domain
Value: thisbox
Owners: slapd

EOF
DEBIAN_FRONTEND=noninteractive DEBCONF_DB_OVERRIDE=/tmp/slapd dpkg-reconfigure slapd
```
Log (journalctl -u slapd):
```
-- Logs begin at Thu 2020-06-18 07:43:44 UTC, end at Thu 2020-06-18 07:44:57 UTC. --
Jun 18 07:43:44 fe1ddc01fdaf systemd[1]: Starting LSB: OpenLDAP standalone server (Lightweight Directory Access Protocol)...
Jun 18 07:43:44 fe1ddc01fdaf slapd[38]: @(#) $OpenLDAP: slapd (Apr 20 2020 18:19:54) $ Debian OpenLDAP Maintainers pkg-openldap-devel@lists.alioth.debian.org
Jun 18 07:43:44 fe1ddc01fdaf slapd[39]: slapd starting
Jun 18 07:43:44 fe1ddc01fdaf slapd[28]: Starting OpenLDAP: slapd.
Jun 18 07:43:44 fe1ddc01fdaf systemd[1]: Started LSB: OpenLDAP standalone server (Lightweight Directory Access Protocol).
Jun 18 07:43:48 fe1ddc01fdaf systemd[1]: Stopping LSB: OpenLDAP standalone server (Lightweight Directory Access Protocol)...
Jun 18 07:43:48 fe1ddc01fdaf slapd[160]: Stopping OpenLDAP: slapd.
Jun 18 07:43:48 fe1ddc01fdaf systemd[1]: slapd.service: Succeeded.
Jun 18 07:43:48 fe1ddc01fdaf systemd[1]: Stopped LSB: OpenLDAP standalone server (Lightweight Directory Access Protocol).
Jun 18 07:43:48 fe1ddc01fdaf systemd[1]: Starting LSB: OpenLDAP standalone server (Lightweight Directory Access Protocol)...
Jun 18 07:43:48 fe1ddc01fdaf slapd[170]: @(#) $OpenLDAP: slapd (Apr 20 2020 18:19:54) $ Debian OpenLDAP Maintainers pkg-openldap-devel@lists.alioth.debian.org
Jun 18 07:43:48 fe1ddc01fdaf slapd[170]: daemon: bind(8) failed errno=98 (Address already in use)
Jun 18 07:43:48 fe1ddc01fdaf slapd[170]: daemon: bind(8) failed errno=98 (Address already in use)
Jun 18 07:43:48 fe1ddc01fdaf slapd[170]: slapd stopped.
Jun 18 07:43:48 fe1ddc01fdaf slapd[170]: connections_destroy: nothing to destroy.
Jun 18 07:43:48 fe1ddc01fdaf slapd[165]: Starting OpenLDAP: slapd failed!
Jun 18 07:43:48 fe1ddc01fdaf systemd[1]: slapd.service: Control process exited, code=exited, status=1/FAILURE
Jun 18 07:43:48 fe1ddc01fdaf systemd[1]: slapd.service: Failed with result 'exit-code'.
Jun 18 07:43:48 fe1ddc01fdaf systemd[1]: Failed to start LSB: OpenLDAP standalone server (Lightweight Directory Access Protocol).
```
So the problem indicates that the address is already in use.
---
Setting the configuration within Dockerfile (no need to restart in container):
```Dockerfile
RUN echo "" >> /tmp/slapd && \
    echo "Name: slapd/domain" >> /tmp/slapd && \
    echo "Template: slapd/domain" >> /tmp/slapd && \
    echo "Value: thisbox" >> /tmp/slapd && \
    echo "Owners: slapd" >> /tmp/slapd && \
    echo "" >> /tmp/slapd && \
    DEBIAN_FRONTEND=noninteractive \
    DEBCONF_DB_OVERRIDE=/tmp/slapd \
    dpkg-reconfigure slapd
```
doesn't throw any error, but doesn't seem to work either.
```sh
ldapadd -Q -Y EXTERNAL -H ldapi:///
```

logs to stdout:
```
adding new entry "ou=users,dc=thisbox"
ldap_add: Server is unwilling to perform (53)
	additional info: no global superior knowledge
```
So for some reason the setup on container creation doesn't seem to be used.
---
I am new to LDAP, so I am apologizing if I am using something completely wrongly. Just trying to fix https://salsa.debian.org/freedombox-team/freedombox/-/issues/1880.
Any help appreciated!
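
An added example, not part of the original post: a small awk-based triage of `journalctl -u slapd` text that reports the two symptoms visible in the logs above (a left-over process in the unit's control group, and a bind failure with errno 98) next to the PID of the daemon that last logged `slapd starting`. The function names and output labels are made up for this example, and the sample lines are abridged from the first journal excerpt.

```shell
#!/bin/sh
# Added example: reads journal lines on stdin, prints one finding per line.
triage_slapd_journal() {
  awk '
    # The forked daemon logs "slapd starting"; remember its PID.
    /slapd\[[0-9]+\]: slapd starting/ {
      daemon = $0; sub(/.*slapd\[/, "", daemon); sub(/\].*/, "", daemon)
    }
    # From here on systemd reports the unit as stopped.
    /systemd\[1\]: Stopped / { stopped = 1 }
    # systemd found a process still alive in the unit cgroup at start.
    /Found left-over process [0-9]+ \(slapd\)/ {
      pid = $0; sub(/.*left-over process /, "", pid); sub(/ .*/, "", pid)
      print "LEFTOVER pid=" pid " previous_daemon_pid=" daemon
    }
    # errno 98 is EADDRINUSE; report it once per start attempt.
    /bind\([0-9]+\) failed errno=98/ && !bind_seen {
      bind_seen = 1
      print "EADDRINUSE last_daemon_pid=" daemon
    }
    /systemd\[1\]: Failed to start / {
      print "START_FAILED after_stop_reported=" (stopped ? "yes" : "no")
      bind_seen = 0; stopped = 0
    }
  '
}

# Sample input: lines abridged from the first journal excerpt in the post.
sample_journal() {
  cat <<'EOF'
Jun 18 07:14:25 81bb7d58af2b slapd[40]: slapd starting
Jun 18 07:14:35 81bb7d58af2b slapd[72]: Stopping OpenLDAP: slapd.
Jun 18 07:14:35 81bb7d58af2b systemd[1]: Stopped LSB: OpenLDAP standalone server (Lightweight Directory Access Protocol).
Jun 18 07:14:40 81bb7d58af2b systemd[1]: slapd.service: Found left-over process 40 (slapd) in control group while starting unit. Ignoring.
Jun 18 07:14:40 81bb7d58af2b slapd[99]: Starting OpenLDAP: slapd failed!
Jun 18 07:14:40 81bb7d58af2b systemd[1]: Failed to start LSB: OpenLDAP standalone server (Lightweight Directory Access Protocol).
EOF
}

sample_journal | triage_slapd_journal
```

Inside the container, `journalctl -u slapd --no-pager | triage_slapd_journal` runs the same check on the live journal; a `LEFTOVER` PID equal to `previous_daemon_pid` means the daemon from the earlier start was still alive when the next start was attempted.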