# LDAP over OpenVPN and the order of services



## vrurg (Apr 5, 2022)

I have a setup in which a remote server is using LDAP auth over an OpenVPN connection. Everything works fine except when it comes to rebooting, where many services attempt to request the user database and freeze until the LDAP timeout is over. Apparently, this happens due to OpenVPN being started as an rc.local service.

Is it possible to make OpenVPN start at an earlier stage of boot-up? Most preferably before netwait, as this would be helpful with some other services relying on the VPN connection.


----------



## SirDice (Apr 6, 2022)

vrurg said:


> Is it possible to make OpenVPN start at the earlier stages of boot up?


Use the 'regular' `openvpn_enable="YES"` instead of starting it via rc.local. That file is executed _last_ (see rcorder(8)).


----------



## vrurg (Apr 21, 2022)

SirDice said:


> Use the 'regular' `openvpn_enable="YES"` instead of starting it via rc.local. That file is executed _last_ (see rcorder(8)).


Actually, rc.local was rather a nominal term. I do use `openvpn_enable` in `/usr/local/etc/rc.conf.d/openvpn`. What I meant is that the startup script itself resides in `/usr/local/etc/rc.d`, which is executed after `/etc/rc.d`, thus causing all services relying upon user lookups to freeze for the period of the LDAP timeout.


----------



## SirDice (Apr 21, 2022)

vrurg said:


> What was meant is that the startup script itself resides in `/usr/local/etc/rc.d` which is executed after `/etc/rc.d`


No, that's not the cause. You can have a script from /usr/local/etc/rc.d start _before_ a /etc/rc.d script. The location isn't important, the markers for rcorder(8) are. Those dictate the order in which the rc(8) scripts are executed.


----------



## PMc (Apr 21, 2022)

/usr/local/etc/rc.d/openvpn contains this:


```
# PROVIDE: openvpn
# REQUIRE: DAEMON
# KEYWORD: shutdown
```

This is a late stage in the boot sequence:

- FILESYSTEMS - completed mounting the disks
- NETWORKING - completed configuring the netifs
- SERVERS - enabled authentication and logging
- DAEMON - activated nfsd etc.
- LOGIN - enabled user activity

This is understandable since openvpn itself uses ways for user authentication. If you need openvpn earlier (and shut it down later), you would need to change the `# REQUIRE: DAEMON` in that file accordingly (and expect unexpected side effects).

Use `rcorder /etc/rc.d/* /usr/local/etc/rc.d/*` to see the actual sequence utilized.


----------



## vrurg (Apr 24, 2022)

Here is what I missed when I was looking for a solution: `REQUIRE DAEMON` has to be `REQUIRE NETWORKING`. Together with `BEFORE nfsuserd`, the order is what I need it to be.

Thank you!
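
Added example, not code from any post in this thread or from FreeBSD: a small Python model of the rules rcorder(8) applies to the `# PROVIDE:`, `# REQUIRE:` and `# BEFORE:` header lines. It reproduces three things from the posts above: the port's original `REQUIRE: DAEMON` header putting openvpn at the end, a `/usr/local/etc/rc.d` script starting before `/etc/rc.d` scripts once its headers say so, and the `REQUIRE: NETWORKING` plus `BEFORE: nfsuserd` change. It also shows why `REQUIRE: NETWORKING` alone does not guarantee anything relative to nfsuserd. The `BASE_SCRIPTS` table and the `nfsuserd`/`sshd` headers in it are constructed, simplified stand-ins (assumed here, not copied from FreeBSD); only the header lines matter for the exercise, and the tie-breaking among unconstrained scripts is this model's own choice.

```python
"""Toy rcorder(8): order rc scripts from PROVIDE/REQUIRE/BEFORE headers.

Added example, not FreeBSD code.  BASE_SCRIPTS are constructed stand-ins
for the placeholder scripts (FILESYSTEMS, NETWORKING, SERVERS, DAEMON,
LOGIN) plus nfsuserd and sshd; their headers are assumptions made for this
demonstration, not the real files' contents.
"""
import re
from collections import defaultdict

# Only these three keywords decide order; KEYWORD: is ignored here.
HEADER = re.compile(r"^#\s*(PROVIDE|REQUIRE|BEFORE):\s*(.*)$", re.MULTILINE)

# Constructed, simplified base system (assumed, see docstring).
BASE_SCRIPTS = {
    "/etc/rc.d/FILESYSTEMS": "# PROVIDE: FILESYSTEMS\n",
    "/etc/rc.d/NETWORKING": "# PROVIDE: NETWORKING\n# REQUIRE: FILESYSTEMS\n",
    "/etc/rc.d/nfsuserd": "# PROVIDE: nfsuserd\n# REQUIRE: NETWORKING\n# BEFORE: SERVERS\n",
    "/etc/rc.d/SERVERS": "# PROVIDE: SERVERS\n# REQUIRE: NETWORKING\n",
    "/etc/rc.d/DAEMON": "# PROVIDE: DAEMON\n# REQUIRE: SERVERS\n",
    "/etc/rc.d/LOGIN": "# PROVIDE: LOGIN\n# REQUIRE: DAEMON\n",
    "/etc/rc.d/sshd": "# PROVIDE: sshd\n# REQUIRE: LOGIN\n# KEYWORD: shutdown\n",
}


def parse_headers(text):
    """Return (provides, requires, befores) as sets of names from one rc script."""
    provide, require, before = set(), set(), set()
    buckets = {"PROVIDE": provide, "REQUIRE": require, "BEFORE": before}
    for key, rest in HEADER.findall(text):
        buckets[key].update(rest.split())   # a header may list several names
    return provide, require, before


def rcorder(scripts):
    """Order {path: text} the way rcorder(8) does: a script runs after the
    providers of everything it REQUIREs and before the providers of everything
    it lists under BEFORE.  The directory a script lives in plays no part.

    Among scripts with no constraint between them the real tool's pick is
    incidental; this model takes the lowest path name, which is exactly the
    kind of tie a working setup must not depend on.
    """
    headers = {path: parse_headers(text) for path, text in scripts.items()}
    providers = defaultdict(set)
    for path, (provide, _, _) in headers.items():
        for name in provide:
            providers[name].add(path)

    after = {path: set() for path in scripts}     # path -> scripts it must follow
    for path, (_, require, before) in headers.items():
        for name in require:
            if name not in providers:
                raise ValueError(f"{path}: nothing PROVIDEs {name}")
            after[path] |= providers[name]
        for name in before:                        # BEFORE of an unknown name is ignored
            for other in providers.get(name, ()):
                after[other].add(path)

    order, remaining = [], set(scripts)
    while remaining:
        ready = sorted(p for p in remaining if not (after[p] & remaining))
        if not ready:
            raise ValueError("dependency cycle among: " + ", ".join(sorted(remaining)))
        order.append(ready[0])
        remaining.remove(ready[0])
    return order


def with_openvpn(*header_lines):
    """Add /usr/local/etc/rc.d/openvpn with the given header lines to the base
    system and return the start order as script basenames."""
    scripts = dict(BASE_SCRIPTS)
    scripts["/usr/local/etc/rc.d/openvpn"] = "#!/bin/sh\n" + "".join(h + "\n" for h in header_lines)
    return [path.rsplit("/", 1)[1] for path in rcorder(scripts)]


if __name__ == "__main__":
    cases = [
        ("port header, REQUIRE: DAEMON",
         ("# PROVIDE: openvpn", "# REQUIRE: DAEMON", "# KEYWORD: shutdown")),
        ("REQUIRE: NETWORKING only (no constraint against nfsuserd)",
         ("# PROVIDE: openvpn", "# REQUIRE: NETWORKING", "# KEYWORD: shutdown")),
        ("REQUIRE: NETWORKING + BEFORE: nfsuserd",
         ("# PROVIDE: openvpn", "# REQUIRE: NETWORKING", "# BEFORE: nfsuserd", "# KEYWORD: shutdown")),
    ]
    for label, hdrs in cases:
        print(f"{label}:\n  {' '.join(with_openvpn(*hdrs))}")
```

Run it as a script to see the three orders side by side. With the port's header, openvpn lands after LOGIN and sshd, so anything doing LDAP lookups earlier waits for the VPN. With `REQUIRE: NETWORKING` alone, openvpn is merely unconstrained relative to nfsuserd, and in this model it still ends up after it; only the added `BEFORE: nfsuserd` moves the `/usr/local/etc/rc.d` script ahead of an `/etc/rc.d` one. On a real system the equivalent check is `rcorder /etc/rc.d/* /usr/local/etc/rc.d/*` after editing the header.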


----------



## SirDice (Apr 25, 2022)

Keep in mind that changes made to the rc(8) scripts might get undone with an update.


----------



## vrurg (Apr 28, 2022)

SirDice said:


> Keep in mind that changes made to the rc(8) scripts might get undone with an update.


As someone who was installing 386bsd from floppies, I'd try not to forget. Seriously, I'm truly ashamed of overlooking the `REQUIRE` part. But this actually puts things into a different perspective. Configs are installed as samples, and only the samples are updated with packages. I wish it were similar with the rc scripts. Or make it possible to have `daemon_name_BEFORE="other_daemon"` in rc.conf.


----------



## PMc (Apr 28, 2022)

vrurg said:


> Or make it possible to have `daemon_name_BEFORE="other_daemon"` in a rc.conf.


You actually can do this, but only if the port does not already explicitly specify its demands, so sadly not in your case.
Otherwise you could do things like this.


----------

