LDAP over OpenVPN and the order of services

I have a setup in which a remote server is using LDAP auth over an OpenVPN connection. Everything works fine except when it comes to rebooting, when many services attempt to request the user database and freeze until the LDAP timeout is over. Apparently, this happens due to OpenVPN being started as an rc.local service.

Is it possible to make OpenVPN start at the earlier stages of boot up? Most preferably before netwait, as this would be helpful with some other services relying on the VPN connection.
 
Use the 'regular' openvpn_enable="YES" instead of starting it via rc.local. That file is executed last (see rcorder(8)).
Actually, rc.local was rather a nominal term. I do use openvpn_enable in /usr/local/etc/rc.conf.d/openvpn. What was meant is that the startup script itself resides in /usr/local/etc/rc.d which is executed after /etc/rc.d, thus causing all services relying upon user lookups to freeze for the period of LDAP timeout.
 
What was meant is that the startup script itself resides in /usr/local/etc/rc.d which is executed after /etc/rc.d
No, that's not the cause. You can have a script from /usr/local/etc/rc.d start before a /etc/rc.d script. The location isn't important, the markers for rcorder(8) are. Those dictate the order in which the rc(8) scripts are executed.
 
/usr/local/etc/rc.d/openvpn contains this:

Code:
# PROVIDE: openvpn
# REQUIRE: DAEMON
# KEYWORD: shutdown

This is a late stage in the boot sequence:

FILESYSTEMS - completed mounting the disks
NETWORKING - completed configuring the netifs
SERVERS - enabled authentication and logging
DAEMON - activated nfsd etc.
LOGIN - enabled user activity

This is understandable since openvpn itself uses ways for user authentication. If you need openvpn earlier (and shut it down later), you would need to change the # REQUIRE: DAEMON in that file accordingly (and expect unexpected side effects ;) ).

Use rcorder /etc/rc.d/* /usr/local/etc/rc.d/* to see the actual sequence utilized.
 
Here is what I missed when I was looking for a solution: REQUIRE DAEMON has to be REQUIRE NETWORKING. Together with BEFORE nfsuserd the order is what I need it to be.

Thank you!
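
The reordering described in the post above, as an added example that is not part of the original thread: it models rcorder(8) with tsort(1) to compare the stock openvpn markers with the changed ones. The helper names and the simplified headers for every script other than openvpn are constructed for illustration.

```shell
#!/bin/sh
# Added example: model rcorder(8) ordering with tsort(1).
# All rc.d headers written below are constructed, simplified samples.

# make_rcd DIR REQUIRE [BEFORE]: write sample scripts into DIR; the openvpn
# header gets the given REQUIRE value and, optionally, a BEFORE line.
make_rcd() {
    mkdir -p "$1"
    printf '# PROVIDE: NETWORKING\n' > "$1/NETWORKING"
    printf '# PROVIDE: SERVERS\n# REQUIRE: NETWORKING\n' > "$1/SERVERS"
    printf '# PROVIDE: DAEMON\n# REQUIRE: SERVERS\n' > "$1/DAEMON"
    printf '# PROVIDE: LOGIN\n# REQUIRE: DAEMON\n' > "$1/LOGIN"
    printf '# PROVIDE: nfsuserd\n# REQUIRE: NETWORKING\n' > "$1/nfsuserd"
    {
        printf '# PROVIDE: openvpn\n# REQUIRE: %s\n' "$2"
        if [ -n "${3:-}" ]; then printf '# BEFORE: %s\n' "$3"; fi
        printf '# KEYWORD: shutdown\n'
    } > "$1/openvpn"
}

# rc_order DIR: print one valid start order. REQUIRE X means "X first",
# BEFORE Y means "me first". Assumes PROVIDE is the first marker in a file.
rc_order() {
    awk '
        $1 == "#" && $2 == "PROVIDE:" { me = $3; print me, me }
        $1 == "#" && $2 == "REQUIRE:" { for (i = 3; i <= NF; i++) print $i, me }
        $1 == "#" && $2 == "BEFORE:"  { for (i = 3; i <= NF; i++) print me, $i }
    ' "$1"/* | tsort
}

# rc_pos DIR NAME: 1-based position of NAME in the computed order.
rc_pos() {
    rc_order "$1" | awk -v s="$2" '$0 == s { print NR }'
}

# runs_before DIR A B: succeed if A starts before B.
runs_before() {
    [ "$(rc_pos "$1" "$2")" -lt "$(rc_pos "$1" "$3")" ]
}

# Demo: stock markers versus the markers from the post above.
tmp=$(mktemp -d)
make_rcd "$tmp/stock" DAEMON
make_rcd "$tmp/fixed" NETWORKING nfsuserd
echo "stock:" $(rc_order "$tmp/stock")
echo "fixed:" $(rc_order "$tmp/fixed")
rm -rf "$tmp"
```

On a real host the authoritative check remains the rcorder command quoted earlier in the thread, run over the actual rc.d directories.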
 
Keep in mind that changes made to the rc(8) scripts might get undone with an update.
As someone who was installing 386bsd from floppies, I'd try not to forget. :) Seriously, I'm truly ashamed of overlooking the REQUIRE part. But this actually puts things into a different perspective. Configs are installed as samples and only samples are updated with packages. Wish it were similar with the rc scripts. Or make it possible to have daemon_name_BEFORE="other_daemon" in an rc.conf.
 