Normalize and autorestart ldapcivi service
Gitlab was not accepting logins. (Discussion on Mattermost.) It would display this error:
Could not authenticate you from Ldapmain because "Ssl connect returned=1 errno=0 state=error: certificate verify failed".
I confirmed that the live ldaps service advertised an old/expired certificate -- even while the certificate on disk looked current. Restarting the service brought it back online. LetsEncrypt periodically updates certs, so I strongly suspect the problem is that the ldapcivi process doesn't automatically recognize the new certs.
In debugging, it appeared that the ldapcivi process was running as root and launched via tmux. I couldn't figure out how to access the tmux session, so I killed the process and started a new one via systemd:
# This is an example systemd service which deploys
# ldapcivi.
#
# Pre-req: Install compatible version of nodejs
#
# To use it:
#
# 1. Copy this template, e.g. `cp examples/ldapcivi.service /etc/systemd/system/`
# 2. Edit the new file. Change values like "WorkingDirectory", "User", "Group".
# 3. Load the new service (`systemctl daemon-reload`)
# 4. Start the new service for immediate use (`systemctl start ldapcivi`)
# 5. Enable the new service to start on reboot (`systemctl enable ldapcivi`)
[Unit]
Description=ldapcivi
After=syslog.target
After=network.target
[Service]
Type=simple
PermissionsStartOnly=true
WorkingDirectory=/opt/ldapciviauth
ExecStart=/usr/bin/node server.js civicrmorg
TimeoutSec=300
PrivateTmp=true
User=aegir
Group=aegir
[Install]
WantedBy=multi-user.target
At the moment, the above service file is available in /etc/systemd/system and /opt/ldapciviauth/examples (uncommitted).
Recommended follow-up:
- Put the file somewhere more durable that can survive system rebuilds/migrations. (I don't know where.)
- Add a cron job (or some such) to restart the process once every few days.
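One way to do the second follow-up without restarting blindly, as an added example (not code from ldapcivi or this deployment): compare the fingerprint of the certificate the live ldaps listener actually serves with the one LetsEncrypt wrote to disk, and restart the systemd unit only when they differ. The hostname, certificate path and unit name below are assumptions.

```python
import hashlib
import ssl
import subprocess
import sys

# Assumed values; adjust for the real deployment (none of these come from the report).
LDAPS_HOST = "ldap.example.org"
LDAPS_PORT = 636
CERT_ON_DISK = "/etc/letsencrypt/live/ldap.example.org/fullchain.pem"
SERVICE_NAME = "ldapcivi"


def first_pem_block(pem: str) -> str:
    """Return only the first certificate of a PEM bundle (fullchain.pem lists the leaf first)."""
    start = pem.index(ssl.PEM_HEADER)
    end = pem.index(ssl.PEM_FOOTER, start) + len(ssl.PEM_FOOTER)
    return pem[start:end]


def cert_fingerprint(pem: str) -> str:
    """SHA-256 fingerprint (hex) of the DER encoding of the first certificate in `pem`."""
    der = ssl.PEM_cert_to_DER_cert(first_pem_block(pem))
    return hashlib.sha256(der).hexdigest()


def needs_restart(live_pem: str, disk_pem: str) -> bool:
    """True when the certificate the running service presents is not the one on disk."""
    return cert_fingerprint(live_pem) != cert_fingerprint(disk_pem)


def pem_wrap(der: bytes) -> str:
    """Wrap raw bytes as a PEM certificate block; only used to build constructed samples for testing."""
    import base64
    return ssl.PEM_HEADER + "\n" + base64.encodebytes(der).decode() + ssl.PEM_FOOTER + "\n"


def main() -> int:
    # Fetch whatever the listener serves right now without verifying it: an expired
    # certificate is exactly the condition we want to detect, not reject.
    live_pem = ssl.get_server_certificate((LDAPS_HOST, LDAPS_PORT))
    with open(CERT_ON_DISK) as f:
        disk_pem = f.read()
    if not needs_restart(live_pem, disk_pem):
        print("served certificate matches the one on disk; nothing to do")
        return 0
    print("served certificate is stale; restarting", SERVICE_NAME)
    subprocess.run(["systemctl", "restart", SERVICE_NAME], check=True)
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it from a root cron job or a systemd timer shortly after the LetsEncrypt renewal window; it only touches the service when the served certificate and the renewed file disagree.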