[Touch-packages] [Bug 1472639] Re: apparmor profile denied for kerberos: /run/.heim_org.h5l.kcm-socket

2020-08-04 Thread Kartik Subbarao
Hi Lucas, I'm not running that version of slapd or Ubuntu anymore. I've
long since added the local customization to
/etc/apparmor.d/local/usr.sbin.slapd which made the problem go away.
It's possible that this workaround isn't needed anymore, I haven't
tested that.

I just thought I'd share the idea that came to mind in case it might be
of interest to anyone who worked on this issue or who might otherwise be
interested.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openldap in Ubuntu.
https://bugs.launchpad.net/bugs/1472639

Title:
  apparmor profile denied for kerberos:  /run/.heim_org.h5l.kcm-socket

Status in openldap package in Ubuntu:
  Incomplete

Bug description:
  The slapd apparmor profile doesn't allow access to
  /run/.heim_org.h5l.kcm-socket which is used by kerberos:

  apparmor="DENIED" operation="connect" profile="/usr/sbin/slapd"
  name="/run/.heim_org.h5l.kcm-socket" pid=61289 comm="slapd"
  requested_mask="wr" denied_mask="wr" fsuid=389 ouid=0

  This is as of 2.4.40+dfsg-1ubuntu1.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1472639/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp


[Touch-packages] [Bug 1472639] Re: apparmor profile denied for kerberos: /run/.heim_org.h5l.kcm-socket

2020-08-03 Thread Kartik Subbarao
While working on something else recently, I got a hunch for what might
have been happening here. I had configured syncrepl on this server to
use GSSAPI (saslmech=GSSAPI) to authenticate to its provider server. In
this role, slapd ignores the keytab file and behaves like an ordinary
GSSAPI client. It just calls whatever GSSAPI functions are provided by
the available library. I'm guessing that library consulted
/run/.heim_org.h5l.kcm-socket as one of the places to check for cached
credentials.

Title:
  apparmor profile denied for kerberos:  /run/.heim_org.h5l.kcm-socket

Status in openldap package in Ubuntu:
  Incomplete


[Touch-packages] [Bug 827151] Re: Annoying log message "DIGEST-MD5 common mech free"

2020-07-02 Thread Kartik Subbarao
I don't think that changing the logcheck regexp will help here. The
logcheck program doesn't actually prevent messages from being logged to
syslog. All it does is scan the existing logs and optionally alert on
certain types of messages. The
/etc/logcheck/ignore.d.server/libsasl-modules file will prevent logcheck
from alerting on certain messages, but the messages are still there in
syslog. See the logcheck man page for more info:

http://manpages.ubuntu.com/manpages/focal/man8/logcheck.8.html

Title:
  Annoying log message "DIGEST-MD5 common mech free"

Status in Cyrus-sasl2:
  New
Status in cyrus-sasl2 package in Ubuntu:
  Triaged
Status in cyrus-sasl2 source package in Trusty:
  Won't Fix
Status in cyrus-sasl2 source package in Xenial:
  Incomplete
Status in cyrus-sasl2 source package in Yakkety:
  Fix Released
Status in cyrus-sasl2 source package in Focal:
  Triaged
Status in cyrus-sasl2 package in Debian:
  Unknown

Bug description:
  I recently updated the libsasl2-modules to
  2.1.24~rc1.dfsg1+cvs2011-05-23-4ubuntu1 in oneiric.
  That triggered the bug also described in Debian here:
  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=631932

  The annoying message is logged in auth.log. In my case, it is
  associated with svnserve:
  svnserve: DIGEST-MD5 common mech free

  I'm not exactly sure what action triggers the message, but I can
  investigate more if required.

  $ lsb_release -rd
  Description:    Ubuntu oneiric (development branch)
  Release:        11.10


[Touch-packages] [Bug 827151] Re: Annoying log message "DIGEST-MD5 common mech free"

2020-07-01 Thread Kartik Subbarao
This happens on 20.04 as well:

# lsb_release -d
Description:    Ubuntu 20.04 LTS
# repeat 10 ldapsearch -x -b cn=config > /dev/null
# journalctl -n 10
-- Logs begin at Thu 2020-04-23 13:12:44 EDT, end at Wed 2020-07-01 12:20:49 EDT. --
Jul 01 12:20:48 hostname ldapsearch[727817]: DIGEST-MD5 common mech free
Jul 01 12:20:48 hostname ldapsearch[727818]: DIGEST-MD5 common mech free
Jul 01 12:20:48 hostname ldapsearch[727819]: DIGEST-MD5 common mech free
Jul 01 12:20:48 hostname ldapsearch[727820]: DIGEST-MD5 common mech free
Jul 01 12:20:48 hostname ldapsearch[727821]: DIGEST-MD5 common mech free
Jul 01 12:20:49 hostname ldapsearch[727822]: DIGEST-MD5 common mech free
Jul 01 12:20:49 hostname ldapsearch[727823]: DIGEST-MD5 common mech free
Jul 01 12:20:49 hostname ldapsearch[727824]: DIGEST-MD5 common mech free
Jul 01 12:20:49 hostname ldapsearch[727825]: DIGEST-MD5 common mech free
Jul 01 12:20:49 hostname ldapsearch[727826]: DIGEST-MD5 common mech free

Title:
  Annoying log message "DIGEST-MD5 common mech free"

Status in Cyrus-sasl2:
  New
Status in cyrus-sasl2 package in Ubuntu:
  Fix Released
Status in cyrus-sasl2 source package in Trusty:
  Triaged
Status in cyrus-sasl2 source package in Xenial:
  Incomplete
Status in cyrus-sasl2 source package in Yakkety:
  Fix Released
Status in cyrus-sasl2 package in Debian:
  Fix Released


[Touch-packages] [Bug 1783183] Re: apparmor profile denied for kerberos client keytab and credential cache files

2018-07-24 Thread Kartik Subbarao
Cool, thanks Andreas!

Title:
  apparmor profile denied for kerberos client keytab and credential
  cache files

Status in openldap package in Ubuntu:
  Triaged

Bug description:
  Can we get /etc/krb5/** and /tmp/krb5cc_* added with the appropriate
  permissions to the slapd apparmor profile? I'm getting the following
  kinds of errors:

  apparmor="DENIED" operation="open" profile="/usr/sbin/slapd"
  name="/etc/krb5/user/389/client.keytab" pid=19080 comm="slapd"
  requested_mask="r" denied_mask="r" fsuid=389 ouid=389

  apparmor="DENIED" operation="file_lock" profile="/usr/sbin/slapd"
  name="/tmp/krb5cc_389" pid=19080 comm="slapd" requested_mask="k"
  denied_mask="k" fsuid=389 ouid=389


[Touch-packages] [Bug 1783183] Re: apparmor profile denied for kerberos client keytab and credential cache files

2018-07-24 Thread Kartik Subbarao
Just to provide some more background, the specific scenarios in my case
are syncrepl and a chain overlay. I have lines like this in slapd.conf:

syncrepl rid=1 provider=ldap://providerhost starttls=yes bindmethod=sasl
saslmech=GSSAPI

and this:

overlay chain
chain-uri ldap://providerhost
chain-tls start
chain-idassert-bind mode=none starttls=yes bindmethod=sasl saslmech=GSSAPI

Title:
  apparmor profile denied for kerberos client keytab and credential
  cache files

Status in openldap package in Ubuntu:
  Incomplete


[Touch-packages] [Bug 1783183] Re: apparmor profile denied for kerberos client keytab and credential cache files

2018-07-24 Thread Kartik Subbarao
The client.keytab path is standard functionality provided by libkrb5.so
in Ubuntu 18.04. Here is the relevant documentation:

http://manpages.ubuntu.com/manpages/bionic/man5/krb5.conf.5.html

   default_client_keytab_name
          This relation specifies the name of the default keytab for
          obtaining client credentials. The default is
          FILE:/etc/krb5/user/%{euid}/client.keytab. This relation is
          subject to parameter expansion (see below). New in release 1.11.

It gets invoked by slapd when GSSAPI is specified as the sasl mechanism
(e.g. with syncrepl). This was added as a feature to libkrb5 to
streamline the process of automated authentication, so that people don't
have to set up cron jobs to periodically run kinit.

Regarding /tmp/krb5cc_*, that is the standard location for the
credential cache file created by the kinit process. In this case, the
equivalent of "kinit -k /etc/krb5/user/389/client.keytab" is done by
slapd, leading to /tmp/krb5cc_389 being created.

Title:
  apparmor profile denied for kerberos client keytab and credential
  cache files

Status in openldap package in Ubuntu:
  Incomplete

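Added example for this thread (not code from the bug reports, Launchpad, Ubuntu or OpenLDAP): a small Python script that parses the three DENIED audit lines quoted in bugs 1472639 and 1783183 and turns them into candidate rules for /etc/apparmor.d/local/usr.sbin.slapd, the override file the poster used. The mask-to-permission mapping, the handling of the socket connect as a plain file rule, and the per-uid globs (narrower than the /etc/krb5/** the report asks for) are the editor's assumptions, so review the output before installing it.

```python
"""Derive candidate AppArmor local-override rules from DENIED audit lines.

Added example for this thread; not code from Launchpad, Ubuntu or OpenLDAP.
Assumptions (editor's, not the bug reports'): denied_mask letters map 1:1
onto AppArmor file permissions, a denied "connect" to a socket path needs
"rw" on that path, and per-uid paths are collapsed to globs. Only what was
actually denied is emitted, so iterate: install, retry, re-run on new denials.
"""
import re

# Constructed sample: the three DENIED lines quoted in bugs 1472639 and 1783183.
SAMPLE_LOG = """\
apparmor="DENIED" operation="connect" profile="/usr/sbin/slapd" name="/run/.heim_org.h5l.kcm-socket" pid=61289 comm="slapd" requested_mask="wr" denied_mask="wr" fsuid=389 ouid=0
apparmor="DENIED" operation="open" profile="/usr/sbin/slapd" name="/etc/krb5/user/389/client.keytab" pid=19080 comm="slapd" requested_mask="r" denied_mask="r" fsuid=389 ouid=389
apparmor="DENIED" operation="file_lock" profile="/usr/sbin/slapd" name="/tmp/krb5cc_389" pid=19080 comm="slapd" requested_mask="k" denied_mask="k" fsuid=389 ouid=389
"""

# key="quoted value" or key=bareword, as printed in the audit line
_FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# AppArmor file permission letters, in the order we print them
PERM_ORDER = "rwakmlx"

# Assumption: uid-specific paths from the reports become globs (narrower than
# the /etc/krb5/** the report asks for, so only the client keytab is exposed).
GENERALIZE = [
    (re.compile(r"^/etc/krb5/user/\d+/client\.keytab$"), "/etc/krb5/user/*/client.keytab"),
    (re.compile(r"^/tmp/krb5cc_\d+$"), "/tmp/krb5cc_*"),
]


def parse_denial(line):
    """Return the key/value fields of one apparmor="DENIED" line, else None."""
    fields = {k: quoted or bare for k, quoted, bare in _FIELD.findall(line)}
    return fields if fields.get("apparmor") == "DENIED" else None


def mask_to_perms(mask):
    """Letters of a denied_mask as a set; unknown letters are refused so a
    human looks at them instead of this script guessing a rule."""
    unknown = set(mask) - set(PERM_ORDER)
    if unknown:
        raise ValueError("unhandled mask letters %s in %r" % (sorted(unknown), mask))
    return set(mask)


def order_perms(perms):
    """Print permissions in a fixed order: "wr" in the log becomes "rw"."""
    return "".join(p for p in PERM_ORDER if p in perms)


def generalize_path(path):
    """Replace a uid-specific path with its glob, or return it unchanged."""
    for pattern, glob in GENERALIZE:
        if pattern.match(path):
            return glob
    return path


def suggest_rules(log_text, profile="/usr/sbin/slapd", generalize=True):
    """One rule per denied path, masks merged when a path is denied twice
    (e.g. "open" for r and "file_lock" for k on the same credential cache).
    Denials without name= or denied_mask= (capabilities, signals) are skipped."""
    wanted = {}  # path -> set of permission letters, in first-seen order
    for line in log_text.splitlines():
        d = parse_denial(line)
        if not d or d.get("profile") != profile:
            continue
        if not d.get("name") or not d.get("denied_mask"):
            continue
        path = generalize_path(d["name"]) if generalize else d["name"]
        # A denied connect() to a socket file is logged with a "wr" file mask;
        # a plain file rule on the socket path is what satisfies it.
        wanted.setdefault(path, set()).update(mask_to_perms(d["denied_mask"]))
    return ["%s %s," % (path, order_perms(perms)) for path, perms in wanted.items()]


def render_local_override(rules, profile_file="usr.sbin.slapd"):
    """Contents for /etc/apparmor.d/local/<profile_file>, which the packaged
    profile already includes, so the packaged profile file stays untouched."""
    header = "# Site-specific additions and overrides for %s.\n" % profile_file
    return header + "".join("  %s\n" % rule for rule in rules)


if __name__ == "__main__":
    print(render_local_override(suggest_rules(SAMPLE_LOG)), end="")
```

After appending the output to /etc/apparmor.d/local/usr.sbin.slapd, reload with `apparmor_parser -r /etc/apparmor.d/usr.sbin.slapd`, retry the GSSAPI bind, and feed any new DENIED lines back through the script.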


[Touch-packages] [Bug 1783183] [NEW] apparmor profile denied for kerberos client keytab and credential cache files

2018-07-23 Thread Kartik Subbarao
Public bug reported:

Can we get /etc/krb5/** and /tmp/krb5cc_* added with the appropriate
permissions to the slapd apparmor profile? I'm getting the following
kinds of errors:

apparmor="DENIED" operation="open" profile="/usr/sbin/slapd"
name="/etc/krb5/user/389/client.keytab" pid=19080 comm="slapd"
requested_mask="r" denied_mask="r" fsuid=389 ouid=389

apparmor="DENIED" operation="file_lock" profile="/usr/sbin/slapd"
name="/tmp/krb5cc_389" pid=19080 comm="slapd" requested_mask="k"
denied_mask="k" fsuid=389 ouid=389

** Affects: openldap (Ubuntu)
 Importance: Undecided
 Status: New


** Tags: apparmor kerberos keytab

Title:
  apparmor profile denied for kerberos client keytab and credential
  cache files

Status in openldap package in Ubuntu:
  New


[Touch-packages] [Bug 1472639] Re: apparmor profile denied for kerberos: /run/.heim_org.h5l.kcm-socket

2017-06-08 Thread Kartik Subbarao
No worries Christian. As far as issues caused by unpredictable complex
interactions go, this one is fairly benign :-) I'm fine with the
workaround -- it's just one more line that gets programmatically added
to a config file that has to be customized anyway. And who knows, it may
well have been resolved by now in newer versions of openldap and
kerberos.

In any case, I appreciate your empathy -- if only I could channel it to
the maintainers of other software where I've reported bugs that are far
more painful to deal with :-)

Title:
  apparmor profile denied for kerberos:  /run/.heim_org.h5l.kcm-socket

Status in openldap package in Ubuntu:
  Incomplete


[Touch-packages] [Bug 1654416] Re: Requesting 2.4.44 build which includes fix for ITS#8185

2017-01-07 Thread Kartik Subbarao
Understood, thanks for the responses Ryan and Hans.

Title:
  Requesting 2.4.44 build which includes fix for ITS#8185

Status in openldap package in Ubuntu:
  New

Bug description:
  I reported ITS#8185 to OpenLDAP which was fixed in the 2.4.43 release.
  There have been no OpenLDAP releases since 2.4.44 in February 2016, so
  it looks like things have been stable for a while. I'd like to request
  a refreshed slapd package for 2.4.44 (the most recent slapd package
  available on Ubuntu is 2.4.42 which dates back to August 2015). This
  would help me remove a manual workaround for the ITS#8185 issue, and
  users would also benefit from the number of fixes in 2.4.43 and
  2.4.44.

  http://www.openldap.org/software/release/changes.html

  purging stale pwdFailureTime attributes:
  http://www.openldap.org/its/index.cgi/Software%20Enhancements?id=8185;selectid=8185


[Touch-packages] [Bug 1654416] [NEW] Requesting 2.4.44 build which includes fix for ITS#8185

2017-01-05 Thread Kartik Subbarao
Public bug reported:

I reported ITS#8185 to OpenLDAP which was fixed in the 2.4.43 release.
There have been no OpenLDAP releases since 2.4.44 in February 2016, so
it looks like things have been stable for a while. I'd like to request a
refreshed slapd package for 2.4.44 (the most recent slapd package
available on Ubuntu is 2.4.42 which dates back to August 2015). This
would help me remove a manual workaround for the ITS#8185 issue, and
users would also benefit from the number of fixes in 2.4.43 and 2.4.44.

http://www.openldap.org/software/release/changes.html

purging stale pwdFailureTime attributes:
http://www.openldap.org/its/index.cgi/Software%20Enhancements?id=8185;selectid=8185

** Affects: openldap (Ubuntu)
 Importance: Undecided
 Status: New

Title:
  Requesting 2.4.44 build which includes fix for ITS#8185

Status in openldap package in Ubuntu:
  New


[Touch-packages] [Bug 1472639] Re: apparmor profile denied for kerberos: /run/.heim_org.h5l.kcm-socket

2016-07-20 Thread Kartik Subbarao
Not really -- in this case, all of the packages are pretty much
installed at the same time with automated processes.

In #1 above, Ryan Tandy mentions seeing these error messages too -- so I
assumed this was a fairly common sort of occurrence.

I've been working around this issue by adding a line to
/etc/apparmor.d/local/usr.sbin.slapd, and I'm okay with this workaround.
I guess I was assuming that the fix would be a simple patch to
/etc/apparmor.d/usr.sbin/slapd to permit the socket (i.e. assuming that
Kerberos is fairly standard and it seems reasonable to allow a process
like slapd to access the socket if it has permissions to do so).

Given the amount of complexity that now seems to be involved, I'm
reluctant to (even implicitly) ask you guys to spend more time on this.
Feel free to pursue this as you want, but definitely don't feel any
pressure on my account.

Title:
  apparmor profile denied for kerberos:  /run/.heim_org.h5l.kcm-socket

Status in openldap package in Ubuntu:
  Incomplete


[Touch-packages] [Bug 1472639] Re: apparmor profile denied for kerberos: /run/.heim_org.h5l.kcm-socket

2016-07-20 Thread Kartik Subbarao
Hi Ryan,

Thanks for looking into this. Unfortunately I don't have much to add to
my earlier response in this thread. Here are the only kerberos-related
types of lines that I have in slapd.conf:

authz-regexp
uid=([^,]*),cn=([^,]*),cn=gssapi,cn=auth
ldap:///dc=example,dc=com??sub?(exampleKrb5PrincipalName=$1@$2)
sasl-realm EXAMPLE.COM
sasl-secprops minssf=0

As I mentioned before, I do have an /etc/krb5.keytab. ldapwhoami -Y
GSSAPI works fine. I don't know precisely how slapd ends up using kcm.
slapd is linked with libheimbase.so.1, so presumably it ends up calling
some heimdal library function that ends up accessing that socket.

Title:
  apparmor profile denied for kerberos:  /run/.heim_org.h5l.kcm-socket

Status in openldap package in Ubuntu:
  Incomplete


[Touch-packages] [Bug 1472639] Re: apparmor profile denied for kerberos: /run/.heim_org.h5l.kcm-socket

2015-07-27 Thread Kartik Subbarao
I'm not sure if/how exactly I'm using kcm with slapd. I have an
/etc/krb5.keytab and in slapd.conf, I have a sasl-realm parameter
defined. Kerberos authentication actually seems to work okay -- for
example, ldapwhoami -Y GSSAPI works properly. I don't know what else may
or may not be working, but I figured that the error message wasn't a
good thing to see.

Sorry I can't be of more help in isolating why this error is showing up.

Title:
  apparmor profile denied for kerberos:  /run/.heim_org.h5l.kcm-socket

Status in openldap package in Ubuntu:
  New


[Touch-packages] [Bug 1472639] [NEW] apparmor profile denied for kerberos: /run/.heim_org.h5l.kcm-socket

2015-07-08 Thread Kartik Subbarao
Public bug reported:

The slapd apparmor profile doesn't allow access to
/run/.heim_org.h5l.kcm-socket which is used by kerberos:

apparmor=DENIED operation=connect profile=/usr/sbin/slapd
name=/run/.heim_org.h5l.kcm-socket pid=61289 comm=slapd
requested_mask=wr denied_mask=wr fsuid=389 ouid=0

This is as of 2.4.40+dfsg-1ubuntu1.

** Affects: openldap (Ubuntu)
 Importance: Undecided
 Status: New

Title:
  apparmor profile denied for kerberos:  /run/.heim_org.h5l.kcm-socket

Status in openldap package in Ubuntu:
  New


[Touch-packages] [Bug 1461276] Re: off-by-one in LDIF length

2015-07-06 Thread Kartik Subbarao
This bug can be closed out now in favor of just building a new package
for 2.4.41, since that release is now available and includes the fix:

http://www.openldap.org/software/release/changes.html

Title:
  off-by-one in LDIF length

Status in openldap package in Ubuntu:
  New

Bug description:
  Would it be possible to include the patch for ITS#8003 in the next
  build of the 2.4.40 package?

  http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=patch;h=c8353f7acdec4a42f537b0d475aaae005ba72363

  It fixes a bug that causes slapd to crash when the audit log is
  enabled and a large base64-encoded attribute is printed.


[Touch-packages] [Bug 1471831] [NEW] Requesting a package for 2.4.41

2015-07-06 Thread Kartik Subbarao
Public bug reported:

OpenLDAP version 2.4.41 is now available, and includes the bugfix for
the issue I reported in bug #1461276, as well as many other bugfixes.
Requesting an Ubuntu package for this release.

** Affects: openldap (Ubuntu)
 Importance: Undecided
 Status: New

Title:
  Requesting a package for 2.4.41

Status in openldap package in Ubuntu:
  New


[Touch-packages] [Bug 1461276] Re: off-by-one in LDIF length

2015-06-25 Thread Kartik Subbarao
Any response on this?

Title:
  off-by-one in LDIF length

Status in openldap package in Ubuntu:
  New


[Touch-packages] [Bug 1461276] Re: off-by-one in LDIF length

2015-06-03 Thread Kartik Subbarao
I have run both 2.4.31 and 2.4.40 for a few days, and have only
experienced this type of slapd crash with 2.4.40. That by itself isn't
conclusive though, since memory corruption errors can be sensitive in
how they manifest. Looking at the code briefly, I see that the same
off-by-one error in include/ldif.h is present in the 2.4.31 code (as well
as 2.4.28), so the potential for the bug to be expressed is likely there in
the earlier versions as well. I hedge with "likely" because it seems
that there have been many changes made to this part of the code
recently, and I've seen that just reading it briefly can be misleading
when drawing firm conclusions.

The most conservative approach would be just to patch 2.4.40 for now,
unless/until people report this bug in earlier versions. A more
aggressive approach would be to patch 2.4.31 and 2.4.28 and wait for
people to report other things breaking in the earlier versions.

As an aside -- I'm actually building/running the 2.4.40 package on
14.04, not on Wily -- and I have verified that adding the patch to the
package build fixes the bug.

Title:
  off-by-one in LDIF length

Status in openldap package in Ubuntu:
  New


[Touch-packages] [Bug 1461276] [NEW] Requesting ITS#8003 inclusion in 2.4.40 package

2015-06-02 Thread Kartik Subbarao
Public bug reported:

Would it be possible to include the patch for ITS#8003 in the next build
of the 2.4.40 package?

http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=patch;h=c8353f7acdec4a42f537b0d475aaae005ba72363

It fixes a bug that causes slapd to crash when the audit log is enabled
and a large base64-encoded attribute is printed.

** Affects: openldap (Ubuntu)
 Importance: Undecided
 Status: New


** Tags: crash slapd

Title:
  Requesting ITS#8003 inclusion in 2.4.40 package

Status in openldap package in Ubuntu:
  New
