[Touch-packages] [Bug 827151] Re: Annoying log message "DIGEST-MD5 common mech free"

2020-07-01 Thread Kartik Subbarao
This happens on 20.04 as well: # lsb_release -d Description:Ubuntu 20.04 LTS # repeat 10 ldapsearch -x -b cn=config > /dev/null # journalctl -n 10 -- Logs begin at Thu 2020-04-23 13:12:44 EDT, end at Wed 2020-07-01 12:20:49 EDT. -- Jul 01 12:20:48 hostname ldapsearch[727817]: DIGEST-MD5 commo

[Touch-packages] [Bug 827151] Re: Annoying log message "DIGEST-MD5 common mech free"

2020-07-02 Thread Kartik Subbarao
I don't think that changing the logcheck regexp will help here. The logcheck program doesn't actually prevent messages from being logged to syslog. All it does is scan the existing logs and optionally alert on certain types of messages. The /etc/logcheck/ignore.d.server/libsasl-modules file will p

[Touch-packages] [Bug 1472639] Re: apparmor profile denied for kerberos: /run/.heim_org.h5l.kcm-socket

2020-08-03 Thread Kartik Subbarao
While working on something else recently, I got a hunch for what might have been happening here. I had configured syncrepl on this server to use GSSAPI (saslmech=GSSAPI) to authenticate to its provider server. In this role, slapd ignores the keytab file and behaves like an ordinary GSSAPI client. I

[Touch-packages] [Bug 1472639] Re: apparmor profile denied for kerberos: /run/.heim_org.h5l.kcm-socket

2020-08-04 Thread Kartik Subbarao
Hi Lucas, I'm not running that version of slapd or Ubuntu anymore. I've long since added the local customization to /etc/apparmor.d/local/usr.sbin.slapd which made the problem go away. It's possible that this workaround isn't needed anymore, I haven't tested that. I just thought I'd share the idea

[Touch-packages] [Bug 1783183] [NEW] apparmor profile denied for kerberos client keytab and credential cache files

2018-07-23 Thread Kartik Subbarao
Public bug reported: Can we get /etc/krb5/** and /tmp/krb5cc_* added with the appropriate permissions to the slapd apparmor profile? I'm getting the following kinds of errors: apparmor="DENIED" operation="open" profile="/usr/sbin/slapd" name="/etc/krb5/user/389/client.keytab" pid=19080 comm="slap

[Touch-packages] [Bug 1783183] Re: apparmor profile denied for kerberos client keytab and credential cache files

2018-07-24 Thread Kartik Subbarao
The client.keytab path is standard functionality provided by libkrb5.so in Ubuntu 18.04. Here is the relevant documentation: http://manpages.ubuntu.com/manpages/bionic/man5/krb5.conf.5.html default_client_keytab_name This relation specifies the name of the default key

[Touch-packages] [Bug 1783183] Re: apparmor profile denied for kerberos client keytab and credential cache files

2018-07-24 Thread Kartik Subbarao
Just to provide some more background, the specific scenarios in my case are syncrepl and a chain overlay. I have lines like this in slapd.conf: syncrepl rid=1 provider=ldap://providerhost starttls=yes bindmethod=sasl saslmech=GSSAPI and this: overlay chain chain-uri ldap://providerhost chain-tls

[Touch-packages] [Bug 1783183] Re: apparmor profile denied for kerberos client keytab and credential cache files

2018-07-24 Thread Kartik Subbarao
Cool, thanks Andreas! -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openldap in Ubuntu. https://bugs.launchpad.net/bugs/1783183 Title: apparmor profile denied for kerberos client keytab and credential cache files Statu

[Touch-packages] [Bug 1461276] [NEW] Requesting ITS#8003 inclusion in 2.4.40 package

2015-06-02 Thread Kartik Subbarao
Public bug reported: Would it be possible to include the patch for ITS#8003 in the next build of the 2.4.40 package? http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=patch;h=c8353f7acdec4a42f537b0d475aaae005ba72363 It fixes a bug that causes slapd to crash when the audit log is enabled

[Touch-packages] [Bug 1461276] Re: off-by-one in LDIF length

2015-06-03 Thread Kartik Subbarao
I have run both 2.4.31 and 2.4.40 for a few days, and have only experienced this type of slapd crash with 2.4.40. That by itself isn't conclusive though, since memory corruption errors can be sensitive in how they manifest. Looking at the code briefly, I see that the same off-by-one error in inclu

[Touch-packages] [Bug 1461276] Re: off-by-one in LDIF length

2015-07-06 Thread Kartik Subbarao
This bug can be closed out now in favor of just building a new package for 2.4.41, since that release is now available and includes the fix: http://www.openldap.org/software/release/changes.html

[Touch-packages] [Bug 1471831] [NEW] Requesting a package for 2.4.41

2015-07-06 Thread Kartik Subbarao
Public bug reported: OpenLDAP version 2.4.41 is now available, and includes the bugfix for the issue I reported in bug #1461276, as well as many other bugfixes. Requesting an Ubuntu package for this release. ** Affects: openldap (Ubuntu) Importance: Undecided Status: New

[Touch-packages] [Bug 1472639] [NEW] apparmor profile denied for kerberos: /run/.heim_org.h5l.kcm-socket

2015-07-08 Thread Kartik Subbarao
Public bug reported: The slapd apparmor profile doesn't allow access to /run/.heim_org.h5l.kcm-socket which is used by kerberos: apparmor="DENIED" operation="connect" profile="/usr/sbin/slapd" name="/run/.heim_org.h5l.kcm-socket" pid=61289 comm="slapd" requested_mask="wr" denied_mask="wr" fsuid=

[Touch-packages] [Bug 1461276] Re: off-by-one in LDIF length

2015-06-25 Thread Kartik Subbarao
Any response on this? -- https://bugs.launchpad.net/bugs/1461276 Title: off-by-one in LDIF length Status in openldap package in Ubuntu: New Bug descriptio

[Touch-packages] [Bug 1654416] [NEW] Requesting 2.4.44 build which includes fix for ITS#8185

2017-01-05 Thread Kartik Subbarao
Public bug reported: I reported ITS#8185 to OpenLDAP which was fixed in the 2.4.43 release. There have been no OpenLDAP releases since 2.4.44 in February 2016, so it looks like things have been stable for a while. I'd like to request a refreshed slapd package for 2.4.44 (the most recent slapd pack

[Touch-packages] [Bug 1654416] Re: Requesting 2.4.44 build which includes fix for ITS#8185

2017-01-07 Thread Kartik Subbarao
Understood, thanks for the responses Ryan and Hans. -- https://bugs.launchpad.net/bugs/1654416 Title: Requesting 2.4.44 build which includes fix for ITS#8185

[Touch-packages] [Bug 1654416] Re: Requesting 2.4.44 build which includes fix for ITS#8185

2017-03-10 Thread Kartik Subbarao
Thanks! -- https://bugs.launchpad.net/bugs/1654416 Title: Requesting 2.4.44 build which includes fix for ITS#8185 Status in openldap package in Ubuntu: Fix

[Touch-packages] [Bug 1472639] Re: apparmor profile denied for kerberos: /run/.heim_org.h5l.kcm-socket

2017-06-08 Thread Kartik Subbarao
No worries Christian. As far as issues caused by unpredictable complex interactions go, this one is fairly benign :-) I'm fine with the workaround -- it's just one more line that gets programmatically added to a config file that has to be customized anyway. And who knows, it may well have been reso

[Touch-packages] [Bug 1472639] Re: apparmor profile denied for kerberos: /run/.heim_org.h5l.kcm-socket

2015-07-27 Thread Kartik Subbarao
I'm not sure if/how exactly I'm using kcm with slapd. I have an /etc/krb5.keytab and in slapd.conf, I have a sasl-realm parameter defined. Kerberos authentication actually seems to work okay -- for example, ldapwhoami -Y GSSAPI works properly. I don't know what else may or may not be working, but I

[Touch-packages] [Bug 1472639] Re: apparmor profile denied for kerberos: /run/.heim_org.h5l.kcm-socket

2016-07-20 Thread Kartik Subbarao
Hi Ryan, Thanks for looking into this. Unfortunately I don't have much to add to my earlier response in this thread. Here are the only kerberos-related types of lines that I have in slapd.conf: authz-regexp uid=([^,]*),cn=([^,]*),cn=gssapi,cn=auth ldap:///dc=example,dc=com??sub?(exampleKr

[Touch-packages] [Bug 1472639] Re: apparmor profile denied for kerberos: /run/.heim_org.h5l.kcm-socket

2016-07-20 Thread Kartik Subbarao
Not really -- in this case, all of the packages are pretty much installed at the same time with automated processes. In #1 above, Ryan Tandy mentions seeing these error messages too -- so I assumed this was a fairly common sort of occurrence. I've been working around this issue by adding a line t