This bug was fixed in the package openldap - 2.4.31-1+nmu2ubuntu8.5
---
openldap (2.4.31-1+nmu2ubuntu8.5) trusty; urgency=medium
* d/apparmor-profile: update apparmor profile to allow reading of
files needed when slapd is behaving as a kerberos/gssapi client
and acquiring
This bug was fixed in the package openldap - 2.4.42+dfsg-2ubuntu3.4
---
openldap (2.4.42+dfsg-2ubuntu3.4) xenial; urgency=medium
* d/apparmor-profile: update apparmor profile to allow reading of
files needed when slapd is behaving as a kerberos/gssapi client
and acquiring
This bug was fixed in the package openldap - 2.4.45+dfsg-1ubuntu1.1
---
openldap (2.4.45+dfsg-1ubuntu1.1) bionic; urgency=medium
* d/apparmor-profile: update apparmor profile to allow reading of
files needed when slapd is behaving as a kerberos/gssapi client
and acquiring
This bug was fixed in the package openldap - 2.4.46+dfsg-5ubuntu1.1
---
openldap (2.4.46+dfsg-5ubuntu1.1) cosmic; urgency=medium
* d/apparmor-profile: update apparmor profile to allow reading of
files needed when slapd is behaving as a kerberos/gssapi client
and acquiring
trusty verification
reproducing the bug:
slapd:
Installed: 2.4.31-1+nmu2ubuntu8.4
Candidate: 2.4.31-1+nmu2ubuntu8.4
Version table:
*** 2.4.31-1+nmu2ubuntu8.4 0
500 http://archive.ubuntu.com/ubuntu/ trusty-updates/main amd64 Packages
As soon as the consumer is set up, the provider
xenial verification
First confirming the bug
Package on the consumer:
root@xenial-consumer:~# apt-cache policy slapd
slapd:
Installed: 2.4.42+dfsg-2ubuntu3.3
Candidate: 2.4.42+dfsg-2ubuntu3.3
Version table:
*** 2.4.42+dfsg-2ubuntu3.3 500
500 http://br.archive.ubuntu.com/ubuntu
Bionic verification
Reproducing the bug with:
root@bionic-consumer:~# apt-cache policy slapd
slapd:
Installed: 2.4.45+dfsg-1ubuntu1
Candidate: 2.4.45+dfsg-1ubuntu1
Version table:
*** 2.4.45+dfsg-1ubuntu1 500
500 http://br.archive.ubuntu.com/ubuntu bionic/main amd64 Packages
Cosmic verification
slapd package on the consumer:
Installed: 2.4.46+dfsg-5ubuntu1
Candidate: 2.4.46+dfsg-5ubuntu1
Version table:
*** 2.4.46+dfsg-5ubuntu1 500
500 http://br.archive.ubuntu.com/ubuntu cosmic/main amd64 Packages
Confirming failed replication attempt:
provider:
Nov 16
Hello Kartik, or anyone else affected,
Accepted openldap into trusty-proposed. The package will build now and
be available at
https://launchpad.net/ubuntu/+source/openldap/2.4.31-1+nmu2ubuntu8.5 in
a few hours, and then in the -proposed repository.
Please help us by testing this new package.
Hello Kartik, or anyone else affected,
Accepted openldap into cosmic-proposed. The package will build now and
be available at
https://launchpad.net/ubuntu/+source/openldap/2.4.46+dfsg-5ubuntu1.1 in
a few hours, and then in the -proposed repository.
Please help us by testing this new package.
trusty, xenial, bionic and cosmic packages uploaded to proposed, pending
approval from the sru team.
--
You received this bug notification because you are a member of Ubuntu
Server, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1783183
Title:
apparmor profile denied
This bug was fixed in the package openldap - 2.4.46+dfsg-5ubuntu3
---
openldap (2.4.46+dfsg-5ubuntu3) disco; urgency=medium
* d/apparmor-profile: update apparmor profile to allow reading of
files needed when slapd is behaving as a kerberos/gssapi client
and acquiring its
** Merge proposal linked:
https://code.launchpad.net/~ahasenack/ubuntu/+source/openldap/+git/openldap/+merge/358586
** Merge proposal linked:
https://code.launchpad.net/~ahasenack/ubuntu/+source/openldap/+git/openldap/+merge/357713
** Merge proposal linked:
https://code.launchpad.net/~ahasenack/ubuntu/+source/openldap/+git/openldap/+merge/357714
** Merge proposal linked:
** Merge proposal linked:
https://code.launchpad.net/~ahasenack/ubuntu/+source/openldap/+git/openldap/+merge/357712
** Attachment added: "setup-consumer.sh"
https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1783183/+attachment/5204631/+files/setup-consumer.sh
** Description changed:
[Impact]
When using syncrepl replication with openldap, the consumer needs to
authenticate to the provider in order to perform the searches and fetch the
data. When this authentication is a simple bind, a simple username/password
pair is used and that can be easily
** Attachment added: "setup-provider.sh"
https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1783183/+attachment/5204630/+files/setup-provider.sh
** Description changed:
[Impact]
+ When using syncrepl replication with openldap, the consumer needs to
authenticate to the provider in order to perform the searches and fetch the
data. When this authentication is a simple bind, a simple username/password
pair is used and that can be easily
** Description changed:
+ [Impact]
+
+ * An explanation of the effects of the bug on users and
+
+ * justification for backporting the fix to the stable release.
+
+ * In addition, it is helpful, but not required, to include an
+explanation of how the upload fixes this bug.
+
+ [Test
I used this for now:
root@bionic-slapd-consumer:/etc/apparmor.d# cat local/usr.sbin.slapd
# Site-specific additions and overrides for usr.sbin.slapd.
# For more details, please see /etc/apparmor.d/local/README.
/etc/krb5/user/[0-9]*/client.keytab rk,
/tmp/krb5cc_[0-9]* rwk,
I'm checking if
Confirmed finally, sorry for the delay. I'll get this fixed.
** Changed in: openldap (Ubuntu)
Status: Triaged => In Progress
** Changed in: openldap (Ubuntu)
Assignee: (unassigned) => Andreas Hasenack (ahasenack)
Cool, thanks Andreas!
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1783183
Title:
apparmor profile denied for kerberos client keytab and credential
cache files
To manage notifications about
I didn't know about default_client_keytab_name. That's definitely handy,
so no more k5start needed!
Thanks for your explanation, it makes sense. I'll give it a whirl,
because I'll need to add testing instructions to the change that will be
proposed.
** Changed in: openldap (Ubuntu)
Just to provide some more background, the specific scenarios in my case
are syncrepl and a chain overlay. I have lines like this in slapd.conf:
    syncrepl rid=1 provider=ldap://providerhost starttls=yes bindmethod=sasl
        saslmech=GSSAPI
and this:
    overlay chain
    chain-uri ldap://providerhost
The client.keytab path is standard functionality provided by libkrb5.so
in Ubuntu 18.04. Here is the relevant documentation:
http://manpages.ubuntu.com/manpages/bionic/man5/krb5.conf.5.html
default_client_keytab_name
This relation specifies the name of the default
"/etc/krb5/user/389/client.keytab" feels like a local modification you
made, to store keytab files somewhere under /etc/krb5. I suggest you add
an apparmor exception in /etc/apparmor.d/local/usr.sbin.slapd.
Unless I'm wrong and that directory is being used as a standard location
by some package.