** Description changed:
- There is a bug in slapd that triggers the profile of apparmor of slapd.
+ [Impact]
- When installing a clean ubuntu 14.10 server and installing slapd with :
- apt-get install slapd ldap-utils
- configure it with :
- dpkg-reconfigure slapd
- with ldap address of ldapi://xxx.xxx.xxx
- the following command :
- ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config
- gives the following error:
+ * Changes to AppArmor's unix socket mediation in utopic and later
+ require servers to have 'rw' file permissions on socket paths, compared
+ to just 'w' previously.
+
+ * This bug breaks any application that tries to communicate with slapd
+ via the ldapi:// scheme, for example heimdal-kdc.
+
+ * The recommended way to configure slapd in Ubuntu is to authenticate
+ via SASL EXTERNAL over the ldapi socket. This bug prevents online
+ configuration of slapd (via ldapmodify) in the default setup.
+
+ [Test Case]
+
+ apt-get install slapd
+ ldapwhoami -H ldapi:// -QY EXTERNAL
+
+ Expected result:
+ dn:gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
+
+ Actual result:
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
- Checking syslog :
- apparmor="DENIED" operation="file_perm" profile="/usr/sbin/slapd"
name="/run/slapd/ldapi" pid=1137 comm="slapd" requested_mask="r"
denied_mask="r" fsuid=105 ouid=0
- we find in apparmor profile :
- /etc/apparmor.d/usr.sbin.slapd reads:
- # pid files and sockets
- /{,var/}run/slapd/* w,
- /run/slapd/ldapi has srwxrwxrwx attributes and is owned by
- root:root
+ [Regression Potential]
- In 14.04 all of this is the same but does not lead to an error.
+ * Extremely low potential for regression. No code changes, only granting
+ an additional permission on contents of two directories. The worst
+ possible regression is that slapd might be permitted to read some files
+ it shouldn't, but having such files in /run/{slapd,nslcd} seems
+ unlikely.
- Changing it into :
- # pid files and sockets
- /{,var/}run/slapd/* rw,
+ [Other Info]
- Solves the issue but does not show me where things actually go wrong.
- Slapd tries to read the file but fails.
+ Test packages can be found in ppa:rtandy/lp1392018
** Patch added: "utopic patch"
https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1392018/+attachment/4406775/+files/openldap_2.4.31-1%2Bnmu2ubuntu11.2.debdiff
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to openldap in Ubuntu.
https://bugs.launchpad.net/bugs/1392018
Title:
apparmor stops /var/run/ldapi from being read causing ldap to fail
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1392018/+subscriptions
--
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at:
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
