** Description changed:

- There is a bug in slapd that triggers the profile of apparmor of slapd.
+ [Impact]
- When installing a clean ubuntu 14.10 server and installing slapd with :
- apt-get install slapd ldap-utils
- configure it with :
- dpkg-reconfigure slapd
- with ldap address of ldapi://xxx.xxx.xxx
- the following command :
- ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config
- gives the following error:
+ * Changes to AppArmor's unix socket mediation in utopic and later
+ require servers to have 'rw' file permissions on socket paths, compared
+ to just 'w' previously.
+
+ * This bug breaks any application that tries to communicate with slapd
+ via the ldapi:// scheme, for example heimdal-kdc.
+
+ * The recommended way to configure slapd in Ubuntu is to authenticate
+ via SASL EXTERNAL over the ldapi socket. This bug prevents online
+ configuration of slapd (via ldapmodify) in the default setup.
+
+ [Test Case]
+
+ apt-get install slapd
+ ldapwhoami -H ldapi:// -QY EXTERNAL
+
+ Expected result:
+ dn:gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
+
+ Actual result:
  ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
- Checking syslog :
- apparmor="DENIED" operation="file_perm" profile="/usr/sbin/slapd" name="/run/slapd/ldapi" pid=1137 comm="slapd" requested_mask="r" denied_mask="r" fsuid=105 ouid=0
- we find in apparmor profile :
- /etc/apparmor.d/usr.sbin.slapd reads:
- # pid files and sockets
- /{,var/}run/slapd/* w,
- /run/slapd/ldapi has srwxrwxrwx attributes and is owned by
- root:root
+ [Regression Potential]
- In 14.04 all of this is the same but does not lead to an error.
+ * Extremely low potential for regression. No code changes, only granting
+ an additional permission on contents of two directories. The worst
+ possible regression is that slapd might be permitted to read some files
+ it shouldn't, but having such files in /run/{slapd,nslcd} seems
+ unlikely.
- Changing it into :
- # pid files and sockets
- /{,var/}run/slapd/* rw,
+ [Other Info]
- Solves the issue but does not show me where things actually go wrong.
- Slapd tries to read the file but fails.
+ Test packages can be found in ppa:rtandy/lp1392018

** Patch added: "utopic patch"
   https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1392018/+attachment/4406775/+files/openldap_2.4.31-1%2Bnmu2ubuntu11.2.debdiff

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to openldap in Ubuntu.
https://bugs.launchpad.net/bugs/1392018

Title:
  apparmor stops /var/run/ldapi from being read causing ldap to fail

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1392018/+subscriptions

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
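The original description derives the profile fix by hand: read the `apparmor="DENIED"` line from syslog, find the rule in `/etc/apparmor.d/usr.sbin.slapd` that covers `/run/slapd/ldapi`, and widen its permission from `w` to `rw`. The following script is an added example (not part of the bug report, the debdiff, or the openldap package) that automates exactly that reasoning for audit-log triage: it parses AppArmor audit lines, matches the denied path against the profile's path globs, and reports the widened rule. The sample log lines are constructed from the denial quoted in the report plus one unrelated ALLOWED event; the glob matcher implements only the brace alternation (`{,var/}`) and `*`/`**` semantics needed here, which is a simplification of AppArmor's full syntax, and the order of the permission letters in the output is cosmetic.

```python
import re

# Constructed sample: the denial quoted in the bug report, plus an unrelated
# non-DENIED audit event that the triage must ignore.
SAMPLE_LOG = """\
apparmor="DENIED" operation="file_perm" profile="/usr/sbin/slapd" name="/run/slapd/ldapi" pid=1137 comm="slapd" requested_mask="r" denied_mask="r" fsuid=105 ouid=0
apparmor="ALLOWED" operation="open" profile="/usr/sbin/slapd" name="/etc/ldap/slapd.d/cn=config.ldif" pid=1137 comm="slapd" requested_mask="r" denied_mask="r" fsuid=105 ouid=0
"""

# The rule from the utopic profile that covers the ldapi socket (from the report).
PROFILE_RULES = ["/{,var/}run/slapd/* w,"]

KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')
RULE_RE = re.compile(r'^\s*(\S+)\s+([a-zA-Z]+),\s*$')
PERM_ORDER = "rwalkmix"  # only the display order; AppArmor accepts any order


def parse_audit_line(line):
    """Turn one AppArmor audit line into a dict of key -> unquoted value."""
    out = {}
    for m in KV_RE.finditer(line):
        out[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
    return out


def denials(log_text):
    """Yield parsed DENIED file events that carry a path and a denied mask."""
    for line in log_text.splitlines():
        ev = parse_audit_line(line)
        if ev.get("apparmor") == "DENIED" and "name" in ev and "denied_mask" in ev:
            yield ev


def expand_braces(pattern):
    """Expand brace alternation: '/{,var/}run/x' -> ['/run/x', '/var/run/x']."""
    m = re.search(r'\{([^{}]*)\}', pattern)
    if not m:
        return [pattern]
    results = []
    for alt in m.group(1).split(","):
        results.extend(expand_braces(pattern[:m.start()] + alt + pattern[m.end():]))
    return results


def glob_to_regex(glob):
    """Simplified AppArmor glob: '**' crosses '/', '*' and '?' do not."""
    out, i = "", 0
    while i < len(glob):
        if glob.startswith("**", i):
            out, i = out + ".*", i + 2
        elif glob[i] == "*":
            out, i = out + "[^/]*", i + 1
        elif glob[i] == "?":
            out, i = out + "[^/]", i + 1
        else:
            out, i = out + re.escape(glob[i]), i + 1
    return re.compile("^" + out + "$")


def rule_matches(rule_path, path):
    """True if any brace expansion of the rule's path glob matches the path."""
    return any(glob_to_regex(p).match(path) for p in expand_braces(rule_path))


def parse_rule(rule):
    """Split a file rule like '/run/slapd/* w,' into (path glob, set of perms)."""
    m = RULE_RE.match(rule)
    if not m:
        raise ValueError("not a simple file rule: %r" % rule)
    return m.group(1), set(m.group(2))


def suggest_rules(profile_rules, log_text):
    """Map each profile rule that covers a denied path to its widened form."""
    suggestions = {}
    for ev in denials(log_text):
        needed = set(ev["denied_mask"])
        for rule in profile_rules:
            path_glob, perms = parse_rule(rule)
            if rule_matches(path_glob, ev["name"]) and not needed <= perms:
                merged = "".join(p for p in PERM_ORDER if p in perms | needed)
                suggestions[rule] = "%s %s," % (path_glob, merged)
    return suggestions


if __name__ == "__main__":
    for old, new in suggest_rules(PROFILE_RULES, SAMPLE_LOG).items():
        print("replace: %s\n   with: %s" % (old, new))
```

Run against the sample, the script reports that `/{,var/}run/slapd/* w,` should become `/{,var/}run/slapd/* rw,`, which is the change the reporter applied and the fix the utopic patch ships. The point of keeping the glob matcher strict (`*` does not cross `/`) is that the suggested widening stays as narrow as the original rule: a denial under `/run/slapd/some/subdir` would not be attributed to this rule and would need a separate decision.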