group.of.nepali.translators team mailing list archive
Message #36235
[Bug 1557157] Re: apparmor profile denied for saslauthd: /run/saslauthd/mux
This bug was fixed in the package openldap - 2.4.42+dfsg-2ubuntu3.9
---------------
openldap (2.4.42+dfsg-2ubuntu3.9) xenial; urgency=medium
[ Andreas Hasenack ]
* d/p/ITS-9171-Insert-callback-in-the-right-place.patch: Import upstream
patch to fix slapd crashing in certain configurations when a client
attempts a login to a locked account. (LP: #1866303)
[ Sergio Durigan Junior ]
* d/apparmor-profile: Update apparmor profile to grant access to
the saslauthd socket, so that SASL authentication works. (LP: #1557157)
-- Andreas Hasenack <andreas@xxxxxxxxxxxxx> Wed, 01 Jul 2020 16:33:08 -0300
** Changed in: openldap (Ubuntu Xenial)
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of नेपाली भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1557157
Title:
apparmor profile denied for saslauthd: /run/saslauthd/mux
Status in openldap package in Ubuntu:
Fix Released
Status in openldap source package in Trusty:
Won't Fix
Status in openldap source package in Xenial:
Fix Released
Status in openldap source package in Bionic:
Fix Released
Status in openldap source package in Eoan:
Fix Released
Status in openldap source package in Focal:
Fix Released
Status in openldap source package in Groovy:
Fix Released
Bug description:
[Impact]
When using openldap with sasl authentication, the slapd process will
communicate with the saslauthd daemon via a socket in
{,/var}/run/saslauthd/mux. Unfortunately, this will fail in every
Ubuntu release from trusty onwards, because slapd's apparmor profile
doesn't contain the necessary directive to allow it to read/write
from/to the socket specified above.
The fix is simple: just add the necessary directive to allow slapd to
read/write from/to the saslauthd socket.
[Test Case]
One can reproduce the problem by doing:
$ lxc launch ubuntu-daily:groovy openldap-bugbug1557157-groovy
$ lxc shell openldap-bugbug1557157-groovy
# apt install slapd sasl2-bin ldap-utils apparmor-utils
(As the domain name, use "example.com").
# sed -i -e 's/^START=.*/START=yes/' /etc/default/saslauthd
# cat > /etc/ldap/sasl2/slapd.conf << __EOF__
mech_list: PLAIN
pwcheck_method: saslauthd
__EOF__
# adduser openldap sasl
# aa-enforce /etc/apparmor.d/usr.sbin.slapd
# systemctl restart slapd.service
# systemctl restart saslauthd.service
# passwd root
(You can choose any password here. You will need to type it when
running the next command.)
# ldapsearch -H ldapi:/// -LLL -b 'dc=example,dc=com' -s base -U root -Y PLAIN
The command will fail with something like:
ldap_sasl_interactive_bind_s: Other (e.g., implementation specific) error (80)
additional info: SASL(-1): generic failure: Password verification failed
[Regression Potential]
This is an extremely simple and well contained fix, so I don't
envision any possible regressions after applying it. It is important
to note that, since the problem affects older Ubuntu releases, the
openldap package will have to be rebuilt against possibly newer
versions of libraries and other dependencies, which, albeit unlikely,
may cause issues.
[Original Description]
When using slapd with saslauthd the processes communicate via the
{,/var}/run/saslauthd/mux socket (this is the default location for the
saslauthd server from the sasl2-bin package in the
/etc/default/saslauthd config), but the apparmor profile for
usr.sbin.slapd does not allow access to this socket/file.
Syslog message:
apparmor="DENIED" operation="connect" profile="/usr/sbin/slapd" name="/run/saslauthd/mux" pid=18804 comm="slapd" requested_mask="r" denied_mask="r" fsuid=108 ouid=0
Please add the following line to /etc/apparmor.d/usr.sbin.slapd:
/{,var/}run/saslauthd/mux rw,
Ubuntu version: Ubuntu 14.04.4 LTS
slapd version: 2.4.31-1+nmu2ubu
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1557157/+subscriptions
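The two technical pieces of this report are the AppArmor DENIED line in the original description and the one-line profile rule that resolves it. The script below, an added example that is not part of the bug report or of the openldap package, works those two pieces end to end: it parses a DENIED line of the form shown above, derives the profile rule it calls for, checks whether a profile already carries that rule, and appends it idempotently before the profile's closing brace. The log line is the one from the report, joined onto a single line; the profile it edits is a constructed cut-down stand-in for /etc/apparmor.d/usr.sbin.slapd, not the real packaged profile. Two choices are assumptions taken from the report rather than general AppArmor rules: paths under /run are rewritten to the /{,var/}run/ form used in the proposed line, and operation="connect" is mapped to rw because that is the permission the fix granted (the audit line only shows r being requested).

```shell
#!/bin/sh
# Added example (not from the bug report or the openldap package): turn an
# AppArmor DENIED line into the profile rule it calls for, then check for and
# add that rule in a profile file. Works with POSIX sh, awk and sed only.

# Constructed sample: the syslog line from the bug report, joined onto one line.
SAMPLE_DENIAL='apparmor="DENIED" operation="connect" profile="/usr/sbin/slapd" name="/run/saslauthd/mux" pid=18804 comm="slapd" requested_mask="r" denied_mask="r" fsuid=108 ouid=0'

# Print the value of key="value" (or key=value) from an AppArmor audit line.
# $1 = log line, $2 = key name
aa_field() {
    printf '%s\n' "$1" | awk -v key="$2" '{
        for (i = 1; i <= NF; i++) {
            idx = index($i, "=")
            if (idx == 0) continue
            k = substr($i, 1, idx - 1)
            v = substr($i, idx + 1)
            if (k == key) { gsub(/"/, "", v); print v; exit }
        }
    }'
}

# Derive the profile rule for a denial. Assumptions taken from the report:
# paths under /run are written as /{,var/}run/... (the form the proposed rule
# uses, covering both spellings), and a unix-socket connect gets rw, which is
# the permission the fix granted even though the audit line only requested r.
aa_rule_from_denial() {
    path=$(aa_field "$1" name)
    op=$(aa_field "$1" operation)
    mask=$(aa_field "$1" requested_mask)
    case $path in
        /run/*)     path="/{,var/}run/${path#/run/}" ;;
        /var/run/*) path="/{,var/}run/${path#/var/run/}" ;;
    esac
    case $op in
        connect) mask=rw ;;
    esac
    printf '%s %s,\n' "$path" "$mask"
}

# Exit 0 if profile file $1 already contains rule $2, comparing with comments
# stripped and whitespace normalised. Exit 1 otherwise.
profile_has_rule() {
    awk -v want="$2" '
        { sub(/#.*/, ""); gsub(/^[ \t]+|[ \t]+$/, ""); gsub(/[ \t]+/, " ") }
        $0 == want { found = 1; exit }
        END { exit !found }' "$1"
}

# Append rule $2 to profile file $1 just before its closing brace. Idempotent.
profile_add_rule() {
    profile_has_rule "$1" "$2" && return 0
    awk -v rule="$2" '
        { lines[NR] = $0 }
        END {
            last = 0
            for (i = NR; i >= 1; i--) if (lines[i] ~ /^[ \t]*}[ \t]*$/) { last = i; break }
            for (i = 1; i <= NR; i++) {
                if (i == last) print "  " rule
                print lines[i]
            }
        }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Constructed sample profile: a cut-down stand-in for usr.sbin.slapd, written
# to the file named in $1. Not the real packaged profile.
make_sample_profile() {
    cat > "$1" <<'EOF'
#include <tunables/global>

/usr/sbin/slapd {
  #include <abstractions/base>
  /usr/sbin/slapd mr,
  /var/run/slapd/ldapi rw,
  /{,var/}run/slapd/slapd.pid rw,
}
EOF
}

# Walk the sample through: denial -> rule -> check -> add -> show the result.
demo() {
    tmp=$(mktemp)
    make_sample_profile "$tmp"
    rule=$(aa_rule_from_denial "$SAMPLE_DENIAL")
    if profile_has_rule "$tmp" "$rule"; then
        echo "rule already present: $rule"
    else
        echo "rule missing, adding: $rule"
        profile_add_rule "$tmp" "$rule"
    fi
    cat "$tmp"
    rm -f "$tmp"
}

demo
```

On a real host the same check is worth running against the live profile after a failed `ldapsearch ... -Y PLAIN`, reading the DENIED line from `journalctl -k` or /var/log/syslog and reloading with `apparmor_parser -r /etc/apparmor.d/usr.sbin.slapd` after the edit. Ubuntu's packaged profiles include a matching file under /etc/apparmor.d/local/, and a locally added rule belongs there rather than in the packaged profile so that a package upgrade does not overwrite it; the fix in 2.4.42+dfsg-2ubuntu3.9 makes the local addition unnecessary on the releases listed as Fix Released.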