← Back to team overview

touch-packages team mailing list archive

[Bug 1392018] [NEW] apparmor stops /var/run/ldapi from being read causing ldap to fail

 

Public bug reported:

There is a bug in slapd that triggers the profile of apparmor of slapd.

When installing a clean ubuntu 14.10 server and installing slapd with :
apt-get install slapd ldap-utils
configure it with :
dpkg-reconfigure slapd
with ldap address of ldapi://xxx.xxx.xxx
the following command :
ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config
gives the following error:
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
Checking syslog :
apparmor="DENIED" operation="file_perm" profile="/usr/sbin/slapd" name="/run/slapd/ldapi" pid=1137 comm="slapd" requested_mask="r" denied_mask="r" fsuid=105 ouid=0
we find in apparmor profile :
/etc/apparmor.d/usr.sbin.slapd reads:
  # pid files and sockets
  /{,var/}run/slapd/* w,

/run/slapd/ldapi   has   srwxrwxrwx  attributes and is owned by
root:root

In 14.04 all of this is the same but does not lead to an error.

Changing it into :
  # pid files and sockets
  /{,var/}run/slapd/* rw,

Solves the issue but does not show me where things actually go wrong.
Slapd tries to read the file but fails.

** Affects: openldap (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: openldap sasl slapd

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openldap in Ubuntu.
https://bugs.launchpad.net/bugs/1392018

Title:
  apparmor stops /var/run/ldapi from being read causing ldap to fail

Status in “openldap” package in Ubuntu:
  New

Bug description:
  There is a bug in slapd that triggers the profile of apparmor of
  slapd.

  When installing a clean ubuntu 14.10 server and installing slapd with :
  apt-get install slapd ldap-utils
  configure it with :
  dpkg-reconfigure slapd
  with ldap address of ldapi://xxx.xxx.xxx
  the following command :
  ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config
  gives the following error:
  ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
  Checking syslog :
  apparmor="DENIED" operation="file_perm" profile="/usr/sbin/slapd" name="/run/slapd/ldapi" pid=1137 comm="slapd" requested_mask="r" denied_mask="r" fsuid=105 ouid=0
  we find in apparmor profile :
  /etc/apparmor.d/usr.sbin.slapd reads:
    # pid files and sockets
    /{,var/}run/slapd/* w,

  /run/slapd/ldapi   has   srwxrwxrwx  attributes and is owned by
  root:root

  In 14.04 all of this is the same but does not lead to an error.

  Changing it into :
    # pid files and sockets
    /{,var/}run/slapd/* rw,

  Solves the issue but does not show me where things actually go wrong.
  Slapd tries to read the file but fails.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1392018/+subscriptions


Follow ups

References