
touch-packages team mailing list archive

[Bug 1452087] Re: slapd [or its init script] does not create necessary directory for nssov socket and fails to start

 

there was an apparmor message logged:

May  6 22:52:05 server kernel: audit: type=1400
audit(1430967118.381:12): apparmor="DENIED" operation="mkdir"
profile="/usr/sbin/slapd" name="/run/nslcd/" pid=1419 comm="slapd"
requested_mask="c" denied_mask="c" fsuid=108 ouid=108

adding to /etc/apparmor.d/local/usr.sbin.slapd [among some other
things]:

  /etc/ldap/pki/** rw,
  /{,var/}run/slapd/* rw,
  /{,var/}run/nslcd/ rw,
  /{,var/}run/nslcd/* rw,

seems to have addressed that, but the directory still isn't created.

temporarily changing /run/ to 777 seems to reinforce rtandy's reference.
the directory is then created, but not with adequate permissions:

dr-xr-xr-x  2 openldap openldap   40 May  6 23:01 nslcd/

slapd[2357]: nssov: bind() to /var/run/nslcd/socket failed: Permission
denied

adjusting them manually after creation confirms this, and slapd then
starts.

at the moment, i've added the following to the init script:

NSSOV_SOCKETDIR='/var/run/nslcd'

start_slapd() {
    [ -d "${NSSOV_SOCKETDIR}" ] || ( mkdir -m 755 "${NSSOV_SOCKETDIR}" ; \
        chown openldap.openldap "${NSSOV_SOCKETDIR}" )

which solves the problem for me [albeit the wrong way, imo], since it's
blindly doing it regardless of if the overlay is actually in use.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openldap in Ubuntu.
https://bugs.launchpad.net/bugs/1452087

Title:
  slapd [or its init script] does not create necessary directory for
  nssov socket and fails to start

Status in openldap package in Ubuntu:
  New

Bug description:
  when used with the nss overlay, slapd fails to start, because
  /var/run/nslcd/ does not exist, and slapd cannot then create the socket
  for this.  additionally, creating the directory manually does not
  help, because it disappears after every reboot.

  1] >lsb_release -rd
  Description:	Ubuntu 15.04
  Release:	15.04

  2] >apt-cache policy slapd
  slapd:
    Installed: 2.4.31-1+nmu2ubuntu12
    Candidate: 2.4.31-1+nmu2ubuntu12
    Version table:
   *** 2.4.31-1+nmu2ubuntu12 0
          500 http://us.archive.ubuntu.com/ubuntu/ vivid/main amd64 Packages
          100 /var/lib/dpkg/status

  3] i expected the necessary directory to be created when starting slapd if the nss overlay is in use
  4] it was not

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1452087/+subscriptions
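
Added example (not part of the original bug comment or the openldap package's init script): one way to create the nssov socket directory only when the overlay is actually configured, instead of unconditionally as in the workaround above. It assumes cn=config is stored as LDIF under a slapd.d directory with an "olcOverlay: {N}nssov" attribute, or that a legacy slapd.conf carries an "overlay nssov" line; the function names and the /etc/ldap/slapd.d path in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example: hypothetical helpers for an init script, not the package's code.

# Return 0 if the nssov overlay is configured.
# $1 = slapd.d directory (cn=config LDIF tree) or a slapd.conf file.
nssov_in_use() {
    conf=$1
    if [ -d "$conf" ]; then
        # cn=config: overlay entries carry "olcOverlay: {N}nssov"
        grep -rqsiE '^olcOverlay:[[:space:]]*(\{[0-9]+\})?nssov[[:space:]]*$' "$conf"
    elif [ -f "$conf" ]; then
        # legacy slapd.conf: "overlay nssov"
        grep -qsiE '^[[:space:]]*overlay[[:space:]]+nssov([[:space:]]|$)' "$conf"
    else
        return 1
    fi
}

# Create the socket directory only when the overlay is in use.
# $1 = config path, $2 = socket directory, $3 = owner as user:group (optional)
ensure_nssov_socketdir() {
    conf=$1 dir=$2 owner=${3:-}
    nssov_in_use "$conf" || return 0      # overlay unused: touch nothing

    # Refuse a symlink or a non-directory already sitting at the path.
    if [ -L "$dir" ] || { [ -e "$dir" ] && [ ! -d "$dir" ]; }; then
        echo "refusing to use $dir: not a plain directory" >&2
        return 1
    fi

    [ -d "$dir" ] || mkdir "$dir" || return 1
    # Explicit chmod: also repairs a directory left as dr-xr-xr-x, which is
    # the state that made bind() on the socket fail in the report above.
    chmod 755 "$dir" || return 1
    if [ -n "$owner" ]; then
        chown "$owner" "$dir" || return 1
    fi
}

# Usage inside start_slapd() (paths are assumptions for a Debian/Ubuntu layout):
#   ensure_nssov_socketdir /etc/ldap/slapd.d /var/run/nslcd openldap:openldap
```

The AppArmor rules for /{,var/}run/nslcd/ quoted above are still needed so that slapd itself can create the socket inside the directory.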

