touch-packages team mailing list archive

[Bug 1392018] Re: apparmor stops /var/run/ldapi from being read causing ldap to fail

 

** Tags added: apparmor

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openldap in Ubuntu.
https://bugs.launchpad.net/bugs/1392018

Title:
  apparmor stops /var/run/ldapi from being read causing ldap to fail

Status in openldap package in Ubuntu:
  Confirmed

Bug description:
  There is a bug in slapd that triggers the profile of apparmor of
  slapd.

  When installing a clean Ubuntu 14.10 server and installing slapd with:
  apt-get install slapd ldap-utils
  configure it with:
  dpkg-reconfigure slapd
  with ldap address of ldapi://xxx.xxx.xxx
  the following command:
  ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config
  gives the following error:
  ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
  Checking syslog:
  apparmor="DENIED" operation="file_perm" profile="/usr/sbin/slapd" name="/run/slapd/ldapi" pid=1137 comm="slapd" requested_mask="r" denied_mask="r" fsuid=105 ouid=0
  we find in apparmor profile:
  /etc/apparmor.d/usr.sbin.slapd reads:
    # pid files and sockets
    /{,var/}run/slapd/* w,

  /run/slapd/ldapi has srwxrwxrwx attributes and is owned by
  root:root

  In 14.04 all of this is the same but does not lead to an error.

  Changing it into:
    # pid files and sockets
    /{,var/}run/slapd/* rw,

  Solves the issue but does not show me where things actually go wrong.
  Slapd tries to read the file but fails.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1392018/+subscriptions
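
Added example (not part of the bug report or of the openldap or AppArmor code): a small triage helper that parses the denial line quoted above and checks it against a single profile rule, showing that the `w` rule covers the socket path but lacks the requested `r`. The function names are hypothetical, and the check looks at one rule only, whereas a real profile is evaluated across all of its rules.

```python
import re

# Denial line and profile rules exactly as quoted in the bug report above.
DENIAL = ('apparmor="DENIED" operation="file_perm" profile="/usr/sbin/slapd" '
          'name="/run/slapd/ldapi" pid=1137 comm="slapd" requested_mask="r" '
          'denied_mask="r" fsuid=105 ouid=0')
RULE_BEFORE = "/{,var/}run/slapd/* w,"
RULE_AFTER = "/{,var/}run/slapd/* rw,"

def parse_denial(line):
    """Split an AppArmor audit message into a dict of its key=value fields."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}

def aa_glob_to_regex(glob):
    """Translate an AppArmor path glob: * and ? stay within one path
    component, ** crosses '/', {a,b} is alternation."""
    out, i, depth = [], 0, 0
    while i < len(glob):
        c = glob[i]
        if glob.startswith("**", i):
            out.append(".*")
            i += 2
            continue
        if c == "*":
            out.append("[^/]*")
        elif c == "?":
            out.append("[^/]")
        elif c == "{":
            out.append("(?:")
            depth += 1
        elif c == "}" and depth:
            out.append(")")
            depth -= 1
        elif c == "," and depth:
            out.append("|")
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile("".join(out) + r"\Z")

def missing_perms(rule, denial_line):
    """Permissions requested in the denial that this one rule does not grant.
    Returns None when the rule's path glob does not cover the denied path."""
    fields = parse_denial(denial_line)
    glob, granted = rule.strip().rstrip(",").rsplit(None, 1)
    if not aa_glob_to_regex(glob).match(fields["name"]):
        return None
    return sorted(set(fields["requested_mask"]) - set(granted))
```

Calling missing_perms(RULE_BEFORE, DENIAL) returns ['r'], and the same call with RULE_AFTER returns an empty list.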

