touch-packages team mailing list archive

[Ryan Tandy <1392018@xxxxxxxxxxxxxxxxxx>]

** Description changed:

- There is a bug in slapd that triggers the profile of apparmor of slapd.
+ [Impact]
  
- When installing a clean ubuntu 14.10 server and installing slapd with :
- apt-get install slapd ldap-utils
- configure it with :
- dpkg-reconfigure slapd
- with ldap address of ldapi://xxx.xxx.xxx
- the following command :
- ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config
- gives the following error:
+ * Changes to AppArmor's unix socket mediation in utopic and later
+ require servers to have 'rw' file permissions on socket paths, compared
+ to just 'w' previously.
+ 
+ * This bug breaks any application that tries to communicate with slapd
+ via the ldapi:// scheme, for example heimdal-kdc.
+ 
+ * The recommended way to configure slapd in Ubuntu is to authenticate
+ via SASL EXTERNAL over the ldapi socket. This bug prevents online
+ configuration of slapd (via ldapmodify) in the default setup.
+ 
+ [Test Case]
+ 
+ apt-get install slapd
+ ldapwhoami -H ldapi:// -QY EXTERNAL
+ 
+ Expected result:
+ dn:gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
+ 
+ Actual result:
  ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
- Checking syslog :
- apparmor="DENIED" operation="file_perm" profile="/usr/sbin/slapd" name="/run/slapd/ldapi" pid=1137 comm="slapd" requested_mask="r" denied_mask="r" fsuid=105 ouid=0
- we find in apparmor profile :
- /etc/apparmor.d/usr.sbin.slapd reads:
-   # pid files and sockets
-   /{,var/}run/slapd/* w,
  
- /run/slapd/ldapi   has   srwxrwxrwx  attributes and is owned by
- root:root
+ [Regression Potential]
  
- In 14.04 all of this is the same but does not lead to an error.
+ * Extremely low potential for regression. No code changes, only granting
+ an additional permission on contents of two directories. The worst
+ possible regression is that slapd might be permitted to read some files
+ it shouldn't, but having such files in /run/{slapd,nslcd} seems
+ unlikely.
  
- Changing it into :
-   # pid files and sockets
-   /{,var/}run/slapd/* rw,
+ [Other Info]
  
- Solves the issue but does not show me where things actually go wrong.
- Slapd tries to read the file but fails.
+ Test packages can be found in ppa:rtandy/lp1392018

** Patch added: "utopic patch"
   https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1392018/+attachment/4406775/+files/openldap_2.4.31-1%2Bnmu2ubuntu11.2.debdiff

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openldap in Ubuntu.
https://bugs.launchpad.net/bugs/1392018

Title:
  apparmor stops /var/run/ldapi from being read causing ldap to fail

Status in openldap package in Ubuntu:
  Fix Released

Bug description:
  [Impact]

  * Changes to AppArmor's unix socket mediation in utopic and later
  require servers to have 'rw' file permissions on socket paths,
  compared to just 'w' previously.

  * This bug breaks any application that tries to communicate with slapd
  via the ldapi:// scheme, for example heimdal-kdc.

  * The recommended way to configure slapd in Ubuntu is to authenticate
  via SASL EXTERNAL over the ldapi socket. This bug prevents online
  configuration of slapd (via ldapmodify) in the default setup.

  [Test Case]

  apt-get install slapd
  ldapwhoami -H ldapi:// -QY EXTERNAL

  Expected result:
  dn:gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth

  Actual result:
  ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)

  [Regression Potential]

  * Extremely low potential for regression. No code changes, only
  granting an additional permission on contents of two directories. The
  worst possible regression is that slapd might be permitted to read
  some files it shouldn't, but having such files in /run/{slapd,nslcd}
  seems unlikely.

  [Other Info]

  Test packages can be found in ppa:rtandy/lp1392018

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1392018/+subscriptions