
touch-packages team mailing list archive

[Bug 1392018] Re: apparmor stops /var/run/ldapi from being read causing ldap to fail

 

Hello Arjan.S, or anyone else affected,

Accepted openldap into vivid-proposed. The package will build now and be
available at
https://launchpad.net/ubuntu/+source/openldap/2.4.31-1+nmu2ubuntu12.2 in
a few hours, and then in the -proposed repository.

Please help us by testing this new package.  See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to
enable and use -proposed.  Your feedback will aid us in getting this update
out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, and change the tag
from verification-needed to verification-done. If it does not fix the
bug for you, please add a comment stating that, and change the tag to
verification-failed.  In either case, details of your testing will help
us make a better decision.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification .  Thank you in
advance!

** Changed in: openldap (Ubuntu Vivid)
       Status: In Progress => Fix Committed

** Tags added: verification-needed

** Changed in: openldap (Ubuntu Utopic)
       Status: In Progress => Won't Fix

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openldap in Ubuntu.
https://bugs.launchpad.net/bugs/1392018

Title:
  apparmor stops /var/run/ldapi from being read causing ldap to fail

Status in openldap package in Ubuntu:
  Fix Released
Status in openldap source package in Utopic:
  Won't Fix
Status in openldap source package in Vivid:
  Fix Committed

Bug description:
  [Impact]

  * Changes to AppArmor's unix socket mediation in utopic and later
  require servers to have 'rw' file permissions on socket paths,
  compared to just 'w' previously.

  * This bug breaks any application that tries to communicate with slapd
  via the ldapi:// scheme, for example heimdal-kdc.

  * The recommended way to configure slapd in Ubuntu is to authenticate
  via SASL EXTERNAL over the ldapi socket. This bug prevents online
  configuration of slapd (via ldapmodify) in the default setup.

  [Test Case]

  apt-get install slapd
  ldapwhoami -H ldapi:// -QY EXTERNAL

  Expected result:
  dn:gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth

  Actual result:
  ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)

  [Regression Potential]

  * Extremely low potential for regression. No code changes, only
  granting an additional permission on contents of two directories. The
  worst possible regression is that slapd might be permitted to read
  some files it shouldn't, but having such files in /run/{slapd,nslcd}
  seems unlikely.

  [Other Info]

  Test packages can be found in ppa:rtandy/lp1392018

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1392018/+subscriptions

