[Bug 1392018] Re: apparmor stops /var/run/ldapi from being read causing ldap to fail

Ryan Tandy 1392018 at bugs.launchpad.net
Fri May 29 17:47:25 UTC 2015 

** Description changed:

- There is a bug in slapd that triggers the profile of apparmor of slapd.
+ [Impact]
  
- When installing a clean ubuntu 14.10 server and installing slapd with :
- apt-get install slapd ldap-utils
- configure it with :
- dpkg-reconfigure slapd
- with ldap address of ldapi://xxx.xxx.xxx
- the following command :
- ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config
- gives the following error:
+ * Changes to AppArmor's unix socket mediation in utopic and later
+ require servers to have 'rw' file permissions on socket paths, compared
+ to just 'w' previously.
+ 
+ * This bug breaks any application that tries to communicate with slapd
+ via the ldapi:// scheme, for example heimdal-kdc.
+ 
+ * The recommended way to configure slapd in Ubuntu is to authenticate
+ via SASL EXTERNAL over the ldapi socket. This bug prevents online
+ configuration of slapd (via ldapmodify) in the default setup.
+ 
+ [Test Case]
+ 
+ apt-get install slapd
+ ldapwhoami -H ldapi:// -QY EXTERNAL
+ 
+ Expected result:
+ dn:gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
+ 
+ Actual result:
  ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
- Checking syslog :
- apparmor="DENIED" operation="file_perm" profile="/usr/sbin/slapd" name="/run/slapd/ldapi" pid=1137 comm="slapd" requested_mask="r" denied_mask="r" fsuid=105 ouid=0
- we find in apparmor profile :
- /etc/apparmor.d/usr.sbin.slapd reads:
-   # pid files and sockets
-   /{,var/}run/slapd/* w,
  
- /run/slapd/ldapi   has   srwxrwxrwx  attributes and is owned by
- root:root
+ [Regression Potential]
  
- In 14.04 all of this is the same but does not lead to an error.
+ * Extremely low potential for regression. No code changes, only granting
+ an additional permission on contents of two directories. The worst
+ possible regression is that slapd might be permitted to read some files
+ it shouldn't, but having such files in /run/{slapd,nslcd} seems
+ unlikely.
  
- Changing it into :
-   # pid files and sockets
-   /{,var/}run/slapd/* rw,
+ [Other Info]
  
- Solves the issue but does not show me where things actually go wrong.
- Slapd tries to read the file but fails.
+ Test packages can be found in ppa:rtandy/lp1392018

** Patch added: "utopic patch"
   https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1392018/+attachment/4406775/+files/openldap_2.4.31-1%2Bnmu2ubuntu11.2.debdiff

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to openldap in Ubuntu.
https://bugs.launchpad.net/bugs/1392018

Title:
  apparmor stops /var/run/ldapi from being read causing ldap to fail

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1392018/+subscriptions

More information about the Ubuntu-server-bugs mailing list