[Bug 1392018] Re: apparmor stops /var/run/ldapi from being read causing ldap to fail

Ryan Tandy 1392018 at bugs.launchpad.net
Wed Jun 17 15:24:14 UTC 2015


On Wed, Jun 17, 2015 at 07:28:44AM -0000, Moritz wrote:
>I try to apply the vivid patch, but don't seem to have openldap
>installed, only slapd – is that the same?

openldap is the source package. slapd is one of the binary packages 
built from it.

http://packages.ubuntu.com/source/vivid/openldap

https://www.debian.org/doc/manuals/debian-faq/ch-pkg_basics.en.html

The patch applies to the source package.

>If slapd is correct, what is the proper patch location?

The patch changes one file: /etc/apparmor.d/usr.sbin.slapd

-- 
You received this bug notification because you are a member of Ubuntu
Sponsors Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1392018

Title:
  apparmor stops /var/run/ldapi from being read causing ldap to fail

Status in openldap package in Ubuntu:
  Fix Released

Bug description:
  [Impact]

  * Changes to AppArmor's unix socket mediation in utopic and later
  require servers to have 'rw' file permissions on socket paths,
  compared to just 'w' previously.

  * This bug breaks any application that tries to communicate with slapd
  via the ldapi:// scheme, for example heimdal-kdc.

  * The recommended way to configure slapd in Ubuntu is to authenticate
  via SASL EXTERNAL over the ldapi socket. This bug prevents online
  configuration of slapd (via ldapmodify) in the default setup.

  [Test Case]

  apt-get install slapd
  ldapwhoami -H ldapi:// -QY EXTERNAL

  Expected result:
  dn:gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth

  Actual result:
  ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)

  [Regression Potential]

  * Extremely low potential for regression. No code changes, only
  granting an additional permission on contents of two directories. The
  worst possible regression is that slapd might be permitted to read
  some files it shouldn't, but having such files in /run/{slapd,nslcd}
  seems unlikely.

  [Other Info]

  Test packages can be found in ppa:rtandy/lp1392018

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1392018/+subscriptions
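
Added example (not part of the original message or of the openldap package): a Python check for the condition described under [Impact], an AppArmor profile that grants 'w' but not 'r' on paths under the slapd/nslcd run directories. The sample profile text is constructed and the function names are hypothetical; permissions are merged only across rules with the identical path pattern, and overlap between different globs is not evaluated.

```python
import re
from collections import defaultdict

# File rules come as "[audit] [owner] PATH PERMS," or "[audit] [owner] PERMS PATH,".
PERM = r"([rwalkmixpPcCuU]+)"
PATH = r"([/@]\S*)"
QUAL = r"(?:audit\s+)?(?:owner\s+)?"
PATH_FIRST = re.compile(rf"^{QUAL}{PATH}\s+{PERM},$")
PERMS_FIRST = re.compile(rf"^{QUAL}{PERM}\s+{PATH},$")
# Matches /run/slapd/, /var/run/nslcd/, /{,var/}run/slapd/, @{run}/nslcd/ ...
SOCKET_DIR = re.compile(r"run\}?/(?:slapd|nslcd)/")

# Constructed sample, NOT the shipped /etc/apparmor.d/usr.sbin.slapd.
SAMPLE_PROFILE = """\
/usr/sbin/slapd {
  #include <abstractions/base>
  /etc/ldap/** r,
  /{,var/}run/slapd/* w,        # write-only: the failing case
  /{,var/}run/nslcd/socket w,
  /{,var/}run/nslcd/socket r,   # second rule adds 'r' for the same pattern
}
"""

def granted_perms(profile_text):
    """Map each path pattern to the union of permissions its allow rules grant."""
    perms = defaultdict(set)
    for raw in profile_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drops comments and #include lines
        if line.startswith("deny"):
            continue  # deny rules grant nothing
        if m := PATH_FIRST.match(line):
            perms[m.group(1)].update(m.group(2))
        elif m := PERMS_FIRST.match(line):
            perms[m.group(2)].update(m.group(1))
    return perms

def write_only_socket_paths(profile_text):
    """Return socket-directory patterns that are granted 'w' without 'r'."""
    return sorted(
        path for path, granted in granted_perms(profile_text).items()
        if SOCKET_DIR.search(path) and "w" in granted and "r" not in granted
    )

if __name__ == "__main__":
    for path in write_only_socket_paths(SAMPLE_PROFILE):
        print(f"write-only socket rule, needs 'rw': {path}")
```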


