[Bug 1392018] Re: apparmor stops /var/run/ldapi from being read causing ldap to fail
Ryan Tandy
1392018 at bugs.launchpad.net
Thu Jun 25 18:37:38 UTC 2015
** Patch added: "vivid patch v2"
https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1392018/+attachment/4420527/+files/openldap_2.4.31-1%2Bnmu2ubuntu12.2.debdiff
--
You received this bug notification because you are a member of Ubuntu
Sponsors Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1392018
Title:
apparmor stops /var/run/ldapi from being read causing ldap to fail
Status in openldap package in Ubuntu:
Fix Released
Status in openldap source package in Utopic:
New
Status in openldap source package in Vivid:
New
Bug description:
[Impact]
* Changes to AppArmor's unix socket mediation in utopic and later
require servers to have 'rw' file permissions on socket paths,
compared to just 'w' previously.
* This bug breaks any application that tries to communicate with slapd
via the ldapi:// scheme, for example heimdal-kdc.
* The recommended way to configure slapd in Ubuntu is to authenticate
via SASL EXTERNAL over the ldapi socket. This bug prevents online
configuration of slapd (via ldapmodify) in the default setup.
[Test Case]
apt-get install slapd
ldapwhoami -H ldapi:// -QY EXTERNAL
Expected result:
dn:gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
Actual result:
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
[Regression Potential]
* Extremely low potential for regression. No code changes, only
granting an additional permission on contents of two directories. The
worst possible regression is that slapd might be permitted to read
some files it shouldn't, but having such files in /run/{slapd,nslcd}
seems unlikely.
[Other Info]
Test packages can be found in ppa:rtandy/lp1392018
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1392018/+subscriptions
More information about the Ubuntu-sponsors
mailing list