[Bug 1392018] [NEW] apparmor stops /var/run/ldapi from being read causing ldap to fail

Launchpad Bug Tracker 1392018 at bugs.launchpad.net
Fri May 29 17:49:04 UTC 2015


You have been subscribed to a public bug by Ryan Tandy (rtandy):

[Impact]

* Changes to AppArmor's unix socket mediation in utopic and later
require servers to have 'rw' file permissions on socket paths, compared
to just 'w' previously.

* This bug breaks any application that tries to communicate with slapd
via the ldapi:// scheme, for example heimdal-kdc.

* The recommended way to configure slapd in Ubuntu is to authenticate
via SASL EXTERNAL over the ldapi socket. This bug prevents online
configuration of slapd (via ldapmodify) in the default setup.

[Test Case]

apt-get install slapd
ldapwhoami -H ldapi:// -QY EXTERNAL

Expected result:
dn:gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth

Actual result:
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)

[Regression Potential]

* Extremely low potential for regression. No code changes, only granting
an additional permission on contents of two directories. The worst
possible regression is that slapd might be permitted to read some files
it shouldn't, but having such files in /run/{slapd,nslcd} seems
unlikely.
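As an added illustration (not from the bug report or the openldap package), a constructed pair of AppArmor rule fragments for the two socket paths, with a small POSIX sh check that flags rules granting only 'w' where the newer unix socket mediation needs 'rw'; the paths and rule layout are simplified assumptions, not the profile Ubuntu ships.

```shell
#!/bin/sh
# Added example, not from the bug report or the openldap package.
# Constructed, simplified AppArmor rule fragments (assumed paths, not the
# shipped profile). The pre-fix form grants only 'w' on the socket paths;
# with unix socket mediation (utopic and later) the server needs 'rw'.
BROKEN_RULES='
  /run/slapd/ w,
  /run/slapd/ldapi w,
  /run/nslcd/ w,
  /run/nslcd/socket w,
'
FIXED_RULES='
  /run/slapd/ rw,
  /run/slapd/ldapi rw,
  /run/nslcd/ rw,
  /run/nslcd/socket rw,
'

# socket_rule_mode RULES PATH
# Prints the permission mode (without the trailing comma) of the first
# rule whose path begins with PATH; prints nothing if no rule matches.
socket_rule_mode() {
    printf '%s\n' "$1" | awk -v p="$2" '
        index($1, p) == 1 && $2 ~ /,$/ { sub(/,$/, "", $2); print $2; exit }'
}

# socket_rule_ok RULES PATH
# Returns 0 when the matching rule carries both r and w, 1 otherwise
# (including the 'w'-only rule that triggers this bug).
socket_rule_ok() {
    mode=$(socket_rule_mode "$1" "$2")
    case "$mode" in
        *r*w*|*w*r*) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage: report each constructed socket path against both fragments.
for path in /run/slapd/ldapi /run/nslcd/socket; do
    socket_rule_ok "$BROKEN_RULES" "$path" \
        || echo "before fix: $path has mode '$(socket_rule_mode "$BROKEN_RULES" "$path")', needs rw"
    socket_rule_ok "$FIXED_RULES" "$path" \
        && echo "after fix:  $path has mode '$(socket_rule_mode "$FIXED_RULES" "$path")'"
done
```

After correcting the real profile, reload it and rerun the ldapwhoami test case above; the peercred DN should come back instead of "Can't contact LDAP server".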

[Other Info]

Test packages can be found in ppa:rtandy/lp1392018

** Affects: openldap (Ubuntu)
     Importance: Undecided
     Assignee: Ryan Tandy (rtandy)
         Status: Fix Released


** Tags: apparmor openldap sasl slapd
-- 
apparmor stops /var/run/ldapi from being read causing ldap to fail
https://bugs.launchpad.net/bugs/1392018