apparmor stops /var/run/ldapi from being read causing ldap to fail
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
openldap (Ubuntu) | Fix Released | Undecided | Ryan Tandy |
Utopic | Won't Fix | Undecided | Unassigned |
Vivid | Fix Released | Undecided | Unassigned |
Bug Description
[Impact]
* Changes to AppArmor's unix socket mediation in utopic and later require servers to have 'rw' file permissions on socket paths, compared to just 'w' previously.
* This bug breaks any application that tries to communicate with slapd via the ldapi:// scheme, for example heimdal-kdc.
* The recommended way to configure slapd in Ubuntu is to authenticate via SASL EXTERNAL over the ldapi socket. This bug prevents online configuration of slapd (via ldapmodify) in the default setup.
[Test Case]
apt-get install slapd
ldapwhoami -H ldapi:// -QY EXTERNAL
Expected result:
dn:gidNumber=
Actual result:
ldap_sasl_
[Regression Potential]
* Extremely low potential for regression. No code changes, only granting an additional permission on contents of two directories. The worst possible regression is that slapd might be permitted to read some files it shouldn't, but having such files in /run/{slapd,nslcd} seems unlikely.
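The following is an added example, not code from the bug report or from the openldap package. It shows the check a maintainer would run against an AppArmor profile to spot the condition described under [Impact]: a path rule for the slapd or nslcd socket directories under /run that grants 'w' without 'r', which utopic-and-later unix socket mediation rejects for a listening server. The two profile fragments are constructed for the example and only mimic the shape of a slapd profile; they are not the real usr.sbin.slapd file, and the function name is ours.

```shell
#!/bin/sh
# Added example, not part of the bug report or the openldap package.
# Scans an AppArmor profile for path rules under /run/slapd or /run/nslcd
# that grant 'w' but not 'r'. With the unix socket mediation introduced in
# utopic, a server needs 'rw' on its socket path, so a write-only rule is
# the signature of the failure described in this bug.

# Constructed profile fragments (assumed shape only; not the real
# /etc/apparmor.d/usr.sbin.slapd).
PROFILE_BEFORE='/usr/sbin/slapd {
  #include <abstractions/base>
  /{,var/}run/slapd/** w,
  /{,var/}run/nslcd/** w,
  /var/lib/ldap/** rwk,
}'

PROFILE_AFTER='/usr/sbin/slapd {
  #include <abstractions/base>
  /{,var/}run/slapd/** rw,
  /{,var/}run/nslcd/** rw,
  /var/lib/ldap/** rwk,
}'

# find_write_only_socket_rules PROFILE_TEXT
# Prints every offending rule. Exit status 0 when the profile already grants
# read on the socket directories, 1 when at least one write-only rule exists.
find_write_only_socket_rules() {
    printf '%s\n' "$1" | awk '
        # A path rule (optionally "owner"-prefixed) whose path is /run/,
        # /var/run/ or the /{,var/}run/ alternation, followed by slapd/ or
        # nslcd/. The permission set is the last field, minus the trailing
        # comma.
        /^[ \t]*(owner[ \t]+)?(\/[{],var\/[}]|\/var\/|\/)run\/(slapd|nslcd)\// {
            perms = $NF
            sub(/,$/, "", perms)
            if (perms !~ /r/) { print; bad = 1 }
        }
        END { exit bad ? 1 : 0 }'
}

# Stand-alone usage: report which of the two fragments needs fixing.
for name in PROFILE_BEFORE PROFILE_AFTER; do
    eval "text=\$$name"
    if find_write_only_socket_rules "$text"; then
        echo "$name: socket paths already granted rw"
    else
        echo "$name: the rules above must be changed from 'w' to 'rw'"
    fi
done
```

After editing the real profile, reload it with `apparmor_parser -r /etc/apparmor.d/usr.sbin.slapd` and rerun the `ldapwhoami -H ldapi:// -QY EXTERNAL` test from the [Test Case] section; while the bug is present, the kernel log shows the corresponding `apparmor="DENIED"` entries for the socket path.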
[Other Info]
Test packages can be found in ppa:rtandy/
tags: added: apparmor
Changed in openldap (Ubuntu):
assignee: nobody → Ryan Tandy (rtandy)
status: Confirmed → In Progress
Status changed to 'Confirmed' because the bug affects multiple users.