Comment 3 for bug 229252

Ryan Honeyager (rhoneyager-deactivatedaccount) wrote : Re: slapd gssapi failure

AppArmor provided several complaints:

Jun 16 12:30:43 lionel kernel: [ 6122.925033] audit(1213633843.473:17): type=1503 operation="inode_permission" requested_mask="::a" denied_mask="::a" name="/dev/tty" pid=5259 profile="/usr/sbin/slapd" namespace="default"
Jun 16 12:30:43 lionel kernel: [ 6122.927321] audit(1213633843.473:18): type=1503 operation="file_lock" requested_mask="k::" denied_mask="k::" name="/etc/ldap/keytab.ldap" pid=5259 profile="/usr/sbin/slapd" namespace="default"

To fix the top two, I added
  /dev/tty rw,
  /etc/ldap/keytab.ldap kr,
to AppArmor's slapd profile.

Upon restart of AppArmor and slapd, I tried to connect again, and it failed with this log message:

Jun 16 12:38:17 lionel kernel: [ 6577.144098] audit(1213634297.983:19): type=1503 operation="inode_permission" requested_mask="rw::" denied_mask="rw::" name="/var/tmp/ldap_111" pid=5339 profile="/usr/sbin/slapd" namespace="default"

From there, I added
  /var/tmp/ r,
  /var/tmp/* rw,
to the slapd profile.

Restarting AppArmor and slapd again, connecting to the server with gssapi works fine and presents no errors.
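
As an added example (not part of the original comment and not AppArmor's own tooling), this Python script turns the three denials quoted above into the narrowest profile rules that cover them. It assumes the `::` in these old-style masks only separates permission sets and that the remaining characters are ordinary file permission letters; the names `parse_denial` and `suggest_rules` are made up for the illustration.

```python
import re
from collections import defaultdict

# Denials copied from the comment above (syslog prefix trimmed).
SAMPLE_LOG = """\
audit(1213633843.473:17): type=1503 operation="inode_permission" requested_mask="::a" denied_mask="::a" name="/dev/tty" pid=5259 profile="/usr/sbin/slapd" namespace="default"
audit(1213633843.473:18): type=1503 operation="file_lock" requested_mask="k::" denied_mask="k::" name="/etc/ldap/keytab.ldap" pid=5259 profile="/usr/sbin/slapd" namespace="default"
audit(1213634297.983:19): type=1503 operation="inode_permission" requested_mask="rw::" denied_mask="rw::" name="/var/tmp/ldap_111" pid=5339 profile="/usr/sbin/slapd" namespace="default"
"""

PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
PERM_ORDER = "rwaklmx"  # output order for permission letters


def parse_denial(line):
    """Return (profile, path, perms) for a type=1503 denial, else None."""
    if "type=1503" not in line:
        return None
    fields = {k: quoted or bare for k, quoted, bare in PAIR.findall(line)}
    try:
        profile, path, mask = fields["profile"], fields["name"], fields["denied_mask"]
    except KeyError:
        return None
    # Assumption: "::" only separates permission sets; keep the letters.
    perms = {c for c in mask if c in PERM_ORDER}
    return (profile, path, perms) if perms else None


def suggest_rules(log_text):
    """Map each profile to the narrowest rules covering its denials."""
    wanted = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_denial(line)
        if parsed:
            profile, path, perms = parsed
            wanted[(profile, path)] |= perms
    rules = defaultdict(list)
    for (profile, path), perms in sorted(wanted.items()):
        if "w" in perms:
            perms = perms - {"a"}  # write already covers append
        letters = "".join(c for c in PERM_ORDER if c in perms)
        rules[profile].append(f"{path} {letters},")
    return dict(rules)


if __name__ == "__main__":
    for profile, lines in suggest_rules(SAMPLE_LOG).items():
        print(f"# {profile}")
        print("\n".join(f"  {rule}" for rule in lines))
```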