[SRU]slapd needs apparmor changes for cn=config

Bug #243525 reported by Jeff Strunk
Affects | Status | Importance | Assigned to | Milestone
openldap2.3 (Ubuntu) | Fix Released | Medium | Jamie Strandboge |
Hardy | Fix Released | Undecided | Unassigned |
Intrepid | Fix Released | Medium | Unassigned |

Bug Description

Binary package hint: slapd

/usr/bin/slapd needs write access to /etc/ldap/slapd.d if one is going to use the in tree configuration mechanism effectively.

The following line needs to be added to /etc/apparmor.d/usr.sbin.slapd :
  /etc/ldap/slapd.d/* rw,

It can go after the line:
  /etc/ldap/slapd.conf r,

I found this bug on a Hardy server with slapd 2.4.9-0ubuntu0.8.04 which is made with the openldap2.3 source package. The solution was at http://ubuntuforums.org/showthread.php?t=808097

The consequence of not doing this is that any changes made to the cn=config tree are not saved in /etc/ldap/slapd.d . This defeats the purpose of this new feature.

Mathias Gug (mathiaz) wrote : Re: [Bug 243525] [NEW] slapd needs apparmor changes for cn=config

On Fri, Jun 27, 2008 at 02:11:53PM -0000, Jeff Strunk wrote:
> Public bug reported:
>
> Binary package hint: slapd
>
> /usr/bin/slapd needs write access to /etc/ldap/slapd.d if one is going to
> use the in tree configuration mechanism effectively.
>
> The following line needs to be added to /etc/apparmor.d/usr.sbin.slapd :
> /etc/ldap/slapd.d/* rw,
>
> It can go after the line:
> /etc/ldap/slapd.conf r,
>
> I found this bug on a Hardy server with slapd 2.4.9-0ubuntu0.8.04 which
> is made with the openldap2.3 source package. The solution was at
> http://ubuntuforums.org/showthread.php?t=808097
>
> The consequence of not doing this is that any changes made to the
> cn=config tree are not saved in /etc/ldap/slapd.d . This defeats the
> purpose of this new feature.

  status triaged
  importance medium

--
Mathias Gug
Ubuntu Developer http://www.ubuntu.com

Changed in openldap2.3:
importance: Undecided → Medium
status: New → Triaged
Daniel Paufler (d-paufler-ergomedia) wrote : Re: slapd needs apparmor changes for cn=config

Please add the line reading:

/etc/ldap/slapd.d/** rw, (double **)

If you want to create a subentry in cn=config, slapd needs to create a directory under /etc/ldap/slapd.d/cn=config/...

Changed in openldap2.3:
assignee: nobody → jdstrand
Changed in openldap2.3:
status: Triaged → In Progress
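
The difference between the `/*` rule from the bug description and the `/**` rule suggested in the comment above, shown as an added example that is not part of the original report or of the Ubuntu package. The glob translator is a simplified sketch that assumes only `*`, `**` and `?` need handling, and the sample paths are constructed.

```python
import re

RULE_REPORTED = "/etc/ldap/slapd.d/*"    # path glob from the bug description
RULE_RECURSIVE = "/etc/ldap/slapd.d/**"  # path glob suggested in the comment

# Constructed sample paths for a cn=config tree. AppArmor presents
# directories to the profile with a trailing '/'.
SAMPLE_PATHS = [
    "/etc/ldap/slapd.d/cn=config.ldif",
    "/etc/ldap/slapd.d/cn=config/",
    "/etc/ldap/slapd.d/cn=config/olcDatabase={1}hdb.ldif",
    "/etc/ldap/slapd.d/cn=config/cn=schema/cn={0}core.ldif",
]


def aa_glob_to_regex(glob):
    """Translate a simplified AppArmor path glob into a compiled regex.

    Assumption: only '**', '*' and '?' are treated as wildcards here;
    character classes and {a,b} alternation are matched literally.
    """
    parts, i = [], 0
    while i < len(glob):
        if glob.startswith("**", i):
            parts.append(".*")      # '**' crosses '/' boundaries
            i += 2
        elif glob[i] == "*":
            parts.append("[^/]*")   # '*' stays within one path component
            i += 1
        elif glob[i] == "?":
            parts.append("[^/]")    # '?' is one character, never '/'
            i += 1
        else:
            parts.append(re.escape(glob[i]))
            i += 1
    return re.compile("".join(parts))


def covered(rule, paths):
    """Return the paths that the rule's glob matches in full."""
    rx = aa_glob_to_regex(rule)
    return [p for p in paths if rx.fullmatch(p)]


if __name__ == "__main__":
    for rule in (RULE_REPORTED, RULE_RECURSIVE):
        hits = covered(rule, SAMPLE_PATHS)
        print(f"{rule}: covers {len(hits)} of {len(SAMPLE_PATHS)} paths")
        for path in SAMPLE_PATHS:
            print("   ", "allow" if path in hits else "DENY ", path)
```

Both globs stay confined to the slapd.d tree, so the recursive rule grants no write access to /etc/ldap/slapd.conf or sibling directories.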
Jamie Strandboge (jdstrand) wrote :

The attached debdiff simply adds 'rw' access to /etc/ldap/slapd.d, and cnconfig importing was tested to work properly. Patch is for Hardy SRU.

Also included in the debdiff is a fix for bug #229252.

Jamie Strandboge (jdstrand) wrote :

Testing consisted of updating the qa-regression-testing scripts to test for cnconfig imports, and the above debdiff passes this test with an apparmor enforcing profile.

Chuck Short (zulcss) wrote :

cn=config is not available in hardy because of the apparmor profile in hardy. This patch fixes the issue. I have attached the debdiff that fixes this issue:

STEPS TO REPRODUCE:

1. Install openldap2.3
2. Enable cn=config
3. Try to use openldap2.3 with cn=config enabled (http://www.zytrax.com/books/ldap/ch6/slapd-config.html)

If you have any questions please feel free to ask.

Regards
chuck

Changed in openldap2.3:
status: New → In Progress
Chuck Short (zulcss) wrote :
Steve Langasek (vorlon) wrote :

Accepted into -proposed, please test and give feedback here. Please see https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

Changed in openldap2.3:
status: In Progress → Fix Committed
Mathias Gug (mathiaz) wrote :

Fixed in intrepid with 2.4.11-0ubuntu1.

Changed in openldap2.3:
status: In Progress → Fix Released
Martin Pitt (pitti) wrote :

Any testers?

Steve Langasek (vorlon)
Changed in openldap2.3:
importance: Undecided → Medium
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openldap2.3 - 2.4.9-0ubuntu0.8.04.2

---------------
openldap2.3 (2.4.9-0ubuntu0.8.04.2) hardy-proposed; urgency=low

  [Chuck Short]
  * debian/patches/fix-gnutls-key-strength.patch: fixes ssf matching key
    strength with gnutls 2.3. (LP: #244925)

  [Jamie Strandboge]
  * adjust apparmor profile to allow gssapi (LP: #229252)
  * adjust apparmor profile to allow cnconfig (LP: #243525)

 -- Chuck Short <email address hidden> Tue, 05 Aug 2008 14:37:01 +0000

Changed in openldap2.3:
status: Fix Committed → Fix Released