Merge ~sergiodj/ubuntu/+source/openldap:bug1557157-bionic into ubuntu/+source/openldap:ubuntu/bionic-devel

Proposed by Sergio Durigan Junior
Status: Merged
Approved by: Christian Ehrhardt 
Approved revision: bad9e1f9909b883ce6bdb238b3cd20a894e90bf8
Merge reported by: Andreas Hasenack
Merged at revision: bad9e1f9909b883ce6bdb238b3cd20a894e90bf8
Proposed branch: ~sergiodj/ubuntu/+source/openldap:bug1557157-bionic
Merge into: ubuntu/+source/openldap:ubuntu/bionic-devel
Diff against target: 34 lines (+9/-1)
2 files modified
debian/apparmor-profile (+2/-1)
debian/changelog (+7/-0)
Reviewer | Review Type | Date Requested | Status
Christian Ehrhardt | community | | Approve
Canonical Server | | | Pending
Canonical Server Core Reviewers | | | Pending
Review via email: mp+385757@code.launchpad.net

Description of the change

When using openldap with sasl authentication, the slapd process will communicate with the saslauthd daemon via a socket in {,/var}/run/saslauthd/mux. Unfortunately, this will fail in every Ubuntu release from trusty onwards, because slapd's apparmor profile doesn't contain the necessary directive to allow it to read/write from/to the socket specified above.

This simple change implements the fix to allow the authentication process to happen.

It's possible to test it by doing:

$ lxc launch ubuntu-daily:bionic openldap-bugbug1557157-bionic
$ lxc shell openldap-bugbug1557157-bionic
# apt install slapd sasl2-bin ldap-utils apparmor-utils

(As the domain name, use "example.com").

# sed -i -e 's/^START=.*/START=yes/' /etc/default/saslauthd
# cat > /etc/ldap/sasl2/slapd.conf << __EOF__
mech_list: PLAIN
pwcheck_method: saslauthd
__EOF__
# adduser openldap sasl
# aa-enforce /etc/apparmor.d/usr.sbin.slapd
# systemctl restart slapd.service
# systemctl restart saslauthd.service
# passwd root

(You can choose any password here. You will need to type it when running the next command.)

# ldapsearch -H ldapi:/// -LLL -b 'dc=example,dc=com' -s base -U root -Y PLAIN

If you are using the fixed package, you will see something like:

SASL username: root
SASL SSF: 0
dn: dc=example,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: example
dc: example

There is a PPA here: https://launchpad.net/~sergiodj/+archive/ubuntu/openldap-bug1557157

autopkgtest is still happy (well, because of a bug, there is no d/tests/control file, so no tests are run):

autopkgtest [11:57:32]: build not needed
* SKIP no tests in this package
autopkgtest [11:57:32]: @@@@@@@@@@@@@@@@@@@@ summary
* SKIP no tests in this package
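The description above comes down to one missing AppArmor file rule: until the profile names the saslauthd socket, slapd's confinement denies the connect and SASL authentication fails. As an added example (not code from this merge proposal, from openldap or from the Ubuntu package), the Python below parses AppArmor file rules out of profile text, expands the `/{,var/}run/...` brace alternation that the hunk uses, and reports whether a concrete path is explicitly granted the permissions slapd needs. The profile excerpts are constructed for the example, and the function names are assumptions; nothing is read from /etc/apparmor.d.

```python
"""Added example, not part of the merge proposal or the openldap package.

A conservative checker for AppArmor file rules. It expands brace alternation
such as /{,var/}run/... and reports whether a profile explicitly grants the
requested permissions on a concrete path. The profile excerpts below are
constructed to mirror the slapd profile hunk in this merge proposal; nothing
is read from /etc/apparmor.d.
"""
import re

# One file rule per line: optional 'deny', optional 'owner', a path pattern,
# a permission string (r, w, m, k, l, x and friends) and a trailing comma.
RULE_RE = re.compile(r"^(deny\s+)?(?:owner\s+)?(/\S+)\s+([A-Za-z]+),$")


def expand_braces(pattern: str) -> list[str]:
    """Expand AppArmor {a,b,...} alternation into concrete strings.

    Groups are expanded left to right; nested groups are not supported
    (the slapd profile uses none).
    """
    start = pattern.find("{")
    if start == -1:
        return [pattern]
    end = pattern.find("}", start)
    if end == -1:
        raise ValueError(f"unbalanced brace in rule: {pattern}")
    pre, alts, post = pattern[:start], pattern[start + 1:end], pattern[end + 1:]
    expanded = []
    for alt in alts.split(","):
        expanded.extend(expand_braces(pre + alt + post))
    return expanded


def file_rules(profile: str):
    """Yield (is_deny, path_pattern, perms) for every file rule in the profile.

    Comments, #include lines, capability/network rules and the profile
    header/footer braces are skipped.
    """
    for raw in profile.splitlines():
        line = raw.split("#", 1)[0].strip()
        match = RULE_RE.match(line)
        if match:
            yield bool(match.group(1)), match.group(2), match.group(3)


def rules_for_path(profile: str, path: str) -> list[tuple[bool, str, str]]:
    """Return the rules whose expanded pattern is exactly `path`.

    Glob characters (* and **) are compared literally, so a wildcard rule that
    would cover the path is not reported: the checker errs toward 'denied'.
    """
    return [
        (is_deny, pattern, perms)
        for is_deny, pattern, perms in file_rules(profile)
        if path in expand_braces(pattern)
    ]


def profile_allows(profile: str, path: str, perms: str) -> bool:
    """True if the explicit rules for `path` grant every character of `perms`.

    Permissions accumulate across allow rules, and a deny rule that overlaps
    the requested permissions wins, as it does in AppArmor itself.
    """
    granted: set[str] = set()
    for is_deny, _pattern, rule_perms in rules_for_path(profile, path):
        if is_deny:
            if set(rule_perms) & set(perms):
                return False
        else:
            granted |= set(rule_perms)
    return set(perms) <= granted


def report(profile: str, path: str = "/run/saslauthd/mux", perms: str = "rw") -> str:
    return "allowed" if profile_allows(profile, path, perms) else "denied"


# Constructed excerpt of the slapd profile as it was before this change.
PROFILE_BEFORE = """\
#include <tunables/global>

/usr/sbin/slapd {
  #include <abstractions/base>

  /{,var/}run/slapd/* w,
  /{,var/}run/slapd/ldapi rw,
  /{,var/}run/nslcd/socket rw,

  /usr/lib/ldap/ r,
  /usr/lib/ldap/* mr,
}
"""

# The same excerpt with the one rule this merge proposal adds.
PROFILE_AFTER = PROFILE_BEFORE.replace(
    "  /{,var/}run/nslcd/socket rw,\n",
    "  /{,var/}run/nslcd/socket rw,\n  /{,var/}run/saslauthd/mux rw,\n",
)

if __name__ == "__main__":
    for name, profile in (("before", PROFILE_BEFORE), ("after", PROFILE_AFTER)):
        print(f"{name}: slapd -> /run/saslauthd/mux rw: {report(profile)}")
        for is_deny, pattern, perms in rules_for_path(profile, "/run/saslauthd/mux"):
            print(f"    {'deny ' if is_deny else ''}{pattern} {perms},")
```

Run stand-alone it prints "denied" for the pre-change excerpt and "allowed" for the post-change one, along with the rule responsible. The checker is deliberately conservative: wildcards are compared literally and only file rules are modelled, so it is a quick audit of what a profile explicitly grants, not a substitute for aa-enforce plus a real connection test as in the steps above.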

Christian Ehrhardt (paelzer) wrote:

Change itself LGTM, it is small, simple and reasonable.

review: Approve
Christian Ehrhardt (paelzer) wrote:

This was reviewed but not yet uploaded; it should be combined with the SRU for bug 1866303.

Andreas Hasenack (ahasenack) wrote:

I'll pull this in

Andreas Hasenack (ahasenack) wrote:

I included it and uploaded together with my fix. I'll leave this MP as is, hoping the importer will close it as soon as the upload is accepted, but if that's not the case, it can be set to "merged" manually at that time.

Andreas Hasenack (ahasenack) wrote:

This was released into updates already.

Preview Diff

diff --git a/debian/apparmor-profile b/debian/apparmor-profile
index 793fa7b..9e1070f 100644
--- a/debian/apparmor-profile
+++ b/debian/apparmor-profile
@@ -1,5 +1,5 @@
1# vim:syntax=apparmor1# vim:syntax=apparmor
2# Last Modified: Fri Jan 4 15:18:13 20082# Last Modified: Fri Jun 6 13:51:00 2020
3# Author: Jamie Strandboge <jamie@ubuntu.com>3# Author: Jamie Strandboge <jamie@ubuntu.com>
44
5#include <tunables/global>5#include <tunables/global>
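Review bot: the weekday in the updated "Last Modified" header does not match its date: 6 June 2020 was a Saturday, not a Friday, while the changelog stamp below reads Fri, 12 Jun 2020. Either set it to the real edit date or drop the hand-maintained header, since it carries no policy and is easy to leave out of sync.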
@@ -49,6 +49,7 @@
49 /{,var/}run/slapd/* w,49 /{,var/}run/slapd/* w,
50 /{,var/}run/slapd/ldapi rw,50 /{,var/}run/slapd/ldapi rw,
51 /{,var/}run/nslcd/socket rw,51 /{,var/}run/nslcd/socket rw,
52 /{,var/}run/saslauthd/mux rw,
5253
53 /usr/lib/ldap/ r,54 /usr/lib/ldap/ r,
54 /usr/lib/ldap/* mr,55 /usr/lib/ldap/* mr,
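Review bot: this is the least-privilege fix for the symptom in the description: the rule names only the mux socket, covers both /run and /var/run through the same `{,var/}` alternation as its neighbours, and mirrors `/{,var/}run/nslcd/socket rw,` directly above it. Connecting to a path-based Unix socket is mediated as file access under AppArmor, so `rw` on the socket path is exactly what a client needs and no directory or wildcard access is added. One suggestion: a short comment such as `# saslauthd socket (LP: #1557157)` on the new line would tell the next editor why it is there.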
diff --git a/debian/changelog b/debian/changelog
index ae9f218..57e102c 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
1openldap (2.4.45+dfsg-1ubuntu1.6) bionic; urgency=medium
2
3 * d/apparmor-profile: Update apparmor profile to grant access to
4 the saslauthd socket, so that SASL authentication works. (LP: #1557157)
5
6 -- Sergio Durigan Junior <sergio.durigan@canonical.com> Fri, 12 Jun 2020 18:17:06 -0400
7
1openldap (2.4.45+dfsg-1ubuntu1.5) bionic-security; urgency=medium8openldap (2.4.45+dfsg-1ubuntu1.5) bionic-security; urgency=medium
29
3 * SECURITY UPDATE: denial of service via nested search filters10 * SECURITY UPDATE: denial of service via nested search filters
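Review bot: the version and target are consistent for an SRU: 2.4.45+dfsg-1ubuntu1.6 sorts after the 1ubuntu1.5 bionic-security upload it is based on, and the bullet carries the LP: #1557157 reference needed for the bug to be closed on acceptance. Since the comments say this was uploaded together with another fix, the combined changelog should keep this bullet under the version that actually ships so the bug reference is not lost.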
