Ubuntu
openldap2.3 package

[SRU]slapd needs apparmor changes for cn=config

Bug #243525 reported by Jeff Strunk on 2008-06-27

	Status	Importance	Assigned to
openldap2.3 (Ubuntu)	Fix Released	Medium	Jamie Strandboge
Hardy	Fix Released	Undecided	Unassigned
Intrepid	Fix Released	Medium	Unassigned

Bug Description

Binary package hint: slapd

/usr/bin/slapd needs write access to /etc/ldap/slap.d if one is going to use the in tree configuration mechanism effectively.

The following line needs to be added to /etc/apparmor.d/usr.sbin.slapd :
/etc/ldap/slapd.d/* rw,

It can go after the line:
/etc/ldap/slapd.conf r,

I found this bug on a Hardy server with slapd 2.4.9-0ubuntu0.8.04 which is made with the openldap2.3 source package. The solution was at http://ubuntuforums.org/showthread.php?t=808097

The consequence of not doing this is that any changes made to the cn=config tree are not saved in /etc/ldap/slapd.d . This defeats the purpose of this new feature.

Tags:

Related branches

lp:ubuntu/karmic/openldap

lp:ubuntu/hardy-proposed/openldap2.3

Revision history for this message

Mathias Gug (mathiaz) wrote on 2008-06-27: Re: [Bug 243525] [NEW] slapd needs apparmor changes for cn=config

On Fri, Jun 27, 2008 at 02:11:53PM -0000, Jeff Strunk wrote:
> Public bug reported:
>
> Binary package hint: slapd
>
> /usr/bin/slapd needs write access to /etc/ldap/slap.d if one is going to
> use the in tree configuration mechanism effectively.
>
> The following line needs to be added to /etc/apparmor.d/usr.sbin.slapd :
> /etc/ldap/slapd.d/* rw,
>
> It can go after the line:
> /etc/ldap/slapd.conf r,
>
> I found this bug on a Hardy server with slapd 2.4.9-0ubuntu0.8.04 which
> is made with the openldap2.3 source package. The solution was at
> http://ubuntuforums.org/showthread.php?t=808097
>
> The consequence of not doing this is that any changes made to the
> cn=config tree are not saved in /etc/ldap/slapd.d . This defeats the
> purpose of this new feature.

status triaged
importance medium

--
Mathias Gug
Ubuntu Developer http://www.ubuntu.com

Changed in openldap2.3:
importance:	Undecided → Medium
status:	New → Triaged

Revision history for this message

Daniel Paufler (d-paufler-ergomedia) wrote on 2008-07-11: Re: slapd needs apparmor changes for cn=config

please add the line reading:

/etc/ldap/slapd.d/** rw, (double **)

If you want to create an subentry in cn=config, slapd needs to create an directory unter /etc/ldap/slapd.d/cn=config/...

Jamie Strandboge (jdstrand) on 2008-07-25

Changed in openldap2.3:
assignee:	nobody → jdstrand

Jamie Strandboge (jdstrand) on 2008-07-29

Changed in openldap2.3:
status:	Triaged → In Progress

Revision history for this message

Jamie Strandboge (jdstrand) wrote on 2008-07-29:

openldap2.3_2.4.9-0ubuntu0.8.04.1.debdiff Edit (1.1 KiB, text/plain)

The attached debdiff simply adds 'rw' access to /etc/ldap/slapd.d, and cnconfig importing was tested to work properly. Patch is for Hardy SRU.

Also included in the debdiff is a fix for bug #229252.

Revision history for this message

Jamie Strandboge (jdstrand) wrote on 2008-07-29:

Testing consisted of updating the qa-regression-testing scripts to test for cnconfig imports, and the above debdiff passes this test with an apparmor enforcing profile.

Revision history for this message

Chuck Short (zulcss) wrote on 2008-08-05:

cn=config is not availble in hardy because of the way apparmor profile in hardy. This patch fixes the issue. I have attached the debdiff that fixes this issue:

STEPS TO REPRODUCE:

1. Install openldap2.3
2. Enable cn=config
3. Try to use openldap2.3 with cn=config enabled (http://www.zytrax.com/books/ldap/ch6/slapd-config.html)

If you have any questions please feel free to ask.

Regards
chuck

Changed in openldap2.3:
status:	New → In Progress

Revision history for this message

Chuck Short (zulcss) wrote on 2008-08-05:

sru.diff Edit (2.1 KiB, text/x-diff)

Revision history for this message

Steve Langasek (vorlon) wrote on 2008-08-05:

Accepted into -proposed, please test and give feedback here. Please see https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

Changed in openldap2.3:
status:	In Progress → Fix Committed

Revision history for this message

Mathias Gug (mathiaz) wrote on 2008-08-29:

Fixed in intrepid with 2.4.11-0ubuntu1.

Changed in openldap2.3:
status:	In Progress → Fix Released

Revision history for this message

Martin Pitt (pitti) wrote on 2008-10-27:

Any testers?

Steve Langasek (vorlon) on 2009-01-27

Changed in openldap2.3:
importance:	Undecided → Medium
status:	New → Fix Released

Revision history for this message

Launchpad Janitor (janitor) wrote on 2009-01-27:

#10

This bug was fixed in the package openldap2.3 - 2.4.9-0ubuntu0.8.04.2

---------------
openldap2.3 (2.4.9-0ubuntu0.8.04.2) hardy-proposed; urgency=low

  [Chuck Short]
  * debian/patches/fix-gnutls-key-strength.patch: fixes ssf matching key
    strength with gnutls 2.3. (LP: #244925)

  [Jamie Strandboge]
  * adjust apparmor profile to allow gssapi (LP: #229252)
  * adjust apparmor profile to allow cnconfig (LP: #243525)

-- Chuck Short <email address hidden> Tue, 05 Aug 2008 14:37:01 +0000

Changed in openldap2.3:
status:	Fix Committed → Fix Released

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Patches

openldap2.3_2.4.9-0ubuntu0.8.04.1.debdiff Edit

Add patch

Bug attachments

sru.diff Edit

Add attachment

Remote bug watches

Bug watches keep track of this bug in other bug trackers.

Ubuntuopenldap2.3 package

[SRU]slapd needs apparmor changes for cn=config

Bug Description

Related branches

Other bug subscribers

Patches

Bug attachments

Remote bug watches

Ubuntu
openldap2.3 package