Merge ~ahasenack/ubuntu/+source/openldap:trusty-slapd-gssapi-apparmor-1783183 into ubuntu/+source/openldap:ubuntu/trusty-devel

Proposed by Andreas Hasenack
Status: Merged
Approved by: Andreas Hasenack
Approved revision: 18dac35d1930ea61bdff726f68d20914ddc12b36
Merged at revision: 18dac35d1930ea61bdff726f68d20914ddc12b36
Proposed branch: ~ahasenack/ubuntu/+source/openldap:trusty-slapd-gssapi-apparmor-1783183
Merge into: ubuntu/+source/openldap:ubuntu/trusty-devel
Diff against target: 29 lines (+10/-0)
2 files modified
debian/apparmor-profile (+2/-0)
debian/changelog (+8/-0)
Reviewer / Review Type / Date Requested / Status
Christian Ehrhardt (community): Approve
Canonical Server: Pending
Review via email: mp+357715@code.launchpad.net

Description of the change

Add two rules to the slapd apparmor profile to allow for ldap replication using gssapi/kerberos authentication via the default_client_keytab_name feature present in the MIT kerberos package since v1.11, which for Ubuntu means since Trusty.

Testing this setup is complicated, so I wrote scripts to help and configure each of the services involved in this: the kerberos server (KDC), openldap provider, and openldap consumer. The instructions are in the linked bug.

This can't land anywhere until ubuntu-DD is open, but reviews can be done already in preparation for that. As soon as DD opens, I'll make an MP for it as well.

I want to push this to Debian too, but I'd like reviews here first before doing that. Since it's not a quilt patch, there is no need to update a DEP3 header. But I'll update our changelog to close the upcoming debian bug when I have that.

The security team's review is in the cosmic mp at https://code.launchpad.net/~ahasenack/ubuntu/+source/openldap/+git/openldap/+merge/357712

Bileto ticket and PPA: https://bileto.ubuntu.com/#/ticket/3490
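The two profile rules only help when the paths slapd actually opens fall under them, and those paths come from krb5.conf (default_client_keytab_name and default_ccache_name, with MIT's compiled-in defaults when unset). The following is an added example, not code from this merge proposal or from the openldap package: it takes a constructed [libdefaults] snippet, expands the %{uid}/%{euid} parameters for the slapd uid, and reports which AppArmor permissions the resolved files would still lack under the rules from this diff. The uid 112 and the sample krb5.conf are made up; the MIT default values and the rule globs are as I know them from the krb5 source and from the hunk above.

```python
import re

# Constructed sample: the two rules added by this MP plus the pre-existing
# /etc/krb5.keytab rule from the slapd profile, as (path glob, permissions).
PROFILE_RULES = [
    ("/etc/krb5.keytab", "kr"),
    ("/etc/krb5/user/*/client.keytab", "kr"),
    ("/tmp/krb5cc_*", "rwk"),
]

# Compiled-in MIT krb5 defaults used when krb5.conf does not set the key
# (DEFCKTNAME / DEFCCNAME in the krb5 source; stated here as an assumption).
MIT_DEFAULTS = {
    "default_client_keytab_name": "FILE:/etc/krb5/user/%{euid}/client.keytab",
    "default_ccache_name": "FILE:/tmp/krb5cc_%{uid}",
}

# What slapd needs: read+lock on the keytab, read/write/lock on the ccache.
NEEDED = {
    "default_client_keytab_name": set("kr"),
    "default_ccache_name": set("rwk"),
}


def parse_libdefaults(text):
    """Minimal parser for 'key = value' lines inside the [libdefaults] section."""
    settings = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "libdefaults" and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            settings[key.lower()] = value
    return settings


def apparmor_glob_to_regex(glob):
    """AppArmor globbing: '*' does not cross '/', '**' does, '?' is one non-'/' char."""
    out, i = [], 0
    while i < len(glob):
        if glob.startswith("**", i):
            out.append(".*")
            i += 2
        elif glob[i] == "*":
            out.append("[^/]*")
            i += 1
        elif glob[i] == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(glob[i]))
            i += 1
    return "^" + "".join(out) + "$"


def expand_krb5_params(template, uid):
    """Subset of MIT krb5 parameter expansion relevant to these two settings."""
    return (template.replace("%{uid}", str(uid))
                    .replace("%{euid}", str(uid))
                    .replace("%{null}", ""))


def file_path(value):
    """Path for a FILE: (or bare) name; None for KEYRING:, DIR:, MEMORY: etc."""
    if ":" in value:
        ctype, rest = value.split(":", 1)
        return rest if ctype.upper() == "FILE" else None
    return value


def permissions_for(path, rules):
    """Union of permissions from every matching rule (AppArmor accumulates them)."""
    perms = set()
    for glob, mode in rules:
        if re.match(apparmor_glob_to_regex(glob), path):
            perms |= set(mode)
    return perms


def check_profile(libdefaults, uid, rules=PROFILE_RULES):
    """Map each setting to (resolved path or raw value, permissions still missing)."""
    result = {}
    for key, want in NEEDED.items():
        value = expand_krb5_params(libdefaults.get(key, MIT_DEFAULTS[key]), uid)
        path = file_path(value)
        if path is None:
            # A non-FILE ccache type is not covered by file rules at all.
            result[key] = (value, set(want))
            continue
        result[key] = (path, want - permissions_for(path, rules))
    return result


# Constructed krb5.conf fragment; uid 112 is a made-up uid for the openldap user.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    default_client_keytab_name = FILE:/etc/krb5/user/%{euid}/client.keytab
    default_ccache_name = FILE:/tmp/krb5cc_%{uid}
"""

if __name__ == "__main__":
    for key, (path, missing) in check_profile(parse_libdefaults(SAMPLE_KRB5_CONF), 112).items():
        status = "ok" if not missing else "missing " + "".join(sorted(missing))
        print(f"{key}: {path} -> {status}")
```

Running it against the sample reports both files as covered; pointing default_ccache_name at KEYRING:persistent:%{uid} or at FILE:/run/user/%{uid}/krb5cc instead reports all of rwk missing, which is exactly the denial an admin with a relocated credential cache would see in the audit log after this update.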

Christian Ehrhardt (paelzer) wrote:

I did only test cosmic, but the changes are small and ok to me.
There is next to no risk that it would not fix it here and in addition I assume you have done the tests on all releases already when you wrote the scripts.

Packaging review +1

review: Approve
Andreas Hasenack (ahasenack) wrote:

Thanks, tagged and uploaded.


Preview Diff

1diff --git a/debian/apparmor-profile b/debian/apparmor-profile
2index eeb68ad..69b4174 100644
3--- a/debian/apparmor-profile
4+++ b/debian/apparmor-profile
5@@ -30,6 +30,8 @@
6 # kerberos/gssapi
7 /dev/tty rw,
8 /etc/krb5.keytab kr,
9+ /etc/krb5/user/*/client.keytab kr,
10+ owner /tmp/krb5cc_* rwk,
11 /var/tmp/ rw,
12 /var/tmp/** rw,
13
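Review bot: The two new rules should carry a comment of their own, since the existing `# kerberos/gssapi` header covers the server-side keytab and nothing in the profile says why slapd now needs write and lock access under /tmp; something like `# client keytab and credential cache when slapd itself authenticates via gssapi (LP: #1783183)` above `/etc/krb5/user/*/client.keytab kr,` would do. Two caveats worth recording there as well: both paths are the compiled-in MIT defaults (default_client_keytab_name and default_ccache_name), so a krb5.conf that relocates the cache, e.g. to a KEYRING: type or a path outside /tmp, will still be denied and needs a local profile addition; and the `owner` qualifier on `/tmp/krb5cc_* rwk,` is what stops the rule from granting read/write on other users' credential caches in the shared /tmp, so it must survive any later widening of the glob. The `*` in the keytab rule matches every uid directory rather than only the openldap one, which is acceptable here because the rule is read-only and /etc/krb5/user/ is root-managed.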
14diff --git a/debian/changelog b/debian/changelog
15index 7fbd880..a97e7f3 100644
16--- a/debian/changelog
17+++ b/debian/changelog
18@@ -1,3 +1,11 @@
19+openldap (2.4.31-1+nmu2ubuntu8.5) trusty; urgency=medium
20+
21+ * d/apparmor-profile: update apparmor profile to allow reading of
22+ files needed when slapd is behaving as a kerberos/gssapi client
23+ and acquiring its own ticket. (LP: #1783183)
24+
25+ -- Andreas Hasenack <andreas@canonical.com> Mon, 22 Oct 2018 09:49:38 -0300
26+
27 openldap (2.4.31-1+nmu2ubuntu8.4) trusty-security; urgency=medium
28
29 * SECURITY UPDATE: denial of service via search with page size of 0
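Review bot: The changelog entry understates the change: it says the profile is updated "to allow reading of files", but the second rule grants `rwk` on `/tmp/krb5cc_*` so slapd can create and lock its credential cache, and someone auditing a later profile diff will not expect a write permission from an entry worded this way. Suggested wording: "update apparmor profile to allow reading the client keytab and writing the credential cache slapd needs when acting as a kerberos/gssapi client (LP: #1783183)". The version 2.4.31-1+nmu2ubuntu8.5 sorts correctly above the 8.4 trusty-security upload it is stacked on, and targeting plain trusty rather than trusty-security is consistent with this being a bug fix rather than a security update.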
