Merge ~sergiodj/ubuntu/+source/openldap:bug1557157-groovy into ubuntu/+source/openldap:ubuntu/devel

Proposed by Sergio Durigan Junior on 2020-06-15
Status: Merged
Approved by: Christian Ehrhardt  on 2020-06-17
Approved revision: 325b303a9caa8fab580dadfe663b7fb01cee08d7
Merged at revision: 325b303a9caa8fab580dadfe663b7fb01cee08d7
Proposed branch: ~sergiodj/ubuntu/+source/openldap:bug1557157-groovy
Merge into: ubuntu/+source/openldap:ubuntu/devel
Diff against target: 34 lines (+9/-1)
2 files modified
debian/apparmor-profile (+2/-1)
debian/changelog (+7/-0)
Reviewer                Review Type   Date Requested   Status
Christian Ehrhardt                    2020-06-15       Approve on 2020-06-17
Canonical Server Team                 2020-06-15       Pending
Review via email: mp+385753@code.launchpad.net

Description of the change

When using openldap with sasl authentication, the slapd process will communicate with the saslauthd daemon via a socket in {,/var}/run/saslauthd/mux. Unfortunately, this will fail in every Ubuntu release from trusty onwards, because slapd's apparmor profile doesn't contain the necessary directive to allow it to read/write from/to the socket specified above.

This simple change implements the fix to allow the authentication process to happen.

It's possible to test it by doing:

$ lxc launch ubuntu-daily:groovy openldap-bugbug1557157-groovy
$ lxc shell openldap-bugbug1557157-groovy
# apt install slapd sasl2-bin ldap-utils apparmor-utils

(As the domain name, use "example.com").

# sed -i -e 's/^START=.*/START=yes/' /etc/default/saslauthd
# cat > /etc/ldap/sasl2/slapd.conf << __EOF__
mech_list: PLAIN
pwcheck_method: saslauthd
__EOF__
# adduser openldap sasl
# aa-enforce /etc/apparmor.d/usr.sbin.slapd
# systemctl restart slapd.service
# systemctl restart saslauthd.service
# passwd root

(You can choose any password here. You will need to type it when running the next command.)

# ldapsearch -H ldapi:/// -LLL -b 'dc=example,dc=com' -s base -U root -Y PLAIN

If you are using the fixed package, you will see something like:

SASL username: root
SASL SSF: 0
dn: dc=example,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: example
dc: example

There is a PPA here: https://launchpad.net/~sergiodj/+archive/ubuntu/openldap-bug1557157

autopkgtest is still happy:

autopkgtest [11:05:28]: test slapd: -----------------------]
autopkgtest [11:05:29]: test slapd: - - - - - - - - - - results - - - - - - - - - -
slapd PASS (superficial)
autopkgtest [11:05:30]: @@@@@@@@@@@@@@@@@@@@ summary
slapd PASS (superficial)
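The steps above show the symptom (the PLAIN bind fails) but not how to confirm that the failure really is an AppArmor denial, nor how to check that a given profile carries the fix. The following shell script is an added example, not code from the merge proposal or from the openldap package: it checks a profile text for a rule granting read and write on the saslauthd mux socket, and counts kernel audit events in which the slapd profile was denied on that socket. The profile fragments and the audit lines are constructed inline for the example (pids, timestamps and uids are made up); on a real host the audit lines come from dmesg or the journal.

```shell
#!/bin/sh
# Added example (not part of the merge proposal or of the openldap package).
# Checks (1) whether a slapd AppArmor profile grants rw on the saslauthd mux
# socket and (2) whether the kernel audit log shows slapd being denied on it.

# Constructed fragment of debian/apparmor-profile as it was before the fix.
PROFILE_BEFORE='  /{,var/}run/slapd/ldapi rw,
  /{,var/}run/nslcd/socket rw,
'
# The same fragment with the rule this merge proposal adds.
PROFILE_AFTER="${PROFILE_BEFORE}  /{,var/}run/saslauthd/mux rw,
"

# Constructed audit lines in the shape AppArmor emits through the kernel audit
# subsystem (type=1400). Only the first line is a slapd denial on the socket;
# the second is an allowed open, the third is a different profile.
AUDIT_LOG='audit: type=1400 audit(1592230000.100:41): apparmor="DENIED" operation="connect" profile="/usr/sbin/slapd" name="/run/saslauthd/mux" pid=1234 comm="slapd" requested_mask="wr" denied_mask="wr" fsuid=111 ouid=0
audit: type=1400 audit(1592230000.200:42): apparmor="ALLOWED" operation="open" profile="/usr/sbin/slapd" name="/etc/ldap/sasl2/slapd.conf" pid=1234 comm="slapd" requested_mask="r" denied_mask="r" fsuid=111 ouid=0
audit: type=1400 audit(1592230000.300:43): apparmor="DENIED" operation="open" profile="/usr/sbin/someother" name="/run/saslauthd/mux" pid=999 comm="other" requested_mask="w" denied_mask="w" fsuid=0 ouid=0'

# profile_grants_mux PROFILE_TEXT
# Succeeds if the text contains a file rule for the saslauthd mux socket
# (/run, /var/run or the /{,var/}run alternation) whose mode has both r and w.
profile_grants_mux() {
    mode=$(printf '%s\n' "$1" |
        sed -n -E 's#^[[:space:]]*/([{],var/[}]|var/)?run/saslauthd/mux[[:space:]]+([a-zA-Z]+),.*#\2#p' |
        head -n 1)
    case "$mode" in
        *r*w*|*w*r*) return 0 ;;
        *) return 1 ;;
    esac
}

# mux_denials_for_slapd AUDIT_TEXT
# Prints how many DENIED events name the slapd profile and the mux socket.
# Other profiles and ALLOWED (complain-mode) events are not counted.
mux_denials_for_slapd() {
    printf '%s\n' "$1" |
        grep -c 'apparmor="DENIED".*profile="/usr/sbin/slapd".*name="/run/saslauthd/mux"' || true
}

# Stand-alone run against the constructed samples.
if profile_grants_mux "$PROFILE_AFTER"; then
    echo "fixed profile: grants rw on /run/saslauthd/mux"
fi
if ! profile_grants_mux "$PROFILE_BEFORE"; then
    echo "unfixed profile: no rule for the mux socket, expect a denial such as:"
    printf '%s\n' "$AUDIT_LOG" | grep 'profile="/usr/sbin/slapd"' | grep 'name="/run/saslauthd/mux"'
fi
echo "slapd denials on the mux socket in the sample log: $(mux_denials_for_slapd "$AUDIT_LOG")"
```

On a real system feed the functions the installed profile (`cat /etc/apparmor.d/usr.sbin.slapd`) and the kernel log (`dmesg | grep 'apparmor="DENIED"'`). A quick confirmation that AppArmor is the cause, without editing the profile, is `aa-complain /etc/apparmor.d/usr.sbin.slapd` followed by the same ldapsearch: in complain mode the bind succeeds and the event is logged as ALLOWED rather than DENIED; `aa-enforce` restores the real check.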

Christian Ehrhardt  (paelzer) wrote :

Change itself LGTM, it is small, simple and reasonable.

But the groovy version number for an upload would need to be 2.4.50+dfsg-1ubuntu2

ultra-non-critical-bonus - double whitespace before the bug () in the changelog

review: Needs Fixing
Sergio Durigan Junior (sergiodj) wrote :

On Tuesday, June 16 2020, Christian Ehrhardt  wrote:

> Review: Needs Fixing
>
> Change itself LGTM, it is small, simple and reasonable.
>
> But the groovy version number for an upload would need to be 2.4.50+dfsg-1ubuntu2

Sorry, you are correct. I fixed it and force-pushed, thanks!

> ultra-non-critical-bonus - double whitespace before the bug () in the changelog

"Fixed" as well :-). Years contributing to GNU causes these "side
effects" :-P.

Thanks,

--
Sergio
GPG key ID: E92F D0B3 6B14 F1F4 D8E0 EB2F 106D A1C8 C3CB BF14

Christian Ehrhardt  (paelzer) wrote :

LGTM now

review: Approve
Christian Ehrhardt  (paelzer) wrote :

To ssh://git.launchpad.net/ubuntu/+source/openldap
 * [new tag] upload/2.4.50+dfsg-1ubuntu2 -> upload/2.4.50+dfsg-1ubuntu2

Uploading to ubuntu (via ftp to upload.ubuntu.com):
  Uploading openldap_2.4.50+dfsg-1ubuntu2.dsc: done.
  Uploading openldap_2.4.50+dfsg-1ubuntu2.debian.tar.xz: done.
  Uploading openldap_2.4.50+dfsg-1ubuntu2_source.buildinfo: done.
  Uploading openldap_2.4.50+dfsg-1ubuntu2_source.changes: done.
Successfully uploaded packages.

Preview Diff

1diff --git a/debian/apparmor-profile b/debian/apparmor-profile
2index 793fa7b..9e1070f 100644
3--- a/debian/apparmor-profile
4+++ b/debian/apparmor-profile
5@@ -1,5 +1,5 @@
6 # vim:syntax=apparmor
7-# Last Modified: Fri Jan 4 15:18:13 2008
8+# Last Modified: Fri Jun 6 13:51:00 2020
9 # Author: Jamie Strandboge <jamie@ubuntu.com>
10
11 #include <tunables/global>
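Review bot: The hand-maintained "Last Modified" header in this hunk is out of step with the rest of the change: it now reads "Fri Jun 6 13:51:00 2020", but the changelog entry in the same diff is dated Fri, 12 Jun 2020, which makes 6 Jun 2020 a Saturday, so the line records neither a real modification time nor the upload date. Either set it to the date the rule was actually added or drop the line altogether, since git history already records when the profile changed.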
12@@ -49,6 +49,7 @@
13 /{,var/}run/slapd/* w,
14 /{,var/}run/slapd/ldapi rw,
15 /{,var/}run/nslcd/socket rw,
16+ /{,var/}run/saslauthd/mux rw,
17
18 /usr/lib/ldap/ r,
19 /usr/lib/ldap/* mr,
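Review bot: The added rule grants rw only on the default socket path, /{,var/}run/saslauthd/mux, which matches the description; an installation that runs saslauthd with a non-default socket directory (its -m option) will keep hitting the same denial and will need a local profile override, which is worth a sentence in the changelog or a comment next to the rule. Scope-wise the rule is right: it names the socket file rather than the saslauthd directory and grants no execute or map permission. Note that the rule alone is not sufficient for the bind to work, since the test steps also add the openldap user to the sasl group (adduser openldap sasl); AppArmor permits the access, the socket's group ownership still decides it.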
20diff --git a/debian/changelog b/debian/changelog
21index 504f29f..f8394c2 100644
22--- a/debian/changelog
23+++ b/debian/changelog
24@@ -1,3 +1,10 @@
25+openldap (2.4.50+dfsg-1ubuntu2) groovy; urgency=medium
26+
27+ * d/apparmor-profile: Update apparmor profile to grant access to
28+ the saslauthd socket, so that SASL authentication works. (LP: #1557157)
29+
30+ -- Sergio Durigan Junior <sergio.durigan@canonical.com> Fri, 12 Jun 2020 18:20:42 -0400
31+
32 openldap (2.4.50+dfsg-1ubuntu1) groovy; urgency=medium
33
34 * Merge with Debian unstable. Remaining changes:
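Review bot: This entry closes LP: #1557157 with a groovy-only upload, while the description says the denial affects every release from trusty onwards; if the stable releases are to be fixed, each needs its own SRU upload and changelog entry, and the bug should stay targeted to those series rather than being treated as closed by this upload. The entry also does not mention the "Last Modified" header bump in debian/apparmor-profile that the same diff carries.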
