Merge ~sergiodj/ubuntu/+source/openldap:bug1557157-focal into ubuntu/+source/openldap:ubuntu/focal-devel

Proposed by Sergio Durigan Junior on 2020-06-15
Status: Merged
Approved by: Christian Ehrhardt on 2020-07-03
Approved revision: bf0d631a62c756fbdd262f73d4ed95672cf55493
Merge reported by: Andreas Hasenack
Merged at revision: bf0d631a62c756fbdd262f73d4ed95672cf55493
Proposed branch: ~sergiodj/ubuntu/+source/openldap:bug1557157-focal
Merge into: ubuntu/+source/openldap:ubuntu/focal-devel
Diff against target: 34 lines (+9/-1)
2 files modified
debian/apparmor-profile (+2/-1)
debian/changelog (+7/-0)
Reviewer                          Review Type   Date Requested   Status
Christian Ehrhardt                              2020-06-15       Approve on 2020-06-16
Canonical Server Team                           2020-06-16       Pending
Canonical Server Core Reviewers                 2020-06-15       Pending
Review via email: mp+385755@code.launchpad.net

Description of the change

When using openldap with sasl authentication, the slapd process will communicate with the saslauthd daemon via a socket in {,/var}/run/saslauthd/mux. Unfortunately, this will fail in every Ubuntu release from trusty onwards, because slapd's apparmor profile doesn't contain the necessary directive to allow it to read/write from/to the socket specified above.

This simple change implements the fix to allow the authentication process to happen.

It's possible to test it by doing:

$ lxc launch ubuntu-daily:focal openldap-bugbug1557157-focal
$ lxc shell openldap-bugbug1557157-focal
# apt install slapd sasl2-bin ldap-utils apparmor-utils

(As the domain name, use "example.com").

# sed -i -e 's/^START=.*/START=yes/' /etc/default/saslauthd
# cat > /etc/ldap/sasl2/slapd.conf << __EOF__
mech_list: PLAIN
pwcheck_method: saslauthd
__EOF__
# adduser openldap sasl
# aa-enforce /etc/apparmor.d/usr.sbin.slapd
# systemctl restart slapd.service
# systemctl restart saslauthd.service
# passwd root

(You can choose any password here. You will need to type it when running the next command.)

# ldapsearch -H ldapi:/// -LLL -b 'dc=example,dc=com' -s base -U root -Y PLAIN

If you are using the fixed package, you will see something like:

SASL username: root
SASL SSF: 0
dn: dc=example,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: example
dc: example

There is a PPA here: https://launchpad.net/~sergiodj/+archive/ubuntu/openldap-bug1557157

autopkgtest is still happy:

autopkgtest [11:05:28]: test slapd: -----------------------]
autopkgtest [11:05:29]: test slapd: - - - - - - - - - - results - - - - - - - - - -
slapd PASS (superficial)
autopkgtest [11:05:30]: @@@@@@@@@@@@@@@@@@@@ summary
slapd PASS (superficial)
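Added verification helpers for the test procedure above (example code, not part of this MP or the openldap packaging): one function counts the AppArmor denials this bug leaves in the kernel log, and one checks whether a slapd profile text carries a rule granting rw on the saslauthd mux socket, so fixed and unfixed hosts can be told apart without a live ldapsearch. The log lines and profile fragments are constructed, and the host paths assume Ubuntu defaults.

```shell
#!/bin/sh
# Added example, not code from the MP: checks for the slapd AppArmor fix.
# Sample log lines and profile fragments below are constructed, not captured.

# Kernel audit lines in the shape AppArmor logs on a denial: first the
# bug 1557157 symptom, then an unrelated distractor.
SAMPLE_LOG='audit: type=1400 audit(1592251200.123:456): apparmor="DENIED" operation="connect" profile="/usr/sbin/slapd" name="/run/saslauthd/mux" pid=1234 comm="slapd" requested_mask="wr" denied_mask="wr" fsuid=112 ouid=0
audit: type=1400 audit(1592251201.456:457): apparmor="DENIED" operation="open" profile="/usr/sbin/other-daemon" name="/run/other/socket" pid=999 comm="otherd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0'

# Profile fragments before and after the change proposed here.
UNPATCHED_PROFILE='#include <tunables/global>
/usr/sbin/slapd {
  /{,var/}run/slapd/ldapi rw,
  /{,var/}run/nslcd/socket rw,
}'
PATCHED_PROFILE='#include <tunables/global>
/usr/sbin/slapd {
  /{,var/}run/slapd/ldapi rw,
  /{,var/}run/nslcd/socket rw,
  /{,var/}run/saslauthd/mux rw,
}'

# Count DENIED events where slapd was refused the saslauthd mux socket,
# under either the /run or the /var/run spelling. Prints the count.
count_saslauthd_denials() {
    printf '%s\n' "$1" | grep -Ec \
        'apparmor="DENIED".*profile="/usr/sbin/slapd".*name="/(var/)?run/saslauthd/mux"' \
        || true
}

# Exit 0 when the profile has a rule on the saslauthd mux socket whose mode
# has both r and w; accepts the Debian /{,var/}run/ alternation or a literal
# /run or /var/run path. Rules with a leading qualifier (owner) are skipped.
profile_grants_saslauthd_mux() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^\/(\{,var\/\}|var\/)?run\/saslauthd\/mux$/ && $2 ~ /^[a-zA-Z]+,$/ {
            if (index($2, "r") > 0 && index($2, "w") > 0) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# On a real host: check the installed profile and the kernel log (Ubuntu
# default paths; journalctl -k needs root or the systemd-journal group).
check_host() {
    profile_grants_saslauthd_mux "$(cat /etc/apparmor.d/usr.sbin.slapd)" \
        && echo "profile: saslauthd mux rule present" \
        || echo "profile: saslauthd mux rule MISSING (bug 1557157 symptom)"
    echo "denials logged: $(count_saslauthd_denials "$(journalctl -k --no-pager)")"
}
```

Call `check_host` from a root shell on the container built in the steps above; it should report the rule missing before the fix and present afterwards.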

Christian Ehrhardt (paelzer) wrote:

Change itself LGTM; it is small, simple and reasonable.

review: Approve
Christian Ehrhardt (paelzer) wrote:

This was reviewed but not yet uploaded; it should be combined with the SRU for bug 1866303.

Andreas Hasenack (ahasenack) wrote:

I will pull this in.

Andreas Hasenack (ahasenack) wrote:

Bug #1866303 doesn't affect focal, so this MP here can be used as is. I'll sponsor it now.

Andreas Hasenack (ahasenack) wrote:

Tagging and uploading bf0d631a62c756fbdd262f73d4ed95672cf55493

$ git push pkg upload/2.4.49+dfsg-2ubuntu1.3
Enumerating objects: 18003, done.
Counting objects: 100% (18003/18003), done.
Delta compression using up to 4 threads
Compressing objects: 100% (2885/2885), done.
Writing objects: 100% (18003/18003), 8.47 MiB | 250.00 KiB/s, done.
Total 18003 (delta 15239), reused 17163 (delta 15032)
remote: Resolving deltas: 100% (15239/15239), done.
To ssh://git.launchpad.net/~usd-import-team/ubuntu/+source/openldap
 * [new tag] upload/2.4.49+dfsg-2ubuntu1.3 -> upload/2.4.49+dfsg-2ubuntu1.3

$ dput ubuntu ../openldap_2.4.49+dfsg-2ubuntu1.3_source.changes
Checking signature on .changes
gpg: ../openldap_2.4.49+dfsg-2ubuntu1.3_source.changes: Valid signature from AC983EB5BF6BCBA9
Checking signature on .dsc
gpg: ../openldap_2.4.49+dfsg-2ubuntu1.3.dsc: Valid signature from AC983EB5BF6BCBA9
Uploading to ubuntu (via ftp to upload.ubuntu.com):
  Uploading openldap_2.4.49+dfsg-2ubuntu1.3.dsc: done.
  Uploading openldap_2.4.49+dfsg-2ubuntu1.3.debian.tar.xz: done.
  Uploading openldap_2.4.49+dfsg-2ubuntu1.3_source.buildinfo: done.
  Uploading openldap_2.4.49+dfsg-2ubuntu1.3_source.changes: done.
Successfully uploaded packages.

Andreas Hasenack (ahasenack) wrote:

This was released into updates already.

Preview Diff

1diff --git a/debian/apparmor-profile b/debian/apparmor-profile
2index 793fa7b..9e1070f 100644
3--- a/debian/apparmor-profile
4+++ b/debian/apparmor-profile
5@@ -1,5 +1,5 @@
6 # vim:syntax=apparmor
7-# Last Modified: Fri Jan 4 15:18:13 2008
8+# Last Modified: Fri Jun 6 13:51:00 2020
9 # Author: Jamie Strandboge <jamie@ubuntu.com>
10
11 #include <tunables/global>
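Review bot: the updated "Last Modified" header in this hunk reads "Fri Jun 6 13:51:00 2020", but 6 June 2020 was a Saturday (the changelog stamp in this same MP dates the following Friday as 12 Jun 2020), so either the weekday or the day is wrong; since apparmor_parser ignores the comment and it drifts on every edit, either correct it to the real edit date or drop the hand-maintained timestamp altogether.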
12@@ -49,6 +49,7 @@
13 /{,var/}run/slapd/* w,
14 /{,var/}run/slapd/ldapi rw,
15 /{,var/}run/nslcd/socket rw,
16+ /{,var/}run/saslauthd/mux rw,
17
18 /usr/lib/ldap/ r,
19 /usr/lib/ldap/* mr,
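Review bot: the added `/{,var/}run/saslauthd/mux rw,` line only covers the default socket location; a host that starts saslauthd with a non-default `-m` directory in /etc/default/saslauthd will still be denied, so a one-line comment above the rule saying it matches the stock saslauthd mux path would save the next person a trip to the audit log. Scoping is otherwise right: it grants the single socket path rather than the directory, `rw` is the mode AppArmor needs for a unix-domain socket connect under path mediation, and it sits next to the equivalent nslcd socket rule. As the description says every series from trusty onwards is affected, the same line should be queued for the other supported series rather than focal alone.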
20diff --git a/debian/changelog b/debian/changelog
21index 3007b6b..6cc5f88 100644
22--- a/debian/changelog
23+++ b/debian/changelog
24@@ -1,3 +1,10 @@
25+openldap (2.4.49+dfsg-2ubuntu1.3) focal; urgency=medium
26+
27+ * d/apparmor-profile: Update apparmor profile to grant access to
28+ the saslauthd socket, so that SASL authentication works. (LP: #1557157)
29+
30+ -- Sergio Durigan Junior <sergio.durigan@canonical.com> Fri, 12 Jun 2020 18:18:58 -0400
31+
32 openldap (2.4.49+dfsg-2ubuntu1.2) focal-security; urgency=medium
33
34 * SECURITY UPDATE: denial of service via nested search filters
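Review bot: the changelog entry names the bug and the file but not what was granted; spelling out `/{,var/}run/saslauthd/mux rw` in the bullet makes this widening of slapd's confinement reviewable from the changelog alone, which is what the SRU team reads first. The version is correct: 2.4.49+dfsg-2ubuntu1.3 targeting focal sorts above the 2ubuntu1.2 focal-security upload it stacks on.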
