Merge ~sergiodj/ubuntu/+source/openldap:bug1557157-bionic into ubuntu/+source/openldap:ubuntu/bionic-devel

Proposed by Sergio Durigan Junior on 2020-06-15
Status: Merged
Approved by: Christian Ehrhardt on 2020-07-03
Approved revision: bad9e1f9909b883ce6bdb238b3cd20a894e90bf8
Merge reported by: Andreas Hasenack
Merged at revision: bad9e1f9909b883ce6bdb238b3cd20a894e90bf8
Proposed branch: ~sergiodj/ubuntu/+source/openldap:bug1557157-bionic
Merge into: ubuntu/+source/openldap:ubuntu/bionic-devel
Diff against target: 34 lines (+9/-1)
2 files modified
debian/apparmor-profile (+2/-1)
debian/changelog (+7/-0)
Reviewer                        | Review Type | Date Requested | Status
Christian Ehrhardt              |             | 2020-06-15     | Approve on 2020-06-16
Canonical Server Team           |             | 2020-06-16     | Pending
Canonical Server Core Reviewers |             | 2020-06-15     | Pending
Review via email: mp+385757@code.launchpad.net

Description of the change

When using openldap with SASL authentication, the slapd process communicates with the saslauthd daemon via a socket at {,/var}/run/saslauthd/mux. Unfortunately, this fails in every Ubuntu release from trusty onwards, because slapd's AppArmor profile doesn't contain the directive needed to allow it to read from and write to that socket.

This simple change implements the fix to allow the authentication process to happen.

It's possible to test it by doing:

$ lxc launch ubuntu-daily:bionic openldap-bugbug1557157-bionic
$ lxc shell openldap-bugbug1557157-bionic
# apt install slapd sasl2-bin ldap-utils apparmor-utils

(As the domain name, use "example.com").

# sed -i -e 's/^START=.*/START=yes/' /etc/default/saslauthd
# cat > /etc/ldap/sasl2/slapd.conf << __EOF__
mech_list: PLAIN
pwcheck_method: saslauthd
__EOF__
# adduser openldap sasl
# aa-enforce /etc/apparmor.d/usr.sbin.slapd
# systemctl restart slapd.service
# systemctl restart saslauthd.service
# passwd root

(You can choose any password here. You will need to type it when running the next command.)

# ldapsearch -H ldapi:/// -LLL -b 'dc=example,dc=com' -s base -U root -Y PLAIN

If you are using the fixed package, you will see something like:

SASL username: root
SASL SSF: 0
dn: dc=example,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: example
dc: example
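As an added check (example shell script, not part of this merge proposal or the openldap packaging), the two conditions the test above relies on can be verified mechanically: that the installed profile carries the new rule, and that the kernel audit log no longer shows slapd being denied the mux socket. The profile snippets and audit lines below are constructed samples in the standard AppArmor audit format, not captured output.

```shell
#!/bin/sh
# Added example, not part of the merge proposal: two checks for the fix described above.
#   profile_grants_mux FILE  -> exit 0 if FILE carries the '/{,var/}run/saslauthd/mux rw,' rule
#   count_mux_denials        -> stdin: kernel/audit log; stdout: number of AppArmor DENIED
#                               events where the slapd profile was refused the mux socket

profile_grants_mux() {
    # Match the rule as written in debian/apparmor-profile, tolerating indentation.
    grep -Eq '^[[:space:]]*/\{,var/\}run/saslauthd/mux[[:space:]]+rw,' "$1"
}

count_mux_denials() {
    # Standard AppArmor audit format; accept either /run or /var/run spelling of the path.
    # grep -c exits 1 when the count is 0, so force success for callers running under set -e.
    grep -Ec 'apparmor="DENIED".*profile="/usr/sbin/slapd".*name="/(var/)?run/saslauthd/mux"' || true
}

# Constructed sample inputs (not captured from the page's test run).
SAMPLE_PROFILE_OLD='  /{,var/}run/nslcd/socket rw,'
SAMPLE_PROFILE_FIXED='  /{,var/}run/nslcd/socket rw,
  /{,var/}run/saslauthd/mux rw,'
SAMPLE_LOG='audit: type=1400 audit(1591983600.123:42): apparmor="DENIED" operation="connect" profile="/usr/sbin/slapd" name="/run/saslauthd/mux" pid=2345 comm="slapd" requested_mask="wr" denied_mask="wr" fsuid=111 ouid=0
audit: type=1400 audit(1591983600.456:43): apparmor="DENIED" operation="open" profile="/usr/sbin/slapd" name="/tmp/unrelated" pid=2345 comm="slapd" requested_mask="r" denied_mask="r" fsuid=111 ouid=0
audit: type=1400 audit(1591983601.000:44): apparmor="DENIED" operation="connect" profile="/usr/sbin/slapd" name="/var/run/saslauthd/mux" pid=2345 comm="slapd" requested_mask="wr" denied_mask="wr" fsuid=111 ouid=0
audit: type=1400 audit(1591983700.000:45): apparmor="ALLOWED" operation="connect" profile="/usr/sbin/slapd" name="/run/saslauthd/mux" pid=2400 comm="slapd" requested_mask="wr" denied_mask="wr" fsuid=111 ouid=0'

# demo: run both checks against the constructed samples. Real use would be:
#   profile_grants_mux /etc/apparmor.d/usr.sbin.slapd && dmesg | count_mux_denials
demo() {
    tmp=$(mktemp) || return 1
    printf '%s\n' "$SAMPLE_PROFILE_OLD" > "$tmp"
    profile_grants_mux "$tmp" && echo "old profile: rule present" || echo "old profile: rule missing"
    printf '%s\n' "$SAMPLE_PROFILE_FIXED" > "$tmp"
    profile_grants_mux "$tmp" && echo "fixed profile: rule present" || echo "fixed profile: rule missing"
    rm -f "$tmp"
    echo "slapd denials on the mux socket in sample log: $(printf '%s\n' "$SAMPLE_LOG" | count_mux_denials)"
}
```

Before the fix the denial count from a real `dmesg` should be non-zero while `ldapsearch -Y PLAIN` fails; after upgrading and restarting slapd it should stay at zero across the test.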

There is a PPA here: https://launchpad.net/~sergiodj/+archive/ubuntu/openldap-bug1557157

autopkgtest is still happy (well, because of a bug, there is no d/tests/control file, so no tests are run):

autopkgtest [11:57:32]: build not needed
* SKIP no tests in this package
autopkgtest [11:57:32]: @@@@@@@@@@@@@@@@@@@@ summary
* SKIP no tests in this package

Christian Ehrhardt  (paelzer) wrote :

Change itself LGTM, it is small, simple and reasonable.

review: Approve
Christian Ehrhardt  (paelzer) wrote :

This was reviewed but not yet uploaded, should be combined with the SRU for bug 1866303

Andreas Hasenack (ahasenack) wrote :

I'll pull this in

Andreas Hasenack (ahasenack) wrote :

I included it and uploaded together with my fix. I'll leave this MP as is, hoping the importer will close it as soon as the upload is accepted, but if that's not the case, it can be set to "merged" manually at that time.

Andreas Hasenack (ahasenack) wrote :

This was released into updates already.

Preview Diff

1diff --git a/debian/apparmor-profile b/debian/apparmor-profile
2index 793fa7b..9e1070f 100644
3--- a/debian/apparmor-profile
4+++ b/debian/apparmor-profile
5@@ -1,5 +1,5 @@
6 # vim:syntax=apparmor
7-# Last Modified: Fri Jan 4 15:18:13 2008
8+# Last Modified: Fri Jun 6 13:51:00 2020
9 # Author: Jamie Strandboge <jamie@ubuntu.com>
10
11 #include <tunables/global>
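Review bot: The new "Last Modified" stamp on the `+` line reads "Fri Jun 6 13:51:00 2020", but 6 June 2020 was a Saturday (the changelog stanza later in this diff dates Friday 12 June 2020, six days on). Either correct the day name or drop the hand-maintained stamp altogether, since it carries no information the packaging changelog does not.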
12@@ -49,6 +49,7 @@
13 /{,var/}run/slapd/* w,
14 /{,var/}run/slapd/ldapi rw,
15 /{,var/}run/nslcd/socket rw,
16+ /{,var/}run/saslauthd/mux rw,
17
18 /usr/lib/ldap/ r,
19 /usr/lib/ldap/* mr,
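Review bot: The added `/{,var/}run/saslauthd/mux rw,` rule mirrors the existing `/{,var/}run/nslcd/socket rw,` entry directly above it, so it uses the same run-directory alternation and the same mask, which is what a connect to a Unix socket needs. For the SRU test case it would help to quote in the description the AppArmor denial for this path as it appears in the kernel log before the fix, so that verification is "the denial is gone" rather than only "ldapsearch succeeds".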
20diff --git a/debian/changelog b/debian/changelog
21index ae9f218..57e102c 100644
22--- a/debian/changelog
23+++ b/debian/changelog
24@@ -1,3 +1,10 @@
25+openldap (2.4.45+dfsg-1ubuntu1.6) bionic; urgency=medium
26+
27+ * d/apparmor-profile: Update apparmor profile to grant access to
28+ the saslauthd socket, so that SASL authentication works. (LP: #1557157)
29+
30+ -- Sergio Durigan Junior <sergio.durigan@canonical.com> Fri, 12 Jun 2020 18:17:06 -0400
31+
32 openldap (2.4.45+dfsg-1ubuntu1.5) bionic-security; urgency=medium
33
34 * SECURITY UPDATE: denial of service via nested search filters
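Review bot: The bump from 2.4.45+dfsg-1ubuntu1.5 (bionic-security) to 2.4.45+dfsg-1ubuntu1.6 targeting bionic is the right SRU sequence and the LP bug reference is in the expected form, but per the discussion above this change is going out combined with the upload for bug 1866303, so this standalone 1ubuntu1.6 stanza will need to be folded into that upload's changelog entry rather than landing as its own version.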
