Merge ~sergiodj/ubuntu/+source/openldap:bug1557157-xenial into ubuntu/+source/openldap:ubuntu/xenial-devel

Proposed by Sergio Durigan Junior on 2020-06-15
Status: Merged
Approved by: Christian Ehrhardt on 2020-07-03
Approved revision: 8d05b630e70878f06b514d5998ab67f1e8dc96b5
Merge reported by: Andreas Hasenack
Merged at revision: 8d05b630e70878f06b514d5998ab67f1e8dc96b5
Proposed branch: ~sergiodj/ubuntu/+source/openldap:bug1557157-xenial
Merge into: ubuntu/+source/openldap:ubuntu/xenial-devel
Diff against target: 34 lines (+9/-1)
2 files modified
debian/apparmor-profile (+2/-1)
debian/changelog (+7/-0)
Reviewer                Review Type   Date Requested   Status
Christian Ehrhardt                    2020-06-15       Approve on 2020-06-22
Canonical Server Team                 2020-06-15       Pending

Description of the change

When using openldap with sasl authentication, the slapd process will communicate with the saslauthd daemon via a socket in {,/var}/run/saslauthd/mux. Unfortunately, this will fail in every Ubuntu release from trusty onwards, because slapd's apparmor profile doesn't contain the necessary directive to allow it to read/write from/to the socket specified above.

This simple change implements the fix to allow the authentication process to happen.

It's possible to test it by doing:

$ lxc launch ubuntu-daily:xenial openldap-bugbug1557157-xenial
$ lxc shell openldap-bugbug1557157-xenial
# apt install slapd sasl2-bin ldap-utils apparmor-utils

(As the domain name, use "").

# sed -i -e 's/^START=.*/START=yes/' /etc/default/saslauthd
# cat > /etc/ldap/sasl2/slapd.conf << __EOF__
mech_list: PLAIN
pwcheck_method: saslauthd
__EOF__
# adduser openldap sasl
# aa-enforce /etc/apparmor.d/usr.sbin.slapd
# systemctl restart slapd.service
# systemctl restart saslauthd.service
# passwd root

(You can choose any password here. You will need to type it when running the next command.)

# ldapsearch -H ldapi:/// -LLL -b 'dc=example,dc=com' -s base -U root -Y PLAIN

If you are using the fixed package, you will see something like:

SASL username: root
dn: dc=example,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: example
dc: example

There is a PPA here:

autopkgtest is still happy (well, because of a bug, there is no d/tests/control file, so no tests are run):

autopkgtest [12:05:10]: build not needed
* SKIP no tests in this package
autopkgtest [12:05:11]: @@@@@@@@@@@@@@@@@@@@ summary
* SKIP no tests in this package
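To make the effect of the new profile line concrete, here is an added example (written for this page, not code from the openldap package or this merge proposal): a small Python checker that expands the AppArmor `{,var/}` alternation and `*` globbing in a constructed excerpt of the slapd profile and reports which modes slapd is granted on the saslauthd socket. The excerpt is constructed from the rules touched by the diff, and the glob handling is deliberately simplified to what those rules use.

```python
import re
# Constructed excerpt of the slapd AppArmor profile: the rules around the
# line this merge proposal adds (not the full shipped profile).
PROFILE_EXCERPT = """
  /{,var/}run/slapd/* w,
  /{,var/}run/slapd/ldapi rw,
  /{,var/}run/nslcd/socket rw,
  /{,var/}run/saslauthd/mux rw,
  /usr/lib/ldap/ r,
  /usr/lib/ldap/* mr,
"""

# One file rule: absolute path (may contain {a,b} and '*'), mode letters, comma.
RULE_RE = re.compile(r"^\s*(/\S+)\s+([A-Za-z]+),\s*$")

def expand_braces(pattern):
    # Recursively expand {a,b} alternation: '/{,var/}run/x' -> ['/run/x', '/var/run/x']
    m = re.search(r"\{([^{}]*)\}", pattern)
    if not m:
        return [pattern]
    head, tail = pattern[:m.start()], pattern[m.end():]
    return [p for alt in m.group(1).split(",") for p in expand_braces(head + alt + tail)]

def glob_to_regex(pattern):
    # AppArmor '*' stays within one path component; '**' and '?' are omitted (excerpt has none)
    return re.compile("^" + "[^/]*".join(re.escape(s) for s in pattern.split("*")) + "$")

def parse_rules(profile_text):
    # -> [(compiled regex, set of mode letters)] for every file rule in the text
    rules = []
    for line in profile_text.splitlines():
        m = RULE_RE.match(line)
        if m:
            for path in expand_braces(m.group(1)):
                rules.append((glob_to_regex(path), set(m.group(2))))
    return rules

def permissions_for(profile_text, path):
    # Union of the mode letters granted on `path` by every rule that matches it
    perms = set()
    for regex, mode in parse_rules(profile_text):
        if regex.match(path):
            perms |= mode
    return perms

def saslauthd_socket_allowed(profile_text):
    # The fix is complete only if both socket spellings get read and write access
    return all({"r", "w"} <= permissions_for(profile_text, p)
               for p in ("/run/saslauthd/mux", "/var/run/saslauthd/mux"))
```

Running the checker on the excerpt with the `saslauthd/mux` line removed reproduces the pre-fix state: no rule matches the socket, which is why slapd's connect was denied.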

Christian Ehrhardt (paelzer) wrote :

Change itself LGTM, it is small, simple and reasonable.

review: Approve
Christian Ehrhardt (paelzer) wrote :

This was reviewed but not yet uploaded, should be combined with the SRU for bug 1866303

Andreas Hasenack (ahasenack) wrote :

I will pull this in

Andreas Hasenack (ahasenack) wrote :

I included it and uploaded together with my fix. I'll leave this MP as is, hoping the importer will close it as soon as the upload is accepted, but if that's not the case, it can be set to "merged" manually at that time.

Andreas Hasenack (ahasenack) wrote :

This was released into updates already.

Preview Diff

1diff --git a/debian/apparmor-profile b/debian/apparmor-profile
2index 793fa7b..9e1070f 100644
3--- a/debian/apparmor-profile
4+++ b/debian/apparmor-profile
5@@ -1,5 +1,5 @@
6 # vim:syntax=apparmor
7-# Last Modified: Fri Jan 4 15:18:13 2008
8+# Last Modified: Fri Jun 6 13:51:00 2020
9 # Author: Jamie Strandboge <>
11 #include <tunables/global>
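Review bot: the updated header comment "Last Modified: Fri Jun 6 13:51:00 2020" has the day of week wrong (6 June 2020 was a Saturday), and the changelog entry in this same diff is dated Fri, 12 Jun 2020; either correct the timestamp to when the change was actually made or drop the hand-maintained "Last Modified" line altogether, since the packaging history already records it.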
12@@ -49,6 +49,7 @@
13 /{,var/}run/slapd/* w,
14 /{,var/}run/slapd/ldapi rw,
15 /{,var/}run/nslcd/socket rw,
16+ /{,var/}run/saslauthd/mux rw,
18 /usr/lib/ldap/ r,
19 /usr/lib/ldap/* mr,
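Review bot: the new rule "/{,var/}run/saslauthd/mux rw," follows the pattern of the neighbouring nslcd socket rule and covers both the /run and /var/run spellings named in the description, which is the minimum slapd needs to connect to that unix socket; a one-line comment above it saying that this is the saslauthd mux socket slapd uses for SASL authentication (LP: #1557157) would tell future profile maintainers why the entry exists, since nothing else in the profile mentions saslauthd.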
20diff --git a/debian/changelog b/debian/changelog
21index 3cbc80b..2e7f729 100644
22--- a/debian/changelog
23+++ b/debian/changelog
24@@ -1,3 +1,10 @@
25+openldap (2.4.42+dfsg-2ubuntu3.9) xenial; urgency=medium
27+ * d/apparmor-profile: Update apparmor profile to grant access to
28+ the saslauthd socket, so that SASL authentication works. (LP: #1557157)
30+ -- Sergio Durigan Junior <> Fri, 12 Jun 2020 18:13:57 -0400
32 openldap (2.4.42+dfsg-2ubuntu3.8) xenial-security; urgency=medium
34 * SECURITY UPDATE: denial of service via nested search filters
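Review bot: the bump from 2.4.42+dfsg-2ubuntu3.8 (xenial-security) to 2.4.42+dfsg-2ubuntu3.9 targeting xenial is the correct version ordering for an SRU on top of a security upload; per the review comments this change is being uploaded together with the SRU for bug 1866303, so this bullet will need to be folded into that upload's single changelog stanza rather than landing as a separate 3.9 entry.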
