Merge ~sergiodj/ubuntu/+source/openldap:bug1557157-xenial into ubuntu/+source/openldap:ubuntu/xenial-devel

Proposed by Sergio Durigan Junior
Status: Merged
Approved by: Christian Ehrhardt 
Approved revision: 8d05b630e70878f06b514d5998ab67f1e8dc96b5
Merge reported by: Andreas Hasenack
Merged at revision: 8d05b630e70878f06b514d5998ab67f1e8dc96b5
Proposed branch: ~sergiodj/ubuntu/+source/openldap:bug1557157-xenial
Merge into: ubuntu/+source/openldap:ubuntu/xenial-devel
Diff against target: 34 lines (+9/-1)
2 files modified
debian/apparmor-profile (+2/-1)
debian/changelog (+7/-0)
Reviewers:
  Christian Ehrhardt (community): Approve
  Canonical Server: Pending
Review via email: mp+385758@code.launchpad.net

Description of the change

When using openldap with sasl authentication, the slapd process will communicate with the saslauthd daemon via a socket in {,/var}/run/saslauthd/mux. Unfortunately, this will fail in every Ubuntu release from trusty onwards, because slapd's apparmor profile doesn't contain the necessary directive to allow it to read/write from/to the socket specified above.

This simple change implements the fix to allow the authentication process to happen.

It's possible to test it by doing:

$ lxc launch ubuntu-daily:xenial openldap-bugbug1557157-xenial
$ lxc shell openldap-bugbug1557157-xenial
# apt install slapd sasl2-bin ldap-utils apparmor-utils

(As the domain name, use "example.com").

# sed -i -e 's/^START=.*/START=yes/' /etc/default/saslauthd
# cat > /etc/ldap/sasl2/slapd.conf << __EOF__
mech_list: PLAIN
pwcheck_method: saslauthd
__EOF__
# adduser openldap sasl
# aa-enforce /etc/apparmor.d/usr.sbin.slapd
# systemctl restart slapd.service
# systemctl restart saslauthd.service
# passwd root

(You can choose any password here. You will need to type it when running the next command.)

# ldapsearch -H ldapi:/// -LLL -b 'dc=example,dc=com' -s base -U root -Y PLAIN

If you are using the fixed package, you will see something like:

SASL username: root
SASL SSF: 0
dn: dc=example,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: example
dc: example

There is a PPA here: https://launchpad.net/~sergiodj/+archive/ubuntu/openldap-bug1557157

autopkgtest is still happy (well, because of a bug, there is no d/tests/control file, so no tests are run):

autopkgtest [12:05:10]: build not needed
* SKIP no tests in this package
autopkgtest [12:05:11]: @@@@@@@@@@@@@@@@@@@@ summary
* SKIP no tests in this package
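The two checks a defender would want alongside the test recipe above, as an added example that is not part of the merge proposal or of the openldap package: one confirms whether a slapd AppArmor profile carries the saslauthd mux rule, the other counts kernel audit records showing slapd being denied that socket, which is the symptom of this bug. The audit-record layout and the sample files are constructed here; on a real host the same functions would be pointed at /etc/apparmor.d/usr.sbin.slapd and /var/log/kern.log.

```shell
#!/bin/sh
# Added example, not part of the merge proposal or the openldap package.
# Two checks for diagnosing bug 1557157 on a host:
#   has_saslauthd_rule PROFILE  exits 0 if PROFILE grants rw on the saslauthd mux socket
#   count_mux_denials LOG       prints how many AppArmor DENIED records in LOG name that socket
# Both take file arguments so they run against the constructed samples below
# as well as /etc/apparmor.d/usr.sbin.slapd and /var/log/kern.log on a real system.

has_saslauthd_rule() {
    # Match the rule as it appears in the fixed profile: optional indentation,
    # the {,var/} alternation covering /run and /var/run, and an rw (or wr) mode.
    grep -Eq '^[[:space:]]*/\{,var/\}run/saslauthd/mux[[:space:]]+(rw|wr),' "$1"
}

count_mux_denials() {
    # The kernel logs AppArmor denials as type=1400 audit records; a slapd
    # connect to the mux socket that the profile does not allow shows up with
    # apparmor="DENIED", the slapd profile name and the socket path in name=.
    # grep -c exits 1 when the count is 0, so keep the "0" and mask that status.
    grep -c 'apparmor="DENIED".*profile="/usr/sbin/slapd".*name="/run/saslauthd/mux"' "$1" || true
}

make_samples() {
    # Write constructed sample inputs into directory $1.
    mkdir -p "$1"
    # Profile excerpt as shipped before the fix: nslcd socket rule, no saslauthd rule.
    cat > "$1/slapd.before" <<'EOF'
#include <tunables/global>
/usr/sbin/slapd {
  /{,var/}run/slapd/* w,
  /{,var/}run/slapd/ldapi rw,
  /{,var/}run/nslcd/socket rw,
}
EOF
    # The same excerpt with the merge proposal's one-line rule added.
    cat > "$1/slapd.after" <<'EOF'
#include <tunables/global>
/usr/sbin/slapd {
  /{,var/}run/slapd/* w,
  /{,var/}run/slapd/ldapi rw,
  /{,var/}run/nslcd/socket rw,
  /{,var/}run/saslauthd/mux rw,
}
EOF
    # Constructed kern.log excerpt (field layout assumed): two denials on the
    # mux socket of the shape an unfixed host would log when slapd tries to
    # reach saslauthd, plus one unrelated profile reload record not to be counted.
    cat > "$1/kern.log" <<'EOF'
Jun  6 13:40:01 host kernel: audit: type=1400 audit(1591458001.100:41): apparmor="DENIED" operation="connect" profile="/usr/sbin/slapd" name="/run/saslauthd/mux" pid=2101 comm="slapd" requested_mask="wr" denied_mask="wr" fsuid=112 ouid=0
Jun  6 13:40:02 host kernel: audit: type=1400 audit(1591458002.200:42): apparmor="DENIED" operation="connect" profile="/usr/sbin/slapd" name="/run/saslauthd/mux" pid=2101 comm="slapd" requested_mask="wr" denied_mask="wr" fsuid=112 ouid=0
Jun  6 13:40:03 host kernel: audit: type=1400 audit(1591458003.300:43): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/sbin/slapd" pid=2150 comm="apparmor_parser"
EOF
}

demo() {
    # Run both checks over the constructed samples and report.
    dir=$(mktemp -d)
    make_samples "$dir"
    for state in before after; do
        if has_saslauthd_rule "$dir/slapd.$state"; then
            echo "slapd.$state: saslauthd mux rule present"
        else
            echo "slapd.$state: saslauthd mux rule missing (bug 1557157 symptom)"
        fi
    done
    echo "kern.log: $(count_mux_denials "$dir/kern.log") DENIED record(s) for the mux socket"
    rm -rf "$dir"
}

demo
```

The profile check deliberately requires the `{,var/}` alternation rather than a bare `/run/saslauthd/mux`, since that is the form the neighbouring rules use and the only one that covers both path layouts; a rule written for one layout only would pass a looser check and still fail on the other.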

Christian Ehrhardt  (paelzer) wrote :

Change itself LGTM, it is small, simple and reasonable.

Christian Ehrhardt  (paelzer) :
review: Approve
Christian Ehrhardt  (paelzer) wrote :

This was reviewed but not yet uploaded, should be combined with the SRU for bug 1866303

Andreas Hasenack (ahasenack) wrote :

I will pull this in

Andreas Hasenack (ahasenack) wrote :

I included it and uploaded together with my fix. I'll leave this MP as is, hoping the importer will close it as soon as the upload is accepted, but if that's not the case, it can be set to "merged" manually at that time.

Andreas Hasenack (ahasenack) wrote :

This was released into updates already.

Preview Diff

1diff --git a/debian/apparmor-profile b/debian/apparmor-profile
2index 793fa7b..9e1070f 100644
3--- a/debian/apparmor-profile
4+++ b/debian/apparmor-profile
5@@ -1,5 +1,5 @@
6 # vim:syntax=apparmor
7-# Last Modified: Fri Jan 4 15:18:13 2008
8+# Last Modified: Fri Jun 6 13:51:00 2020
9 # Author: Jamie Strandboge <jamie@ubuntu.com>
10
11 #include <tunables/global>
12@@ -49,6 +49,7 @@
13 /{,var/}run/slapd/* w,
14 /{,var/}run/slapd/ldapi rw,
15 /{,var/}run/nslcd/socket rw,
16+ /{,var/}run/saslauthd/mux rw,
17
18 /usr/lib/ldap/ r,
19 /usr/lib/ldap/* mr,
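Review bot: the new rule grants exactly the `rw` access slapd needs on the saslauthd mux socket and reuses the `/{,var/}run/` alternation of the neighbouring nslcd rule, so the /run and /var/run layouts are both covered without a second line. One point worth recording in the bug or changelog: AppArmor only narrows what DAC already permits, so this rule on its own does not make authentication work; the `adduser openldap sasl` step in the description remains a separate prerequisite that users of the updated package still have to perform.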
20diff --git a/debian/changelog b/debian/changelog
21index 3cbc80b..2e7f729 100644
22--- a/debian/changelog
23+++ b/debian/changelog
24@@ -1,3 +1,10 @@
25+openldap (2.4.42+dfsg-2ubuntu3.9) xenial; urgency=medium
26+
27+ * d/apparmor-profile: Update apparmor profile to grant access to
28+ the saslauthd socket, so that SASL authentication works. (LP: #1557157)
29+
30+ -- Sergio Durigan Junior <sergio.durigan@canonical.com> Fri, 12 Jun 2020 18:13:57 -0400
31+
32 openldap (2.4.42+dfsg-2ubuntu3.8) xenial-security; urgency=medium
33
34 * SECURITY UPDATE: denial of service via nested search filters
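Review bot: version 2.4.42+dfsg-2ubuntu3.9 for the xenial pocket sorts above the 2ubuntu3.8 xenial-security base shown in context, so the update correctly supersedes the security release. Since the reviewer asked for this to be combined with the SRU for bug 1866303, expect this entry to be folded into that upload under a single version and timestamp; keep the `(LP: #1557157)` reference in the merged entry so the bug is closed when the upload is accepted.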
