Bug #1392018 “apparmor stops /var/run/ldapi from being read caus...” : Bugs : openldap package : Ubuntu

Revision history for this message

Launchpad Janitor (janitor) wrote on 2014-11-17:

#1

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in openldap (Ubuntu):
status:	New → Confirmed

Revision history for this message

Jayesh Bhoot (bhoot-jayesh) wrote on 2014-11-17:

#2

I confirm that the bug is present on Kubuntu 14.10 as well.

When installing a clean ubuntu 14.10 server and installing slapd with :
apt-get install slapd ldap-utils
configure it with :
dpkg-reconfigure slapd
with ldap address of ldapi://xxx.xxx.xxx
the following command :
ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config
gives the following error:
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)

Also, the provided solution of modifying apparmor config for slapd worked.

Revision history for this message

Mats Luspa (matsl) wrote on 2015-04-27:

#3

This bug can also be found in Ubuntu 15.04 vivid. The workaround of modifying apparmor works.

Ryan Tandy (rtandy) on 2015-05-25

tags:

added: apparmor

Ryan Tandy (rtandy) on 2015-05-26

Changed in openldap (Ubuntu):
assignee:	nobody → Ryan Tandy (rtandy)
status:	Confirmed → In Progress

Revision history for this message

Ryan Tandy (rtandy) wrote on 2015-05-26:

#4

Based on reading apparmor code and changes, it sounds like changing 'w' to 'rw' actually is the correct fix (f.ex. [1]). My proposed merge (bug 1395098) includes that change.

This should probably be SRUed to U and V after getting fixed in the development release. Considering that ldapi is our default and recommended way of doing config changes, this is certainly a grave bug.

[1] http://bazaar.launchpad.net/~apparmor-dev/apparmor/master/view/head:/tests/regression/apparmor/unix_socket_pathname.sh#L40

Revision history for this message

Launchpad Janitor (janitor) wrote on 2015-05-29:

#5

Download full text (10.3 KiB)

This bug was fixed in the package openldap - 2.4.40+dfsg-1ubuntu1

---------------
openldap (2.4.40+dfsg-1ubuntu1) wily; urgency=low

  * Merge from Debian testing (LP: #1395098, LP: #1316124). Remaining changes:
    - Enable AppArmor support:
      - d/apparmor-profile: add AppArmor profile
      - d/rules: use dh_apparmor
      - d/control: Build-Depends on dh-apparmor
      - d/slapd.README.Debian: add note about AppArmor
    - Enable GSSAPI support:
      - d/patches/gssapi.diff, thanks to Jerry Carter (Likewise):
        - Add --with-gssapi support
        - Make guess_service_principal() more robust when determining
          principal
      - d/configure.options: Configure with --with-gssapi
      - d/control: Added heimdal-dev as a build depend
    - Enable ufw support:
      - d/control: suggest ufw.
      - d/rules: install ufw profile.
      - d/slapd.ufw.profile: add ufw profile.
    - Enable nss overlay:
      - d/{patches/nssov-build,rules}: Apply, build and package the
        nss overlay.
    - d/{rules,slapd.py}: Add apport hook.
    - d/slapd.init.ldif: don't set olcRootDN since it's not defined in
      either the default DIT nor via an Authn mapping.
    - d/slapd.scripts-common:
      - add slapcat_opts to local variables.
      - Remove unused variable new_conf.
      - Fix backup directory naming for multiple reconfiguration.
    - d/{slapd.default,slapd.README.Debian}: use the new configuration style.
    - d/rules: Enable -DLDAP_CONNECTIONLESS to build CLDAP (UDP) support
      in the openldap library, as required by Likewise-Open
    - Show distribution in version:
      - d/control: added lsb-release
      - d/patches/fix-ldap-distribution.patch: show distribution in version
  * Drop patches included upstream:
    - d/patches/0001-ITS-7430-GnuTLS-Avoid-use-of-deprecated-function.patch
    - d/patches/bdb-deadlock.patch
    - d/patches/its-7354-fix-delta-sync-mmr.diff
  * Drop hardening-wrapper as Debian now sets PIE and bindnow flags.
  * debian/patches/nssov-build: Adjust for upstream changes.
  * debian/apparmor-profile:
    - Change 'r' to 'rw' for ldapi and nslcd sockets, required for apparmor
      kernel ABI v7 (utopic and later). (LP: #1392018)
    - Reduce permissions on /run/nslcd to just the nslcd socket.
  * Enable the mdb backend again on ppc64el, fixed upstream in ITS#7713.
    (LP: #1293250)

openldap (2.4.40+dfsg-1) unstable; urgency=medium

  * Remove inetorgperson.schema from the upstream source. Replace it with a
    copy stripped of RFC text. (Closes: #780283)
  * Adjust debian/watch for +dfsg versioning.
  * debian/patches/ITS7975-fix-mdb-onelevel-search.patch: Import upstream
    patch to fix scope=onelevel searches wrongly including the search base in
    results under the MDB backend. (ITS#7975) (Closes: #782212)

openldap (2.4.40-4) unstable; urgency=medium

  * debian/patches/ITS8027-deref-reject-empty-attr-list.patch: Import upstream
    patch to fix a crash when a search includes the Deref control with an
    empty attribute list. (ITS#8027) (CVE-2015-1545, Closes: #776988)
  * debian/patches/ITS8046-fix-vrFilter_free-crash.patch: Import upstream
    patch to fix a double free triggered by...

This bug was fixed in the package openldap - 2.4.40+dfsg-1ubuntu1

---------------
openldap (2.4.40+dfsg-1ubuntu1) wily; urgency=low

* Merge from Debian testing (LP: #1395098, LP: #1316124). Remaining changes:
    - Enable AppArmor support:
      - d/apparmor-profile: add AppArmor profile
      - d/rules: use dh_apparmor
      - d/control: Build-Depends on dh-apparmor
      - d/slapd.README.Debian: add note about AppArmor
    - Enable GSSAPI support:
      - d/patches/gssapi.diff, thanks to Jerry Carter (Likewise):
        - Add --with-gssapi support
        - Make guess_service_principal() more robust when determining
          principal
      - d/configure.options: Configure with --with-gssapi
      - d/control: Added heimdal-dev as a build depend
    - Enable ufw support:
      - d/control: suggest ufw.
      - d/rules: install ufw profile.
      - d/slapd.ufw.profile: add ufw profile.
    - Enable nss overlay:
      - d/{patches/nssov-build,rules}: Apply, build and package the
        nss overlay.
    - d/{rules,slapd.py}: Add apport hook.
    - d/slapd.init.ldif: don't set olcRootDN since it's not defined in
      either the default DIT nor via an Authn mapping.
    - d/slapd.scripts-common:
      - add slapcat_opts to local variables.
      - Remove unused variable new_conf.
      - Fix backup directory naming for multiple reconfiguration.
    - d/{slapd.default,slapd.README.Debian}: use the new configuration style.
    - d/rules: Enable -DLDAP_CONNECTIONLESS to build CLDAP (UDP) support
      in the openldap library, as required by Likewise-Open
    - Show distribution in version:
      - d/control: added lsb-release
      - d/patches/fix-ldap-distribution.patch: show distribution in version
  * Drop patches included upstream:
    - d/patches/0001-ITS-7430-GnuTLS-Avoid-use-of-deprecated-function.patch
    - d/patches/bdb-deadlock.patch
    - d/patches/its-7354-fix-delta-sync-mmr.diff
  * Drop hardening-wrapper as Debian now sets PIE and bindnow flags.
  * debian/patches/nssov-build: Adjust for upstream changes.
  * debian/apparmor-profile:
    - Change 'r' to 'rw' for ldapi and nslcd sockets, required for apparmor
      kernel ABI v7 (utopic and later). (LP: #1392018)
    - Reduce permissions on /run/nslcd to just the nslcd socket.
  * Enable the mdb backend again on ppc64el, fixed upstream in ITS#7713.
    (LP: #1293250)

openldap (2.4.40+dfsg-1) unstable; urgency=medium

* Remove inetorgperson.schema from the upstream source. Replace it with a
    copy stripped of RFC text. (Closes: #780283)
  * Adjust debian/watch for +dfsg versioning.
  * debian/patches/ITS7975-fix-mdb-onelevel-search.patch: Import upstream
    patch to fix scope=onelevel searches wrongly including the search base in
    results under the MDB backend. (ITS#7975) (Closes: #782212)

openldap (2.4.40-4) unstable; urgency=medium

* debian/patches/ITS8027-deref-reject-empty-attr-list.patch: Import upstream
    patch to fix a crash when a search includes the Deref control with an
    empty attribute list. (ITS#8027) (CVE-2015-1545, Closes: #776988)
  * debian/patches/ITS8046-fix-vrFilter_free-crash.patch: Import upstream
    patch to fix a double free triggered by certain search queries using the
    Matched Values control. (ITS#8046) (CVE-2015-1546, Closes: #776991)

openldap (2.4.40-3) unstable; urgency=medium

* Remove trailing spaces from slapd.templates.
  * Update Vietnamese debconf translation.
    Thanks to Trần Ngọc Quân.
  * Update Danish debconf translation.
    Thanks to Joe Hansen. (Closes: #766848)
  * Update Japanese debconf translation.
    Thanks to Kenshi Muto. (Closes: #766824)
  * Update Russian debconf translation.
    Thanks to Yuri Kozlov. (Closes: #766825)
  * Update Basque translation.
    Thanks to Iñaki Larrañaga Murgoitio. (Closes: #767070)
  * Update French debconf translation.
    Thanks to Christian Perrier. (Closes: #767634)
  * Update German debconf translation.
    Thanks to Helge Kreutzmann. (Closes: #767686)
  * Update Portuguese debconf translation.
    Thanks to Ricardo Silva. (Closes: #768085)
  * Update Italian debconf translation.
    Thanks to Luca Monducci. (Closes: #768195)
  * Update Turkish debconf translation.
    Thanks to Atila KOÇ. (Closes: #768409)
  * Update Czech debconf translation.
    Thanks to Miroslav Kure. (Closes: #768591)
  * Update Catalan debconf translation.
    Thanks to Innocent De Marchi. (Closes: #768605)
  * Update Dutch debconf translation.
    Thanks to Frans Spiesschaert. (Closes: #769024)
  * Update Brazilian Portuguese debconf translation.
    Thanks to Adriano Rafael Gomes. (Closes: #769717)
  * Update Galician debconf translation.
    Thanks to Jorge Barreiro.
  * Update Swedish debconf translation.
    Thanks to Martin Bagge / brother. (Closes: #769867)
  * Update Spanish debconf translation.
    Thanks to Camaleón. (Closes: #770715)
  * Fix doubled spaces in po files, caused by trailing spaces in the templates
    file.
  * Run debconf-updatepo to refresh PO files.

openldap (2.4.40-2) unstable; urgency=medium

* Fix typo (chmod/chgrp) in previous changelog, spotted by Ferenc Wagner.
  * debian/patches/contrib-modules-use-dpkg-buildflags: Also use CPPFLAGS from
    dpkg-buildflags. Spotted by Lintian.
  * debian/slapd.init.ldif: Don't bother explicitly granting rights to the
    rootdn, since it already has unlimited privileges. Thanks Ferenc Wagner.
  * Recommend MDB for new installations, per upstream's recommendation.
  * Don't re-create the default DB_CONFIG if there wasn't one in the backup,
    for example if the active backend doesn't use it. Thanks Ferenc Wagner.
  * On upgrade, if an access rule begins with "to * by self write", show a
    debconf note warning that it should be changed. (Closes: #761406)
  * Build and install the lastbind contrib module. (Closes: #701111)
  * Build and install the passwd/sha2 contrib module. (Closes: #746727)

openldap (2.4.40-1) unstable; urgency=low

[ Ryan Tandy ]
  * New upstream release.
    - fixed ldap_get_dn(3) ldap_ava definition (ITS#7860) (Closes: #465024)
    - fixed slapcat with external schema (ITS#7895) (Closes: #599235)
    - fixed double free with invalid ciphersuite (ITS#7500) (Closes: #640384)
    - fixed modrdn crash on naming attr with no matching rule (ITS#7850)
      (Closes: #666515)
    - fixed slapacl causing unclean database (ITS#7827) (Closes: #741248)
  * slapd.scripts-common:
    - Anchor grep patterns to avoid matching commented lines in ldif files
      under cn=config. (Closes: #723957)
    - Don't silently ignore nonexistent directories that should be dumped.
    - Invoke find, chown, and chgrp with -H in case /var/lib/ldap is a
      symlink. (Closes: #742862)
    - When upgrading a database, ignore extra nested directories as they might
      contain other databases. Patch from Kenny Millington. (LP: #1003854)
    - Fix dumping and reloading when multiple databases hold the same suffix,
      thanks Peder Stray. (Closes: #759596, LP: #1362481)
    - Remove trailing dot from slapd/domain. (Closes: #637996)
  * debian/rules:
    - Enable parallel building.
    - Copy libldap-2.4-2.shlibs into place manually, as a workaround for
      #676168. (Closes: #742841)
  * debian/slapd.README.Debian: Add a note about database format upgrades and
    the consequences of missing one. (Closes: #594711)
  * Build with GnuTLS 3 (Closes: #745231, #760559).
  * Drop debian/patches/fix-ftbfs-binutils-gold, no longer needed.
  * Drop debconf-utils from Build-Depends, no longer used (replaced by
    po-debconf). Thanks Johannes Schauer.
  * Acknowledge NMU fixing #729367, thanks to Michael Gilbert.
  * Offer the MDB backend as a choice during initial configuration. (Closes:
    #750022)
  * debian/slapd.init.ldif:
    - Disallow modifying one's own entry by default, except specific
      attributes. (Closes: #761406)
    - Index some more common search attributes by default. (Closes: #762111)
  * Introduce a symbols file for libldap-2.4-2.
  * debian/schema/pmi.schema: Add a copyright clarification. There does not
    appear to be any copyrighted text in this file, only ASN.1 assignments and
    LDAP schema definitions. Fixes a Lintian error on the original.
  * debian/schema/duaconf.schema: Strip Internet-Draft text from
    duaconf.schema.
  * Drop debian/patches/CVE-2013-4449.patch, applied upstream.
  * Update debian/patches/no-AM_INIT_AUTOMAKE with upstream changes.
  * debian/schema/ppolicy.schema: Update with ordering rules added in
    draft-behera-ldap-password-policy-11.
  * Suggest GSSAPI SASL modules. (Closes: #762424)
  * debian/patches/ITS6035-olcauthzregex-needs-restart.patch: Document in
    slapd-config.5 the fact that changes to olcAuthzRegexp only take effect
    after the server is restarted. (Closes: #761407)
  * Add myself to Uploaders.

[ Jelmer Vernooij ]
  * Depend on heimdal-multidev rather than heimdal-dev. (Closes: #745356,
    #706123)

[ Updated debconf translations ]
  * Turkish, thanks to Atila KOÇ <akoc@artielektronik.com.tr>.
    (Closes: #661641)

openldap (2.4.39-1.1) unstable; urgency=high

* Non-maintainer upload by the Security Team.
  * Fix CVE-2013-4449: reference counting logic issue (closes: #729367).

openldap (2.4.39-1) unstable; urgency=low

[ Peter Marschall ]
  * debian/patches/wrong-database-location: fix database location in
    doc/man/man5/slapd-mdb.5
  * debian/configure.options: add info on --enable-mdb

[ Russ Allbery ]
  * Remove myself from Uploaders.

[ Steve Langasek ]
  * Remove Stephen Frost from Uploaders, per discussion with him.  Thanks for
    your contributions, Stephen!
  * Adjust dh_autoreconf usage to update all config.sub/config.guess
    instances in the source, so that we can be forwards-compatible with new
    ports.  Thanks to Colin Watson <cjwatson@ubuntu.com> for the patch.
    Closes: #725824.
  * Add Timo to Uploaders.
  * Update Vcs-* fields to point at the new git repo; thanks to Timo for
    driving this migration!
  * Rebuild against db5.3, with a corresponding dump/restore of the database
    on upgrade.  Closes: #738641.

[ Timo Aaltonen ]
  * contrib-modules-use-dpkg-buildflags, autogroup-makefile,
    smbk5pwd-makefile:
    - Updated for current upstream.
  * Refresh patches to apply cleanly.
  * rules: Use dpkg-parsechangelog to determine the upstream version for
    get-orig-source.
  * source: Add lintian overrides for non-transatable internal
    templates.

-- Ryan Tandy <ryan@nardis.ca>  Mon, 25 May 2015 19:49:21 -0700

Changed in openldap (Ubuntu):
status:	In Progress → Fix Released

Revision history for this message

Ryan Tandy (rtandy) wrote on 2015-05-29:

#6

utopic patch Edit (996 bytes, text/plain)

description:

updated

Revision history for this message

Ryan Tandy (rtandy) wrote on 2015-05-29:

#7

vivid patch Edit (993 bytes, text/plain)

Revision history for this message

Massé (davon24) wrote on 2015-06-02:

#8

Hello! I have a problem with the vivid patch

sudo patch -p1 < ../openldap_2.4.31-1+nmu2ubuntu12.debdiff
bash: ../openldap_2.4.31-1+nmu2ubuntu12.debdiff: Aucun fichier ou dossier de ce type

Revision history for this message

Ryan Tandy (rtandy) wrote on 2015-06-02: Re: [Bug 1392018] Re: apparmor stops /var/run/ldapi from being read causing ldap to fail

#9

On Tue, Jun 02, 2015 at 01:36:04AM -0000, Massé wrote:
>Hello! I have a problem with the vivid patch
>
>sudo patch -p1 < ../openldap_2.4.31-1+nmu2ubuntu12.debdiff
>bash: ../openldap_2.4.31-1+nmu2ubuntu12.debdiff: Aucun fichier ou dossier de ce type

That's not a problem with the patch. That's bash telling you it can't
find the patch in the place you told it to look :)

Revision history for this message

Moritz (morrez) wrote on 2015-06-17:

#10

I try to apply the vivid patch, but don't seem to have openldap installed, only slapd – is that the same?

apt-get install openldap -> Unable to locate package

If slapd is correct, what is the proper patch location? slapd is located as follows:

/etc/init.d/slapd
/etc/ufw/applications.d/slapd
/etc/default/slapd
/run/slapd
/usr/share/lintian/overrides/slapd
/usr/share/slapd
/usr/share/doc/slapd
/usr/sbin/slapd
/var/lib/slapd

Revision history for this message

Ryan Tandy (rtandy) wrote on 2015-06-17:

#11

On Wed, Jun 17, 2015 at 07:28:44AM -0000, Moritz wrote:
>I try to apply the vivid patch, but don't seem to have openldap
>installed, only slapd – is that the same?

openldap is the source package. slapd is one of the binary packages
built from it.

http://packages.ubuntu.com/source/vivid/openldap

https://www.debian.org/doc/manuals/debian-faq/ch-pkg_basics.en.html

The patch applies to the source package.

>If slapd is correct, what is the proper patch location?

The patch changes one file: /etc/apparmor.d/usr.sbin.slapd

Revision history for this message

Marc Deslauriers (mdeslaur) wrote on 2015-06-23:

#12

The actual fix that went into wily is:

# pid files and sockets
/{,var/}run/slapd/* w,
/{,var/}run/slapd/ldapi rw,
/{,var/}run/nslcd/socket rw,

Ryan, could you please update your proposed debdiffs to reflect the actual changes that went into the development release?

Thanks!

Revision history for this message

Ryan Tandy (rtandy) wrote on 2015-06-25:

#13

utopic patch v2 Edit (978 bytes, text/plain)

Apologies for the inconvenience. Attaching fixed (and tested) patches.

Revision history for this message

Ryan Tandy (rtandy) wrote on 2015-06-25:

#14

vivid patch v2 Edit (975 bytes, text/plain)

Revision history for this message

Marc Deslauriers (mdeslaur) wrote on 2015-07-21:

#15

ACK on the debdiffs, they look good. Thanks!

Uploaded for processing by the SRU team.

Changed in openldap (Ubuntu Utopic):
status:	New → In Progress
Changed in openldap (Ubuntu Vivid):
status:	New → In Progress

Revision history for this message

Chris J Arges (arges) wrote on 2015-07-22: Please test proposed package

#16

Hello Arjan.S, or anyone else affected,

Accepted openldap into vivid-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/openldap/2.4.31-1+nmu2ubuntu12.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in openldap (Ubuntu Vivid):
status:	In Progress → Fix Committed
tags:	added: verification-needed
Changed in openldap (Ubuntu Utopic):
status:	In Progress → Won't Fix

Revision history for this message

Ryan Tandy (rtandy) wrote on 2015-07-28:

#17

With slapd from vivid-updates:

# dpkg-query -W slapd
slapd 2.4.31-1+nmu2ubuntu12.1
# ldapwhoami -H ldapi:// -QY EXTERNAL
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)

With slapd from vivid-proposed:

# dpkg-query -W slapd
slapd 2.4.31-1+nmu2ubuntu12.2
# ldapwhoami -H ldapi:// -QY EXTERNAL
dn:gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth

Marking verified.

tags:

added: verification-done
removed: verification-needed

Revision history for this message

Launchpad Janitor (janitor) wrote on 2015-07-29:

#18

This bug was fixed in the package openldap - 2.4.31-1+nmu2ubuntu12.2

---------------
openldap (2.4.31-1+nmu2ubuntu12.2) vivid; urgency=medium

* debian/apparmor-profile: Change 'r' to 'rw' for ldapi and nslcd sockets,
required for apparmor kernel ABI v7 (utopic and later). (LP: #1392018)

-- Ryan Tandy <email address hidden> Thu, 25 Jun 2015 09:40:29 -0700

Changed in openldap (Ubuntu Vivid):
status:	Fix Committed → Fix Released

Revision history for this message

Chris J Arges (arges) wrote on 2015-07-29: Update Released

#19

The verification of the Stable Release Update for openldap has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Revision history for this message

David Bonner (bonnedav) wrote on 2016-07-06:

#20

This bug seems to still be be present in Ubuntu 16.04. How do i fix it so & can use ldap?

Revision history for this message

Seth Arnold (seth-arnold) wrote on 2016-07-06:

#21

David, please file a new bug report and be sure to include any AppArmor DENIED messages from your logs.

Thanks

	Status	Importance	Assigned to
openldap (Ubuntu)	Fix Released	Undecided	Ryan Tandy
Utopic	Won't Fix	Undecided	Unassigned
Vivid	Fix Released	Undecided	Unassigned

Ubuntu
openldap package

apparmor stops /var/run/ldapi from being read causing ldap to fail

Bug Description

Related branches

CVE References

Other bug subscribers

Patches

Remote bug watches

Ubuntuopenldap package

apparmor stops /var/run/ldapi from being read causing ldap to fail

Bug Description

Related branches

CVE References

Other bug subscribers

Patches

Remote bug watches

Ubuntu
openldap package