apparmor profile denied for saslauthd: /run/saslauthd/mux
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| openldap (Ubuntu) | Fix Released | Undecided | Sergio Durigan Junior | |
| Trusty | Won't Fix | Undecided | Unassigned | |
| Xenial | Fix Released | Undecided | Sergio Durigan Junior | |
| Bionic | Fix Released | Undecided | Sergio Durigan Junior | |
| Eoan | Fix Released | Undecided | Sergio Durigan Junior | |
| Focal | Fix Released | Undecided | Sergio Durigan Junior | |
| Groovy | Fix Released | Undecided | Sergio Durigan Junior | |
Bug Description
[Impact]
When using openldap with sasl authentication, the slapd process will communicate with the saslauthd daemon via a socket in {,/var}
The fix is simple: just add the necessary directive to allow slapd to read/write from/to the saslauthd socket.
[Test Case]
One can reproduce the problem by doing:
$ lxc launch ubuntu-daily:groovy openldap-
$ lxc shell openldap-
# apt install slapd sasl2-bin ldap-utils apparmor-utils
(As the domain name, use "example.com").
# sed -i -e 's/^START=
# cat > /etc/ldap/
mech_list: PLAIN
pwcheck_method: saslauthd
__EOF__
# adduser openldap sasl
# aa-enforce /etc/apparmor.
# systemctl restart slapd.service
# systemctl restart saslauthd.service
# passwd root
(You can choose any password here. You will need to type it when running the next command.)
# ldapsearch -H ldapi:/// -LLL -b 'dc=example,dc=com' -s base -U root -Y PLAIN
The command will fail with something like:
ldap_sasl_
additional info: SASL(-1): generic failure: Password verification failed
[Regression Potential]
This is an extremely simple and well-contained fix, so I don't envision any possible regressions after applying it. It is important to note that, since the problem affects older Ubuntu releases, the openldap package will have to be rebuilt against possible newer versions of libraries and other dependencies, which, albeit unlikely, may cause issues.
[Original Description]
When using slapd with saslauthd the processes communicate via the {,/var}
Syslog message:
apparmor="DENIED" operation="connect" profile=
4 comm="slapd" requested_mask="r" denied_mask="r" fsuid=108 ouid=0
Please add the following line to /etc/apparmor.
/{,var/
Ubuntu version: Ubuntu 14.04.4 LTS
slapd version: 2.4.31-1+nmu2ubu
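
The kind of denial quoted in the report can be triaged mechanically. The following is an added example, not code from the bug report or the openldap package: it parses AppArmor DENIED records, merges the denied permissions per profile and path, and prints a candidate file rule for review. The log lines, the profile name and the helper names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on the denial quoted in the report; the
# profile name, pid, timestamps and the ldap.conf path are illustrative only.
SAMPLE_LOG = """\
Jan 01 10:00:01 host kernel: audit: type=1400 audit(1.0:10): apparmor="DENIED" operation="connect" profile="/usr/sbin/slapd" name="/run/saslauthd/mux" pid=1234 comm="slapd" requested_mask="r" denied_mask="r" fsuid=108 ouid=0
Jan 01 10:00:02 host kernel: audit: type=1400 audit(2.0:11): apparmor="DENIED" operation="connect" profile="/usr/sbin/slapd" name="/run/saslauthd/mux" pid=1234 comm="slapd" requested_mask="w" denied_mask="w" fsuid=108 ouid=0
Jan 01 10:00:03 host kernel: audit: type=1400 audit(3.0:12): apparmor="ALLOWED" operation="open" profile="/usr/sbin/slapd" name="/etc/ldap/ldap.conf" pid=1234 comm="slapd" requested_mask="r" denied_mask="r" fsuid=108 ouid=0
Jan 01 10:00:04 host sshd[99]: Accepted publickey for admin
"""

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_denial(line):
    """Return the key=value fields of an AppArmor DENIED record, else None."""
    if 'apparmor="DENIED"' not in line:
        return None
    return {key: quoted or bare for key, quoted, bare in KV.findall(line)}

def summarise(log_text):
    """Group denials by (profile, path) and merge the denied permission bits."""
    seen = defaultdict(lambda: {"masks": set(), "ops": set(), "count": 0})
    for line in log_text.splitlines():
        fields = parse_denial(line)
        if not fields or "name" not in fields:
            continue
        entry = seen[(fields.get("profile", "?"), fields["name"])]
        entry["masks"].update(fields.get("denied_mask", ""))
        entry["ops"].add(fields.get("operation", "?"))
        entry["count"] += 1
    return dict(seen)

def candidate_rule(path, masks):
    """Build a file rule for review; /run and /var/run share one alternation."""
    path = re.sub(r"^/(?:var/)?run/", "/{,var/}run/", path)
    # Audit masks 'c' (create) and 'd' (delete) are covered by 'w' in a rule;
    # 'x' is skipped because an exec rule needs an explicit transition mode.
    wanted = {"w" if m in "cd" else m for m in masks} - {"x"}
    if "w" in wanted:
        wanted.discard("a")  # 'a' and 'w' cannot appear in the same rule
    return f"{path} {''.join(p for p in 'rwaklm' if p in wanted)},"

if __name__ == "__main__":
    for (profile, path), info in summarise(SAMPLE_LOG).items():
        print(f"{profile}: {info['count']} denial(s), ops={sorted(info['ops'])}")
        print("  candidate:", candidate_rule(path, info["masks"]))
```

The printed rule is a candidate derived from the sample lines, to be reviewed before it goes into a profile; it is not the line shipped in the package.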
Related branches
- Andreas Hasenack: Approve
- Canonical Server: Pending requested
- Diff: 34 lines (+9/-1), 2 files modified
  - debian/apparmor-profile (+2/-1)
  - debian/changelog (+7/-0)

- Christian Ehrhardt (community): Approve
- Canonical Server: Pending requested
- Diff: 93 lines (+54/-1), 4 files modified
  - debian/apparmor-profile (+2/-1)
  - debian/changelog (+13/-0)
  - debian/patches/ITS-9171-Insert-callback-in-the-right-place.patch (+38/-0)
  - debian/patches/series (+1/-0)

- Christian Ehrhardt (community): Approve
- Canonical Server: Pending requested
- Diff: 93 lines (+54/-1), 4 files modified
  - debian/apparmor-profile (+2/-1)
  - debian/changelog (+13/-0)
  - debian/patches/ITS-9171-Insert-callback-in-the-right-place.patch (+38/-0)
  - debian/patches/series (+1/-0)

- Christian Ehrhardt (community): Approve
- Canonical Server: Pending requested
- Diff: 93 lines (+54/-1), 4 files modified
  - debian/apparmor-profile (+2/-1)
  - debian/changelog (+13/-0)
  - debian/patches/ITS-9171-Insert-callback-in-the-right-place.patch (+38/-0)
  - debian/patches/series (+1/-0)

- Christian Ehrhardt (community): Disapprove
- Canonical Server: Pending requested
- Diff: 34 lines (+9/-1), 2 files modified
  - debian/apparmor-profile (+2/-1)
  - debian/changelog (+7/-0)

- Christian Ehrhardt (community): Approve
- Canonical Server: Pending requested
- Diff: 34 lines (+9/-1), 2 files modified
  - debian/apparmor-profile (+2/-1)
  - debian/changelog (+7/-0)

- Christian Ehrhardt (community): Approve
- Canonical Server: Pending requested
- Canonical Server Core Reviewers: Pending requested
- Diff: 34 lines (+9/-1), 2 files modified
  - debian/apparmor-profile (+2/-1)
  - debian/changelog (+7/-0)

- Christian Ehrhardt (community): Approve
- Canonical Server: Pending requested
- Canonical Server Core Reviewers: Pending requested
- Diff: 34 lines (+9/-1), 2 files modified
  - debian/apparmor-profile (+2/-1)
  - debian/changelog (+7/-0)

- Christian Ehrhardt (community): Approve
- Canonical Server: Pending requested
- Diff: 34 lines (+9/-1), 2 files modified
  - debian/apparmor-profile (+2/-1)
  - debian/changelog (+7/-0)

tags: added: bitesize
tags: added: server-next
Changed in openldap (Ubuntu Trusty):
  status: New → Triaged
Changed in openldap (Ubuntu Xenial):
  status: New → Confirmed
Changed in openldap (Ubuntu Trusty):
  status: Triaged → Confirmed
Changed in openldap (Ubuntu Bionic):
  status: New → Confirmed
Changed in openldap (Ubuntu Focal):
  status: New → Confirmed
Changed in openldap (Ubuntu Groovy):
  status: Incomplete → Confirmed
Changed in openldap (Ubuntu Trusty):
  assignee: nobody → Sergio Durigan Junior (sergiodj)
Changed in openldap (Ubuntu Xenial):
  assignee: nobody → Sergio Durigan Junior (sergiodj)
Changed in openldap (Ubuntu Bionic):
  assignee: nobody → Sergio Durigan Junior (sergiodj)
Changed in openldap (Ubuntu Focal):
  assignee: nobody → Sergio Durigan Junior (sergiodj)
Changed in openldap (Ubuntu Groovy):
  assignee: nobody → Sergio Durigan Junior (sergiodj)
description: updated
Changed in openldap (Ubuntu Trusty):
  status: Confirmed → Won't Fix
  assignee: Sergio Durigan Junior (sergiodj) → nobody
Changed in openldap (Ubuntu Eoan):
  assignee: nobody → Sergio Durigan Junior (sergiodj)
Changed in openldap (Ubuntu Eoan):
  status: New → Confirmed
Status changed to 'Confirmed' because the bug affects multiple users.