Kolab setup needs to change slapd apparmor profile

Bug #357060 reported by Stefan Hamminga
This bug affects 7 people
Affects            Status   Importance  Assigned to  Milestone
openldap (Ubuntu)  Expired  Low         Unassigned

Bug Description

Binary package hint: kolabd

After installing the kolabd packages, including slapd, on Ubuntu Server i386 Jaunty (2009-04-6-7), I needed to run 'kolab_bootstrap -b' to generate a default config. This fails with a message containing '/etc/kolab/rootDSE.ldif: Permission denied'.

After checking all permissions I found out slapd is protected with AppArmor and the '/etc/kolab/' directory was not present in the allowed list. Adding it indeed enabled kolab_bootstrap to continue.

Alvin (alvind) wrote :

Workaround (quoted from http://kolab.org/pipermail/kolab-users/2008-May/007953.html)

Edit /etc/apparmor.d/usr.sbin.slapd and add
the following lines:

/usr/share/kolabd/schema/ r,
/usr/share/kolabd/schema/* r,
/etc/kolab/ r,
/etc/kolab/* r,

Changed in kolabd (Ubuntu):
status: New → Confirmed
affects: kolabd (Ubuntu) → openldap (Ubuntu)
Changed in openldap (Ubuntu):
status: Confirmed → Triaged
Mathias Gug (mathiaz) wrote :

Does kolab use the cn=config to manage the configuration of slapd?

Changed in openldap (Ubuntu):
importance: Undecided → Low
status: Triaged → Incomplete
Chuck Short (zulcss) wrote :

We'd like to figure out what's causing this bug for you, but we haven't heard back from you in a while. Could you please provide the requested information? Thanks!

Blackpaw (blackpaw) wrote :

Hi Chuck, I ran into this problem too - what was it you wanted to know? Because Stefan reported the cause (apparmor config) and Alvin gave a workaround.

Chuck Short (zulcss)
Changed in openldap (Ubuntu):
status: Incomplete → Confirmed
Alex (alepot-org23) wrote :

Bug still present in 10.04 i386

Gryphis (gryphis) wrote :

After the workaround a 'service apparmor reload' is necessary.
It would be nice to remove the bug now in Maverick Meerkat.
Thanks.

FriedChicken (domlyons) wrote :

Confirmed for Natty, too

Jamie Strandboge (jdstrand) wrote :

Are these rules still all that is needed to fix this bug (see comment #1)?
/usr/share/kolabd/schema/ r,
/usr/share/kolabd/schema/* r,
/etc/kolab/ r,
/etc/kolab/* r,

Changed in openldap (Ubuntu):
status: Confirmed → Incomplete
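
One way to check whether the four workaround rules cover everything slapd is being denied, as an added example that is not part of the bug report or of the Kolab or AppArmor code. The glob matcher is a simplified model of AppArmor path globbing (including the assumption that a whole-component `*` needs at least one character), and every log line and path other than /etc/kolab/rootDSE.ldif is constructed:

```python
import re

# The four rules from the workaround in this thread, as (path glob, permissions).
WORKAROUND_RULES = [("/usr/share/kolabd/schema/", "r"), ("/usr/share/kolabd/schema/*", "r"),
                    ("/etc/kolab/", "r"), ("/etc/kolab/*", "r")]

def glob_to_regex(glob):
    """Simplified model of AppArmor path globs: '**' crosses '/', '*' and '?' do not."""
    out, i = [], 0
    while i < len(glob):
        if glob.startswith("**", i):
            out.append(".*")
            i += 1  # skip the second '*'
        elif glob[i] == "*":
            # Assumption: a '*' forming a whole path component needs at least one character.
            whole = glob[i - 1:i] == "/" and glob[i + 1:i + 2] in ("", "/")
            out.append("[^/]+" if whole else "[^/]*")
        elif glob[i] == "?":
            out.append("[^/]")
        else:
            out.append(re.escape(glob[i]))
        i += 1
    return re.compile("".join(out))

def allowed(path, mask, rules):
    """True if one rule matches the whole path and grants every requested permission."""
    return any(bool(glob_to_regex(g).fullmatch(path)) and set(mask) <= set(perms)
               for g, perms in rules)

DENIAL = re.compile(r'apparmor="DENIED".*?profile="(?P<profile>[^"]+)".*?'
                    r'name="(?P<name>[^"]+)".*?denied_mask="(?P<mask>[^"]+)"')

def uncovered_denials(log_lines, rules, profile="/usr/sbin/slapd"):
    """Return (path, mask) for each denial of `profile` that `rules` would still refuse."""
    hits = (DENIAL.search(line) for line in log_lines)
    return [(m["name"], m["mask"]) for m in hits
            if m and m["profile"] == profile and not allowed(m["name"], m["mask"], rules)]

# Constructed audit lines; only rootDSE.ldif is a path named in the report.
_LINE = ('audit: type=1400 audit(0.0:{n}): apparmor="DENIED" operation="open" '
         'profile="/usr/sbin/slapd" name="{name}" pid=100 comm="slapd" '
         'requested_mask="{mask}" denied_mask="{mask}" fsuid=0 ouid=0')
SAMPLE_LOG = [_LINE.format(n=n, name=name, mask=mask) for n, (name, mask) in enumerate([
    ("/etc/kolab/rootDSE.ldif", "r"), ("/usr/share/kolabd/schema/example.schema", "r"),
    ("/etc/kolab/templates/example.template", "r"), ("/etc/kolab/rootDSE.ldif", "w")])]

if __name__ == "__main__":
    for path, mask in uncovered_denials(SAMPLE_LOG, WORKAROUND_RULES):
        print(f"still denied: {path} ({mask})")
```

The rules grant read access only and `*` stops at `/`, so in this model a write to /etc/kolab/ or a read below a subdirectory stays denied.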
Launchpad Janitor (janitor) wrote :

[Expired for openldap (Ubuntu) because there has been no activity for 60 days.]

Changed in openldap (Ubuntu):
status: Incomplete → Expired