slapd [or its init script] does not create necessary directory for nssov socket and fails to start

Bug #1452087 reported by ben thielsen on 2015-05-06
This bug affects 2 people
Affects: openldap (Ubuntu) | Importance: Undecided | Assigned to: Unassigned

Bug Description

When used with the nss overlay, slapd fails to start, because /var/run/nslcd/ does not exist, and slapd cannot then create the socket for this. Additionally, creating the directory manually does not help, because it disappears after every reboot.

1] >lsb_release -rd
Description: Ubuntu 15.04
Release: 15.04

2] >apt-cache policy slapd
slapd:
  Installed: 2.4.31-1+nmu2ubuntu12
  Candidate: 2.4.31-1+nmu2ubuntu12
  Version table:
 *** 2.4.31-1+nmu2ubuntu12 0
        500 http://us.archive.ubuntu.com/ubuntu/ vivid/main amd64 Packages
        100 /var/lib/dpkg/status

3] I expected the necessary directory to be created when starting slapd if the nss overlay is in use
4] It was not

Peter Matulis (petermatulis) wrote :

Can you check /var/log/kern.log to see if this is an apparmor issue?

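The kern.log check suggested above, as an added example that is not part of the bug report or of any Ubuntu tooling: a small POSIX shell filter that picks the AppArmor DENIED events for one profile out of kernel/audit log lines and turns each one into the file rule that would permit it. The log lines embedded below are constructed for this example, modelled on the audit format; the mask mapping (create and delete both need `w` in a rule) is AppArmor's documented behaviour, everything else is an assumption of this snippet.

```shell
#!/bin/sh
# Added example, not from the bug report: extract AppArmor denials for one
# profile and derive a candidate local rule from each.

# apparmor_denials PROFILE  (reads log lines on stdin)
# Prints "operation path requested_mask" for every DENIED line of PROFILE.
apparmor_denials() {
    profile="$1"
    grep 'apparmor="DENIED"' | grep "profile=\"$profile\"" |
    sed -nE 's/.*operation="([^"]*)".*name="([^"]*)".*requested_mask="([^"]*)".*/\1 \2 \3/p'
}

# denial_to_rule OPERATION PATH MASK
# Prints an AppArmor file rule for the denied access. In rules there is no
# separate create/delete permission: c and d are covered by w, so they are
# folded into w and duplicate letters removed. A trailing "/" on PATH means
# a directory, which is what an mkdir denial reports.
denial_to_rule() {
    path="$2"; mask="$3"
    perms=$(printf '%s' "$mask" | sed 's/[cd]/w/g' | fold -w1 | sort -u | tr -d '\n')
    printf '%s %s,\n' "$path" "$perms"
}

# Constructed sample log lines (not real captures): two slapd denials and one
# for an unrelated profile that must be filtered out.
SAMPLE_LOG='May  6 22:52:05 server kernel: audit: type=1400 audit(1430967118.381:12): apparmor="DENIED" operation="mkdir" profile="/usr/sbin/slapd" name="/run/nslcd/" pid=1419 comm="slapd" requested_mask="c" denied_mask="c" fsuid=108 ouid=108
May  6 22:52:05 server kernel: audit: type=1400 audit(1430967118.382:13): apparmor="DENIED" operation="open" profile="/usr/sbin/slapd" name="/etc/ldap/pki/server.pem" pid=1419 comm="slapd" requested_mask="r" denied_mask="r" fsuid=108 ouid=0
May  6 22:52:06 server kernel: audit: type=1400 audit(1430967119.000:14): apparmor="DENIED" operation="open" profile="/usr/sbin/nslcd" name="/etc/nslcd.conf" pid=1500 comm="nslcd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0'

# Stand-alone run: print the rules slapd would need for the sample.
printf '%s\n' "$SAMPLE_LOG" | apparmor_denials /usr/sbin/slapd |
while read -r op path mask; do
    denial_to_rule "$op" "$path" "$mask"
done
```

The rule this produces for the mkdir denial is `/run/nslcd/ w,`; a hand-written local override would normally widen it to `/{,var/}run/nslcd/ rw,` so that both spellings of the run directory are covered, and put it in /etc/apparmor.d/local/usr.sbin.slapd rather than in the packaged profile.
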
Ryan Tandy (rtandy) wrote :

IIRC slapd does try to create the directory, but it's already switched users by that point, so doesn't have sufficient privileges.

http://bazaar.launchpad.net/~ubuntu-branches/ubuntu/vivid/openldap/vivid/view/head:/contrib/slapd-modules/nssov/nssov.c#L808

I don't know whether the overlay has a way to run code before switching permissions. Might be worth filing an ITS about, as this really should work. Otherwise, the init script is probably the most reasonable place to do it; but only if nssov is actually being used.

(apparmor may also be involved as pmatulis suggests. I didn't check.)

ben thielsen (btb-bitrate) wrote :

There was an apparmor message logged:

May 6 22:52:05 server kernel: audit: type=1400 audit(1430967118.381:12): apparmor="DENIED" operation="mkdir" profile="/usr/sbin/slapd" name="/run/nslcd/" pid=1419 comm="slapd" requested_mask="c" denied_mask="c" fsuid=108 ouid=108

adding to /etc/apparmor.d/local/usr.sbin.slapd [among some other things]:

  /etc/ldap/pki/** rw,
  /{,var/}run/slapd/* rw,
  /{,var/}run/nslcd/ rw,
  /{,var/}run/nslcd/* rw,

seems to have addressed that, but the directory still isn't created.

Temporarily changing /run/ to 777 seems to reinforce rtandy's reference. The directory is then created, but not with adequate permissions:

dr-xr-xr-x 2 openldap openldap 40 May 6 23:01 nslcd/

slapd[2357]: nssov: bind() to /var/run/nslcd/socket failed: Permission denied

Adjusting them manually after creation confirms this, and slapd then starts.

At the moment, I've added the following to the init script:

NSSOV_SOCKETDIR='/var/run/nslcd'

start_slapd() {
    [ -d "${NSSOV_SOCKETDIR}" ] || ( mkdir -m 755 "${NSSOV_SOCKETDIR}" ; \
        chown openldap:openldap "${NSSOV_SOCKETDIR}" )
    # ... rest of the original start_slapd body unchanged
}

which solves the problem for me [albeit the wrong way, imo], since it's blindly doing it regardless of whether the overlay is actually in use.

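The "only if nssov is actually being used" variant of the init-script workaround, as an added example that is neither the reporter's patch nor the openldap package's init script: it detects the overlay in the configuration and only then creates the socket directory, while the script is still root and before slapd drops to its own user. Assumptions, all of which are this snippet's and not the page's: Debian/Ubuntu defaults for cn=config under /etc/ldap/slapd.d and the legacy /etc/ldap/slapd.conf, slapd running as openldap:openldap, and /run/nslcd as the socket directory (overridable through the variables at the top).

```shell
#!/bin/sh
# Added example (not from the bug report or the openldap package): create the
# nssov socket directory as root, only when the nssov overlay is configured.

NSSOV_SOCKETDIR="${NSSOV_SOCKETDIR:-/run/nslcd}"
SLAPD_USER="${SLAPD_USER:-openldap}"
SLAPD_GROUP="${SLAPD_GROUP:-openldap}"
SLAPD_CONFDIR="${SLAPD_CONFDIR:-/etc/ldap/slapd.d}"   # assumed cn=config location
SLAPD_CONF="${SLAPD_CONF:-/etc/ldap/slapd.conf}"      # assumed legacy config

# nssov_in_use CONFDIR CONFFILE
# Returns 0 when the overlay is configured, either as an "olcOverlay: {n}nssov"
# attribute somewhere under cn=config or as an "overlay nssov" directive in
# slapd.conf (commented-out directives do not count).
nssov_in_use() {
    confdir="$1"; conffile="$2"
    if [ -d "$confdir" ] &&
       grep -rqsE '^olcOverlay:[[:space:]]*(\{[0-9]+\})?nssov[[:space:]]*$' "$confdir"; then
        return 0
    fi
    if [ -f "$conffile" ] &&
       grep -qsE '^[[:space:]]*overlay[[:space:]]+nssov[[:space:]]*$' "$conffile"; then
        return 0
    fi
    return 1
}

# ensure_socketdir DIR USER GROUP
# Creates DIR if missing and forces mode 0755 and USER:GROUP ownership.
# The mode is the point: the directory slapd itself managed to create in the
# report came out 0555, and bind() of the socket needs write on the parent.
ensure_socketdir() {
    dir="$1"; user="$2"; group="$3"
    if [ ! -d "$dir" ]; then
        mkdir -m 0755 "$dir" || return 1
    fi
    chown "$user:$group" "$dir" || return 1
    chmod 0755 "$dir" || return 1
}

# Hook for start_slapd(): runs before the daemon is launched (still root), so
# the privilege drop that defeats nssov's own mkdir does not matter here.
prepare_nssov_socketdir() {
    if nssov_in_use "$SLAPD_CONFDIR" "$SLAPD_CONF"; then
        ensure_socketdir "$NSSOV_SOCKETDIR" "$SLAPD_USER" "$SLAPD_GROUP"
    fi
}

# Stand-alone use: "sh thisfile prepare" performs the check and the mkdir.
if [ "${1:-}" = "prepare" ]; then
    prepare_nssov_socketdir
fi
```

Calling prepare_nssov_socketdir at the top of start_slapd() keeps the unconditional mkdir out of the path for systems that do not use nssov. Because /run is a tmpfs on a systemd-based release like 15.04, the directory vanishes on every boot, so the creation has to happen on every start; a tmpfiles.d fragment (`d /run/nslcd 0755 openldap openldap -`) achieves the same persistence but cannot make it conditional on the overlay being configured.
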
Ryan Tandy (rtandy) wrote :

Thinking about it again, an upstream fix for this is unlikely. slapd changes users before it even starts loading its config, so there probably isn't any way for nssov to mkdir as root.

Ryan Tandy (rtandy) on 2015-05-25
Changed in openldap (Ubuntu):
status: New → Confirmed