apparmor profile denied for saslauthd: /run/saslauthd/mux
| Affects | Status | Importance | Assigned to | Milestone | ||
|---|---|---|---|---|---|---|
| openldap (Ubuntu) | Status tracked in Groovy | |||||
| | Trusty |
Undecided
|
Unassigned | |||
| | Xenial |
Undecided
|
Sergio Durigan Junior | |||
| | Bionic |
Undecided
|
Sergio Durigan Junior | |||
| | Eoan |
Undecided
|
Sergio Durigan Junior | |||
| | Focal |
Undecided
|
Sergio Durigan Junior | |||
| | Groovy |
Undecided
|
Sergio Durigan Junior | |||
Bug Description
[Impact]
When using openldap with sasl authentication, the slapd process will communicate with the saslauthd daemon via a socket in {,/var}
The fix is simple: just add the necessary directive to allow slapd to read/write from/to the saslauthd socket.
[Test Case]
One can reproduce the problem by doing:
$ lxc launch ubuntu-daily:groovy openldap-
$ lxc shell openldap-
# apt install slapd sasl2-bin ldap-utils apparmor-utils
(As the domain name, use "example.com").
# sed -i -e 's/^START=
# cat > /etc/ldap/
mech_list: PLAIN
pwcheck_method: saslauthd
__EOF__
# adduser openldap sasl
# aa-enforce /etc/apparmor.
# systemctl restart slapd.service
# systemctl restart saslauthd.service
# passwd root
(You can choose any password here. You will need to type it when running the next command.)
# ldapsearch -H ldapi:/// -LLL -b 'dc=example,dc=com' -s base -U root -Y PLAIN
The command will fail with something like:
ldap_sasl_
additional info: SASL(-1): generic failure: Password verification failed
[Regression Potential]
This is an extremely simple and well contained fix, so I don't envision any possible regressions after applying it. It is important noticing that, since the problem affects older Ubuntu releases, the openldap package will have to be rebuilt against possible newer versions of libraries and other depencencies, which, albeit unlikely, may cause issues.
[Original Description]
When using slapd with saslauthd the processes communicate via the {,/var}
Syslog message:
apparmor="DENIED" operation="connect" profile=
4 comm="slapd" requested_mask="r" denied_mask="r" fsuid=108 ouid=0
Please add the following line to /etc/apparmor.
/{,var/
Ubuntu version: Ubuntu 14.04.4 LTS
slapd version: 2.4.31-1+nmu2ubu
Related branches
- Andreas Hasenack: Approve on 2020-07-03
- Canonical Server Team: Pending requested 2020-07-03
-
Diff: 34 lines (+9/-1)2 files modifieddebian/apparmor-profile (+2/-1)
debian/changelog (+7/-0)
- Christian Ehrhardt : Approve on 2020-07-02
- Canonical Server Team: Pending requested 2020-07-01
-
Diff: 93 lines (+54/-1)4 files modifieddebian/apparmor-profile (+2/-1)
debian/changelog (+13/-0)
debian/patches/ITS-9171-Insert-callback-in-the-right-place.patch (+38/-0)
debian/patches/series (+1/-0)
- Christian Ehrhardt : Approve on 2020-07-02
- Canonical Server Team: Pending requested 2020-07-01
-
Diff: 93 lines (+54/-1)4 files modifieddebian/apparmor-profile (+2/-1)
debian/changelog (+13/-0)
debian/patches/ITS-9171-Insert-callback-in-the-right-place.patch (+38/-0)
debian/patches/series (+1/-0)
- Christian Ehrhardt : Approve on 2020-07-02
- Canonical Server Team: Pending requested 2020-07-01
-
Diff: 93 lines (+54/-1)4 files modifieddebian/apparmor-profile (+2/-1)
debian/changelog (+13/-0)
debian/patches/ITS-9171-Insert-callback-in-the-right-place.patch (+38/-0)
debian/patches/series (+1/-0)
- Christian Ehrhardt : Disapprove on 2020-06-16
- Canonical Server Team: Pending requested 2020-06-15
-
Diff: 34 lines (+9/-1)2 files modifieddebian/apparmor-profile (+2/-1)
debian/changelog (+7/-0)
- Christian Ehrhardt : Approve on 2020-06-22
- Canonical Server Team: Pending requested 2020-06-15
-
Diff: 34 lines (+9/-1)2 files modifieddebian/apparmor-profile (+2/-1)
debian/changelog (+7/-0)
- Christian Ehrhardt : Approve on 2020-06-16
- Canonical Server Team: Pending requested 2020-06-16
- Canonical Server Core Reviewers: Pending requested 2020-06-15
-
Diff: 34 lines (+9/-1)2 files modifieddebian/apparmor-profile (+2/-1)
debian/changelog (+7/-0)
- Christian Ehrhardt : Approve on 2020-06-16
- Canonical Server Team: Pending requested 2020-06-16
- Canonical Server Core Reviewers: Pending requested 2020-06-15
-
Diff: 34 lines (+9/-1)2 files modifieddebian/apparmor-profile (+2/-1)
debian/changelog (+7/-0)
- Christian Ehrhardt : Approve on 2020-06-17
- Canonical Server Team: Pending requested 2020-06-15
-
Diff: 34 lines (+9/-1)2 files modifieddebian/apparmor-profile (+2/-1)
debian/changelog (+7/-0)
| Marian Rainer-Harbach (marianrh) wrote : | #2 |
Still occurs in 20.04.
| tags: | added: bitesize |
| tags: | added: server-next |
| Bryce Harrington (bryce) wrote : | #3 |
Can you explain the configuration process for saslauthd with slapd? Or a copy of your config file would do.
| Changed in openldap (Ubuntu): | |
| status: | Confirmed → Incomplete |
| Marian Rainer-Harbach (marianrh) wrote : | #4 |
My configs are:
/etc/default/
#
# Settings for saslauthd daemon
# Please read /usr/share/
#
# Should saslauthd run automatically on startup? (default: no)
START=yes
# Description of this saslauthd instance. Recommended.
# (suggestion: SASL Authentication Daemon)
DESC="SASL Authentication Daemon"
# Short name of this saslauthd instance. Strongly recommended.
# (suggestion: saslauthd)
NAME="saslauthd"
# Which authentication mechanisms should saslauthd use? (default: pam)
#
# Available options in this Debian package:
# getpwent -- use the getpwent() library function
# kerberos5 -- use Kerberos 5
# pam -- use PAM
# rimap -- use a remote IMAP server
# shadow -- use the local shadow password file
# sasldb -- use the local sasldb database file
# ldap -- use LDAP (configuration is in /etc/saslauthd.
#
# Only one option may be used at a time. See the saslauthd man page
# for more information.
#
# Example: MECHANISMS="pam"
MECHANISMS=
# Additional options for this mechanism. (default: none)
# See the saslauthd man page for information about mech-specific options.
MECH_OPTIONS=""
# How many saslauthd processes should we run? (default: 5)
# A value of 0 will fork a new process for each connection.
THREADS=5
# Other options (default: -c -m /var/run/saslauthd)
# Note: You MUST specify the -m option or saslauthd won't run!
#
# WARNING: DO NOT SPECIFY THE -d OPTION.
# The -d option will cause saslauthd to run in the foreground instead of as
# a daemon. This will PREVENT YOUR SYSTEM FROM BOOTING PROPERLY. If you wish
# to run saslauthd in debug mode, please run it by hand to be safe.
#
# See /usr/share/
# See the saslauthd man page and the output of 'saslauthd -h' for general
# information about these options.
#
# Example for chroot Postfix users: "-c -m /var/spool/
# Example for non-chroot Postfix users: "-c -m /var/run/saslauthd"
#
# To know if your Postfix is running chroot, check /etc/postfix/
# If it has the line "smtp inet n - y - - smtpd" or "smtp inet n - - - - smtpd"
# then your Postfix is running in a chroot.
# If it has the line "smtp inet n - n - - smtpd" then your Postfix is NOT
# running in a chroot.
OPTIONS="-c -m /var/run/saslauthd"
/etc/ldap/
mech_list: plain
pwcheck_method: saslauthd
As the reporter of this bug stated, AppArmor denies slapd access to the saslauthd socket /run/saslauthd/mux.
| Changed in openldap (Ubuntu Trusty): | |
| status: | New → Triaged |
| Changed in openldap (Ubuntu Xenial): | |
| status: | New → Confirmed |
| Changed in openldap (Ubuntu Trusty): | |
| status: | Triaged → Confirmed |
| Changed in openldap (Ubuntu Bionic): | |
| status: | New → Confirmed |
| Changed in openldap (Ubuntu Focal): | |
| status: | New → Confirmed |
| Changed in openldap (Ubuntu Groovy): | |
| status: | Incomplete → Confirmed |
| Changed in openldap (Ubuntu Trusty): | |
| assignee: | nobody → Sergio Durigan Junior (sergiodj) |
| Changed in openldap (Ubuntu Xenial): | |
| assignee: | nobody → Sergio Durigan Junior (sergiodj) |
| Changed in openldap (Ubuntu Bionic): | |
| assignee: | nobody → Sergio Durigan Junior (sergiodj) |
| Changed in openldap (Ubuntu Focal): | |
| assignee: | nobody → Sergio Durigan Junior (sergiodj) |
| Changed in openldap (Ubuntu Groovy): | |
| assignee: | nobody → Sergio Durigan Junior (sergiodj) |
| description: | updated |
| Changed in openldap (Ubuntu Trusty): | |
| status: | Confirmed → Won't Fix |
| assignee: | Sergio Durigan Junior (sergiodj) → nobody |
| Launchpad Janitor (janitor) wrote : | #5 |
This bug was fixed in the package openldap - 2.4.50+
---------------
openldap (2.4.50+
* d/apparmor-profile: Update apparmor profile to grant access to
the saslauthd socket, so that SASL authentication works. (LP: #1557157)
-- Sergio Durigan Junior <email address hidden> Fri, 12 Jun 2020 18:20:42 -0400
| Changed in openldap (Ubuntu Groovy): | |
| status: | Confirmed → Fix Released |
| Changed in openldap (Ubuntu Eoan): | |
| assignee: | nobody → Sergio Durigan Junior (sergiodj) |
| Changed in openldap (Ubuntu Eoan): | |
| status: | New → Confirmed |
Hello Mattias, or anyone else affected,
Accepted openldap into focal-proposed. The package will build now and be available at https:/
Please help us by testing this new package. See https:/
If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-
Further information regarding the verification process can be found at https:/
N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.
| Changed in openldap (Ubuntu Focal): | |
| status: | Confirmed → Fix Committed |
| tags: | added: verification-needed verification-needed-focal |
| Changed in openldap (Ubuntu Eoan): | |
| status: | Confirmed → Fix Committed |
| tags: | added: verification-needed-eoan |
| Brian Murray (brian-murray) wrote : | #7 |
Hello Mattias, or anyone else affected,
Accepted openldap into eoan-proposed. The package will build now and be available at https:/
Please help us by testing this new package. See https:/
If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-
Further information regarding the verification process can be found at https:/
N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.
| Changed in openldap (Ubuntu Bionic): | |
| status: | Confirmed → Fix Committed |
| tags: | added: verification-needed-bionic |
| Brian Murray (brian-murray) wrote : | #8 |
Hello Mattias, or anyone else affected,
Accepted openldap into bionic-proposed. The package will build now and be available at https:/
Please help us by testing this new package. See https:/
If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-
Further information regarding the verification process can be found at https:/
N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.
| Changed in openldap (Ubuntu Xenial): | |
| status: | Confirmed → Fix Committed |
| tags: | added: verification-needed-xenial |
| Brian Murray (brian-murray) wrote : | #9 |
Hello Mattias, or anyone else affected,
Accepted openldap into xenial-proposed. The package will build now and be available at https:/
Please help us by testing this new package. See https:/
If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-
Further information regarding the verification process can be found at https:/
N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.
| Ubuntu SRU Bot (ubuntu-sru-bot) wrote : Autopkgtest regression report (openldap/2.4.48+dfsg-1ubuntu1.2) | #10 |
All autopkgtests for the newly accepted openldap (2.4.48+
The following regressions have been reported in tests triggered by the package:
asterisk/
Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUp
https:/
[1] https:/
Thank you!
| Ubuntu SRU Bot (ubuntu-sru-bot) wrote : Autopkgtest regression report (openldap/2.4.49+dfsg-2ubuntu1.3) | #12 |
All autopkgtests for the newly accepted openldap (2.4.49+
The following regressions have been reported in tests triggered by the package:
apache2/
cyrus-imapd/
kopanocore/
Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUp
https:/
[1] https:/
Thank you!
| Andreas Hasenack (ahasenack) wrote : | #13 |
bionic verification
First reproducing the problem:
Version table:
*** 2.4.45+
500 http://
500 http://
100 /var/lib/
Command fails:
root@bionic-
SASL/PLAIN authentication started
Please enter your password:
ldap_sasl_
additional info: SASL(-1): generic failure: Password verification failed
And dmesg shows the apparmor denial:
[17283.881912] audit: type=1400 audit(159422877
With the updated package from proposed:
Version table:
*** 2.4.45+
500 http://
100 /var/lib/
The ldapsearch command works, and there is no apparmor error in dmesg:
root@bionic-
SASL/PLAIN authentication started
Please enter your password:
SASL username: root
SASL SSF: 0
dn: dc=example,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: example
dc: example
Bionic verification succeeded.
| tags: |
added: verification-done-bionic removed: verification-needed-bionic |
| Andreas Hasenack (ahasenack) wrote : | #14 |
Eoan verification
First, reproducing the bug:
Version table:
*** 2.4.48+
500 http://
500 http://
100 /var/lib/
ldapsearch fails:
root@eoan-
SASL/PLAIN authentication started
Please enter your password:
ldap_sasl_
additional info: SASL(-1): generic failure: Password verification failed
And dmesg shows the apparmor DENIED message:
[17713.076558] audit: type=1400 audit(159422920
With the package from proposed:
Version table:
*** 2.4.48+
500 http://
100 /var/lib/
ldapsearch works:
root@eoan-
SASL/PLAIN authentication started
Please enter your password:
SASL username: root
SASL SSF: 0
dn: dc=example,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: example
dc: example
And there is no DENIED message in dmesg.
eoan verification succeeded.
| tags: |
added: verification-done-eoan removed: verification-needed-eoan |
| Andreas Hasenack (ahasenack) wrote : | #15 |
Focal verification
First, reproducing the problem:
Version table:
*** 2.4.49+
500 http://
500 http://
100 /var/lib/
ldapsearch fails:
root@focal-
SASL/PLAIN authentication started
Please enter your password:
ldap_sasl_
additional info: SASL(-1): generic failure: Password verification failed
and dmesg complains:
[18037.506232] audit: type=1400 audit(159422952
With the proposed packages:
*** 2.4.49+
500 http://
100 /var/lib/
ldapsearch works:
root@focal-
SASL/PLAIN authentication started
Please enter your password:
SASL username: root
SASL SSF: 0
dn: dc=example,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: example
dc: example
And there is no apparmor DENIED message in dmesg.
Focal verification succeeded.
| tags: |
added: verification-done-focal removed: verification-needed-focal |
| Andreas Hasenack (ahasenack) wrote : | #16 |
Xenial verification
Reproducing the error:
root@xenial-
SASL/PLAIN authentication started
Please enter your password:
ldap_sasl_
additional info: SASL(-1): generic failure: Password verification failed
And dmesg:
[qua jul 8 11:50:42 2020] audit: type=1400 audit(159421984
With the updated packages, ldapsearch works:
root@xenial-
slapd:
Installed: 2.4.42+
Candidate: 2.4.42+
Version table:
*** 2.4.42+
500 http://
100 /var/lib/
...
root@xenial-
SASL/PLAIN authentication started
Please enter your password:
SASL username: root
SASL SSF: 0
dn: dc=example,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: example
dc: example
And no dmesg apparmor error.
Xenial verification succeeded.
| tags: |
added: verification-done-xenial removed: verification-needed-xenial |
| Andreas Hasenack (ahasenack) wrote : | #17 |
The asterisk DEP8 armhf test was retried and is now green.
| Ubuntu SRU Bot (ubuntu-sru-bot) wrote : | #18 |
All autopkgtests for the newly accepted openldap (2.4.49+
The following regressions have been reported in tests triggered by the package:
cyrus-imapd/
apache2/
kopanocore/
Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUp
https:/
[1] https:/
Thank you!
| Andreas Hasenack (ahasenack) wrote : | #19 |
Kopanocore armhf is the only persistent red, but this test/package is known to be flaky on armhf.
| Launchpad Janitor (janitor) wrote : | #20 |
This bug was fixed in the package openldap - 2.4.49+
---------------
openldap (2.4.49+
* d/apparmor-profile: Update apparmor profile to grant access to
the saslauthd socket, so that SASL authentication works. (LP: #1557157)
-- Sergio Durigan Junior <email address hidden> Fri, 12 Jun 2020 18:18:58 -0400
| Changed in openldap (Ubuntu Focal): | |
| status: | Fix Committed → Fix Released |
The verification of the Stable Release Update for openldap has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.
| Launchpad Janitor (janitor) wrote : | #22 |
This bug was fixed in the package openldap - 2.4.48+
---------------
openldap (2.4.48+
[ Andreas Hasenack ]
* d/p/ITS-
patch to fix slapd crashing in certain configurations when a client
attempts a login to a locked account. (LP: #1866303)
[ Sergio Durigan Junior ]
* d/apparmor-profile: Update apparmor profile to grant access to
the saslauthd socket, so that SASL authentication works. (LP: #1557157)
-- Andreas Hasenack <email address hidden> Wed, 01 Jul 2020 16:43:06 -0300
| Changed in openldap (Ubuntu Eoan): | |
| status: | Fix Committed → Fix Released |
| Launchpad Janitor (janitor) wrote : | #23 |
This bug was fixed in the package openldap - 2.4.45+
---------------
openldap (2.4.45+
[ Andreas Hasenack ]
* d/p/ITS-
patch to fix slapd crashing in certain configurations when a client
attempts a login to a locked account. (LP: #1866303)
[ Sergio Durigan Junior ]
* d/apparmor-profile: Update apparmor profile to grant access to
the saslauthd socket, so that SASL authentication works. (LP: #1557157)
-- Andreas Hasenack <email address hidden> Wed, 01 Jul 2020 16:38:55 -0300
| Changed in openldap (Ubuntu Bionic): | |
| status: | Fix Committed → Fix Released |
| Launchpad Janitor (janitor) wrote : | #24 |
This bug was fixed in the package openldap - 2.4.42+
---------------
openldap (2.4.42+
[ Andreas Hasenack ]
* d/p/ITS-
patch to fix slapd crashing in certain configurations when a client
attempts a login to a locked account. (LP: #1866303)
[ Sergio Durigan Junior]
* d/apparmor-profile: Update apparmor profile to grant access to
the saslauthd socket, so that SASL authentication works. (LP: #1557157)
-- Andreas Hasenack <email address hidden> Wed, 01 Jul 2020 16:33:08 -0300
| Changed in openldap (Ubuntu Xenial): | |
| status: | Fix Committed → Fix Released |
Status changed to 'Confirmed' because the bug affects multiple users.