Apparmor should include letsencrypt directory for Slapd
Bug #1805178 reported by Tarek Loubani
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
openldap (Ubuntu) | Fix Released | Low | Unassigned | | |
Bug Description
Apparmor denies access to /etc/letsencrypt for slapd, which is confusing for users trying to secure ldap with Letsencrypt in a stock configuration.
The fix is inserting the following line in /etc/apparmor.
/etc/
and then refreshing the profile:
# apparmor_parser -vr usr.sbin.slapd
This line should simply be included.
tarek : )
Changed in openldap (Ubuntu): | |
status: | Expired → New |
Thanks for filing this bug in Ubuntu.
First, let me suggest that any local modifications to apparmor profiles be made in /etc/apparmor.d/local instead of the profile in /etc/apparmor.d, otherwise you will get dpkg conf prompts with every upgrade. For slapd, for example, you have /etc/apparmor.d/local/usr.sbin.slapd
Second, what is the structure of files and directories in /etc/letsencrypt? Is it separated by user, service, or do all certs go in there? It would be good if we could come up with a rule that's a bit more specific.
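
An added example, not part of the bug report or of the Ubuntu profile: one way to arrive at a more specific rule is to read the AppArmor denials that slapd actually triggers and list the exact paths and access modes, then review the result before putting it in the local override. The audit lines, the `example.org` directory and the profile name `/usr/sbin/slapd` are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample audit lines (not taken from the bug report).
SAMPLE_LOG = """\
audit: type=1400 audit(1543250000.101:45): apparmor="DENIED" operation="open" profile="/usr/sbin/slapd" name="/etc/letsencrypt/archive/example.org/fullchain1.pem" pid=1234 comm="slapd" requested_mask="r" denied_mask="r" fsuid=111 ouid=0
audit: type=1400 audit(1543250000.102:46): apparmor="DENIED" operation="open" profile="/usr/sbin/slapd" name="/etc/letsencrypt/archive/example.org/privkey1.pem" pid=1234 comm="slapd" requested_mask="r" denied_mask="r" fsuid=111 ouid=0
audit: type=1400 audit(1543250000.103:47): apparmor="ALLOWED" operation="open" profile="/usr/sbin/slapd" name="/etc/ldap/slapd.d/cn=config.ldif" pid=1234 comm="slapd" requested_mask="r" denied_mask="r" fsuid=111 ouid=111
audit: type=1400 audit(1543250000.104:48): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/letsencrypt/archive/example.org/cert1.pem" pid=999 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

# key="value" pairs as they appear in AppArmor audit records
FIELD = re.compile(r'(\w+)="([^"]*)"')

def denied_paths(log, profile_suffix="slapd", prefix="/etc/letsencrypt/"):
    """Map each path under `prefix` denied to the slapd profile to its denied modes."""
    denied = defaultdict(set)
    for line in log.splitlines():
        fields = dict(FIELD.findall(line))
        if fields.get("apparmor") != "DENIED":
            continue  # ignore ALLOWED/AUDIT records
        if not fields.get("profile", "").endswith(profile_suffix):
            continue  # ignore other confined services
        name = fields.get("name", "")
        if name.startswith(prefix):
            denied[name].update(fields.get("denied_mask", ""))
    return dict(denied)

def suggest_rules(denied):
    """One candidate profile rule per denied file, narrowest form (exact path)."""
    return sorted(f"{path} {''.join(sorted(modes))}," for path, modes in denied.items())

if __name__ == "__main__":
    for rule in suggest_rules(denied_paths(SAMPLE_LOG)):
        print(rule)
```
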