Apparmor profile improvements for letsencrypt

Bug #1909748 reported by Paul McEnery
Affects: openldap (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Christian Ehrhardt

Bug Description

I can see that the slapd apparmor profile goes 90% of the way to working out of the box with letsencrypt/certbot, but fails to include abstractions/ssl_keys. The attached patch should support all the methods in these abstractions, and should be the default with the slapd package.

Please can you look at including this in future?

Many thanks,
Paul.

Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "usr.sbin.slapd patch" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
Christian Ehrhardt (paelzer) wrote :

FYI - Your change looks fine to me.
I'll take a closer look later to consider where to best push this.

tags: added: server-next
Changed in openldap (Ubuntu):
assignee: nobody → Christian Ehrhardt (paelzer)
Christian Ehrhardt (paelzer) wrote :

The apparmor profile isn't in Debian yet and I've seen no effort to do so [1][2] yet.
Therefore for now just update the profile we have.

Therefore I proposed [3] which converted your contribution to the changes that will be needed on the packaging.

P.S. I've spoken to Andreas and he said there was no old deny for apparmor in Debian, so we should at some point be able to get it there as well (with the fix then).

[1]: https://salsa.debian.org/paelzer-guest/openldap/-/merge_requests
[2]: https://bugs.debian.org/cgi-bin/pkgreport.cgi?repeatmerged=yes&src=openldap
[3]: https://code.launchpad.net/~paelzer/ubuntu/+source/openldap/+git/openldap/+merge/395730

Changed in openldap (Ubuntu):
status: New → In Progress
Christian Ehrhardt (paelzer) wrote :

FYI - We've united this with a merge for 21.04 that was ongoing.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openldap - 2.4.56+dfsg-1ubuntu1

---------------
openldap (2.4.56+dfsg-1ubuntu1) hirsute; urgency=medium

  * Merge with Debian unstable. Remaining changes:
    - Enable AppArmor support:
      + d/apparmor-profile: add AppArmor profile
      + d/rules: use dh_apparmor
      + d/control: Build-Depends on dh-apparmor
      + d/slapd.README.Debian: add note about AppArmor
    - Enable GSSAPI support (first added in 2.4.18-0ubuntu2):
      + d/patches/gssapi.diff, thanks to Jerry Carter (Likewise):
        - Add --with-gssapi support
        - Make guess_service_principal() more robust when determining
          principal
      + d/configure.options: Configure with --with-gssapi
      + d/control: Added heimdal-dev as a build depend
      + d/rules:
        - Explicitly add -I/usr/include/heimdal to CFLAGS.
        - Explicitly add -I/usr/lib/<multiarch>/heimdal to LDFLAGS.
      + d/libldap-2.4-2.symbols: add symbols for GSSAPI support
      This should be dropped when the soname changes.
    - Enable ufw support:
      + d/control: suggest ufw.
      + d/rules: install ufw profile.
      + d/slapd.ufw.profile: add ufw profile.
    - Enable nss overlay:
      + d/rules:
        - add nssov to CONTRIB_MODULES
        - add sysconfdir to CONTRIB_MAKEVARS
      + d/slapd.install: install nssov overlay
      + d/slapd.manpages: install slapo-nssov(5) man page
      + d/p/contrib-makefiles: given the change in 2.4.47+dfsg-3 regarding
        Debian bug #919136, we also have to patch the nssov makefile
        accordingly and thus update this patch.
    - d/{rules,slapd.py}: Add apport hook.
    - Add support for CLDAP (UDP) support, back then required by
      likewise-open (first enabled in 2.4.17-1ubuntu2):
      + d/rules: Enable -DLDAP_CONNECTIONLESS
      + d/libldap-2.4-2.symbols: add symbols for CLDAP (UDP)
      This should be dropped when the soname changes.
    - debian/patches/fix_test_timing.patch: fix FTBFS on riscv64 because
      of test timing issue.
    - d/rules: better regexp to match the Maintainer tag in d/control,
      needed in the Ubuntu case because of XSBC-Original-Maintainer
      (Closes #960448, LP #1875697)
  * d/apparmor-profile: use abstractions/ssl_keys instead of manual rules,
    allows letsencrypt to work. Thanks to Paul McEnery (LP: #1909748)

 -- Paride Legovini <email address hidden> Mon, 04 Jan 2021 16:18:57 +0100

Changed in openldap (Ubuntu):
status: In Progress → Fix Released
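The changelog entry above replaces hand-written key rules with the abstractions/ssl_keys include. To show why that matters for a certbot-managed certificate, here is an added illustration (not code from the bug, the patch or the openldap package) that resolves `#include <abstractions/...>` lines and reports what an AppArmor allow rule grants to a given path. The abstraction contents and both profile fragments are constructed stand-ins, and rule semantics are simplified (no deny, owner or link rules).

```python
import re

# Constructed stand-in for abstractions/ssl_keys (the real file lists more paths).
ABSTRACTIONS = {"ssl_keys": (
    "  /etc/ssl/private/** r,\n"
    "  /etc/letsencrypt/archive/** r,\n"
    "  /etc/letsencrypt/live/** r,\n")}

RULE_RE = re.compile(r"^\s*(?:owner\s+)?(/\S+)\s+([a-z]+)\s*,\s*$")   # path glob + perms
INCLUDE_RE = re.compile(r"^\s*#?include\s+<abstractions/([\w.-]+)>")

def glob_to_regex(pattern):
    """AppArmor globbing: '**' may span '/', '*' and '?' may not, {a,b} alternates."""
    out, depth, i = [], 0, 0
    while i < len(pattern):
        c = pattern[i]
        if pattern.startswith("**", i):
            out.append(".*"); i += 2; continue
        if c == "*": out.append("[^/]*")
        elif c == "?": out.append("[^/]")
        elif c == "{": out.append("(?:"); depth += 1
        elif c == "}" and depth: out.append(")"); depth -= 1
        elif c == "," and depth: out.append("|")
        else: out.append(re.escape(c))
        i += 1
    return re.compile("^" + "".join(out) + "$")

def parse_rules(profile):
    """Yield (regex, perms) for allow rules, expanding includes from ABSTRACTIONS."""
    for line in profile.splitlines():
        inc = INCLUDE_RE.match(line)
        if inc:
            yield from parse_rules(ABSTRACTIONS[inc.group(1)])
        elif (m := RULE_RE.match(line)):
            yield glob_to_regex(m.group(1)), set(m.group(2))

def perms_for(profile, path):
    """Permission letters granted to `path` by any allow rule. Deny, owner and link
    rules are not modelled; AppArmor mediates the resolved symlink target path."""
    granted = set()
    for rx, perms in parse_rules(profile):
        if rx.match(path):
            granted |= perms
    return granted

# Constructed fragments standing in for the old and new usr.sbin.slapd key rules.
MANUAL_RULES = "  /etc/ssl/private/ r,\n  /etc/ssl/private/* r,\n"
WITH_ABSTRACTION = "  #include <abstractions/ssl_keys>\n"
# live/ entries are symlinks into archive/, so the archive path is what is checked.
LE_KEY = "/etc/letsencrypt/archive/ldap.example.org/privkey1.pem"
```

With the manual rules, `perms_for(MANUAL_RULES, LE_KEY)` is empty, so slapd would be denied the key; with the include it is `{"r"}`.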