[SRU]slapd gssapi failure - apparmor profile doesn't support kerberos gssapi

Bug #229252 reported by javierpb on 2008-05-11
Affects: openldap (Ubuntu)
Assigned to: Jamie Strandboge

Bug Description

Binary package hint: slapd

I'm setting up a ldap server allowing gssapi (kerberos) authentication, and it looks like the slapd daemon does not work properly. I've tried with both sasl-gssapi flavours (MIT & heimdal), and both fail when the slapd is running on the ubuntu (hardy) box, but works properly when the slapd is on a debian (etch) box.

The behaviour (described below) is the same when I supply the proper KRB5_KTNAME on /etc/default/slapd and when no keytab is supplied there, so it looks like the environment variable is not honoured.

When using the Heimdal-GSSAPI library, I get
ldap_sasl_interactive_bind_s: Invalid credentials (49)

MIT-GSSAPI library gives
ldap_sasl_interactive_bind_s: Other (e.g., implementation specific) error (80)
and on the credential cache I see two tickets for a ldap principal, one with the realm and another one that looks like realm-less.
There is also a quite probably related syslog message (selinux disabled, keytab owned by openldap user):
kernel: [ 783.797967] audit(1210511590.180:11): type=1503 operation="inode_permission" requested_mask="::a" denied_mask="::a" name="/dev/tty" pid=7408 profile="/usr/sbin/slapd" namespace="default"

I've just had a similar problem. It's caused by a conflict with AppArmor's slapd policy (in /etc/apparmor.d/usr.sbin.slapd).
I switched apparmor's policy to complain mode with aa-complain and it fixed the problem.

Philipp Kaluza (pixelpapst) wrote :

Ryan, could you post the text of AppArmor's complaint ?

AppArmor provided several complaints:

Jun 16 12:30:43 lionel kernel: [ 6122.925033] audit(1213633843.473:17): type=1503 operation="inode_permission" requested_mask="::a" denied_mask="::a" name="/dev/tty" pid=5259 profile="/usr/sbin/slapd" namespace="default"
Jun 16 12:30:43 lionel kernel: [ 6122.927321] audit(1213633843.473:18): type=1503 operation="file_lock" requested_mask="k::" denied_mask="k::" name="/etc/ldap/keytab.ldap" pid=5259 profile="/usr/sbin/slapd" namespace="default"

To fix the top two, I added
  /dev/tty rw,
  /etc/ldap/keytab.ldap kr,
to AppArmor's slapd profile.

Upon restart of AppArmor and slapd, I tried to connect again, and it failed with this log message:

Jun 16 12:38:17 lionel kernel: [ 6577.144098] audit(1213634297.983:19): type=1503 operation="inode_permission" requested_mask="rw::" denied_mask="rw::" name="/var/tmp/ldap_111" pid=5339 profile="/usr/sbin/slapd" namespace="default"

From there, I added
  /var/tmp/ r,
  /var/tmp/* rw,
to the slapd profile.

Restarting AppArmor and slapd again, connecting to the server with gssapi works fine and presents no errors.
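The denial lines and the profile rules above map onto each other mechanically. As an added example (not part of this thread and not AppArmor's own tooling), the script below parses type=1503 denials in the format quoted here and reports which permissions a candidate set of profile rules still leaves denied; its sample log lines are constructed from the ones posted above, and its glob matching and mask handling are simplifications assumed for the example.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the type=1503 audit lines quoted in this thread.
SAMPLE_LOG = """\
Jun 16 12:30:43 lionel kernel: [ 6122.925033] audit(1213633843.473:17): type=1503 operation="inode_permission" requested_mask="::a" denied_mask="::a" name="/dev/tty" pid=5259 profile="/usr/sbin/slapd" namespace="default"
Jun 16 12:30:43 lionel kernel: [ 6122.927321] audit(1213633843.473:18): type=1503 operation="file_lock" requested_mask="k::" denied_mask="k::" name="/etc/ldap/keytab.ldap" pid=5259 profile="/usr/sbin/slapd" namespace="default"
Jun 16 12:38:17 lionel kernel: [ 6577.144098] audit(1213634297.983:19): type=1503 operation="inode_permission" requested_mask="rw::" denied_mask="rw::" name="/var/tmp/ldap_111" pid=5339 profile="/usr/sbin/slapd" namespace="default"
"""

DENIAL_RE = re.compile(
    r'type=1503 .*?denied_mask="([^"]*)" name="([^"]*)" pid=\d+ profile="([^"]*)"')

def parse_denials(log_text):
    """Map profile -> path -> set of denied permission letters.
    The 2.1-era mask has colon-separated fields ("rw::", "::a"); this example
    collapses them and keeps only the letters (an assumption, not AppArmor's own parser)."""
    denied = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        m = DENIAL_RE.search(line)
        if m:
            denied[m.group(3)][m.group(2)] |= set(m.group(1).replace(":", ""))
    return denied

def rule_matches(pattern, path):
    """Simplified AppArmor glob: '**' also spans '/', '*' does not (no {a,b} or ? here)."""
    rx = re.escape(pattern).replace(r"\*\*", ".*").replace(r"\*", "[^/]*")
    return re.fullmatch(rx, path) is not None

def uncovered(denied, profile, rules):
    """Permissions still denied once the given (pattern, perms) rules are in the profile."""
    missing = {}
    for path, perms in denied.get(profile, {}).items():
        granted = set().union(*(set(p) for pat, p in rules if rule_matches(pat, path)))
        if "w" in granted:          # write permission already includes append
            granted.add("a")
        if perms - granted:
            missing[path] = "".join(sorted(perms - granted))
    return missing

# Rules this thread says the fixed package adds, then Ryan's hand additions on top.
FIX_RULES = [("/etc/krb5.keytab", "kr"), ("/etc/ldap/**", "kr")]
RYAN_RULES = FIX_RULES + [("/dev/tty", "rw"), ("/var/tmp/", "r"), ("/var/tmp/*", "rw")]

if __name__ == "__main__":
    denials = parse_denials(SAMPLE_LOG)
    print("still denied with the package's keytab rules:", uncovered(denials, "/usr/sbin/slapd", FIX_RULES))
    print("still denied with Ryan's additions:", uncovered(denials, "/usr/sbin/slapd", RYAN_RULES))
```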

Changed in openldap:
status: New → Confirmed

Attached debdiff was tested and verified to work against a krb5 KDC and kerberized slapd. The profile allows 'kr' access to /etc/krb5.keytab as well as all of /etc/ldap/** (so users can put their keytabs in there).

Attached debdiff also fixes bug #243525

Changed in openldap:
assignee: nobody → jdstrand
status: Confirmed → In Progress
Jamie Strandboge (jdstrand) wrote :

Attached debdiff is (perhaps obviously) for Hardy SRU.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openldap - 2.4.10-3ubuntu1

openldap (2.4.10-3ubuntu1) intrepid; urgency=low

  [ Mathias Gug ]
  * Merge from debian unstable, remaining changes:
    - debian/apparmor-profile: add AppArmor profile
    - debian/slapd.postinst: Reload AA profile on configuration
    - updated debian/slapd.README.Debian for note on AppArmor
    - debian/control: Recommends apparmor >= 2.1+1075-0ubuntu6
    - debian/control: Conflicts with apparmor-profiles << 2.1+1075-0ubuntu4
      to make sure that if earlier version of apparmor-profiles gets
      installed it won't overwrite our profile.
    - Modify Maintainer value to match the DebianMaintainerField
    - follow ApparmorProfileMigration and force apparmor complain mode on
      some upgrades (LP: #203529)
    - debian/slapd.dirs: add etc/apparmor.d/force-complain
    - debian/slapd.preinst: create symlink for force-complain on pre-feisty
      upgrades, upgrades where apparmor-profiles profile is unchanged (ie
      non-enforcing) and upgrades where apparmor profile does not exist.
    - debian/slapd.postrm: remove symlink in force-complain/ on purge
    - debian/patches/fix-ucred-libc due to changes how newer glibc handle
      the ucred struct now.
    - debian/patches/fix-unique-overlay-assertion.patch:
      Fix another assertion error in unique overlay (LP: #243337).
      Backport from head.
  * Dropped - implemented in Debian:
    - debian/patches/fix-gnutls-key-strength.patch:
      Fix slapd handling of ssf using gnutls. (LP: #244925).
    - debian/control:
      Add time as build dependency: needed by make test.
  * debian/control:
    - Build-depend on libltdl7-dev rather than libltdl3-dev.
  * debian/patches/autogen.sh:
    - Call libtoolize with the --install option to install config.{guess,sub}

  [ Jamie Strandboge ]
  * adjust apparmor profile to allow gssapi (LP: #229252)
  * adjust apparmor profile to allow cnconfig (LP: #243525)

openldap (2.4.10-3) unstable; urgency=low

  [ Steve Langasek ]
  * New patch, CVE-2008-2952_BER-decoding-assertion, to fix a remote DoS
    vulnerability in the BER decoder. Addresses CVE-2008-2952,
    closes: #488710.
  * debian/slapd.scripts-common, debian/slapd.postinst: drop
    update_path_argsfile_pidfile function, not needed for updates from etch
    or newer.
  * Drop the code to check for and upgrade ldbm databases. The etch
    release of slapd had already dropped support for them and direct
    upgrades from sarge are not supported.

  [ Russ Allbery ]
  * Apply upstream patch to convert GnuTLS cipher strength from bytes to
    bits, as expected by OpenLDAP. (Closes: #473796)
  * Add Build-Depends on time, used by the test suite and only a shell
    built-in with bash. Thanks, Daniel Schepler. (Closes: #490754)
  * Refresh all patches, convert all patches to -p1, and remove extraneous
    Index: lines. (Closes: #485263)
  * Unless DFSG_NONFREE is set, also check whether the upstream schemas
    with RFC comments are included.
  * Update standards version to 3.8.0.
    - Include debian/README.source pointing to the quilt README.source.
    - Wrap Uploaders for ...


Changed in openldap:
status: In Progress → Fix Released
Nick Fishman (bsdlogical) wrote :


I don't mean to reopen this bug after it's (apparently) been fixed.

I was trying to setup a combined LDAP/Kerberos system today, and ran into this exact problem. I'm running the latest version of Hardy with all updates. After I applied the fixes to the AppArmor profile suggested by Ryan, everything worked.

My major question is (and perhaps this is due to a major misunderstanding on my part): why was this fix applied to the openldap package, when the server itself is in slapd? Indeed, I could not find this patch in the latest slapd package.

Thanks in advance,

Jamie Strandboge (jdstrand) wrote :

openldap is the name of the source package in the development release, and the slapd profile has been fixed in that release. We will also apply for a StableReleaseUpdate for Ubuntu 8.04 LTS.

Chuck Short (zulcss) on 2008-08-05
Changed in openldap:
status: Fix Released → Confirmed
status: Confirmed → Fix Released
Chuck Short (zulcss) wrote :

Due to apparmor changes, kerberos authentication is not available in hardy. This patch fixes it:

Steps to Reproduce:

1. Install openldap2.3
2. Install a kerberos authentication environment
3. Try to authenticate.

NOTE: This test should be done with someone who already has this setup.

I have attached the debdiff that fixes this issue.


Changed in openldap:
status: New → In Progress
Chuck Short (zulcss) wrote :
Steve Langasek (vorlon) wrote :

Accepted into -proposed, please test and give feedback here. Please see https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

Changed in openldap:
status: In Progress → Fix Committed
javierpb (javiplx) wrote :

Is there any schedule for including openldap-2.4.10-3ubuntu1 into hardy? I would like to test that the patch does actually work.

I've tried to install the binary package and compile the source one, but both fail due to missing dependencies (libltdl7) or versions.

On Thu, Aug 07, 2008 at 04:39:29PM -0000, javierpb wrote:
> Is there any schedule for including openldap-2.4.10-3ubuntu1 into hardy?
> I would like to test that the patch does actually works.

The version for hardy is 2.4.9-0ubuntu0.8.04.2, which is currently in
hardy-proposed. You can test it by enabling the hardy-proposed pocket in
your "Software Sources" administration dialog.

--
Steve Langasek, Debian Developer, Ubuntu Developer
http://www.debian.org/
"Give me a lever long enough and a Free OS to set it on, and I can move the world."

javierpb (javiplx) wrote :

I've finally performed the test, and I can confirm that the package in hardy-proposed solves this bug, and GSSAPI authentication to an OpenLDAP server works without problems.

jplien (jolien) wrote :

I applied the fix from hardy-proposed, restarted slapd and apparmor, and I am no longer getting errors from apparmor in /var/log/messages. Accessing slapd using GSSAPI doesn't work, however, because slapd doesn't seem to honor my KRB5_KTNAME variable. I had this working in gutsy, but since upgrade to hardy I can't use GSSAPI. Trying to connect gives the following slapd output:

SASL [conn=1] Failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Permission denied)

I have a keytab file /etc/ldap/slapd.keytab (owned by openldap:openldap, mode 600), and I have KRB5_KTNAME=/etc/ldap/slapd.keytab. This is set in /etc/default/slapd when slapd is started automatically, and I set it on the command line before running slapd manually. Neither method works. If I make /etc/slapd.keytab world readable, nothing changes. If I make /etc/krb5.keytab world readable, then it complains instead about not finding the principal it wants, so this is definitely where it is looking. Did something change between gutsy and hardy as far as specifying a keytab? I can't find info on this anywhere else.

jplien (jolien) wrote :

Ok, I changed /etc/default/slapd so that the last line reads
export KRB5_KTNAME="/etc/ldap/slapd.keytab"

instead of just:
KRB5_KTNAME="/etc/ldap/slapd.keytab"

The latter worked in gutsy, but I noticed the hardy config file included the "export". GSSAPI in slapd now works when auto-started, but it still won't work from the command line, even if I run export KRB5_KTNAME="/etc/ldap/slapd.keytab".

Steve Langasek (vorlon) wrote :


What's the exact command line you're using to try to start slapd manually?

Steve Langasek (vorlon) wrote :

Marking this fix as verified, because the remaining issues don't appear to be related to apparmor.

jplien (jolien) wrote :

Sorry for the delayed reply. It is working from the command line now. I was exporting the wrong keytab file name. I swear I looked at that 20 times the other day. **sigh**

Mathias Gug (mathiaz) wrote :

Fix released in 2.4.9-0ubuntu0.8.04.2.

Changed in openldap:
status: Fix Committed → Fix Released