wrong permissions to access ldapi

Bug #257667 reported by Javier Uruen Val on 2008-08-13
Affects Status Importance Assigned to Milestone
openldap (Ubuntu)

Bug Description

Binary package hint: slapd

Source: openldap_2.4.11-0ubuntu1

Release: 8.10

Version: 2.4.11-0ubuntu1

Unless I'm missing something, if slapd is configured to place its Unix socket within /var/run/slapd (which is usual), processes won't be able to connect to the socket due to the directory's permissions.


Javier Uruen Val (juruen) wrote :
Mathias Gug (mathiaz) wrote :

Thanks for your bug report. Your debdiff doesn't work as expected as /var/run is a tmpfs directory and is recreated every time the system is booted.

Moreover, according to the init script /etc/init.d/slapd, the symlink is there to maintain backward compatibility with OpenLDAP 2.1 client libraries:

    # Backward compatibility with OpenLDAP 2.1 client libraries.
    if [ ! -h /var/run/ldapi ] && [ ! -e /var/run/ldapi ] ; then
        ln -s slapd/ldapi /var/run/ldapi
    fi

Changed in openldap:
importance: Undecided → Medium
status: New → Confirmed
Javier Uruen Val (juruen) wrote :

Hi Mathias,

Thanks for taking care of this.

Yes, /var/run is recreated every time the system is booted, but that's fine because /etc/init.d/slapd does the work ok:

    # Make sure the pidfile directory exists with correct permissions
    piddir=`dirname "$SLAPD_PIDFILE"`
    if [ ! -d "$piddir" ]; then
        mkdir -p "$piddir"
        [ -z "$SLAPD_USER" ] || chown -R "$SLAPD_USER" "$piddir"
        [ -z "$SLAPD_GROUP" ] || chgrp -R "$SLAPD_GROUP" "$piddir"
    fi

So, as there's no umask, the permissions for $piddir will be fine.

The issue comes up between the first time the package is installed and the first boot. That's what my debdiff tries to address.

Mathias Gug (mathiaz) wrote :

You are right Javier.

However, I'd suggest always fixing the permissions in the init script just after the ownership is set. It's simpler.

Changed in openldap:
status: Confirmed → Triaged
milestone: none → ubuntu-8.10-beta
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openldap - 2.4.11-0ubuntu4

openldap (2.4.11-0ubuntu4) intrepid; urgency=low

  * debian/slapd.postinst, debian/slapd.script-common: set correct ownership
    and permissions on /var/lib/ldap, /etc/ldap/slapd.d (group readable) and
    /var/run/slapd (world readable). (LP: #257667).
  * debian/slapd.script-common:
    - Fix package reconfiguration:
      + Remove slapd.d/ directory if it already exists when creating a new
      + Fix backup directory naming for multiple reconfiguration.

 -- Mathias Gug <email address hidden> Wed, 24 Sep 2008 21:01:42 -0400

Changed in openldap:
status: Triaged → Fix Released
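
The approach discussed in the thread (set the mode explicitly right after ownership, every time) can be sketched as below. This is an added example, not the code that shipped in the Ubuntu package: the function names `ensure_rundir`, `dir_mode` and `others_can_enter` are hypothetical, and mode 0755 is an assumed reading of "world readable" from the changelog.

```shell
#!/bin/sh
# Added example, not the packaged init script. Function names are
# hypothetical; mode 0755 is an assumption for "world readable".

# ensure_rundir DIR [USER] [GROUP]
# Create DIR if it is missing, apply ownership only when USER/GROUP are
# non-empty (the same guard the init script uses for SLAPD_USER and
# SLAPD_GROUP), then always set the mode explicitly so the result does not
# depend on the caller's umask or on whether DIR already existed.
ensure_rundir() {
    dir=$1 user=${2:-} group=${3:-}
    [ -d "$dir" ] || mkdir -p "$dir" || return 1
    [ -z "$user" ] || chown -R "$user" "$dir" || return 1
    [ -z "$group" ] || chgrp -R "$group" "$dir" || return 1
    chmod 0755 "$dir"
}

# dir_mode DIR
# Print the symbolic mode of DIR (for example drwxr-xr-x). Uses ls rather
# than stat so it behaves the same on GNU and BSD userlands.
dir_mode() {
    ls -ld "$1" | cut -c1-10
}

# others_can_enter DIR
# Succeed if "other" has the search (x) bit on DIR. Without it, a client
# running as another user cannot reach a socket such as DIR/ldapi, whatever
# the socket's own mode is.
others_can_enter() {
    case $(dir_mode "$1") in
        ?????????[xt]) return 0 ;;
        *) return 1 ;;
    esac
}
```

Running `others_can_enter /var/run/slapd` as a post-install check flags the condition reported in this bug before any client tries to connect.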