[SRU] slapd needs apparmor changes for cn=config

Bug #243525 reported by Jeff Strunk on 2008-06-27
Affects: openldap2.3 (Ubuntu); Importance: Medium; Assigned to: Jamie Strandboge
Affects: Hardy; Importance: Undecided; Assigned to: Unassigned
Affects: Intrepid; Importance: Medium; Assigned to: Unassigned

Bug Description

Binary package hint: slapd

/usr/bin/slapd needs write access to /etc/ldap/slap.d if one is going to use the in tree configuration mechanism effectively.

The following line needs to be added to /etc/apparmor.d/usr.sbin.slapd :
  /etc/ldap/slapd.d/* rw,

It can go after the line:
  /etc/ldap/slapd.conf r,

I found this bug on a Hardy server with slapd 2.4.9-0ubuntu0.8.04 which is made with the openldap2.3 source package. The solution was at http://ubuntuforums.org/showthread.php?t=808097

The consequence of not doing this is that any changes made to the cn=config tree are not saved in /etc/ldap/slapd.d . This defeats the purpose of this new feature.

  status triaged
  importance medium

--
Mathias Gug
Ubuntu Developer http://www.ubuntu.com

Changed in openldap2.3:
importance: Undecided → Medium
status: New → Triaged

Please add the line reading:

/etc/ldap/slapd.d/** rw, (double **)

If you want to create a subentry in cn=config, slapd needs to create a directory under /etc/ldap/slapd.d/cn=config/...

Changed in openldap2.3:
assignee: nobody → jdstrand
Changed in openldap2.3:
status: Triaged → In Progress
Jamie Strandboge (jdstrand) wrote :

The attached debdiff simply adds 'rw' access to /etc/ldap/slapd.d, and cnconfig importing was tested to work properly. Patch is for Hardy SRU.

Also included in the debdiff is a fix for bug #229252.

Jamie Strandboge (jdstrand) wrote :

Testing consisted of updating the qa-regression-testing scripts to test for cnconfig imports, and the above debdiff passes this test with an apparmor enforcing profile.

Chuck Short (zulcss) wrote :

cn=config is not available in hardy because of the apparmor profile in hardy. This patch fixes the issue. I have attached the debdiff that fixes this issue:

STEPS TO REPRODUCE:

1. Install openldap2.3
2. Enable cn=config
3. Try to use openldap2.3 with cn=config enabled (http://www.zytrax.com/books/ldap/ch6/slapd-config.html)

If you have any questions please feel free to ask.

Regards
chuck

Changed in openldap2.3:
status: New → In Progress
Steve Langasek (vorlon) wrote :

Accepted into -proposed, please test and give feedback here. Please see https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

Changed in openldap2.3:
status: In Progress → Fix Committed
Mathias Gug (mathiaz) wrote :

Fixed in intrepid with 2.4.11-0ubuntu1.

Changed in openldap2.3:
status: In Progress → Fix Released
Martin Pitt (pitti) wrote :

Any testers?

Steve Langasek (vorlon) on 2009-01-27
Changed in openldap2.3:
importance: Undecided → Medium
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openldap2.3 - 2.4.9-0ubuntu0.8.04.2

---------------
openldap2.3 (2.4.9-0ubuntu0.8.04.2) hardy-proposed; urgency=low

  [Chuck Short]
  * debian/patches/fix-gnutls-key-strength.patch: fixes ssf matching key
    strength with gnutls 2.3. (LP: #244925)

  [Jamie Strandboge]
  * adjust apparmor profile to allow gssapi (LP: #229252)
  * adjust apparmor profile to allow cnconfig (LP: #243525)

 -- Chuck Short <email address hidden> Tue, 05 Aug 2008 14:37:01 +0000

Changed in openldap2.3:
status: Fix Committed → Fix Released