openldap apparmor profile denies access to test files in /tmp/

Bug #2130351 reported by Jonas Jelten
Affects                 Status        Importance  Assigned to   Milestone
nss-pam-ldapd (Ubuntu)  Fix Released  Undecided   Jonas Jelten  -
openldap (Ubuntu)       Invalid       Undecided   Jonas Jelten  -
python-ldap (Ubuntu)    Fix Released  Undecided   Jonas Jelten  -

Bug Description

This happens due to fixing AppArmor in bug #2119884.

Package tests run in a directory that is denied by AppArmor.

== nss-pam-ldapd ==
sets up slapd config in /tmp/

echo "$script: setting up test slapd..."
tmpslapd=`mktemp -d -t slapd.XXXXXX`
tests/setup_slapd.sh "$tmpslapd" setup
tests/setup_slapd.sh "$tmpslapd" start
=>
105s testsuite: setting up test slapd...
105s Creating blank /tmp/slapd.HYWyj5 slapd environment... done.
108s Fixing permissions... done.
108s Starting OpenLDAP: slapd FAILED
slapd -F "/tmp/slapd.HYWyj5/slapd.d" -u "$user" -g "$group" -h "ldap:/// ldaps:/// ldapi:///"

== python-ldap ==
Runs its tests in /tmp/autopkgtest via TMPDIR = os.environ.get('TMP', os.getcwd()), but this is denied by AppArmor.

To test the OpenLDAP config validity, python-ldap starts:

    def _test_config(self):
        self._log.debug('testing config %s', self._slapd_conf)
        popen_list = [
            self.PATH_SLAPD,
            "-Ttest",
            "-F", self._slapd_conf,
            "-u",
            "-v",
            "-d", "config"
        ]
        p = subprocess.run(
            popen_list,
            stdout=subprocess.PIPE,
            stderr=subprocess.STDOUT
        )
        if p.returncode != 0:
            self._log.error(p.stdout.decode("utf-8"))
            raise RuntimeError("configuration test failed")
        self._log.info("config ok: %s", self._slapd_conf)

This is denied by AppArmor:

192s autopkgtest [04:33:39]: test startserver: [-----------------------
192s 2025-10-29 04:33:39,747 ERROR ldif_read_file: Permission denied for "/tmp/autopkgtest.y86Vgq/autopkgtest_tmp/python-ldap-test-59787/slapd.d/cn=config.ldif"
192s slaptest: bad configuration directory!
192s
192s Traceback (most recent call last):
192s File "<string>", line 1, in <module>
192s import slapdtest; server = slapdtest.SlapdObject(); server.start(); assert server.port > 0 and server.port < 65536; server.stop()
192s ~~~~~~~~~~~~^^
192s File "/usr/lib/python3/dist-packages/slapdtest/_slapdtest.py", line 448, in start
192s self._test_config()
192s ~~~~~~~~~~~~~~~~~^^
192s File "/usr/lib/python3/dist-packages/slapdtest/_slapdtest.py", line 395, in _test_config
192s raise RuntimeError("configuration test failed")
192s RuntimeError: configuration test failed

Jonas Jelten (jj)
description: updated
description: updated
Revision history for this message
Hector CAO (hectorcao) wrote :

As we can see in https://autopkgtest.ubuntu.com/packages/python-ldap

python-ldap autopkgtests also fail in Noble.
(They succeeded in Plucky and Questing because of bug #2119884, which left slapd's profile inactive.)

So the test failure due to the permission issue when accessing /tmp is not something new; the question is why it was not fixed in Noble before the Ubuntu Noble release?

Jonas Jelten (jj) wrote :
Jonas Jelten (jj)
Changed in nss-pam-ldapd (Ubuntu):
assignee: nobody → Jonas Jelten (jj)
Jonas Jelten (jj)
Changed in python-ldap (Ubuntu):
status: New → Incomplete
status: Incomplete → New
Changed in nss-pam-ldapd (Ubuntu):
status: New → In Progress
Changed in python-ldap (Ubuntu):
status: New → In Progress
assignee: nobody → Jonas Jelten (jj)
Jonas Jelten (jj) wrote :
Changed in openldap (Ubuntu):
status: New → Triaged
Jonas Jelten (jj)
Changed in openldap (Ubuntu):
status: Triaged → In Progress
assignee: nobody → Jonas Jelten (jj)
Andreas Hasenack (ahasenack) wrote :

I left review comments in those salsa PRs.

Andreas Hasenack (ahasenack) wrote :

@jj, have you tested those changes in our dep8 infra? I would suggest testing on at least amd64 and armhf, due to the way armhf is set up in our infra.

Jonas Jelten (jj) wrote (last edit ):

PPA for testing those with Ubuntu's autopkgtest: https://launchpad.net/~jj/+archive/ubuntu/lp2119884-openldap-fix-apparmor
My local test on amd64 with autopkgtest-buildvm-ubuntu-cloud succeeds :)

Jonas Jelten (jj) wrote :

  - nss-pam-ldapd: resolute/nss-pam-ldapd/0.9.13-2ubuntu1~ppa5 [amd64]
    + ✅ nss-pam-ldapd on resolute for amd64 @ 17.11.25 11:54:41
  - nss-pam-ldapd: resolute/nss-pam-ldapd/0.9.13-2ubuntu1~ppa5 [arm64]
    + ✅ nss-pam-ldapd on resolute for arm64 @ 17.11.25 11:56:45
  - nss-pam-ldapd: resolute/nss-pam-ldapd/0.9.13-2ubuntu1~ppa5 [armhf]
    + ❌ nss-pam-ldapd on resolute for armhf @ 17.11.25 11:57:55
      • testsuite FAIL 🟥
      • testsuite FLAKY 🟫
  - nss-pam-ldapd: resolute/nss-pam-ldapd/0.9.13-2ubuntu1~ppa5 [i386]
    + ❌ nss-pam-ldapd on resolute for i386 @ 17.11.25 11:54:00
      • testsuite FAIL 🟥
      • testsuite FAIL 🟥
  - nss-pam-ldapd: resolute/nss-pam-ldapd/0.9.13-2ubuntu1~ppa5 [ppc64el]
    + ✅ nss-pam-ldapd on resolute for ppc64el @ 17.11.25 11:56:40
  - nss-pam-ldapd: resolute/nss-pam-ldapd/0.9.13-2ubuntu1~ppa5 [riscv64]
    + ⛔ nss-pam-ldapd on resolute for riscv64 @ 17.11.25 12:11:46
      • testbed BAD ⛔
  - nss-pam-ldapd: resolute/nss-pam-ldapd/0.9.13-2ubuntu1~ppa5 [s390x]
    + ✅ nss-pam-ldapd on resolute for s390x @ 17.11.25 11:55:37

  - python-ldap: resolute/python-ldap/3.4.4-2ubuntu1~ppa4 [amd64]
    + ✅ python-ldap on resolute for amd64 @ 17.11.25 11:53:01
  - python-ldap: resolute/python-ldap/3.4.4-2ubuntu1~ppa4 [arm64]
    + ✅ python-ldap on resolute for arm64 @ 17.11.25 11:53:53
  - python-ldap: resolute/python-ldap/3.4.4-2ubuntu1~ppa4 [armhf]
    + ❌ python-ldap on resolute for armhf @ 17.11.25 11:55:05
      • upstream FAIL 🟥
      • startserver FAIL 🟥
  - python-ldap: resolute/python-ldap/3.4.4-2ubuntu1~ppa4 [i386]
    + ❌ python-ldap on resolute for i386 @ 17.11.25 11:52:53
      • 76s FAIL 🟥
      • 76s FAIL 🟥
      • 76s FAIL 🟥
  - python-ldap: resolute/python-ldap/3.4.4-2ubuntu1~ppa4 [ppc64el]
    + ✅ python-ldap on resolute for ppc64el @ 17.11.25 11:53:17
  - python-ldap: resolute/python-ldap/3.4.4-2ubuntu1~ppa4 [riscv64]
    + ⛔ python-ldap on resolute for riscv64 @ 17.11.25 12:01:24
      • testbed BAD ⛔
  - python-ldap: resolute/python-ldap/3.4.4-2ubuntu1~ppa4 [s390x]
    + ✅ python-ldap on resolute for s390x @ 17.11.25 11:53:21

=> i386 doesn't have libpam-ldapd:i386/python3-pyldap:i386
=> armhf fails due to AppArmor restrictions:
   apparmor_parser: Unable to replace "/usr/sbin/slapd". apparmor_parser: Access denied. You need policy admin privileges to manage profiles.

I suggest avoiding adding delta, so we should just set them as reference.
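The two failure modes in this bug (slapd's profile denying the test directory under /tmp, and armhf testbeds where apparmor_parser cannot replace a profile at all) can be handled together by a small test helper. The following is an added example, not the bug's own d/t/apparmor.sh and not code from the openldap, nss-pam-ldapd or python-ldap packages. It assumes that the profile is installed as /etc/apparmor.d/usr.sbin.slapd and that Ubuntu's profile includes the local override file /etc/apparmor.d/local/usr.sbin.slapd; the APPARMOR_D and APPARMOR_PARSER variables are hypothetical knobs added so the functions can be exercised on a machine without AppArmor. The "policy admin privileges" string it matches is the armhf error quoted above.

```shell
#!/bin/sh
# Added example helper: grant slapd access to a package-test directory via an
# AppArmor local override, reload the profile, and tolerate the armhf testbed
# limitation where profiles cannot be managed. Not from the packages' own tests.
set -u

# Assumed locations (Ubuntu convention: profile in /etc/apparmor.d, site
# overrides in /etc/apparmor.d/local/<profile>). Both are overridable so the
# functions can be run outside a real AppArmor system.
APPARMOR_D="${APPARMOR_D:-/etc/apparmor.d}"
APPARMOR_PARSER="${APPARMOR_PARSER:-apparmor_parser}"   # may contain arguments
SLAPD_PROFILE_NAME="usr.sbin.slapd"

# Print the rule block letting slapd read, write and lock everything below DIR.
# `owner` limits the grant to files owned by the user slapd runs as, so a rule
# for a directory under the shared /tmp does not expose other users' files.
slapd_test_rule() {
    dir="${1%/}"                                    # drop a trailing slash
    case "$dir" in
        /*) ;;
        *) echo "slapd_test_rule: need an absolute path, got '$dir'" >&2; return 1 ;;
    esac
    printf '# package test run: slapd test environment (added by apply_slapd_override)\n'
    printf 'owner "%s/" rw,\n' "$dir"
    printf 'owner "%s/**" rwk,\n' "$dir"
}

# Reload the slapd profile. Returns 0 on success, 0 with a warning when the
# testbed cannot manage profiles (the armhf case), 1 on any other failure.
reload_slapd_profile() {
    if ! command -v "${APPARMOR_PARSER%% *}" >/dev/null 2>&1; then
        echo "apparmor_parser not available; nothing to reload" >&2
        return 0
    fi
    # shellcheck disable=SC2086  # intentional word splitting of APPARMOR_PARSER
    out="$($APPARMOR_PARSER -r "$APPARMOR_D/$SLAPD_PROFILE_NAME" 2>&1)" && return 0
    case "$out" in
        *"policy admin privileges"*)
            echo "warning: AppArmor profile not reloaded, continuing: $out" >&2
            return 0 ;;
    esac
    echo "apparmor_parser failed: $out" >&2
    return 1
}

# Append the rule for DIR to the local override (idempotently) and reload.
apply_slapd_override() {
    dir="${1%/}"
    local_file="$APPARMOR_D/local/$SLAPD_PROFILE_NAME"
    rule="$(slapd_test_rule "$dir")" || return 1
    mkdir -p "$APPARMOR_D/local" || return 1
    if [ -f "$local_file" ] && grep -Fqx "owner \"$dir/**\" rwk," "$local_file"; then
        return 0                                    # already granted
    fi
    printf '%s\n' "$rule" >> "$local_file" || return 1
    reload_slapd_profile
}

# Usage from a test script, with a constructed temporary directory:
#   tmpslapd=$(mktemp -d -t slapd.XXXXXX)
#   apply_slapd_override "$tmpslapd" || exit 1
#   slapd -F "$tmpslapd/slapd.d" -h "ldapi:///" ...
```

Writing to the local override instead of editing the shipped profile keeps the package's policy intact and survives a package upgrade; the rule is scoped to the one test directory rather than all of /tmp, so the test does not weaken the profile more than it needs.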

Jonas Jelten (jj) wrote (last edit ):

To have a proper solution for now, I've added delta to nss-pam-ldapd and python-ldap to fix this, since the migration-reference setting isn't possible in -proposed.

  - nss-pam-ldapd: resolute/nss-pam-ldapd/0.9.13-2ubuntu2~ppa3 [amd64]
    + ✅ nss-pam-ldapd on resolute for amd64 @ 08.12.25 14:09:49
  - nss-pam-ldapd: resolute/nss-pam-ldapd/0.9.13-2ubuntu2~ppa3 [arm64]
    + ✅ nss-pam-ldapd on resolute for arm64 @ 08.12.25 14:21:55
  - nss-pam-ldapd: resolute/nss-pam-ldapd/0.9.13-2ubuntu2~ppa3 [armhf]
    + ✅ nss-pam-ldapd on resolute for armhf @ 08.12.25 14:13:03
  - nss-pam-ldapd: resolute/nss-pam-ldapd/0.9.13-2ubuntu2~ppa3 [i386]
    + ❌ nss-pam-ldapd on resolute for i386 @ 08.12.25 14:09:19
      • testsuite FAIL 🟥
      • testsuite FAIL 🟥
  - nss-pam-ldapd: resolute/nss-pam-ldapd/0.9.13-2ubuntu2~ppa3 [ppc64el]
    + ✅ nss-pam-ldapd on resolute for ppc64el @ 08.12.25 14:12:28
  - nss-pam-ldapd: resolute/nss-pam-ldapd/0.9.13-2ubuntu2~ppa3 [s390x]
    + ✅ nss-pam-ldapd on resolute for s390x @ 08.12.25 14:24:17

  - python-ldap: resolute/python-ldap/3.4.4-2ubuntu1~ppa10 [amd64]
    + ✅ python-ldap on resolute for amd64 @ 08.12.25 15:12:14
  - python-ldap: resolute/python-ldap/3.4.4-2ubuntu1~ppa10 [arm64]
    + ✅ python-ldap on resolute for arm64 @ 08.12.25 15:13:54
  - python-ldap: resolute/python-ldap/3.4.4-2ubuntu1~ppa10 [armhf]
    + ✅ python-ldap on resolute for armhf @ 08.12.25 15:14:16
  - python-ldap: resolute/python-ldap/3.4.4-2ubuntu1~ppa10 [i386]
    + ❌ python-ldap on resolute for i386 @ 08.12.25 15:11:33
      • 62s FAIL 🟥
      • 62s FAIL 🟥
  - python-ldap: resolute/python-ldap/3.4.4-2ubuntu1~ppa10 [ppc64el]
    + ✅ python-ldap on resolute for ppc64el @ 08.12.25 15:13:24
  - python-ldap: resolute/python-ldap/3.4.4-2ubuntu1~ppa10 [s390x]
    + ✅ python-ldap on resolute for s390x @ 08.12.25 15:15:51

Green now!

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python-ldap - 3.4.4-2ubuntu2

---------------
python-ldap (3.4.4-2ubuntu2) resolute; urgency=medium

  * d/t/apparmor.sh: fix testing apparmor profile write access (LP: #2130351)

python-ldap (3.4.4-2ubuntu1) resolute; urgency=medium

  * d/t/{startserver,upstream}: fix slapd apparmor access to test directory
    (LP: #2130351)
    - d/t/apparmor.sh: ignore apparmor control failures on Ubuntu+armhf
      (LP: #2008393)

 -- Jonas Jelten <email address hidden> Mon, 08 Dec 2025 15:45:13 +0100

Changed in python-ldap (Ubuntu):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package nss-pam-ldapd - 0.9.13-2ubuntu2

---------------
nss-pam-ldapd (0.9.13-2ubuntu2) resolute; urgency=medium

  * d/t/testsuite: fix slapd apparmor access to test directory (LP: #2130351)
    - d/t/apparmor.sh: ignore apparmor control failures on Ubuntu+armhf
      (LP: #2008393)

 -- Jonas Jelten <email address hidden> Wed, 12 Nov 2025 16:42:10 +0100

Changed in nss-pam-ldapd (Ubuntu):
status: In Progress → Fix Released
Jonas Jelten (jj)
Changed in openldap (Ubuntu):
status: In Progress → Invalid