openldap apparmor profile denies access to test files in /tmp/

Bug #2130351 reported by Jonas Jelten
This bug affects 1 person

Affects                     Status        Importance  Assigned to   Milestone
nss-pam-ldapd (Ubuntu)      Fix Released  Undecided   Jonas Jelten
  Questing                  Fix Released  Undecided   Jonas Jelten
openldap (Ubuntu)           Fix Released  Undecided   Jonas Jelten
  Questing                  Fix Released  Undecided   Jonas Jelten
python-ldap (Ubuntu)        Fix Released  Undecided   Jonas Jelten
  Questing                  Fix Released  Undecided   Jonas Jelten

Bug Description

[ Impact ]

 * when openldap's apparmor profile is re-enabled due to the fix in bug #2119884, tests using openldap fail to run due to its apparmor rules.
 * this SRU just fixes the tests of packages, it doesn't change the resulting binary packages.

[ Test Plan ]

observe failure
 * have openldap with enabled apparmor profile
 * run autopkgtest
 * see failures due to apparmor denial

apply fix and observe success
 * have same openldap with enabled apparmor profile
 * run autopkgtest and see success

[ Where problems could occur ]

 * this just changes the autopkgtest, so apart from the possible issues in the update rollout, no behavior change is expected

[ Other info ]

this is a fix needed to re-activate openldap's apparmor profile in bug #2119884 and is related to LP: #2008393. since these are just test changes they could be left in proposed if the SRU team prefers.

[ Error analysis ]

this happens due to fixing apparmor in bug #2119884

package tests run in a directory that is denied by apparmor.

== nss-pam-ldapd ==
sets up slapd config in /tmp/

    echo "$script: setting up test slapd..."
    tmpslapd=`mktemp -d -t slapd.XXXXXX`
    tests/setup_slapd.sh "$tmpslapd" setup
    tests/setup_slapd.sh "$tmpslapd" start
=>
    105s testsuite: setting up test slapd...
    105s Creating blank /tmp/slapd.HYWyj5 slapd environment... done.
    108s Fixing permissions... done.
    108s Starting OpenLDAP: slapd FAILED
    slapd -F "/tmp/slapd.HYWyj5/slapd.d" -u "$user" -g "$group" -h "ldap:/// ldaps:/// ldapi:///"

== python-ldap ==
runs its tests in /tmp/autopkgtest
via TMPDIR = os.environ.get('TMP', os.getcwd()), but this is denied by apparmor.

to test the openldap config validity, python-ldap starts:

    def _test_config(self):
        self._log.debug('testing config %s', self._slapd_conf)
        popen_list = [
            self.PATH_SLAPD,
            "-Ttest",
            "-F", self._slapd_conf,
            "-u",
            "-v",
            "-d", "config"
        ]
        p = subprocess.run(
            popen_list,
            stdout=subprocess.PIPE,
            stderr=subprocess.STDOUT
        )
        if p.returncode != 0:
            self._log.error(p.stdout.decode("utf-8"))
            raise RuntimeError("configuration test failed")
        self._log.info("config ok: %s", self._slapd_conf)

this is denied by apparmor:

    192s autopkgtest [04:33:39]: test startserver: [-----------------------
    192s 2025-10-29 04:33:39,747 ERROR ldif_read_file: Permission denied for "/tmp/autopkgtest.y86Vgq/autopkgtest_tmp/python-ldap-test-59787/slapd.d/cn=config.ldif"
    192s slaptest: bad configuration directory!
    192s
    192s Traceback (most recent call last):
    192s File "<string>", line 1, in <module>
    192s import slapdtest; server = slapdtest.SlapdObject(); server.start(); assert server.port > 0 and server.port < 65536; server.stop()
    192s ~~~~~~~~~~~~^^
    192s File "/usr/lib/python3/dist-packages/slapdtest/_slapdtest.py", line 448, in start
    192s self._test_config()
    192s ~~~~~~~~~~~~~~~~~^^
    192s File "/usr/lib/python3/dist-packages/slapdtest/_slapdtest.py", line 395, in _test_config
    192s raise RuntimeError("configuration test failed")
    192s RuntimeError: configuration test failed
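
Added example, not part of the bug report and not the packages' own d/t/apparmor.sh: one way a test can let slapd's AppArmor profile reach its temporary directory is a narrow local override that is removed again afterwards. The profile and local-override paths and all function names are assumptions.

```sh
#!/bin/sh
# Added example, not the packages' d/t/apparmor.sh.
# Assumed paths: the slapd profile is /etc/apparmor.d/usr.sbin.slapd and it
# includes the site-local file /etc/apparmor.d/local/usr.sbin.slapd.
PROFILE="${PROFILE:-/etc/apparmor.d/usr.sbin.slapd}"
LOCAL_OVERRIDE="${LOCAL_OVERRIDE:-/etc/apparmor.d/local/usr.sbin.slapd}"

# Print the rules for one test directory. Only plain absolute paths are
# accepted, so glob or rule syntax cannot be smuggled into the profile.
slapd_test_rules() {
    case "$1" in
        /*) ;;
        *) echo "not an absolute path: $1" >&2; return 1 ;;
    esac
    case "$1" in
        *[!A-Za-z0-9._/-]*|*//*|*/../*|*/..)
            echo "unsafe path: $1" >&2; return 1 ;;
    esac
    dir="${1%/}"
    [ -n "$dir" ] || { echo "refusing to open up /" >&2; return 1; }
    printf '%s\n' "# autopkgtest: $dir" "$dir/ r," "$dir/** rwk,"
}

# Reload the profile; fails where apparmor_parser is missing or lacks
# policy admin privileges.
reload_slapd_profile() {
    command -v apparmor_parser >/dev/null 2>&1 || return 1
    apparmor_parser -r "$PROFILE"
}

# Append the rules once and reload. A failed reload is only a warning.
allow_slapd_test_dir() {
    rules=$(slapd_test_rules "$1") || return 1
    if ! grep -qxF "${1%/}/** rwk," "$LOCAL_OVERRIDE" 2>/dev/null; then
        printf '%s\n' "$rules" >> "$LOCAL_OVERRIDE" || return 1
    fi
    reload_slapd_profile || echo "warning: cannot reload $PROFILE" >&2
}

# Remove the rules again so the widened profile does not outlive the test.
revoke_slapd_test_dir() {
    dir="${1%/}"
    tmp=$(mktemp) || return 1
    grep -vxF -e "# autopkgtest: $dir" -e "$dir/ r," -e "$dir/** rwk," \
        "$LOCAL_OVERRIDE" > "$tmp" || [ $? -eq 1 ] || { rm -f "$tmp"; return 1; }
    cat "$tmp" > "$LOCAL_OVERRIDE" && rm -f "$tmp"
    reload_slapd_profile || echo "warning: cannot reload $PROFILE" >&2
}

# Usage: script allow DIR | script revoke DIR
case "${1:-}" in
    allow)  allow_slapd_test_dir "$2" ;;
    revoke) revoke_slapd_test_dir "$2" ;;
esac
```

Scoping the rule to the single mktemp directory, rather than all of /tmp, keeps the confinement of slapd intact outside the test run.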


Jonas Jelten (jj)
description: updated
description: updated
Hector CAO (hectorcao) wrote :

As we can see in https://autopkgtest.ubuntu.com/packages/python-ldap

python-ldap autopkgtests fail also in Noble.
(they succeeded in Plucky and Questing because of bug #2119884, which leaves slapd's profile inactive).

so the test failure due to the permission issue on accessing /tmp is not something new; the question is why it was not fixed in Noble before the Ubuntu Noble release?

Jonas Jelten (jj) wrote :
Jonas Jelten (jj)
Changed in nss-pam-ldapd (Ubuntu):
assignee: nobody → Jonas Jelten (jj)
Jonas Jelten (jj)
Changed in python-ldap (Ubuntu):
status: New → Incomplete
status: Incomplete → New
Changed in nss-pam-ldapd (Ubuntu):
status: New → In Progress
Changed in python-ldap (Ubuntu):
status: New → In Progress
assignee: nobody → Jonas Jelten (jj)
Jonas Jelten (jj) wrote :
Changed in openldap (Ubuntu):
status: New → Triaged
Jonas Jelten (jj)
Changed in openldap (Ubuntu):
status: Triaged → In Progress
assignee: nobody → Jonas Jelten (jj)
Andreas Hasenack (ahasenack) wrote :

I left review comments in those salsa PRs.

Andreas Hasenack (ahasenack) wrote :

@jj, have you tested those changes in our dep8 infra? I would suggest to test on at least amd64 and armhf, due to the way armhf is setup in our infra.

Jonas Jelten (jj) wrote :

PPA for testing those with ubuntu's autopkgtest: https://launchpad.net/~jj/+archive/ubuntu/lp2119884-openldap-fix-apparmor
my local test on amd64 with autopkgtest-buildvm-ubuntu-cloud succeeds :)

Jonas Jelten (jj) wrote :

  - nss-pam-ldapd: resolute/nss-pam-ldapd/0.9.13-2ubuntu1~ppa5 [amd64]
    + ✅ nss-pam-ldapd on resolute for amd64 @ 17.11.25 11:54:41 Log️ 🗒️
  - nss-pam-ldapd: resolute/nss-pam-ldapd/0.9.13-2ubuntu1~ppa5 [arm64]
    + ✅ nss-pam-ldapd on resolute for arm64 @ 17.11.25 11:56:45 Log️ 🗒️
  - nss-pam-ldapd: resolute/nss-pam-ldapd/0.9.13-2ubuntu1~ppa5 [armhf]
    + ❌ nss-pam-ldapd on resolute for armhf @ 17.11.25 11:57:55 Log️ 🗒️
      • testsuite FAIL 🟥
      • testsuite FLAKY 🟫
  - nss-pam-ldapd: resolute/nss-pam-ldapd/0.9.13-2ubuntu1~ppa5 [i386]
    + ❌ nss-pam-ldapd on resolute for i386 @ 17.11.25 11:54:00 Log️ 🗒️
      • testsuite FAIL 🟥
      • testsuite FAIL 🟥
  - nss-pam-ldapd: resolute/nss-pam-ldapd/0.9.13-2ubuntu1~ppa5 [ppc64el]
    + ✅ nss-pam-ldapd on resolute for ppc64el @ 17.11.25 11:56:40 Log️ 🗒️
  - nss-pam-ldapd: resolute/nss-pam-ldapd/0.9.13-2ubuntu1~ppa5 [riscv64]
    + ⛔ nss-pam-ldapd on resolute for riscv64 @ 17.11.25 12:11:46 Log️ 🗒️
      • testbed BAD ⛔
  - nss-pam-ldapd: resolute/nss-pam-ldapd/0.9.13-2ubuntu1~ppa5 [s390x]
    + ✅ nss-pam-ldapd on resolute for s390x @ 17.11.25 11:55:37 Log️ 🗒️

  - python-ldap: resolute/python-ldap/3.4.4-2ubuntu1~ppa4 [amd64]
    + ✅ python-ldap on resolute for amd64 @ 17.11.25 11:53:01 Log️ 🗒️
  - python-ldap: resolute/python-ldap/3.4.4-2ubuntu1~ppa4 [arm64]
    + ✅ python-ldap on resolute for arm64 @ 17.11.25 11:53:53 Log️ 🗒️
  - python-ldap: resolute/python-ldap/3.4.4-2ubuntu1~ppa4 [armhf]
    + ❌ python-ldap on resolute for armhf @ 17.11.25 11:55:05 Log️ 🗒️
      • upstream FAIL 🟥
      • startserver FAIL 🟥
  - python-ldap: resolute/python-ldap/3.4.4-2ubuntu1~ppa4 [i386]
    + ❌ python-ldap on resolute for i386 @ 17.11.25 11:52:53 Log️ 🗒️
      • 76s FAIL 🟥
      • 76s FAIL 🟥
      • 76s FAIL 🟥
  - python-ldap: resolute/python-ldap/3.4.4-2ubuntu1~ppa4 [ppc64el]
    + ✅ python-ldap on resolute for ppc64el @ 17.11.25 11:53:17 Log️ 🗒️
  - python-ldap: resolute/python-ldap/3.4.4-2ubuntu1~ppa4 [riscv64]
    + ⛔ python-ldap on resolute for riscv64 @ 17.11.25 12:01:24 Log️ 🗒️
      • testbed BAD ⛔
  - python-ldap: resolute/python-ldap/3.4.4-2ubuntu1~ppa4 [s390x]
    + ✅ python-ldap on resolute for s390x @ 17.11.25 11:53:21 Log️ 🗒️

=> i386 doesn't have libpam-ldapd:i386/python3-pyldap:i386
=> armhf fails due to apparmor restrictions:
   apparmor_parser: Unable to replace "/usr/sbin/slapd". apparmor_parser: Access denied. You need policy admin privileges to manage profiles.

i suggest to avoid adding delta, so we should just set them as reference.

Jonas Jelten (jj) wrote :

To have a proper solution for now I've added delta to nss-pam-ldapd and python-ldap to fix this, since migration-reference setting isn't possible in -proposed.

  - nss-pam-ldapd: resolute/nss-pam-ldapd/0.9.13-2ubuntu2~ppa3 [amd64]
    + ✅ nss-pam-ldapd on resolute for amd64 @ 08.12.25 14:09:49 Log️ 🗒️
  - nss-pam-ldapd: resolute/nss-pam-ldapd/0.9.13-2ubuntu2~ppa3 [arm64]
    + ✅ nss-pam-ldapd on resolute for arm64 @ 08.12.25 14:21:55 Log️ 🗒️
  - nss-pam-ldapd: resolute/nss-pam-ldapd/0.9.13-2ubuntu2~ppa3 [armhf]
    + ✅ nss-pam-ldapd on resolute for armhf @ 08.12.25 14:13:03 Log️ 🗒️
  - nss-pam-ldapd: resolute/nss-pam-ldapd/0.9.13-2ubuntu2~ppa3 [i386]
    + ❌ nss-pam-ldapd on resolute for i386 @ 08.12.25 14:09:19 Log️ 🗒️
      • testsuite FAIL 🟥
      • testsuite FAIL 🟥
  - nss-pam-ldapd: resolute/nss-pam-ldapd/0.9.13-2ubuntu2~ppa3 [ppc64el]
    + ✅ nss-pam-ldapd on resolute for ppc64el @ 08.12.25 14:12:28 Log️ 🗒️
  - nss-pam-ldapd: resolute/nss-pam-ldapd/0.9.13-2ubuntu2~ppa3 [s390x]
    + ✅ nss-pam-ldapd on resolute for s390x @ 08.12.25 14:24:17 Log️ 🗒️

  - python-ldap: resolute/python-ldap/3.4.4-2ubuntu1~ppa10 [amd64]
    + ✅ python-ldap on resolute for amd64 @ 08.12.25 15:12:14 Log️ 🗒️
  - python-ldap: resolute/python-ldap/3.4.4-2ubuntu1~ppa10 [arm64]
    + ✅ python-ldap on resolute for arm64 @ 08.12.25 15:13:54 Log️ 🗒️
  - python-ldap: resolute/python-ldap/3.4.4-2ubuntu1~ppa10 [armhf]
    + ✅ python-ldap on resolute for armhf @ 08.12.25 15:14:16 Log️ 🗒️
  - python-ldap: resolute/python-ldap/3.4.4-2ubuntu1~ppa10 [i386]
    + ❌ python-ldap on resolute for i386 @ 08.12.25 15:11:33 Log️ 🗒️
      • 62s FAIL 🟥
      • 62s FAIL 🟥
  - python-ldap: resolute/python-ldap/3.4.4-2ubuntu1~ppa10 [ppc64el]
    + ✅ python-ldap on resolute for ppc64el @ 08.12.25 15:13:24 Log️ 🗒️
  - python-ldap: resolute/python-ldap/3.4.4-2ubuntu1~ppa10 [s390x]
    + ✅ python-ldap on resolute for s390x @ 08.12.25 15:15:51 Log️ 🗒️

green now!

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python-ldap - 3.4.4-2ubuntu2

---------------
python-ldap (3.4.4-2ubuntu2) resolute; urgency=medium

  * d/t/apparmor.sh: fix testing apparmor profile write access (LP: #2130351)

python-ldap (3.4.4-2ubuntu1) resolute; urgency=medium

  * d/t/{startserver,upstream}: fix slapd apparmor access to test directory
    (LP: #2130351)
    - d/t/apparmor.sh: ignore apparmor control failures on Ubuntu+armhf
      (LP: #2008393)

 -- Jonas Jelten <email address hidden> Mon, 08 Dec 2025 15:45:13 +0100

Changed in python-ldap (Ubuntu):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package nss-pam-ldapd - 0.9.13-2ubuntu2

---------------
nss-pam-ldapd (0.9.13-2ubuntu2) resolute; urgency=medium

  * d/t/testsuite: fix slapd apparmor access to test directory (LP: #2130351)
    - d/t/apparmor.sh: ignore apparmor control failures on Ubuntu+armhf
      (LP: #2008393)

 -- Jonas Jelten <email address hidden> Wed, 12 Nov 2025 16:42:10 +0100

Changed in nss-pam-ldapd (Ubuntu):
status: In Progress → Fix Released
Jonas Jelten (jj)
Changed in openldap (Ubuntu):
status: In Progress → Invalid
Jonas Jelten (jj)
Changed in openldap (Ubuntu):
status: Invalid → In Progress
status: In Progress → Invalid
Changed in openldap (Ubuntu Questing):
status: New → In Progress
Changed in nss-pam-ldapd (Ubuntu Questing):
assignee: nobody → Jonas Jelten (jj)
Changed in openldap (Ubuntu Questing):
assignee: nobody → Jonas Jelten (jj)
Changed in python-ldap (Ubuntu Questing):
assignee: nobody → Jonas Jelten (jj)
Changed in nss-pam-ldapd (Ubuntu Questing):
status: New → In Progress
Changed in python-ldap (Ubuntu Questing):
status: New → In Progress
Jonas Jelten (jj)
Changed in openldap (Ubuntu):
status: Invalid → In Progress
Jonas Jelten (jj)
description: updated
Jonas Jelten (jj)
description: updated
Timo Aaltonen (tjaalton) wrote : Please test proposed package

Hello Jonas, or anyone else affected,

Accepted python-ldap into questing-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/python-ldap/3.4.4-1ubuntu0.25.10.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-questing to verification-done-questing. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-questing. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in python-ldap (Ubuntu Questing):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-questing
Timo Aaltonen (tjaalton) wrote :

Hello Jonas, or anyone else affected,

Accepted nss-pam-ldapd into questing-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/nss-pam-ldapd/0.9.13-1ubuntu0.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-questing to verification-done-questing. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-questing. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in nss-pam-ldapd (Ubuntu Questing):
status: In Progress → Fix Committed
Ubuntu SRU Bot (ubuntu-sru-bot) wrote : Autopkgtest regression report (nss-pam-ldapd/0.9.13-1ubuntu0.1)

All autopkgtests for the newly accepted nss-pam-ldapd (0.9.13-1ubuntu0.1) for questing have finished running.
The following regressions have been reported in tests triggered by the package:

nss-pam-ldapd/0.9.13-1ubuntu0.1 (amd64, arm64, ppc64el, s390x)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/questing/update_excuses.html#nss-pam-ldapd

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

Ubuntu SRU Bot (ubuntu-sru-bot) wrote : Autopkgtest regression report (python-ldap/3.4.4-1ubuntu0.25.10.2)

All autopkgtests for the newly accepted python-ldap (3.4.4-1ubuntu0.25.10.2) for questing have finished running.
The following regressions have been reported in tests triggered by the package:

barbican/2:21.0.0-0ubuntu1 (armhf)
django-auth-ldap/5.1.0-1 (armhf)
keystone/unknown (armhf)
python-ldap/3.4.4-1ubuntu0.25.10.2 (amd64, arm64, ppc64el, s390x)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/questing/update_excuses.html#python-ldap

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

Jonas Jelten (jj) wrote :

nss-pam-ldapd questing autopkgtest now passes:
openldap/2.6.10+dfsg-1ubuntu2.1 nss-pam-ldapd/0.9.13-1ubuntu0.1
https://autopkgtest.ubuntu.com/run/e749207c-4014-41bb-a69d-b7ef598c7ccb

python-ldap questing autopkgtest now passes:
openldap/2.6.10+dfsg-1ubuntu2.1 python-ldap/3.4.4-1ubuntu0.25.10.2
https://autopkgtest.ubuntu.com/run/79dc0361-9835-46d2-8964-6dea06379dd9

verified.

tags: added: verification-done verification-done-questing
removed: verification-needed verification-needed-questing
Jonas Jelten (jj)
Changed in openldap (Ubuntu Questing):
status: In Progress → Fix Released
Changed in openldap (Ubuntu):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package nss-pam-ldapd - 0.9.13-1ubuntu0.1

---------------
nss-pam-ldapd (0.9.13-1ubuntu0.1) questing; urgency=medium

  * d/t/testsuite: fix slapd apparmor access to test directory (LP: #2130351)
    - d/t/apparmor.sh: ignore apparmor control failures on Ubuntu+armhf
      (LP: #2008393)
  * d/p/fix-c23-bool-keyword: fix build (LP: #2139290)

 -- Jonas Jelten <email address hidden> Tue, 20 Jan 2026 11:42:10 +0100

Changed in nss-pam-ldapd (Ubuntu Questing):
status: Fix Committed → Fix Released
Julian Andres Klode (juliank) wrote : Update Released

The verification of the Stable Release Update for nss-pam-ldapd has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python-ldap - 3.4.4-1ubuntu0.25.10.2

---------------
python-ldap (3.4.4-1ubuntu0.25.10.2) questing; urgency=medium

  * d/t/{startserver,upstream}: fix slapd apparmor access to test directory
    (LP: #2130351)
    - d/t/apparmor.sh: ignore apparmor control failures on Ubuntu+armhf
      (LP: #2008393)

 -- Jonas Jelten <email address hidden> Tue, 20 Jan 2026 11:53:15 +0100

Changed in python-ldap (Ubuntu Questing):
status: Fix Committed → Fix Released