apparmor profile denied for saslauthd: /run/saslauthd/mux

Status changed to 'Confirmed' because the bug affects multiple users.

Still occurs in 20.04.

Can you explain the configuration process for saslauthd with slapd? Or a copy of your config file would do.

My configs are:

/etc/default/saslauthd:
#
# Settings for saslauthd daemon
# Please read /usr/share/doc/sasl2-bin/README.Debian for details.
#

# Should saslauthd run automatically on startup? (default: no)
START=yes

# Description of this saslauthd instance. Recommended.
# (suggestion: SASL Authentication Daemon)
DESC="SASL Authentication Daemon"

# Short name of this saslauthd instance. Strongly recommended.
# (suggestion: saslauthd)
NAME="saslauthd"

# Which authentication mechanisms should saslauthd use? (default: pam)
#
# Available options in this Debian package:
# getpwent -- use the getpwent() library function
# kerberos5 -- use Kerberos 5
# pam -- use PAM
# rimap -- use a remote IMAP server
# shadow -- use the local shadow password file
# sasldb -- use the local sasldb database file
# ldap -- use LDAP (configuration is in /etc/saslauthd.conf)
#
# Only one option may be used at a time. See the saslauthd man page
# for more information.
#
# Example: MECHANISMS="pam"
MECHANISMS="kerberos5"

# Additional options for this mechanism. (default: none)
# See the saslauthd man page for information about mech-specific options.
MECH_OPTIONS=""

# How many saslauthd processes should we run? (default: 5)
# A value of 0 will fork a new process for each connection.
THREADS=5

# Other options (default: -c -m /var/run/saslauthd)
# Note: You MUST specify the -m option or saslauthd won't run!
#
# WARNING: DO NOT SPECIFY THE -d OPTION.
# The -d option will cause saslauthd to run in the foreground instead of as
# a daemon. This will PREVENT YOUR SYSTEM FROM BOOTING PROPERLY. If you wish
# to run saslauthd in debug mode, please run it by hand to be safe.
#
# See /usr/share/doc/sasl2-bin/README.Debian for Debian-specific information.
# See the saslauthd man page and the output of 'saslauthd -h' for general
# information about these options.
#
# Example for chroot Postfix users: "-c -m /var/spool/postfix/var/run/saslauthd"
# Example for non-chroot Postfix users: "-c -m /var/run/saslauthd"
#
# To know if your Postfix is running chroot, check /etc/postfix/master.cf.
# If it has the line "smtp inet n - y - - smtpd" or "smtp inet n - - - - smtpd"
# then your Postfix is running in a chroot.
# If it has the line "smtp inet n - n - - smtpd" then your Postfix is NOT
# running in a chroot.
OPTIONS="-c -m /var/run/saslauthd"

/etc/ldap/sasl2/slapd.conf:
mech_list: plain
pwcheck_method: saslauthd

As the reporter of this bug stated, AppArmor denies slapd access to the saslauthd socket /run/saslauthd/mux.

This bug was fixed in the package openldap - 2.4.50+dfsg-1ubuntu2

---------------
openldap (2.4.50+dfsg-1ubuntu2) groovy; urgency=medium

  * d/apparmor-profile: Update apparmor profile to grant access to
    the saslauthd socket, so that SASL authentication works. (LP: #1557157)

 -- Sergio Durigan Junior <email address hidden> Fri, 12 Jun 2020 18:20:42 -0400

Hello Mattias, or anyone else affected,

Accepted openldap into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/openldap/2.4.49+dfsg-2ubuntu1.3 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-focal to verification-done-focal. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-focal. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Hello Mattias, or anyone else affected,

Accepted openldap into eoan-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/openldap/2.4.48+dfsg-1ubuntu1.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-eoan to verification-done-eoan. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-eoan. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Hello Mattias, or anyone else affected,

Accepted openldap into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/openldap/2.4.45+dfsg-1ubuntu1.6 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Hello Mattias, or anyone else affected,

Accepted openldap into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/openldap/2.4.42+dfsg-2ubuntu3.9 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

All autopkgtests for the newly accepted openldap (2.4.48+dfsg-1ubuntu1.2) for eoan have finished running.
The following regressions have been reported in tests triggered by the package:

asterisk/1:16.2.1~dfsg-2build2 (armhf)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/eoan/update_excuses.html#openldap

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

All autopkgtests for the newly accepted openldap (2.4.49+dfsg-2ubuntu1.3) for focal have finished running.
The following regressions have been reported in tests triggered by the package:

apache2/2.4.41-4ubuntu3 (armhf)
cyrus-imapd/3.0.13-5 (armhf)
kopanocore/8.7.0-7ubuntu1 (armhf)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/focal/update_excuses.html#openldap

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

bionic verification

First reproducing the problem:
  Version table:
 *** 2.4.45+dfsg-1ubuntu1.5 500
        500 http://br.archive.ubuntu.com/ubuntu bionic-updates/main amd64 Packages
        500 http://br.archive.ubuntu.com/ubuntu bionic-security/main amd64 Packages
        100 /var/lib/dpkg/status

Command fails:
root@bionic-openldap-saslauthd-1557157:~# ldapsearch -H ldapi:/// -LLL -b 'dc=example,dc=com' -s base -U root -Y PLAIN
SASL/PLAIN authentication started
Please enter your password:
ldap_sasl_interactive_bind_s: Other (e.g., implementation specific) error (80)
 additional info: SASL(-1): generic failure: Password verification failed

And dmesg shows the apparmor denial:
[17283.881912] audit: type=1400 audit(1594228773.536:453): apparmor="DENIED" operation="connect" namespace="root//lxd-bionic-openldap-saslauthd-1557157_<var-snap-lxd-common-lxd>" profile="/usr/sbin/slapd" name="/run/saslauthd/mux" pid=153401 comm="slapd" requested_mask="wr" denied_mask="wr" fsuid=1000111 ouid=1000000

With the updated package from proposed:
  Version table:
 *** 2.4.45+dfsg-1ubuntu1.6 500
        500 http://br.archive.ubuntu.com/ubuntu bionic-proposed/main amd64 Packages
        100 /var/lib/dpkg/status

The ldapsearch command works, and there is no apparmor error in dmesg:
root@bionic-openldap-saslauthd-1557157:~# ldapsearch -H ldapi:/// -LLL -b 'dc=example,dc=com' -s base -U root -Y PLAIN
SASL/PLAIN authentication started
Please enter your password:
SASL username: root
SASL SSF: 0
dn: dc=example,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: example
dc: example

Bionic verification succeeded.

Eoan verification

First, reproducing the bug:

  Version table:
 *** 2.4.48+dfsg-1ubuntu1.1 500
        500 http://br.archive.ubuntu.com/ubuntu eoan-updates/main amd64 Packages
        500 http://br.archive.ubuntu.com/ubuntu eoan-security/main amd64 Packages
        100 /var/lib/dpkg/status

ldapsearch fails:
root@eoan-openldap-saslauthd-1557157:~# ldapsearch -H ldapi:/// -LLL -b 'dc=example,dc=com' -s base -U root -Y PLAIN
SASL/PLAIN authentication started
Please enter your password:
ldap_sasl_interactive_bind_s: Other (e.g., implementation specific) error (80)
 additional info: SASL(-1): generic failure: Password verification failed

And dmesg shows the apparmor DENIED message:
[17713.076558] audit: type=1400 audit(1594229202.756:559): apparmor="DENIED" operation="connect" namespace="root//lxd-eoan-openldap-saslauthd-1557157_<var-snap-lxd-common-lxd>" profile="/usr/sbin/slapd" name="/run/saslauthd/mux" pid=162867 comm="slapd" requested_mask="wr" denied_mask="wr" fsuid=1000111 ouid=1000000

With the package from proposed:
  Version table:
 *** 2.4.48+dfsg-1ubuntu1.2 500
        500 http://br.archive.ubuntu.com/ubuntu eoan-proposed/main amd64 Packages
        100 /var/lib/dpkg/status

ldapsearch works:
root@eoan-openldap-saslauthd-1557157:~# ldapsearch -H ldapi:/// -LLL -b 'dc=example,dc=com' -s base -U root -Y PLAIN
SASL/PLAIN authentication started
Please enter your password:
SASL username: root
SASL SSF: 0
dn: dc=example,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: example
dc: example

And there is no DENIED message in dmesg.

eoan verification succeeded.

Focal verification

First, reproducing the problem:

  Version table:
 *** 2.4.49+dfsg-2ubuntu1.2 500
        500 http://br.archive.ubuntu.com/ubuntu focal-updates/main amd64 Packages
        500 http://br.archive.ubuntu.com/ubuntu focal-security/main amd64 Packages
        100 /var/lib/dpkg/status

ldapsearch fails:
root@focal-openldap-saslauthd-1557157:~# ldapsearch -H ldapi:/// -LLL -b 'dc=example,dc=com' -s base -U root -Y PLAIN
SASL/PLAIN authentication started
Please enter your password:
ldap_sasl_interactive_bind_s: Other (e.g., implementation specific) error (80)
 additional info: SASL(-1): generic failure: Password verification failed

and dmesg complains:
[18037.506232] audit: type=1400 audit(1594229527.198:647): apparmor="DENIED" operation="connect" namespace="root//lxd-focal-openldap-saslauthd-1557157_<var-snap-lxd-common-lxd>" profile="/usr/sbin/slapd" name="/run/saslauthd/mux" pid=171680 comm="slapd" requested_mask="wr" denied_mask="wr" fsuid=1000112 ouid=1000000

With the proposed packages:
 *** 2.4.49+dfsg-2ubuntu1.3 500
        500 http://br.archive.ubuntu.com/ubuntu focal-proposed/main amd64 Packages
        100 /var/lib/dpkg/status

ldapsearch works:
root@focal-openldap-saslauthd-1557157:~# ldapsearch -H ldapi:/// -LLL -b 'dc=example,dc=com' -s base -U root -Y PLAIN
SASL/PLAIN authentication started
Please enter your password:
SASL username: root
SASL SSF: 0
dn: dc=example,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: example
dc: example

And there is no apparmor DENIED message in dmesg.

Focal verification succeeded.

Xenial verification

Reproducing the error:
root@xenial-openldap-saslauthd-1557157:~# ldapsearch -H ldapi:/// -LLL -b 'dc=example,dc=com' -s base -U root -Y PLAIN
SASL/PLAIN authentication started
Please enter your password:
ldap_sasl_interactive_bind_s: Other (e.g., implementation specific) error (80)
 additional info: SASL(-1): generic failure: Password verification failed

And dmesg:
[qua jul 8 11:50:42 2020] audit: type=1400 audit(1594219843.513:405): apparmor="DENIED" operation="connect" namespace="root//lxd-xenial-openldap-saslauthd-1557157_<var-snap-lxd-common-lxd>" profile="/usr/sbin/slapd" name="/run/saslauthd/mux" pid=83468 comm="slapd" requested_mask="wr" denied_mask="wr" fsuid=1000112 ouid=1000000

With the updated packages, ldapsearch works:
root@xenial-openldap-saslauthd-1557157:~# apt-cache policy slapd
slapd:
  Installed: 2.4.42+dfsg-2ubuntu3.9
  Candidate: 2.4.42+dfsg-2ubuntu3.9
  Version table:
 *** 2.4.42+dfsg-2ubuntu3.9 500
        500 http://br.archive.ubuntu.com/ubuntu xenial-proposed/main amd64 Packages
        100 /var/lib/dpkg/status
...

root@xenial-openldap-saslauthd-1557157:~# ldapsearch -H ldapi:/// -LLL -b 'dc=example,dc=com' -s base -U root -Y PLAIN
SASL/PLAIN authentication started
Please enter your password:
SASL username: root
SASL SSF: 0
dn: dc=example,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: example
dc: example

And no dmesg apparmor error.

Xenial verification succeeded.

The asterisk DEP8 armhf test was retried and is now green.

All autopkgtests for the newly accepted openldap (2.4.49+dfsg-2ubuntu1.3) for focal have finished running.
The following regressions have been reported in tests triggered by the package:

cyrus-imapd/3.0.13-5 (armhf)
apache2/2.4.41-4ubuntu3 (armhf)
kopanocore/8.7.0-7ubuntu1 (armhf)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/focal/update_excuses.html#openldap

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

Kopanocore armhf is the only persistent red, but this test/package is known to be flaky on armhf.

This bug was fixed in the package openldap - 2.4.49+dfsg-2ubuntu1.3

---------------
openldap (2.4.49+dfsg-2ubuntu1.3) focal; urgency=medium

  * d/apparmor-profile: Update apparmor profile to grant access to
    the saslauthd socket, so that SASL authentication works. (LP: #1557157)

 -- Sergio Durigan Junior <email address hidden> Fri, 12 Jun 2020 18:18:58 -0400

The verification of the Stable Release Update for openldap has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

This bug was fixed in the package openldap - 2.4.48+dfsg-1ubuntu1.2

---------------
openldap (2.4.48+dfsg-1ubuntu1.2) eoan; urgency=medium

  [ Andreas Hasenack ]
  * d/p/ITS-9171-Insert-callback-in-the-right-place.patch: Import upstream
    patch to fix slapd crashing in certain configurations when a client
    attempts a login to a locked account. (LP: #1866303)

  [ Sergio Durigan Junior ]
  * d/apparmor-profile: Update apparmor profile to grant access to
    the saslauthd socket, so that SASL authentication works. (LP: #1557157)

 -- Andreas Hasenack <email address hidden> Wed, 01 Jul 2020 16:43:06 -0300

This bug was fixed in the package openldap - 2.4.45+dfsg-1ubuntu1.6

---------------
openldap (2.4.45+dfsg-1ubuntu1.6) bionic; urgency=medium

  [ Andreas Hasenack ]
  * d/p/ITS-9171-Insert-callback-in-the-right-place.patch: Import upstream
    patch to fix slapd crashing in certain configurations when a client
    attempts a login to a locked account. (LP: #1866303)

  [ Sergio Durigan Junior ]
  * d/apparmor-profile: Update apparmor profile to grant access to
    the saslauthd socket, so that SASL authentication works. (LP: #1557157)

 -- Andreas Hasenack <email address hidden> Wed, 01 Jul 2020 16:38:55 -0300

This bug was fixed in the package openldap - 2.4.42+dfsg-2ubuntu3.9

---------------
openldap (2.4.42+dfsg-2ubuntu3.9) xenial; urgency=medium

  [ Andreas Hasenack ]
  * d/p/ITS-9171-Insert-callback-in-the-right-place.patch: Import upstream
    patch to fix slapd crashing in certain configurations when a client
    attempts a login to a locked account. (LP: #1866303)

  [ Sergio Durigan Junior]
  * d/apparmor-profile: Update apparmor profile to grant access to
    the saslauthd socket, so that SASL authentication works. (LP: #1557157)

 -- Andreas Hasenack <email address hidden> Wed, 01 Jul 2020 16:33:08 -0300