** Description changed:

+ [Impact]
+ 
+ When using openldap with sasl authentication, the slapd process will
+ communicate with the saslauthd daemon via a socket in
+ {,/var}/run/saslauthd/mux. Unfortunately, this will fail in every Ubuntu
+ release from trusty onwards, because slapd's apparmor profile doesn't
+ contain the necessary directive to allow it to read/write from/to the
+ socket specified above.
+ 
+ The fix is simple: just add the necessary directive to allow slapd to
+ read/write from/to the saslauthd socket.
+ 
+ [Test Case]
+ 
+ One can reproduce the problem by doing:
+ 
+ $ lxc launch ubuntu-daily:groovy openldap-bugbug1557157-groovy
+ $ lxc shell openldap-bugbug1557157-groovy
+ # apt install slapd sasl2-bin ldap-utils apparmor-utils
+ 
+ (As the domain name, use "example.com").
+ 
+ # sed -i -e 's/^START=.*/START=yes/' /etc/default/saslauthd
+ # cat > /etc/ldap/sasl2/slapd.conf << __EOF__
+ mech_list: PLAIN
+ pwcheck_method: saslauthd
+ __EOF__
+ # adduser openldap sasl
+ # aa-enforce /etc/apparmor.d/usr.sbin.slapd
+ # systemctl restart slapd.service
+ # systemctl restart saslauthd.service
+ # passwd root
+ 
+ (You can choose any password here. You will need to type it when running
+ the next command.)
+ 
+ # ldapsearch -H ldapi:/// -LLL -b 'dc=example,dc=com' -s base -U root -Y PLAIN
+ 
+ The command will fail with something like:
+ 
+ ldap_sasl_interactive_bind_s: Other (e.g., implementation specific) error (80)
+ additional info: SASL(-1): generic failure: Password verification failed
+ 
+ [Regression Potential]
+ 
+ This is an extremely simple and well contained fix, so I don't envision
+ any possible regressions after applying it. It is important to notice
+ that, since the problem affects older Ubuntu releases, the openldap
+ package will have to be rebuilt against possible newer versions of
+ libraries and other dependencies, which, albeit unlikely, may cause
+ issues.
+ 
+ [Original Description]
+ When using slapd with saslauthd the processes communicate via the {,/var}/run/saslauthd/mux socket (this is the default location for the saslauthd server from the sasl2-bin package in the /etc/default/saslauthd config), but the apparmor profile for usr.sbin.slapd does not allow access to this socket/file.
  Syslog message:
  apparmor="DENIED" operation="connect" profile="/usr/sbin/slapd" name="/run/saslauthd/mux" pid=1880 4 comm="slapd" requested_mask="r" denied_mask="r" fsuid=108 ouid=0
- 
  Please add the following line to /etc/apparmor.d/usr.sbin.slapd:
  /{,var/}run/saslauthd/mux rw,
- 
  Ubuntu version: Ubuntu 14.04.4 LTS
  slapd version: 2.4.31-1+nmu2ubu
-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1557157

Title:
  apparmor profile denied for saslauthd: /run/saslauthd/mux

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1557157/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
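The two checks below are an added example, not part of the bug report, the openldap package or the Ubuntu AppArmor profile. They turn the report's two artefacts into something an administrator can verify on a host: whether a slapd profile text contains the `/{,var/}run/saslauthd/mux rw,` rule (or either concrete path it expands to), and how many AppArmor DENIED events for the slapd profile on that socket appear in a log excerpt. The profile excerpts, the log lines and the `/usr/sbin/other-daemon` profile name are constructed samples for the demonstration; on a real host you would feed the installed `/etc/apparmor.d/usr.sbin.slapd` and the kernel log instead.

```shell
#!/bin/sh
# Added example (not from the bug report or the openldap package): confirm
# the saslauthd mux rule is present in a slapd AppArmor profile, and count
# the slapd denials on that socket in a log excerpt. All inputs below are
# constructed samples, not real system files.

# Constructed sample: a slapd profile excerpt WITHOUT the saslauthd rule.
PROFILE_BEFORE='/usr/sbin/slapd {
  #include <abstractions/base>
  /etc/ldap/** r,
  /var/lib/ldap/** rwk,
}'

# Constructed sample: the same excerpt with the rule the report asks for.
PROFILE_AFTER='/usr/sbin/slapd {
  #include <abstractions/base>
  /etc/ldap/** r,
  /var/lib/ldap/** rwk,
  /{,var/}run/saslauthd/mux rw,
}'

# Constructed sample log excerpt modelled on the syslog line in the report.
# Line 1: the slapd denial this bug is about (counted).
# Line 2: a slapd denial on an unrelated file (not counted).
# Line 3: a denial on the mux socket from a hypothetical other profile
#         (not counted, the check is specific to the slapd profile).
SAMPLE_LOG='kernel: audit: type=1400 apparmor="DENIED" operation="connect" profile="/usr/sbin/slapd" name="/run/saslauthd/mux" pid=1880 comm="slapd" requested_mask="r" denied_mask="r" fsuid=108 ouid=0
kernel: audit: type=1400 apparmor="DENIED" operation="open" profile="/usr/sbin/slapd" name="/etc/ssl/private/server.key" pid=1880 comm="slapd" requested_mask="r" denied_mask="r" fsuid=108 ouid=0
kernel: audit: type=1400 apparmor="DENIED" operation="connect" profile="/usr/sbin/other-daemon" name="/run/saslauthd/mux" pid=2000 comm="other-daemon" requested_mask="r" denied_mask="r" fsuid=0 ouid=0'

# profile_allows_mux PROFILE_TEXT
# Exit 0 when the profile text contains an rw rule for the saslauthd mux
# socket, either in the brace-expanded form from the report or as one of
# the two concrete paths that form expands to.
profile_allows_mux() {
  printf '%s\n' "$1" | grep -Fq \
    -e '/{,var/}run/saslauthd/mux rw,' \
    -e '/run/saslauthd/mux rw,' \
    -e '/var/run/saslauthd/mux rw,'
}

# count_mux_denials LOG_TEXT
# Prints how many AppArmor DENIED events in the log text come from the
# slapd profile and name the saslauthd mux socket (/run or /var/run).
count_mux_denials() {
  printf '%s\n' "$1" \
    | grep -Ec 'apparmor="DENIED".*profile="/usr/sbin/slapd".*name="(/var)?/run/saslauthd/mux"' \
    || true   # grep -c exits 1 on zero matches but still prints the count
}

# Stand-alone usage against the constructed samples. On a real host use
#   profile_allows_mux "$(cat /etc/apparmor.d/usr.sbin.slapd)"
#   count_mux_denials "$(journalctl -k --no-pager)"
report() {
  if profile_allows_mux "$2"; then
    echo "profile $1: saslauthd mux rule present"
  else
    echo "profile $1: saslauthd mux rule missing"
  fi
}
report before "$PROFILE_BEFORE"
report after "$PROFILE_AFTER"
echo "slapd denials on the mux socket in sample log: $(count_mux_denials "$SAMPLE_LOG")"
```

The profile check is a literal string match, so it only confirms that the rule text is present; whether the profile is actually loaded in enforce mode is a separate question answered by `aa-status`. The log count is deliberately narrowed to the slapd profile so that denials from other confined processes touching the same socket are not mistaken for this bug.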