Public bug reported:

On a brand new Lucid installation (dist-upgraded to the latest version, with slapd 2.4.21-0ubuntu5), I can't feed a new backend to slapd; it fails with the following error:

adding new entry "olcDatabase=hdb,cn=config"
ldap_add: Other (e.g., implementation specific) error (80)
        additional info: <olcDbIndex> failed startup

In syslog, the relevant messages:

-----------------------------------------8<----------------------------8<--------------------------------
Aug 2 11:42:30 Gany slapd[7049]: slapd starting
Aug 2 11:43:04 Gany slapd[7049]: bdb(dc=meta-it,dc=local): /var/lib/ldap: Permission denied
Aug 2 11:43:04 Gany slapd[7049]: bdb(dc=meta-it,dc=local): PANIC: Permission denied
Aug 2 11:43:04 Gany slapd[7049]: bdb(dc=meta-it,dc=local): unable to join the environment
Aug 2 11:43:04 Gany slapd[7049]: bdb(dc=meta-it,dc=local): /var/lib/ldap: Permission denied
Aug 2 11:43:04 Gany slapd[7049]: hdb_db_open: database "dc=meta-it,dc=local" cannot be opened, err -30974. Restore from backup!
Aug 2 11:43:04 Gany slapd[7049]: bdb(dc=meta-it,dc=local): txn_checkpoint interface requires an environment configured for the transaction subsystem
Aug 2 11:43:04 Gany slapd[7049]: bdb_db_close: database "dc=meta-it,dc=local": txn_checkpoint failed: Invalid argument (22).
Aug 2 11:43:04 Gany slapd[7049]: backend_startup_one (type=hdb, suffix="dc=meta-it,dc=local"): bi_db_open failed! (-30974)
Aug 2 11:43:04 Gany slapd[7049]: olcDbIndex: value #6: <olcDbIndex> failed startup ()!
Aug 2 11:43:04 Gany kernel: [ 9503.137139] type=1400 audit(1280742184.756:137): operation="getattr" pid=7073 parent=1 profile="/usr/sbin/slapd" name="/var/lib/" pid=7073 comm="slapd" requested_mask="r" denied_mask="r" fsuid=119 ouid=0
Aug 2 11:43:04 Gany kernel: [ 9503.137903] type=1400 audit(1280742184.756:138): operation="getattr" pid=7073 parent=1 profile="/usr/sbin/slapd" name="/var/lib/" pid=7073 comm="slapd" requested_mask="r" denied_mask="r" fsuid=119 ouid=0
-----------------------------------------8<----------------------------8<--------------------------------

The message says "/var/lib/ldap: Permission denied" but it is misleading because:

1. the unix perms are openldap:openldap/755 on /var/lib/ldap
2. the apparmor profile usr.sbin.slapd includes "/var/lib/ldap/ r, /var/lib/ldap/** rwk" which seems fine to me.

I used http://blogger.ziesemer.com/2010/05/openldap-ubuntu-linux.html and http://doc.ubuntu.com/ubuntu/serverguide/C/openldap-server.html as a start for my LDAP configuration.

Here is my full run log:

sudo apt-get install slapd libnss-ldap libpam-ldap
[OK; debconf parameters: RootDN: cn=admin,dc=meta-it,dc=local, BaseDN: dc=meta-it,dc=local, RootPW: metasecret, everything else defaults to what debconf asks]

sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/cosine.ldif
[OK]
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/nis.ldif
[OK]
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/inetorgperson.ldif
[OK]
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/samba.ldif
[OK]
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/licorn.ldif
[OK]
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/backend.module.ldif
[OK]

sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/backend.hdb.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "olcDatabase=hdb,cn=config"
ldap_add: Other (e.g., implementation specific) error (80)
        additional info: <olcDbIndex> failed startup
[I get the syslog output pasted before]

service apparmor stop
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/backend.hdb.ldif
[OK]
service apparmor start

Then everything works as expected after this point.

I can avoid stopping apparmor completely by adding "/var/lib/ r," to the usr.sbin.slapd profile and reloading apparmor, then adding my backend.hdb.ldif, then removing the profile line and reloading apparmor. I don't understand why this is a problem, and why slapd needs this one-time /var/lib access.

Purging the package, rm -rf /var/lib/ldap and reinstalling leads to a 100% reproducible problem. Disabling apparmor or adding the temporary line to the apparmor profile leads to a 100% working workaround.

Feel free to contact me for further information if needed.

** Affects: openldap (Ubuntu)
     Importance: Undecided
         Status: New

-- 
apparmor profile is not good for first backend creation
https://bugs.launchpad.net/bugs/612525

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
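The useful signal in the report above is not the bdb "Permission denied" line but the two kernel audit records: AppArmor denied slapd a getattr (read) on /var/lib/ itself, which is exactly what the hand-added "/var/lib/ r," rule satisfies. The following script is an added example, not part of the bug report or of the openldap or apparmor packages: it pulls type=1400 denial records out of syslog text and turns each (profile, path) pair into the file rule that would allow it. The sample lines are copied from the report's syslog excerpt (with the comm= value joined back to "slapd"); the function names and the MASK_ORDER constant are my own.

```python
import re
from collections import OrderedDict

# Syslog lines copied from the bug report above. The first line is the
# misleading bdb message; the two kernel lines are the real AppArmor denials.
SAMPLE_SYSLOG = """\
Aug 2 11:43:04 Gany slapd[7049]: bdb(dc=meta-it,dc=local): /var/lib/ldap: Permission denied
Aug 2 11:43:04 Gany kernel: [ 9503.137139] type=1400 audit(1280742184.756:137): operation="getattr" pid=7073 parent=1 profile="/usr/sbin/slapd" name="/var/lib/" pid=7073 comm="slapd" requested_mask="r" denied_mask="r" fsuid=119 ouid=0
Aug 2 11:43:04 Gany kernel: [ 9503.137903] type=1400 audit(1280742184.756:138): operation="getattr" pid=7073 parent=1 profile="/usr/sbin/slapd" name="/var/lib/" pid=7073 comm="slapd" requested_mask="r" denied_mask="r" fsuid=119 ouid=0
"""

# key=value or key="quoted value" pairs as they appear in an audit record.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Order in which permission letters are written in an AppArmor file rule
# (assumed canonical order for this example).
MASK_ORDER = "rwklmx"


def parse_apparmor_denials(text):
    """Return one dict per AppArmor denial record (type=1400 carrying a denied_mask)."""
    denials = []
    for line in text.splitlines():
        if "type=1400" not in line or "denied_mask=" not in line:
            continue
        fields = {}
        for key, quoted, bare in KV_RE.findall(line):
            fields[key] = quoted or bare
        denials.append({
            "profile": fields.get("profile"),
            "operation": fields.get("operation"),
            "path": fields.get("name"),
            "denied": fields.get("denied_mask", ""),
        })
    return denials


def suggest_rules(denials):
    """Merge denials per (profile, path) into the file rules that would allow them.

    Returns a list of (profile, rule) tuples such as
    ("/usr/sbin/slapd", "/var/lib/ r,").
    """
    merged = OrderedDict()
    for d in denials:
        if not d["path"]:
            continue  # non-file denials (capability, network) carry no name=
        key = (d["profile"], d["path"])
        merged[key] = merged.get(key, set()) | set(d["denied"])
    rules = []
    for (profile, path), mask in merged.items():
        letters = "".join(c for c in MASK_ORDER if c in mask)
        rules.append((profile, f"{path} {letters},"))
    return rules


def diagnose(text):
    """One human-readable line per missing rule, per profile."""
    return [f"profile {profile} is missing: {rule}"
            for profile, rule in suggest_rules(parse_apparmor_denials(text))]


if __name__ == "__main__":
    for line in diagnose(SAMPLE_SYSLOG):
        print(line)
```

Feed it the output of `grep audit /var/log/kern.log` (or `journalctl -k`) on the box that fails; for the excerpt above it reports a single missing rule, "/var/lib/ r,", for the /usr/sbin/slapd profile. Note that the denial is a getattr on the parent directory /var/lib/, not on anything under /var/lib/ldap/, which is why the existing "/var/lib/ldap/ r, /var/lib/ldap/** rwk" rules do not cover it; whether the extra rule belongs in the shipped profile permanently is a separate question from diagnosing the denial.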