[Touch-packages] [Bug 1452087] Re: slapd [or its init script] does not create necessary directory for nssov socket and fails to start

2015-05-25 Thread Ryan Tandy
** Changed in: openldap (Ubuntu)
   Status: New => Confirmed

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openldap in Ubuntu.
https://bugs.launchpad.net/bugs/1452087

Title:
  slapd [or its init script] does not create necessary directory for
  nssov socket and fails to start

Status in openldap package in Ubuntu:
  Confirmed

Bug description:
  when used with the nss overlay, slapd fails to start, because
  /var/run/nslcd/ does not exist, and slapd cannot then create the socket
  for this.  additionally, creating the directory manually does not
  help, because it disappears after every reboot.

  1] lsb_release -rd
  Description:  Ubuntu 15.04
  Release:  15.04

  2] apt-cache policy slapd
  slapd:
    Installed: 2.4.31-1+nmu2ubuntu12
    Candidate: 2.4.31-1+nmu2ubuntu12
    Version table:
   *** 2.4.31-1+nmu2ubuntu12 0
          500 http://us.archive.ubuntu.com/ubuntu/ vivid/main amd64 Packages
          100 /var/lib/dpkg/status

  3] i expected the necessary directory to be created when starting slapd if
  the nss overlay is in use
  4] it was not

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1452087/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp


[Touch-packages] [Bug 1452087] Re: slapd [or its init script] does not create necessary directory for nssov socket and fails to start

2015-05-07 Thread Ryan Tandy
Thinking about it again, an upstream fix for this is unlikely. slapd
changes users before it even starts loading its config, so there
probably isn't any way for nssov to mkdir as root.



[Touch-packages] [Bug 1452087] Re: slapd [or its init script] does not create necessary directory for nssov socket and fails to start

2015-05-06 Thread ben thielsen
there was an apparmor message logged:

May  6 22:52:05 server kernel: audit: type=1400
audit(1430967118.381:12): apparmor=DENIED operation=mkdir
profile=/usr/sbin/slapd name=/run/nslcd/ pid=1419 comm=slapd
requested_mask=c denied_mask=c fsuid=108 ouid=108

adding to /etc/apparmor.d/local/usr.sbin.slapd [among some other
things]:

  /etc/ldap/pki/** rw,
  /{,var/}run/slapd/* rw,
  /{,var/}run/nslcd/ rw,
  /{,var/}run/nslcd/* rw,

seems to have addressed that, but the directory still isn't created.

temporarily changing /run/ to 777 seems to reinforce rtandy's reference.
the directory is then created, but not with adequate permissions:

dr-xr-xr-x  2 openldap openldap   40 May  6 23:01 nslcd/

slapd[2357]: nssov: bind() to /var/run/nslcd/socket failed: Permission
denied

adjusting them manually after creation confirms this, and slapd then
starts.

at the moment, i've added the following to the init script:

NSSOV_SOCKETDIR='/var/run/nslcd'

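start_slapd() {
	# create the nssov socket directory if it is missing
	[ -d "${NSSOV_SOCKETDIR}" ] || ( mkdir -m 755 "${NSSOV_SOCKETDIR}" ; \
		chown openldap:openldap "${NSSOV_SOCKETDIR}" )
	# (remainder of the existing start_slapd body follows)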

which solves the problem for me [albeit the wrong way, imo], since it's
blindly doing it regardless of if the overlay is actually in use.



[Touch-packages] [Bug 1452087] Re: slapd [or its init script] does not create necessary directory for nssov socket and fails to start

2015-05-05 Thread Peter Matulis
Can you check /var/log/kern.log to see if this is an apparmor issue?



[Touch-packages] [Bug 1452087] Re: slapd [or its init script] does not create necessary directory for nssov socket and fails to start

2015-05-05 Thread Ryan Tandy
IIRC slapd does try to create the directory, but it's already switched
users by that point, so doesn't have sufficient privileges.

http://bazaar.launchpad.net/~ubuntu-branches/ubuntu/vivid/openldap/vivid/view/head:/contrib/slapd-modules/nssov/nssov.c#L808

I don't know whether the overlay has a way to run code before switching
permissions. Might be worth filing an ITS about, as this really should
work. Otherwise, the init script is probably the most reasonable place
to do it; but only if nssov is actually being used.

(apparmor may also be involved as pmatulis suggests. I didn't check.)

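
An added example, not part of the original thread or of the Ubuntu packaging: the init-script approach discussed above, but creating the socket directory only when nssov is actually configured. The config location and the olcOverlay/overlay match patterns are assumptions; the directory, mode and owner come from the thread.

```shell
#!/bin/sh
# Added example; not code from the bug thread or the Ubuntu slapd package.
# Assumed: cn=config entries carry "olcOverlay: {N}nssov" and a legacy
# slapd.conf uses "overlay nssov".

# nssov_in_use CONF: succeed if CONF (a slapd.d directory or a slapd.conf
# file) configures the nssov overlay.
nssov_in_use() {
    if [ -d "$1" ]; then
        grep -rqiE '^olcOverlay:[[:space:]]*(\{[0-9]+\})?nssov[[:space:]]*$' "$1"
    elif [ -f "$1" ]; then
        grep -qiE '^[[:space:]]*overlay[[:space:]]+nssov([[:space:]]|$)' "$1"
    else
        return 1
    fi
}

# ensure_nssov_socketdir CONF DIR OWNER: create DIR (mode 755, owned by
# OWNER as user:group) only when nssov is configured. Meant to run as root
# from the init script, before slapd switches to its unprivileged user.
ensure_nssov_socketdir() {
    conf=$1 dir=$2 owner=$3
    nssov_in_use "$conf" || return 0      # overlay not configured: do nothing
    if [ -L "$dir" ]; then                # never chown through a symlink
        echo "refusing to use symlink $dir" >&2
        return 1
    fi
    [ -d "$dir" ] || mkdir -m 755 "$dir" || return 1
    chmod 755 "$dir" || return 1          # repair a directory left at 555
    if [ "$(id -u)" -eq 0 ]; then         # only root can change ownership
        chown "$owner" "$dir" || return 1
    fi
}

# Directory and owner as named in the thread; /etc/ldap/slapd.d is assumed.
# ensure_nssov_socketdir /etc/ldap/slapd.d /var/run/nslcd openldap:openldap
```

Because /run is a tmpfs, the call has to run on every start, which is why it belongs in the init script rather than in a one-time setup step.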