[Bug 1472639] Re: apparmor profile denied for kerberos: /run/.heim_org.h5l.kcm-socket

2020-08-04 Thread Kartik Subbarao
Hi Lucas, I'm not running that version of slapd or Ubuntu anymore. I've long since added the local customization to /etc/apparmor.d/local/usr.sbin.slapd which made the problem go away. It's possible that this workaround isn't needed anymore, I haven't tested that. I just thought I'd share the

[Bug 1472639] Re: apparmor profile denied for kerberos: /run/.heim_org.h5l.kcm-socket

2020-08-03 Thread Kartik Subbarao
While working on something else recently, I got a hunch for what might have been happening here. I had configured syncrepl on this server to use GSSAPI (saslmech=GSSAPI) to authenticate to its provider server. In this role, slapd ignores the keytab file and behaves like an ordinary GSSAPI client.

[Bug 827151] Re: Annoying log message "DIGEST-MD5 common mech free"

2020-07-02 Thread Kartik Subbarao
I don't think that changing the logcheck regexp will help here. The logcheck program doesn't actually prevent messages from being logged to syslog. All it does is scan the existing logs and optionally alert on certain types of messages. The /etc/logcheck/ignore.d.server/libsasl-modules file will

[Bug 827151] Re: Annoying log message "DIGEST-MD5 common mech free"

2020-07-01 Thread Kartik Subbarao
This happens on 20.04 as well:

    # lsb_release -d
    Description:Ubuntu 20.04 LTS
    # repeat 10 ldapsearch -x -b cn=config > /dev/null
    # journalctl -n 10
    -- Logs begin at Thu 2020-04-23 13:12:44 EDT, end at Wed 2020-07-01 12:20:49 EDT. --
    Jul 01 12:20:48 hostname ldapsearch[727817]: DIGEST-MD5

[Bug 885525]

2019-06-13 Thread Kartik Subbarao
I recently discovered this problem and wanted to share a workaround that preserves key parts of my preferred use model: (1) I can press the Delete key on the keyboard, or the delete button in the GUI, to remove mail from my Inbox (or other folders), while preserving them in a folder (All Mail)

[Bug 1770489] Re: str/byte mismatches

2019-04-23 Thread Kartik Subbarao
I resolved this issue last year by upgrading to the 2018.3 package on repo.saltstack.com after it became available: https://github.com/saltstack/salt/issues/47434 https://repo.saltstack.com/py3/ubuntu/18.04/amd64/2018.3/ This issue can be closed. ** Bug watch added:

[Bug 1783183] Re: apparmor profile denied for kerberos client keytab and credential cache files

2018-07-24 Thread Kartik Subbarao
Cool, thanks Andreas! -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1783183 Title: apparmor profile denied for kerberos client keytab and credential cache files To manage notifications about

[Bug 1783183] Re: apparmor profile denied for kerberos client keytab and credential cache files

2018-07-24 Thread Kartik Subbarao
Just to provide some more background, the specific scenarios in my case are syncrepl and a chain overlay. I have lines like this in slapd.conf:

    syncrepl rid=1 provider=ldap://providerhost starttls=yes bindmethod=sasl saslmech=GSSAPI

and this:

    overlay chain
    chain-uri ldap://providerhost

[Bug 1783183] Re: apparmor profile denied for kerberos client keytab and credential cache files

2018-07-24 Thread Kartik Subbarao
The client.keytab path is standard functionality provided by libkrb5.so in Ubuntu 18.04. Here is the relevant documentation: http://manpages.ubuntu.com/manpages/bionic/man5/krb5.conf.5.html default_client_keytab_name This relation specifies the name of the default

[Bug 1783183] [NEW] apparmor profile denied for kerberos client keytab and credential cache files

2018-07-23 Thread Kartik Subbarao
Public bug reported: Can we get /etc/krb5/** and /tmp/krb5cc_* added with the appropriate permissions to the slapd apparmor profile? I'm getting the following kinds of errors:

    apparmor="DENIED" operation="open" profile="/usr/sbin/slapd" name="/etc/krb5/user/389/client.keytab" pid=19080

[Bug 1773237] Re: 18.04 build?

2018-06-18 Thread Kartik Subbarao
Thanks for the pointer Hans. I read through the thread and can appreciate the reasoning for removing this package. ** Changed in: libcrypt-gpg-perl (Ubuntu) Status: New => Invalid

[Bug 1773238] Re: 18.04 build?

2018-06-18 Thread Kartik Subbarao
Thanks for the information Hans. I took a closer look and it turns out that this package is no longer a dependency for my use case, which is consistent with the above :-) ** Changed in: openslp-dfsg (Ubuntu) Status: New => Invalid

[Bug 1773238] [NEW] 18.04 build?

2018-05-24 Thread Kartik Subbarao
Public bug reported: This package doesn't seem to be available on 18.04. Any chance of getting it built? (Or is there a particular reason why it wasn't built?) ** Affects: openslp-dfsg (Ubuntu) Importance: Undecided Status: New

[Bug 1773237] [NEW] 18.04 build?

2018-05-24 Thread Kartik Subbarao
Public bug reported: This package doesn't seem to be available on 18.04. Any chance of getting it built? (Or is there a particular reason why it wasn't built?) ** Affects: libcrypt-gpg-perl (Ubuntu) Importance: Undecided Status: New

[Bug 1772995] [NEW] /etc/logrotate.d/zabbix-agent uses invoke-rc.d command, not in cron path

2018-05-23 Thread Kartik Subbarao
Public bug reported: /etc/logrotate.d/zabbix-agent has the following postrotate line:

    [ -e /var/run/zabbix/zabbix_agentd.pid ] && invoke-rc.d zabbix-agent force-reload >/dev/null

There are a couple of issues with this: 1) When logrotate is invoked from cron, this doesn't work since invoke-

[Bug 1770489] [NEW] str/byte mismatches

2018-05-10 Thread Kartik Subbarao
Public bug reported: I'm running into python3-related str/byte mismatch errors with 2017.7.4+dfsg1-1, like this:

    Jinja error: a bytes-like object is required, not 'str'

Reading the 2018.3.0 release notes, it looks like a number of these errors are fixed in that release:

[Bug 1472639] Re: apparmor profile denied for kerberos: /run/.heim_org.h5l.kcm-socket

2017-06-08 Thread Kartik Subbarao
No worries Christian. As far as issues caused by unpredictable complex interactions go, this one is fairly benign :-) I'm fine with the workaround -- it's just one more line that gets programmatically added to a config file that has to be customized anyway. And who knows, it may well have been

[Bug 1654416] Re: Requesting 2.4.44 build which includes fix for ITS#8185

2017-03-10 Thread Kartik Subbarao
Thanks!

[Bug 1654416] Re: Requesting 2.4.44 build which includes fix for ITS#8185

2017-01-07 Thread Kartik Subbarao
Understood, thanks for the responses Ryan and Hans.

[Bug 1654416] [NEW] Requesting 2.4.44 build which includes fix for ITS#8185

2017-01-05 Thread Kartik Subbarao
Public bug reported: I reported ITS#8185 to OpenLDAP which was fixed in the 2.4.43 release. There have been no OpenLDAP releases since 2.4.44 in February 2016, so it looks like things have been stable for a while. I'd like to request a refreshed slapd package for 2.4.44 (the most recent slapd

[Bug 1472639] Re: apparmor profile denied for kerberos: /run/.heim_org.h5l.kcm-socket

2016-07-20 Thread Kartik Subbarao
Not really -- in this case, all of the packages are pretty much installed at the same time with automated processes. In #1 above, Ryan Tandy mentions seeing these error messages too -- so I assumed this was a fairly common sort of occurrence. I've been working around this issue by adding a line

[Bug 1472639] Re: apparmor profile denied for kerberos: /run/.heim_org.h5l.kcm-socket

2016-07-20 Thread Kartik Subbarao
Hi Ryan, Thanks for looking into this. Unfortunately I don't have much to add to my earlier response in this thread. Here are the only kerberos-related types of lines that I have in slapd.conf:

    authz-regexp uid=([^,]*),cn=([^,]*),cn=gssapi,cn=auth

[Bug 1472639] Re: apparmor profile denied for kerberos: /run/.heim_org.h5l.kcm-socket

2015-07-27 Thread Kartik Subbarao
I'm not sure if/how exactly I'm using kcm with slapd. I have an /etc/krb5.keytab and in slapd.conf, I have a sasl-realm parameter defined. Kerberos authentication actually seems to work okay -- for example, ldapwhoami -Y GSSAPI works properly. I don't know what else may or may not be working, but

[Bug 1472639] [NEW] apparmor profile denied for kerberos: /run/.heim_org.h5l.kcm-socket

2015-07-08 Thread Kartik Subbarao
Public bug reported: The slapd apparmor profile doesn't allow access to /run/.heim_org.h5l.kcm-socket which is used by kerberos:

    apparmor=DENIED operation=connect profile=/usr/sbin/slapd name=/run/.heim_org.h5l.kcm-socket pid=61289 comm=slapd requested_mask=wr denied_mask=wr fsuid=389 ouid=0

[Bug 1461276] Re: off-by-one in LDIF length

2015-07-06 Thread Kartik Subbarao
This bug can be closed out now in favor of just building a new package for 2.4.41, since that release is now available and includes the fix: http://www.openldap.org/software/release/changes.html

[Bug 1471831] [NEW] Requesting a package for 2.4.41

2015-07-06 Thread Kartik Subbarao
Public bug reported: OpenLDAP version 2.4.41 is now available, and includes the bugfix for the issue I reported in bug #1461276, as well as many other bugfixes. Requesting an Ubuntu package for this release. ** Affects: openldap (Ubuntu) Importance: Undecided Status: New

[Bug 1461276] Re: off-by-one in LDIF length

2015-06-25 Thread Kartik Subbarao
Any response on this?

[Bug 1461276] Re: off-by-one in LDIF length

2015-06-03 Thread Kartik Subbarao
I have run both 2.4.31 and 2.4.40 for a few days, and have only experienced this type of slapd crash with 2.4.40. That by itself isn't conclusive though, since memory corruption errors can be sensitive in how they manifest. Looking at the code briefly, I see that the same off-by-one error in

[Bug 1292400] Re: task systemd-udevd:1906 blocked for more than 120 seconds.

2015-06-02 Thread Kartik Subbarao
Does anyone know the current status of this -- is a revised patch still in the works?

[Bug 1461276] [NEW] Requesting ITS#8003 inclusion in 2.4.40 package

2015-06-02 Thread Kartik Subbarao
Public bug reported: Would it be possible to include the patch for ITS#8003 in the next build of the 2.4.40 package? http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=patch;h=c8353f7acdec4a42f537b0d475aaae005ba72363 It fixes a bug that causes slapd to crash when the audit log is enabled
