[Expired for openldap (Ubuntu) because there has been no activity for 60
days.]
** Changed in: openldap (Ubuntu)
Status: Incomplete => Expired
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.

Hi Lucas, I'm not running that version of slapd or Ubuntu anymore. I've
long since added the local customization to
/etc/apparmor.d/local/usr.sbin.slapd which made the problem go away.
It's possible that this workaround isn't needed anymore, I haven't
tested that.
I just thought I'd share the

Hi Kartik,
Are you still facing this issue? Which Ubuntu release are you using? Do
you have the steps to reproduce the failure now?
TIA!

** Changed in: openldap (Ubuntu)
Assignee: Ryan Harper (raharper) => (unassigned)

While working on something else recently, I got a hunch for what might
have been happening here. I had configured syncrepl on this server to
use GSSAPI (saslmech=GSSAPI) to authenticate to its provider server. In
this role, slapd ignores the keytab file and behaves like an ordinary
GSSAPI client.

No worries Christian. As far as issues caused by unpredictable complex
interactions go, this one is fairly benign :-) I'm fine with the
workaround -- it's just one more line that gets programmatically added
to a config file that has to be customized anyway. And who knows, it may
well have been

Hi,
this bug was dormant for a long time.
We have to face it that due to the complexity, the lack of an (easy) recreation
and the fact that there is a workaround via modifying the apparmor profiles
likely nothing gets changed - unless somebody in the community steps up and
does so.
Yet as I

Not really -- in this case, all of the packages are pretty much
installed at the same time with automated processes.
In #1 above, Ryan Tandy mentions seeing these error messages too -- so I
assumed this was a fairly common sort of occurrence.
I've been working around this issue by adding a line

Do you have a specific guide or sequence you followed?
1. apt-get install slapd krb5* heimdal-kdc .. etc?
And then the various config changes applied?
I'll keep digging.
On Wed, Jul 20, 2016 at 11:31 AM, Kartik Subbarao
wrote:
> Hi Ryan,
>
> Thanks for looking into

Hi Ryan,
Thanks for looking into this. Unfortunately I don't have much to add to
my earlier response in this thread. Here are the only kerberos-related
types of lines that I have in slapd.conf:
authz-regexp
uid=([^,]*),cn=([^,]*),cn=gssapi,cn=auth

Hi,
From what I can tell, looking at the existing slapd apparmor profile, it
does not include access to the kcm socket in /run as you say. However,
I've yet to discover how to have slapd attempt to access this particular
socket.
I've examined a number of Kerberos + OpenLDAP setups and there's

** Changed in: openldap (Ubuntu)
Assignee: (unassigned) => Ryan Harper (raharper)
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1472639
Title:
apparmor profile denied for kerberos:

I'm not sure if/how exactly I'm using kcm with slapd. I have an
/etc/krb5.keytab and in slapd.conf, I have a sasl-realm parameter
defined. Kerberos authentication actually seems to work okay -- for
example, ldapwhoami -Y GSSAPI works properly. I don't know what else may
or may not be working, but

Hi Kartik,
To help me reproduce and verify this, can you describe your setup where
slapd stores its credentials in the KCM?
I'm asking because I do see these denials, but they don't appear to
affect operation with a keytab, and I haven't been able to get slapd to
work without a keytab. I'm

** Tags added: apparmor
** Changed in: openldap (Ubuntu)
Importance: Undecided => High