I think you're right that adding the nslcd socket to the
abstractions/nameservice probably makes sense; I didn't see anything in
the nslcd manpages that suggested nscd was the only way to use the


You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.

  usr.sbin.nscd needs r/w access to nslcd socket

Status in AppArmor:
Status in apparmor package in Ubuntu:

Bug description:
  I am usinc nscd with nslcd (LDAP lookup daemon) for NSS services via

  It is typical to configure nslcd to connect to the actual LDAP server,
  and then set up /etc/ldap.conf (which is what NSS/nscd uses for "ldap"
  type lookups in /etc/nsswitch.conf) with a server URI of
  ldapi:///var/run/nslcd/socket . This way, only nslcd needs to talk
  with the LDAP server, rather than every application that wants to do
  getpwent() et al.

  Unfortunately, the usr.sbin.nscd profile in apparmor-profiles
  2.10.95-0ubuntu2 (Xenial) makes no mention of the nslcd socket, which
  results in NSS LDAP lookups not working when the profile is enforced
  in this configuration.

  This is the new line that is needed:

      /{,var/}run/nslcd/socket rw,

To manage notifications about this bug go to:

Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp

Reply via email to