Focal verification

First, reproducing the problem:

  Version table:
 *** 2.4.49+dfsg-2ubuntu1.2 500
        500 http://br.archive.ubuntu.com/ubuntu focal-updates/main amd64 
Packages
        500 http://br.archive.ubuntu.com/ubuntu focal-security/main amd64 
Packages
        100 /var/lib/dpkg/status

ldapsearch fails:
root@focal-openldap-saslauthd-1557157:~# ldapsearch -H ldapi:/// -LLL -b 
'dc=example,dc=com' -s base -U root -Y PLAIN
SASL/PLAIN authentication started
Please enter your password: 
ldap_sasl_interactive_bind_s: Other (e.g., implementation specific) error (80)
        additional info: SASL(-1): generic failure: Password verification failed

and dmesg complains:
[18037.506232] audit: type=1400 audit(1594229527.198:647): apparmor="DENIED" 
operation="connect" 
namespace="root//lxd-focal-openldap-saslauthd-1557157_<var-snap-lxd-common-lxd>"
 profile="/usr/sbin/slapd" name="/run/saslauthd/mux" pid=171680 comm="slapd" 
requested_mask="wr" denied_mask="wr" fsuid=1000112 ouid=1000000


With the proposed packages:
 *** 2.4.49+dfsg-2ubuntu1.3 500
        500 http://br.archive.ubuntu.com/ubuntu focal-proposed/main amd64 
Packages
        100 /var/lib/dpkg/status


ldapsearch works:
root@focal-openldap-saslauthd-1557157:~# ldapsearch -H ldapi:/// -LLL -b 
'dc=example,dc=com' -s base -U root -Y PLAIN
SASL/PLAIN authentication started
Please enter your password: 
SASL username: root
SASL SSF: 0
dn: dc=example,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: example
dc: example


And there is no apparmor DENIED message in dmesg.

Focal verification succeeded.

** Tags removed: verification-needed-focal
** Tags added: verification-done-focal

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openldap in Ubuntu.
https://bugs.launchpad.net/bugs/1557157

Title:
  apparmor profile denied for saslauthd: /run/saslauthd/mux

Status in openldap package in Ubuntu:
  Fix Released
Status in openldap source package in Trusty:
  Won't Fix
Status in openldap source package in Xenial:
  Fix Committed
Status in openldap source package in Bionic:
  Fix Committed
Status in openldap source package in Eoan:
  Fix Committed
Status in openldap source package in Focal:
  Fix Committed
Status in openldap source package in Groovy:
  Fix Released

Bug description:
  [Impact]

  When using openldap with sasl authentication, the slapd process will
  communicate with the saslauthd daemon via a socket in
  {,/var}/run/saslauthd/mux. Unfortunately, this will fail in every
  Ubuntu release from trusty onwards, because slapd's apparmor profile
  doesn't contain the necessary directive to allow it to read/write
  from/to the socket specified above.

  The fix is simple: just add the necessary directive to allow slapd to
  read/write from/to the saslauthd socket.

  [Test Case]

  One can reproduce the problem by doing:

  $ lxc launch ubuntu-daily:groovy openldap-bugbug1557157-groovy
  $ lxc shell openldap-bugbug1557157-groovy
  # apt install slapd sasl2-bin ldap-utils apparmor-utils

  (As the domain name, use "example.com").

  # sed -i -e 's/^START=.*/START=yes/' /etc/default/saslauthd
  # cat > /etc/ldap/sasl2/slapd.conf << __EOF__
  mech_list: PLAIN
  pwcheck_method: saslauthd
  __EOF__
  # adduser openldap sasl
  # aa-enforce /etc/apparmor.d/usr.sbin.slapd
  # systemctl restart slapd.service
  # systemctl restart saslauthd.service
  # passwd root

  (You can choose any password here. You will need to type it when
  running the next command.)

  # ldapsearch -H ldapi:/// -LLL -b 'dc=example,dc=com' -s base -U root
  -Y PLAIN

  The command will fail with something like:

  ldap_sasl_interactive_bind_s: Other (e.g., implementation specific) error (80)
          additional info: SASL(-1): generic failure: Password verification 
failed

  [Regression Potential]

  This is an extremely simple and well contained fix, so I don't
  envision any possible regressions after applying it.  It is important
  noticing that, since the problem affects older Ubuntu releases, the
  openldap package will have to be rebuilt against possible newer
  versions of libraries and other depencencies, which, albeit unlikely,
  may cause issues.

  [Original Description]

  When using slapd with saslauthd the processes communicate via the
  {,/var}/run/saslauthd/mux socket (this is the default location for the
  saslauthd server from the sasl2-bin package in the
  /etc/default/saslauthd config), but the apparmor profile for
  usr.sbin.slapd does not allow access to this socket/file.

  Syslog message:
  apparmor="DENIED" operation="connect" profile="/usr/sbin/slapd" 
name="/run/saslauthd/mux" pid=1880
  4 comm="slapd" requested_mask="r" denied_mask="r" fsuid=108 ouid=0

  Please add the following line to  /etc/apparmor.d/usr.sbin.slapd:
  /{,var/}run/saslauthd/mux rw,

  Ubuntu version: Ubuntu 14.04.4 LTS
  slapd version: 2.4.31-1+nmu2ubu

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1557157/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp

Reply via email to