Jonas, this is the branch I have:
https://code.launchpad.net/~ahasenack/ubuntu/+source/openldap/+git/openldap/+ref/questing-openldap-apparmor-2119884
The relevant commit: commit fd332b8d456cfc043ed3dc707c41f8c5912b0a8a Author: Andreas Hasenack <[email protected]> Date: Tue Aug 26 11:24:32 2025 -0300 * d/rules: fix apparmor profile installation (LP: #2119884) diff --git a/debian/rules b/debian/rules index 684d70627a..b570f4ecb7 100755 --- a/debian/rules +++ b/debian/rules @@ -144,6 +144,8 @@ override_dh_auto_install-indep: ${installdir}/usr/share/man/man5/ldap.conf.5 ifeq (${noslapd},) +override_dh_install-arch: + dh_install # install AppArmor profile install -D -m 644 $(CURDIR)/debian/apparmor-profile \ $(CURDIR)/debian/slapd/etc/apparmor.d/usr.sbin.slapd 
@@ -157,8 +159,6 @@ ifeq (${noslapd},) $(CURDIR)/debian/slapd/etc/ufw/applications.d/slapd endif -override_dh_auto_build: override_dh_auto_build-arch - override_dh_installinit: dh_installinit --no-restart-after-upgrade --error-handler=ignore_init_failure -- "defaults 19 80" The first part is more or less obvious, it fixes installing the apparmor profile. But the second override, the one I'm removing, I just detected because it was also part of a bad merge. But I can't say what the impact is of leaving it out, or in. That override_dh_auto_build was removed in debian here: commit 69b998a5f98c2d07e99a4a252d0ee9616e899bfc (tag: pkg/import/2.6.9+dfsg-1, tag: import/2.6.9+dfsg-1) Author: Ryan Tandy <[email protected]> Date: Tue Jan 14 18:30:51 2025 -0800 2.6.9+dfsg-1 (patches unapplied) Imported using git-ubuntu import. ... * d/rules: Delete override_dh_auto_build target, so that -indep/-arch are actually used. See #1014334. But we reintroduced it (by mistake?) here, in the same commit that incorrectly tried to reapply the apparmor delta: $ git show 98a18f4bdc5ba15eab807027b9073fdccaba5119 -- debian/rules commit 98a18f4bdc5ba15eab807027b9073fdccaba5119 Author: Sergio Durigan Junior <[email protected]> Date: Tue Jun 15 13:31:22 2021 -0400 - Enable AppArmor support: + d/apparmor-profile: add AppArmor profile + d/rules: use dh_apparmor + d/control: Build-Depends on dh-apparmor + d/slapd.README.Debian: add note about AppArmor diff --git a/debian/rules b/debian/rules index 9d1e9bf717..3361057fad 100755 --- a/debian/rules +++ b/debian/rules 
@@ -143,6 +143,15 @@ override_dh_auto_install-indep: install -Dm0644 ${builddir}/doc/man/man5/ldap.conf.5.tmp \ ${installdir}/usr/share/man/man5/ldap.conf.5 +ifeq (${noslapd},) + # install AppArmor profile + install -D -m 644 $(CURDIR)/debian/apparmor-profile \ + $(CURDIR)/debian/slapd/etc/apparmor.d/usr.sbin.slapd + dh_apparmor -pslapd --profile-name=usr.sbin.slapd +endif + +override_dh_auto_build: override_dh_auto_build-arch + override_dh_installinit: dh_installinit --no-restart-after-upgrade --error-handler=ignore_init_failure -- "defaults 19 80" So I think we should delete "override_dh_auto_build: override_dh_auto_build-arch", because it was deleted in debian and I think we reintroduced it by mistake, but I stopped short of determining what the impact of that is. That's why this bug was dragging so long... -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openldap in Ubuntu. https://bugs.launchpad.net/bugs/2119884 Title: slapd missing apparmor profile, and when applied, fails to start under systemd Status in openldap package in Ubuntu: In Progress Status in openldap source package in Plucky: In Progress Status in openldap source package in Questing: In Progress Bug description: Ubuntu 25.04 Plucky saw a change from using init to systemd for starting slapd. When starting slapd using systemd, slapd runs but is terminated by systemd when it fails to receive a notification (sd_notify) from slapd that everything is ok. 
root@minerva:/etc/apt# lsb_release -rd
Description: Ubuntu 25.04
Release: 25.04

root@minerva:/etc/apt# apt info slapd
Package: slapd
Version: 2.6.9+dfsg-2ubuntu1
Priority: optional
Section: net
Source: openldap
Origin: Ubuntu
Maintainer: Ubuntu Developers <[email protected]>
Original-Maintainer: Debian OpenLDAP Maintainers <[email protected]>
Bugs: https://bugs.launchpad.net/ubuntu/+filebug
Installed-Size: 5,195 kB
Provides: ldap-server
Pre-Depends: debconf, init-system-helpers (>= 1.54~)
Depends: libargon2-1 (>= 0~20171227), libc6 (>= 2.38), libcrypt1 (>= 1:4.1.0), libldap2 (= 2.6.9+dfsg-2ubuntu1), li>
Recommends: ldap-utils
Suggests: libsasl2-modules, ufw, libsasl2-modules-gssapi-mit | libsasl2-modules-gssapi-heimdal
Conflicts: ldap-server
Homepage: https://www.openldap.org/
Download-Size: 1,661 kB
APT-Manual-Installed: yes
APT-Sources: http://au.archive.ubuntu.com/ubuntu plucky/main amd64 Packages
Description: OpenLDAP server (slapd)
 This is the OpenLDAP (Lightweight Directory Access Protocol) server (slapd). The server can be used to provide a standalone directory service.

root@minerva:/etc/apt# systemctl start slapd.service
Job for slapd.service failed because a timeout was exceeded.
See "systemctl status slapd.service" and "journalctl -xeu slapd.service" for details.

root@minerva:/etc/apt# systemctl status slapd.service
× slapd.service - OpenLDAP Server Daemon
     Loaded: loaded (/usr/lib/systemd/system/slapd.service; enabled; preset: enabled)
     Active: failed (Result: timeout) since Thu 2025-08-07 22:01:36 AEST; 2min 11s ago
   Duration: 7h 20min 53.690s
 Invocation: 2efc19fa8f9c491b86b1c9039f12dba7
       Docs: man:slapd
             man:slapd-config
             man:slapd-mdb
    Process: 87009 ExecStart=sh -c mkdir -p /run/slapd; chown "$SLAPD_USER":"$SLAPD_GROUP" /run/slapd; >
   Main PID: 87009 (code=exited, status=0/SUCCESS)
   Mem peak: 4.1M
        CPU: 49ms

Aug 07 22:00:06 minerva.cording.id.au systemd[1]: Starting slapd.service - OpenLDAP Server Daemon...
Aug 07 22:00:06 minerva.cording.id.au slapd[87009]: @(#) $OpenLDAP: slapd 2.6.9+dfsg-2ubuntu1 (Mar 15 2025 05:58:33>
                                                    Ubuntu Developers <[email protected]>
Aug 07 22:00:06 minerva.cording.id.au slapd[87009]: slapd starting
Aug 07 22:00:06 minerva.cording.id.au slapd[87009]: systemd sd_notify failed (-13)
Aug 07 22:01:36 minerva.cording.id.au systemd[1]: slapd.service: start operation timed out. Terminating.
Aug 07 22:01:36 minerva.cording.id.au slapd[87009]: daemon: shutdown requested and initiated.
Aug 07 22:01:36 minerva.cording.id.au slapd[87009]: slapd shutdown: waiting for 0 operations/tasks to finish
Aug 07 22:01:36 minerva.cording.id.au slapd[87009]: slapd stopped.
Aug 07 22:01:36 minerva.cording.id.au systemd[1]: slapd.service: Failed with result 'timeout'.
Aug 07 22:01:36 minerva.cording.id.au systemd[1]: Failed to start slapd.service - OpenLDAP Server Daemon.

root@minerva:/usr/lib/systemd/system# more slapd.service
[Unit]
Description=OpenLDAP Server Daemon
After=network.target
# It doesn't really need network-online. Might revisit this for trixie:
# old initscript does have dependency on network-online.
#After=network-online.target
# For binding to particular IPs with systemd-networkd, use
#After=systemd-networkd-wait-online@eth0:no-carrier.service
# (with appropriate name for eth0)
Documentation=man:slapd
Documentation=man:slapd-config
Documentation=man:slapd-mdb

[Service]
Type=notify
# /etc/default/slapd sets:
# SLAPD_SERVICES SLAPD_CONF SLAPD_USER SLAPD_GROUP SLAPD_OPTIONS
# Also can set KRB5_KTNAME
EnvironmentFile=/etc/default/slapd
# can use User=, but it does not accept $Variables (compatibility)
# can use RuntimeDirectory= but it need to be owned by user anyway
ExecStart=sh -c 'mkdir -p /run/slapd; \
    chown "$SLAPD_USER":"$SLAPD_GROUP" /run/slapd; \
    [ -d "$SLAPD_CONF" ] && confflag=-F || confflag=-f; \
    exec /usr/sbin/slapd -d0 \
    ${SLAPD_SERVICES:+-h "$SLAPD_SERVICES"} \
    ${SLAPD_USER:+-u "$SLAPD_USER"} \
    ${SLAPD_GROUP:+-g "$SLAPD_GROUP"} \
    ${SLAPD_CONF:+$confflag "$SLAPD_CONF"} \
    $SLAPD_OPTIONS'

[Install]
WantedBy=multi-user.target

Issue due to missing permission in apparmor usr.sbin.slapd:

  # systemd sd_notify
  /run/systemd/notify w,

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/2119884/+subscriptions

--
Mailing list: https://launchpad.net/~touch-packages
Post to     : [email protected]
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
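
Review bot: In the first hunk of fd332b8d (@@ -144,6 +144,8 @@), the new "override_dh_install-arch:" target has no comment explaining why the profile install now runs after dh_install in the -arch sequence. Before this change the "# install AppArmor profile" lines followed the recipe of override_dh_auto_install-indep with no target line of their own, which fits the missing-profile symptom in the bug title. A one-line comment above the new target, saying that the steps write into debian/slapd and therefore belong to the -arch sequence, would help keep a later merge from moving them back. The target is also defined inside "ifeq (${noslapd},)", so it only exists when slapd is built; that looks intended and is worth stating in the same comment.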
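
Review bot: The second hunk of fd332b8d (@@ -157,8 +159,6 @@) removes "override_dh_auto_build: override_dh_auto_build-arch", but the commit message only says "fix apparmor profile installation (LP: #2119884)". The removal is a separate change with its own rationale (Debian deleted the target in 2.6.9+dfsg-1 "so that -indep/-arch are actually used", see #1014334). Either split it into its own commit or add a second changelog line citing that Debian change, so the build-behaviour change can be reviewed and reverted independently of the AppArmor fix.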
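
Review bot: In the quoted 98a18f4b hunk (@@ -143,6 +143,15 @@ override_dh_auto_install-indep:), the added "ifeq (${noslapd},)" block begins right after the last recipe line of override_dh_auto_install-indep and has no target line of its own, so the install and dh_apparmor commands read as part of the -indep recipe even though they write into debian/slapd. The same hunk adds "override_dh_auto_build: override_dh_auto_build-arch", which none of the four items in the commit message mentions. Giving the AppArmor steps their own target and keeping the unrelated override out of the commit would address both.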
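
The failure described in the bug (a Type=notify unit whose AppArmor profile has no write rule for /run/systemd/notify, so sd_notify fails with -13 and systemd times out the start) can be checked for before the service is restarted. The script below is an added example, not part of the original message or of the openldap packaging; the function names and the sample file contents are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: flag a Type=notify unit whose AppArmor profile has no
# write rule for systemd's notification socket (the failure in this bug).
# Limitation: only literal rules in the given file are checked; rules
# pulled in through includes or written with globs are not followed.

# Exit 0 if the unit's [Service] section sets Type=notify.
unit_is_notify() {
    awk '/^\[/ { in_service = ($0 == "[Service]") }
         in_service && /^[ \t]*Type[ \t]*=[ \t]*notify[ \t]*$/ { found = 1 }
         END { exit !found }' "$1"
}

# Exit 0 if an uncommented allow rule grants write on /run/systemd/notify.
profile_allows_notify() {
    grep -Eq '^[[:space:]]*(owner[[:space:]]+)?/(var/)?run/systemd/notify[[:space:]]+[a-z]*w[a-z]*,' "$1"
}

# Print a verdict; return 1 when sd_notify would be denied.
check_notify_confinement() {
    unit_is_notify "$1" || { echo "ok: $1 is not Type=notify"; return 0; }
    if profile_allows_notify "$2"; then
        echo "ok: $2 allows write to /run/systemd/notify"
        return 0
    fi
    echo "problem: $1 is Type=notify but $2 lacks '/run/systemd/notify w,'"
    return 1
}

# Constructed sample files (hypothetical contents, not from a real host).
write_samples() {
    printf '[Unit]\nDescription=OpenLDAP Server Daemon\n[Service]\nType=notify\n' \
        > "$1/slapd.service"
    printf '/usr/sbin/slapd {\n  /run/slapd/ rw,\n  # /run/systemd/notify w,\n}\n' \
        > "$1/profile.missing"
    printf '/usr/sbin/slapd {\n  /run/slapd/ rw,\n  /run/systemd/notify w,\n}\n' \
        > "$1/profile.fixed"
}

demo_dir=$(mktemp -d)
write_samples "$demo_dir"
check_notify_confinement "$demo_dir/slapd.service" "$demo_dir/profile.missing" || true
check_notify_confinement "$demo_dir/slapd.service" "$demo_dir/profile.fixed"
rm -rf "$demo_dir"
```

On a real host the two arguments would be /usr/lib/systemd/system/slapd.service and /etc/apparmor.d/usr.sbin.slapd, the paths shown in the bug description and in the patch.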

