Hi,

From what I can tell, looking at the existing slapd apparmor profile, it
does not include access to the kcm socket in /run as you say. However,
I've yet to discover how to have slapd attempt to access this particular
socket.

I've examined a number of Kerberos + OpenLDAP setups and there's no easy
answer on how to set up and configure this combination and certainly no
indication which one of those would trigger such an access.

Is there any additional information you can provide to help narrow down
what possible configuration is needed and which command or action would
trigger?

I'll start reading the LDAP server code to see if I can understand a bit
more what the KDC socket is doing but in the meantime, I'd like as much
detail as possible.

Note, the version mentioned, 2.4.40, appeared between vivid and wily
releases; Trusty has 2.4.31 and Xenial/Yakkety are at 2.4.42.

If possible, it would be useful to know if this can be reproduced on
Xenial or Yakkety; or if it's only on the older releases (Trusty and
Precise would be affected).

** Changed in: openldap (Ubuntu)
Status: New => Incomplete
--
https://bugs.launchpad.net/bugs/1472639
Title:
apparmor profile denied for kerberos: /run/.heim_org.h5l.kcm-socket