** Description changed:

+ [ Impact ]
+ 
+  * slapd doesn't have a working apparmor profile on 25.04 plucky and 25.10 
questing, due to a ordering issue in debian/rules
+    - fix by placing dh_apparmor under override_dh_auto_install-arch instead 
of -indep
+  * in addition, when enabling the apparmor profile, slapd startup fails to 
submit the systemd startup notification
+    - fix profile by allowing write to @{run}/systemd/notify)
+ 
+ 
+ [ Test Plan ]
+ 
+ * error confirmation:
+  - apt-get -y install slapd
+  - aa-status doesn't list usr.sbin.slapd profile
+ 
+ * fix confirmation:
+  - apt-get -y install slapd
+  - `aa-status --json | jq -r ".profiles.\"/usr/sbin/slapd\""` should return 
"enforce"
+  - `cat /proc/${slapd_pid}/attr/current` should return "/usr/sbin/slapd 
(enforce)"
+  - the updated autopkgtest d/t/slapd checks if slapd is running with apparmor 
profile.
+ 
+ [ Where problems could occur ]
+ 
+ * when apparmor for slapd is restored, it can no longer access resources not 
permitted in the profile
+ * config files outside /etc can't be accessed any more
+ 
+ 
+ [ Original Report ]
+ 
  Ubuntu 25.04 Plucky saw a change from using init to systemd for starting
  slapd.  When starting slapd using systemd, slapd runs but is terminated
  by systemd when it fails to receive a notification (sd_notify) from
  slapd that everything is ok.
  
- 
  root@minerva:/etc/apt# lsb_release -rd
  Description:    Ubuntu 25.04
  Release:        25.04
- 
  
  root@minerva:/etc/apt# apt info slapd
  Package: slapd
  Version: 2.6.9+dfsg-2ubuntu1
  Priority: optional
  Section: net
  Source: openldap
  Origin: Ubuntu
  Maintainer: Ubuntu Developers <[email protected]>
  Original-Maintainer: Debian OpenLDAP Maintainers 
<[email protected]>
  Bugs: https://bugs.launchpad.net/ubuntu/+filebug
  Installed-Size: 5,195 kB
  Provides: ldap-server
  Pre-Depends: debconf, init-system-helpers (>= 1.54~)
  Depends: libargon2-1 (>= 0~20171227), libc6 (>= 2.38), libcrypt1 (>= 
1:4.1.0), libldap2 (= 2.6.9+dfsg-2ubuntu1), li>
  Recommends: ldap-utils
  Suggests: libsasl2-modules, ufw, libsasl2-modules-gssapi-mit | 
libsasl2-modules-gssapi-heimdal
  Conflicts: ldap-server
  Homepage: https://www.openldap.org/
  Download-Size: 1,661 kB
  APT-Manual-Installed: yes
  APT-Sources: http://au.archive.ubuntu.com/ubuntu plucky/main amd64 Packages
  Description: OpenLDAP server (slapd)
-  This is the OpenLDAP (Lightweight Directory Access Protocol) server
-  (slapd). The server can be used to provide a standalone directory
-  service.
- 
+  This is the OpenLDAP (Lightweight Directory Access Protocol) server
+  (slapd). The server can be used to provide a standalone directory
+  service.
  
  root@minerva:/etc/apt# systemctl start slapd.service
  Job for slapd.service failed because a timeout was exceeded.
  See "systemctl status slapd.service" and "journalctl -xeu slapd.service" for 
details.
  
- 
  root@minerva:/etc/apt# systemctl status slapd.service
  × slapd.service - OpenLDAP Server Daemon
-      Loaded: loaded (/usr/lib/systemd/system/slapd.service; enabled; preset: 
enabled)
-      Active: failed (Result: timeout) since Thu 2025-08-07 22:01:36 AEST; 
2min 11s ago
-    Duration: 7h 20min 53.690s
-  Invocation: 2efc19fa8f9c491b86b1c9039f12dba7
-        Docs: man:slapd
-              man:slapd-config
-              man:slapd-mdb
-     Process: 87009 ExecStart=sh -c mkdir -p /run/slapd;         chown 
"$SLAPD_USER":"$SLAPD_GROUP" /run/slapd;     >
-    Main PID: 87009 (code=exited, status=0/SUCCESS)
-    Mem peak: 4.1M
-         CPU: 49ms
+      Loaded: loaded (/usr/lib/systemd/system/slapd.service; enabled; preset: 
enabled)
+      Active: failed (Result: timeout) since Thu 2025-08-07 22:01:36 AEST; 
2min 11s ago
+    Duration: 7h 20min 53.690s
+  Invocation: 2efc19fa8f9c491b86b1c9039f12dba7
+        Docs: man:slapd
+              man:slapd-config
+              man:slapd-mdb
+     Process: 87009 ExecStart=sh -c mkdir -p /run/slapd;         chown 
"$SLAPD_USER":"$SLAPD_GROUP" /run/slapd;     >
+    Main PID: 87009 (code=exited, status=0/SUCCESS)
+    Mem peak: 4.1M
+         CPU: 49ms
  
  Aug 07 22:00:06 minerva.cording.id.au systemd[1]: Starting slapd.service - 
OpenLDAP Server Daemon...
  Aug 07 22:00:06 minerva.cording.id.au slapd[87009]: @(#) $OpenLDAP: slapd 
2.6.9+dfsg-2ubuntu1 (Mar 15 2025 05:58:33>
-                                                             Ubuntu Developers 
<[email protected]>
+                                                             Ubuntu Developers 
<[email protected]>
  Aug 07 22:00:06 minerva.cording.id.au slapd[87009]: slapd starting
  Aug 07 22:00:06 minerva.cording.id.au slapd[87009]: systemd sd_notify failed 
(-13)
  Aug 07 22:01:36 minerva.cording.id.au systemd[1]: slapd.service: start 
operation timed out. Terminating.
  Aug 07 22:01:36 minerva.cording.id.au slapd[87009]: daemon: shutdown 
requested and initiated.
  Aug 07 22:01:36 minerva.cording.id.au slapd[87009]: slapd shutdown: waiting 
for 0 operations/tasks to finish
  Aug 07 22:01:36 minerva.cording.id.au slapd[87009]: slapd stopped.
  Aug 07 22:01:36 minerva.cording.id.au systemd[1]: slapd.service: Failed with 
result 'timeout'.
  Aug 07 22:01:36 minerva.cording.id.au systemd[1]: Failed to start 
slapd.service - OpenLDAP Server Daemon.
  
- 
- root@minerva:/usr/lib/systemd/system# more slapd.service 
+ root@minerva:/usr/lib/systemd/system# more slapd.service
  [Unit]
  Description=OpenLDAP Server Daemon
  After=network.target
  # It doesn't really need network-online. Might revisit this for trixie:
  # old initscript does have dependency on network-online.
  #After=network-online.target
  # For binding to particular IPs with systemd-networkd, use
  #After=systemd-networkd-wait-online@eth0:no-carrier.service
  # (with appropriate name for eth0)
  Documentation=man:slapd
  Documentation=man:slapd-config
  Documentation=man:slapd-mdb
  
  [Service]
  Type=notify
  # /etc/default/slapd sets:
  #  SLAPD_SERVICES SLAPD_CONF SLAPD_USER SLAPD_GROUP SLAPD_OPTIONS
  # Also can set KRB5_KTNAME
  EnvironmentFile=/etc/default/slapd
  # can use User=, but it does not accept $Variables (compatibility)
  # can use RuntimeDirectory= but it need to be owned by user anyway
  ExecStart=sh -c 'mkdir -p /run/slapd; \
-         chown "$SLAPD_USER":"$SLAPD_GROUP" /run/slapd; \
-         [ -d "$SLAPD_CONF" ] && confflag=-F || confflag=-f; \
-         exec /usr/sbin/slapd -d0 \
-                 ${SLAPD_SERVICES:+-h "$SLAPD_SERVICES"} \
-                 ${SLAPD_USER:+-u "$SLAPD_USER"} \
-                 ${SLAPD_GROUP:+-g "$SLAPD_GROUP"} \
-                 ${SLAPD_CONF:+$confflag "$SLAPD_CONF"} \
-                 $SLAPD_OPTIONS'
+         chown "$SLAPD_USER":"$SLAPD_GROUP" /run/slapd; \
+         [ -d "$SLAPD_CONF" ] && confflag=-F || confflag=-f; \
+         exec /usr/sbin/slapd -d0 \
+                 ${SLAPD_SERVICES:+-h "$SLAPD_SERVICES"} \
+                 ${SLAPD_USER:+-u "$SLAPD_USER"} \
+                 ${SLAPD_GROUP:+-g "$SLAPD_GROUP"} \
+                 ${SLAPD_CONF:+$confflag "$SLAPD_CONF"} \
+                 $SLAPD_OPTIONS'
  
  [Install]
  WantedBy=multi-user.target
  
- 
  Issue due to missing permission in apparmor usr.sbin.slapd:
  
-  # systemd sd_notify
-   /run/systemd/notify w,
+  # systemd sd_notify
+   /run/systemd/notify w,
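Review bot: the `[ Impact ]` bullet "fix profile by allowing write to @{run}/systemd/notify)" has an unbalanced closing parenthesis, and the `[ Test Plan ]` step `cat /proc/${slapd_pid}/attr/current` never defines `slapd_pid`; suggest `cat /proc/$(systemctl show -p MainPID --value slapd)/attr/current` so the step runs as written. The journal line `systemd sd_notify failed (-13)` is -EACCES, which ties the timeout directly to the missing `w` rule on /run/systemd/notify shown in the last hunk lines; stating that in the report lets a reader confirm the diagnosis from the log alone. Under `[ Where problems could occur ]`, note that AppArmor confinement attaches at exec, so a slapd that was already running unconfined before the fixed profile loads stays unconfined until it is restarted; the enforce check in the Test Plan should therefore be run after the restart.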

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2119884

Title:
  slapd missing apparmor profile, and when applied, fails to start under
  systemd

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/2119884/+subscriptions


-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
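Added check script (not from the bug report, the openldap package or the SRU itself) that encodes the three fix-confirmation steps of the Test Plan in the description above against constructed inputs: the `aa-status --json` excerpt, the `/proc/<pid>/attr/current` label and the usr.sbin.slapd excerpt are all constructed here, and the `@{run}` expansion to /run is assumed from tunables/global.

```python
import json
import re

# Constructed, trimmed sample of `aa-status --json` output (not captured from a real host).
SAMPLE_AA_STATUS = '{"profiles": {"/usr/sbin/slapd": "enforce", "/usr/sbin/cupsd": "complain"}}'
# Constructed excerpt of usr.sbin.slapd containing the rule the bug report adds.
SAMPLE_PROFILE = """/usr/sbin/slapd {
  /etc/ldap/slapd.d/ r,
  # systemd sd_notify
  @{run}/systemd/notify w,
}
"""
# Assumed subset of tunables/global; @{run} expands to /run on Ubuntu.
APPARMOR_VARS = {"@{run}": "/run"}

def profile_mode(aa_status_json, profile):
    """Mode aa-status reports for `profile` (enforce/complain/...), or None if not loaded."""
    return json.loads(aa_status_json).get("profiles", {}).get(profile)

def confinement_from_attr(label):
    """Parse /proc/<pid>/attr/current, e.g. '/usr/sbin/slapd (enforce)' -> (profile, mode)."""
    label = label.strip()
    if label == "unconfined":
        return ("unconfined", None)
    m = re.fullmatch(r"(\S+) \((\w+)\)", label)
    if not m:
        raise ValueError("unrecognised confinement label: %r" % label)
    return (m.group(1), m.group(2))

def profile_allows_write(profile_text, path):
    """True if a plain file rule grants 'w' on `path` once @{...} variables are expanded."""
    for line in profile_text.splitlines():
        parts = line.split("#", 1)[0].strip().rstrip(",").split()
        if len(parts) != 2:  # skip braces, #include lines and multi-token rules
            continue
        rule_path, perms = parts
        for var, value in APPARMOR_VARS.items():
            rule_path = rule_path.replace(var, value)
        if rule_path == path and "w" in perms:
            return True
    return False

def slapd_startup_check(aa_status_json, attr_current, profile_text):
    """The three Test Plan checks; 'ok' means slapd is enforced and may write the notify socket."""
    prof, mode = confinement_from_attr(attr_current)
    findings = {"profile_enforced": profile_mode(aa_status_json, "/usr/sbin/slapd") == "enforce",
                "process_confined": prof == "/usr/sbin/slapd" and mode == "enforce",
                "notify_allowed": profile_allows_write(profile_text, "/run/systemd/notify")}
    findings["ok"] = all(findings.values())
    return findings
```

On a live host, feed it the real `aa-status --json` output, the content of `/proc/$(systemctl show -p MainPID --value slapd)/attr/current` and `/etc/apparmor.d/usr.sbin.slapd`.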
