** Description changed:
[ Impact ]
- * slapd doesn't have a working apparmor profile on 25.04 plucky and 25.10
questing, due to a ordering issue in debian/rules
- - fix by placing dh_apparmor under override_dh_auto_install-arch instead
of -indep
- * in addition, when enabling the apparmor profile, slapd startup fails to
submit the systemd startup notification
- - fix profile by allowing write to @{run}/systemd/notify)
-
+ * slapd doesn't apply its apparmor profile on 25.04 plucky and 25.10
questing, due to a ordering issue in debian/rules
+ - fix by placing dh_apparmor under override_dh_auto_install-arch instead
of -indep
+ * the profile itself is working, it's just not applied
+ * in addition, when enabling the apparmor profile, slapd startup fails to
submit the systemd startup notification
+ - fix profile by allowing write to @{run}/systemd/notify
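Review bot: the second Impact bullet understates the failure; as the attached report shows, the consequence is that slapd.service does not start at all: systemd reaches the start timeout and terminates slapd, and the journal shows `systemd sd_notify failed (-13)`, i.e. -EACCES from the denied write. Suggest saying so explicitly, e.g. "with the profile applied, slapd cannot write to @{run}/systemd/notify, sd_notify fails with EACCES and systemd kills the service on start timeout", so an SRU reviewer sees why the two fixes must ship together: restoring the profile without the notify rule turns a working slapd into one that fails to start.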
[ Test Plan ]
* error confirmation:
- - apt-get -y install slapd
- - aa-status doesn't list usr.sbin.slapd profile
+ - apt-get -y install slapd
+ - aa-status doesn't list usr.sbin.slapd profile
* fix confirmation:
- - apt-get -y install slapd
- - `aa-status --json | jq -r ".profiles.\"/usr/sbin/slapd\""` should return
"enforce"
- - `cat /proc/${slapd_pid}/attr/current` should return "/usr/sbin/slapd
(enforce)"
- - the updated autopkgtest d/t/slapd checks if slapd is running with apparmor
profile.
+ - apt-get -y install slapd
+ - `aa-status --json | jq -r ".profiles.\"/usr/sbin/slapd\""` should return
"enforce"
+ - `cat /proc/${slapd_pid}/attr/current` should return "/usr/sbin/slapd
(enforce)"
+ - the updated autopkgtest d/t/slapd checks if slapd is running with apparmor
profile.
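Review bot: `${slapd_pid}` in the `cat /proc/${slapd_pid}/attr/current` step is never assigned; give the tester the command, e.g. `slapd_pid=$(systemctl show -p MainPID --value slapd.service)`. It is also worth stating why both checks are kept: the `aa-status --json | jq` line only proves the profile is loaded in enforce mode, while `/proc/<pid>/attr/current` proves the running process is actually confined, which would still fail if slapd had been started before the profile was loaded. Finally, the plan has no explicit step for the second fix (the notify rule); the service coming up under enforce after `apt-get -y install slapd` covers it implicitly, but a sentence saying that a start under enforce must not log `sd_notify failed` in the journal would make that check visible.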
[ Where problems could occur ]
- * when apparmor for slapd is restored, it can no longer access resources not
permitted in the profile
- * config files outside /etc can't be accessed any more
+ - the slapd profile itself hasn't changed (except allowing systemd notify)
+ - this update restores apparmor confinement for slapd. thus slapd can no
longer access resources not permitted in the profile
+ - when openldap was used without an applied profile, deployments could have a
configation that will be blocked with this update - that means, after upgrading
to this update openldap will stop working for those configurations.
+ - deployments done in "in the usual way" (having their config in /etc, using
default socket paths, ...) should keep working with this update.
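Review bot: two typos in the last two bullets: "configation" should be "configuration" and 'done in "in the usual way"' has a doubled "in". On substance, the bullet about deployments that will stop working should tell the admin how to recognise and recover from that case: denials appear as `apparmor="DENIED"` audit lines (journal or dmesg) with `profile="/usr/sbin/slapd"` and the blocked path, and site-specific paths belong in the local override include that dh_apparmor sets up under /etc/apparmor.d/local/ (or the profile can be put in complain mode while adjusting), rather than disabling confinement again.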
[ Original Report ]
Ubuntu 25.04 Plucky saw a change from using init to systemd for starting
slapd. When starting slapd using systemd, slapd runs but is terminated
by systemd when it fails to receive a notification (sd_notify) from
slapd that everything is ok.
root@minerva:/etc/apt# lsb_release -rd
Description: Ubuntu 25.04
Release: 25.04
root@minerva:/etc/apt# apt info slapd
Package: slapd
Version: 2.6.9+dfsg-2ubuntu1
Priority: optional
Section: net
Source: openldap
Origin: Ubuntu
Maintainer: Ubuntu Developers <[email protected]>
Original-Maintainer: Debian OpenLDAP Maintainers
<[email protected]>
Bugs: https://bugs.launchpad.net/ubuntu/+filebug
Installed-Size: 5,195 kB
Provides: ldap-server
Pre-Depends: debconf, init-system-helpers (>= 1.54~)
Depends: libargon2-1 (>= 0~20171227), libc6 (>= 2.38), libcrypt1 (>=
1:4.1.0), libldap2 (= 2.6.9+dfsg-2ubuntu1), li>
Recommends: ldap-utils
Suggests: libsasl2-modules, ufw, libsasl2-modules-gssapi-mit |
libsasl2-modules-gssapi-heimdal
Conflicts: ldap-server
Homepage: https://www.openldap.org/
Download-Size: 1,661 kB
APT-Manual-Installed: yes
APT-Sources: http://au.archive.ubuntu.com/ubuntu plucky/main amd64 Packages
Description: OpenLDAP server (slapd)
This is the OpenLDAP (Lightweight Directory Access Protocol) server
(slapd). The server can be used to provide a standalone directory
service.
root@minerva:/etc/apt# systemctl start slapd.service
Job for slapd.service failed because a timeout was exceeded.
See "systemctl status slapd.service" and "journalctl -xeu slapd.service" for
details.
root@minerva:/etc/apt# systemctl status slapd.service
× slapd.service - OpenLDAP Server Daemon
Loaded: loaded (/usr/lib/systemd/system/slapd.service; enabled; preset:
enabled)
Active: failed (Result: timeout) since Thu 2025-08-07 22:01:36 AEST;
2min 11s ago
Duration: 7h 20min 53.690s
Invocation: 2efc19fa8f9c491b86b1c9039f12dba7
Docs: man:slapd
man:slapd-config
man:slapd-mdb
Process: 87009 ExecStart=sh -c mkdir -p /run/slapd; chown
"$SLAPD_USER":"$SLAPD_GROUP" /run/slapd; >
Main PID: 87009 (code=exited, status=0/SUCCESS)
Mem peak: 4.1M
CPU: 49ms
Aug 07 22:00:06 minerva.cording.id.au systemd[1]: Starting slapd.service -
OpenLDAP Server Daemon...
Aug 07 22:00:06 minerva.cording.id.au slapd[87009]: @(#) $OpenLDAP: slapd
2.6.9+dfsg-2ubuntu1 (Mar 15 2025 05:58:33>
Ubuntu Developers
<[email protected]>
Aug 07 22:00:06 minerva.cording.id.au slapd[87009]: slapd starting
Aug 07 22:00:06 minerva.cording.id.au slapd[87009]: systemd sd_notify failed
(-13)
Aug 07 22:01:36 minerva.cording.id.au systemd[1]: slapd.service: start
operation timed out. Terminating.
Aug 07 22:01:36 minerva.cording.id.au slapd[87009]: daemon: shutdown
requested and initiated.
Aug 07 22:01:36 minerva.cording.id.au slapd[87009]: slapd shutdown: waiting
for 0 operations/tasks to finish
Aug 07 22:01:36 minerva.cording.id.au slapd[87009]: slapd stopped.
Aug 07 22:01:36 minerva.cording.id.au systemd[1]: slapd.service: Failed with
result 'timeout'.
Aug 07 22:01:36 minerva.cording.id.au systemd[1]: Failed to start
slapd.service - OpenLDAP Server Daemon.
root@minerva:/usr/lib/systemd/system# more slapd.service
[Unit]
Description=OpenLDAP Server Daemon
After=network.target
# It doesn't really need network-online. Might revisit this for trixie:
# old initscript does have dependency on network-online.
#After=network-online.target
# For binding to particular IPs with systemd-networkd, use
#After=systemd-networkd-wait-online@eth0:no-carrier.service
# (with appropriate name for eth0)
Documentation=man:slapd
Documentation=man:slapd-config
Documentation=man:slapd-mdb
[Service]
Type=notify
# /etc/default/slapd sets:
# SLAPD_SERVICES SLAPD_CONF SLAPD_USER SLAPD_GROUP SLAPD_OPTIONS
# Also can set KRB5_KTNAME
EnvironmentFile=/etc/default/slapd
# can use User=, but it does not accept $Variables (compatibility)
# can use RuntimeDirectory= but it need to be owned by user anyway
ExecStart=sh -c 'mkdir -p /run/slapd; \
chown "$SLAPD_USER":"$SLAPD_GROUP" /run/slapd; \
[ -d "$SLAPD_CONF" ] && confflag=-F || confflag=-f; \
exec /usr/sbin/slapd -d0 \
${SLAPD_SERVICES:+-h "$SLAPD_SERVICES"} \
${SLAPD_USER:+-u "$SLAPD_USER"} \
${SLAPD_GROUP:+-g "$SLAPD_GROUP"} \
${SLAPD_CONF:+$confflag "$SLAPD_CONF"} \
$SLAPD_OPTIONS'
[Install]
WantedBy=multi-user.target
Issue due to missing permission in apparmor usr.sbin.slapd:
# systemd sd_notify
/run/systemd/notify w,
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2119884
Title:
slapd missing apparmor profile, and when applied, fails to start under
systemd
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/2119884/+subscriptions
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
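The following script is an added example for the test plan above; it is not code from the bug report or from the openldap package. It separates the two things the plan inspects, the `/proc/<pid>/attr/current` line and the `systemd sd_notify failed (N)` journal line from the report, into small parsing functions that run on constructed strings without root, and adds a `check_live` function that performs the real check on a host with systemd and slapd installed (the use of `systemctl show -p MainPID --value` to find the PID, and the errno interpretation of the sd_notify code, are this example's assumptions, not text from the report).

```sh
#!/bin/sh
# Added example for this bug's test plan; not code from the report or from the
# openldap package. Pure-shell helpers parse the two things the plan looks at
# (/proc/<pid>/attr/current and the "sd_notify failed (N)" journal line) so the
# logic can be exercised on constructed strings; check_live() does the real check.

# Parse a /proc/<pid>/attr/current line such as "/usr/sbin/slapd (enforce)" or
# "unconfined". Prints "<profile> <mode>"; unconfined prints "unconfined -".
aa_parse_current() {
    line=$1
    case $line in
        unconfined)
            echo "unconfined -" ;;
        *' ('*')')
            profile=${line%' ('*}
            mode=${line##*'('}
            echo "$profile ${mode%')'}" ;;
        *)
            return 1 ;;
    esac
}

# 0 when the line says slapd is confined by its own profile in enforce mode,
# which is what the SRU test plan expects after the fix.
slapd_confined_enforce() {
    parsed=$(aa_parse_current "$1") || return 1
    [ "$parsed" = "/usr/sbin/slapd enforce" ]
}

# Pull the numeric code out of a journal line like
# "slapd[87009]: systemd sd_notify failed (-13)" (constructed after the report).
sd_notify_code_from_log() {
    case $1 in
        *'sd_notify failed ('*')')
            code=${1##*'sd_notify failed ('}
            echo "${code%')'}" ;;
        *)
            return 1 ;;
    esac
}

# sd_notify() returns -errno. -13 is -EACCES: the notify socket is there but the
# write was refused, which is what an AppArmor denial of "/run/systemd/notify w"
# looks like. -2 (ENOENT) would instead mean NOTIFY_SOCKET points at a missing
# socket, i.e. not an AppArmor problem.
sd_notify_errno_name() {
    case $1 in
        -13)  echo EACCES ;;
        -2)   echo ENOENT ;;
        -111) echo ECONNREFUSED ;;
        *)    echo UNKNOWN ;;
    esac
}

# Live check: needs root, systemd and slapd installed. Exit 0 = confined in
# enforce mode and no sd_notify failure logged this boot, 1 = not as expected,
# 2 = cannot tell (service not running, /proc not readable, ...).
check_live() {
    pid=$(systemctl show -p MainPID --value slapd.service) || return 2
    if [ -z "$pid" ] || [ "$pid" = 0 ]; then
        echo "slapd.service has no main PID (not running?)"; return 2
    fi
    current=$(cat "/proc/$pid/attr/current") || return 2
    if slapd_confined_enforce "$current"; then
        echo "slapd pid $pid: $current"
    else
        echo "slapd pid $pid is NOT confined as expected: $current"; return 1
    fi
    # With the profile enforced, also confirm the notify rule is in effect: a
    # start timeout with this line in the journal means the rule is missing.
    logline=$(journalctl -u slapd.service -b -o cat | grep 'sd_notify failed' | tail -n 1)
    if code=$(sd_notify_code_from_log "$logline"); then
        echo "last sd_notify failure: $code ($(sd_notify_errno_name "$code"))"; return 1
    fi
}

if [ "${1:-}" = "--live" ]; then check_live; fi
```

Run it as `sh check-slapd-aa.sh --live` on the upgraded host; without `--live` it only defines the functions, which is how the parsing can be tested on captured strings. The `/proc` check is the one that matters for the bug as filed: `aa-status` listing the profile only shows it was loaded, not that the slapd systemd started is running under it.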