Public bug reported:

On a brand new Lucid installation (dist-upgraded to the latest version, with
slapd 2.4.21-0ubuntu5), I can't feed a new backend to slapd; it fails
with the following error:

adding new entry "olcDatabase=hdb,cn=config"
ldap_add: Other (e.g., implementation specific) error (80)
        additional info: <olcDbIndex> failed startup

In syslog, the relevant messages:
-----------------------------------------8<----------------------------8<--------------------------------
Aug  2 11:42:30 Gany slapd[7049]: slapd starting
Aug  2 11:43:04 Gany slapd[7049]: bdb(dc=meta-it,dc=local): /var/lib/ldap: Permission denied
Aug  2 11:43:04 Gany slapd[7049]: bdb(dc=meta-it,dc=local): PANIC: Permission denied
Aug  2 11:43:04 Gany slapd[7049]: bdb(dc=meta-it,dc=local): unable to join the environment
Aug  2 11:43:04 Gany slapd[7049]: bdb(dc=meta-it,dc=local): /var/lib/ldap: Permission denied
Aug  2 11:43:04 Gany slapd[7049]: hdb_db_open: database "dc=meta-it,dc=local" cannot be opened, err -30974. Restore from backup!
Aug  2 11:43:04 Gany slapd[7049]: bdb(dc=meta-it,dc=local): txn_checkpoint interface requires an environment configured for the transaction subsystem
Aug  2 11:43:04 Gany slapd[7049]: bdb_db_close: database "dc=meta-it,dc=local": txn_checkpoint failed: Invalid argument (22).
Aug  2 11:43:04 Gany slapd[7049]: backend_startup_one (type=hdb, suffix="dc=meta-it,dc=local"): bi_db_open failed! (-30974)
Aug  2 11:43:04 Gany slapd[7049]: olcDbIndex: value #6: <olcDbIndex> failed startup ()!
Aug  2 11:43:04 Gany kernel: [ 9503.137139] type=1400 audit(1280742184.756:137):  operation="getattr" pid=7073 parent=1 profile="/usr/sbin/slapd" name="/var/lib/" pid=7073 comm="slapd" requested_mask="r" denied_mask="r" fsuid=119 ouid=0
Aug  2 11:43:04 Gany kernel: [ 9503.137903] type=1400 audit(1280742184.756:138):  operation="getattr" pid=7073 parent=1 profile="/usr/sbin/slapd" name="/var/lib/" pid=7073 comm="slapd" requested_mask="r" denied_mask="r" fsuid=119 ouid=0
-----------------------------------------8<----------------------------8<--------------------------------

The message says "/var/lib/ldap: Permission denied" but it is misleading
because:
    1. the unix perms are openldap:openldap/755 on /var/lib/ldap
    2. the apparmor profile usr.sbin.slapd includes "/var/lib/ldap/ r,
/var/lib/ldap/** rwk", which seems fine to me.

I used http://blogger.ziesemer.com/2010/05/openldap-ubuntu-linux.html
and http://doc.ubuntu.com/ubuntu/serverguide/C/openldap-server.html as
starting points for my LDAP configuration.

Here is my full run log:

sudo apt-get install slapd libnss-ldap libpam-ldap
  [OK; debconf parameters: RootDN: cn=admin,dc=meta-it, dc=local, BaseDN: 
dc=meta-it, dc=local, RootPW: metasecret, everything else defaults to what 
debconf asks]
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/cosine.ldif
  [OK]
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/nis.ldif
  [OK]
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/inetorgperson.ldif
  [OK]
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/samba.ldif
  [OK]
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/licorn.ldif
  [OK]
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/backend.module.ldif
  [OK]
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/backend.hdb.ldif

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "olcDatabase=hdb,cn=config"
ldap_add: Other (e.g., implementation specific) error (80)
        additional info: <olcDbIndex> failed startup

  [I get the syslog output pasted before]

service apparmor stop
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/backend.hdb.ldif
  [OK]
service apparmor start

Then everything works as expected after this point.

I can avoid stopping apparmor completely by adding "/var/lib/ r," to
the usr.sbin.slapd profile and reloading apparmor, then adding my
backend.hdb.ldif, then removing the profile line and reloading apparmor.

I don't understand why this is a problem, and why slapd needs this one-time
/var/lib access.
Purging the package, rm -rf /var/lib/ldap and reinstalling leads to a 100%
reproducible problem.
Disabling apparmor or adding the temporary line to the apparmor profile leads
to a 100% working workaround.

Feel free to contact me for further information if needed.

** Affects: openldap (Ubuntu)
     Importance: Undecided
         Status: New

-- 
apparmor profile is not good for first backend creation
https://bugs.launchpad.net/bugs/612525
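The type=1400 kernel lines in the report are the AppArmor denials that actually explain the failure; the bdb "Permission denied" is only the symptom. Below is an added example (not part of the bug report or of the openldap/apparmor packages) that parses such audit records from syslog and derives, per profile, the minimal file rule that would satisfy each denial, which for the report's lines is exactly the `/var/lib/ r,` the reporter added by hand. The sample log text is constructed after the report's lines, with the wrapped `comm=` token rejoined.

```python
import re
from collections import defaultdict

# Constructed sample syslog excerpt modelled on the denials in the report
# (the kernel lines are rejoined onto single lines; values are illustrative).
SAMPLE_SYSLOG = """\
Aug  2 11:43:04 Gany slapd[7049]: bdb(dc=meta-it,dc=local): /var/lib/ldap: Permission denied
Aug  2 11:43:04 Gany kernel: [ 9503.137139] type=1400 audit(1280742184.756:137):  operation="getattr" pid=7073 parent=1 profile="/usr/sbin/slapd" name="/var/lib/" pid=7073 comm="slapd" requested_mask="r" denied_mask="r" fsuid=119 ouid=0
Aug  2 11:43:04 Gany kernel: [ 9503.137903] type=1400 audit(1280742184.756:138):  operation="getattr" pid=7073 parent=1 profile="/usr/sbin/slapd" name="/var/lib/" pid=7073 comm="slapd" requested_mask="r" denied_mask="r" fsuid=119 ouid=0
"""

# key="value" pairs as emitted in type=1400 AppArmor audit records
_KV = re.compile(r'(\w+)="([^"]*)"')


def parse_denials(text):
    """Return one dict of audit fields per AppArmor file-access denial."""
    denials = []
    for line in text.splitlines():
        if "type=1400" not in line:
            continue  # not an AppArmor audit record
        fields = dict(_KV.findall(line))
        # Only records that carry a denied_mask and a profile are denials
        # we can turn into a rule; status/other records are skipped.
        if "denied_mask" in fields and "profile" in fields:
            denials.append(fields)
    return denials


def suggest_rules(denials):
    """Map profile path -> set of minimal file rules covering each denial."""
    rules = defaultdict(set)
    for d in denials:
        path = d.get("name")
        if not path:
            continue  # denial without a file name (e.g. a capability)
        # denied_mask lists one character per permission; canonicalise order
        perms = "".join(sorted(set(d["denied_mask"])))
        rules[d["profile"]].add(f"{path} {perms},")
    return dict(rules)


if __name__ == "__main__":
    for profile, rs in suggest_rules(parse_denials(SAMPLE_SYSLOG)).items():
        print(profile)
        for rule in sorted(rs):
            print("  " + rule)
```

Whether such a rule belongs in the shipped profile permanently, or only for the one-time backend creation the reporter describes, is a policy decision; the script only makes the denied access explicit.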