slapd missing apparmor profile, and when applied, fails to start under systemd
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
openldap (Ubuntu) | Status tracked in Resolute | | |
Plucky | In Progress | High | Jonas Jelten |
Questing | In Progress | High | Jonas Jelten |
Resolute | In Progress | High | Jonas Jelten |
Bug Description
Ubuntu 25.04 Plucky saw a change from using init to systemd for starting slapd. When starting slapd using systemd, slapd runs but is terminated by systemd when it fails to receive a notification (sd_notify) from slapd that everything is ok.
root@minerva:
Description: Ubuntu 25.04
Release: 25.04
root@minerva:
Package: slapd
Version: 2.6.9+dfsg-2ubuntu1
Priority: optional
Section: net
Source: openldap
Origin: Ubuntu
Maintainer: Ubuntu Developers <email address hidden>
Original-
Bugs: https:/
Installed-Size: 5,195 kB
Provides: ldap-server
Pre-Depends: debconf, init-system-helpers (>= 1.54~)
Depends: libargon2-1 (>= 0~20171227), libc6 (>= 2.38), libcrypt1 (>= 1:4.1.0), libldap2 (= 2.6.9+dfsg-
Recommends: ldap-utils
Suggests: libsasl2-modules, ufw, libsasl2-
Conflicts: ldap-server
Homepage: https:/
Download-Size: 1,661 kB
APT-Manual-
APT-Sources: http://
Description: OpenLDAP server (slapd)
This is the OpenLDAP (Lightweight Directory Access Protocol) server
(slapd). The server can be used to provide a standalone directory
service.
root@minerva:
Job for slapd.service failed because a timeout was exceeded.
See "systemctl status slapd.service" and "journalctl -xeu slapd.service" for details.
root@minerva:
× slapd.service - OpenLDAP Server Daemon
Loaded: loaded (/usr/lib/
Active: failed (Result: timeout) since Thu 2025-08-07 22:01:36 AEST; 2min 11s ago
Duration: 7h 20min 53.690s
Invocation: 2efc19fa8f9c491
Docs: man:slapd
Process: 87009 ExecStart=sh -c mkdir -p /run/slapd; chown "$SLAPD_
Main PID: 87009 (code=exited, status=0/SUCCESS)
Mem peak: 4.1M
CPU: 49ms
Aug 07 22:00:06 minerva.
Aug 07 22:00:06 minerva.
Aug 07 22:00:06 minerva.
Aug 07 22:00:06 minerva.
Aug 07 22:01:36 minerva.
Aug 07 22:01:36 minerva.
Aug 07 22:01:36 minerva.
Aug 07 22:01:36 minerva.
Aug 07 22:01:36 minerva.
Aug 07 22:01:36 minerva.
root@minerva:
[Unit]
Description=
After=network.
# It doesn't really need network-online. Might revisit this for trixie:
# old initscript does have dependency on network-online.
#After=
# For binding to particular IPs with systemd-networkd, use
#After=
# (with appropriate name for eth0)
Documentation=
Documentation=
Documentation=
[Service]
Type=notify
# /etc/default/slapd sets:
# SLAPD_SERVICES SLAPD_CONF SLAPD_USER SLAPD_GROUP SLAPD_OPTIONS
# Also can set KRB5_KTNAME
EnvironmentFile
# can use User=, but it does not accept $Variables (compatibility)
# can use RuntimeDirectory= but it need to be owned by user anyway
ExecStart=sh -c 'mkdir -p /run/slapd; \
chown "$SLAPD_
[ -d "$SLAPD_CONF" ] && confflag=-F || confflag=-f; \
exec /usr/sbin/slapd -d0 \
[Install]
WantedBy=
Issue due to missing permission in apparmor usr.sbin.slapd:
# systemd sd_notify
/run/
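The Type=notify handshake the description refers to, as an added example that is not from the bug report or the openldap packaging: a minimal stand-in for systemd's side that hands a command a private NOTIFY_SOCKET and waits for READY=1, so a daemon's readiness notification can be checked outside systemd. The two stand-in daemons are hypothetical; point wait_for_ready at a real service command to test that one.

```python
import os
import socket
import subprocess
import sys
import tempfile
import time


def wait_for_ready(cmd, timeout=5.0):
    """Run cmd with a private NOTIFY_SOCKET and return (ready, messages).

    Stand-in for systemd's side of Type=notify: the unit only counts as
    started once READY=1 arrives on the datagram socket named in
    $NOTIFY_SOCKET; with no message before the timeout, the process is
    killed, which is the "Result: timeout" failure in the status output.
    """
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "notify")
        sock = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
        sock.bind(path)
        sock.settimeout(0.2)
        proc = subprocess.Popen(cmd, env=dict(os.environ, NOTIFY_SOCKET=path))
        msgs, ready = [], False
        deadline = time.monotonic() + timeout
        try:
            while not ready and time.monotonic() < deadline:
                try:
                    data = sock.recv(4096)
                except socket.timeout:
                    if proc.poll() is not None:
                        break  # exited without ever notifying
                    continue
                for line in data.decode(errors="replace").split("\n"):
                    if line:
                        msgs.append(line)
                    if line == "READY=1":
                        ready = True
        finally:
            sock.close()
            if proc.poll() is None:
                proc.kill()  # what systemd does when TimeoutStartSec expires
            proc.wait()
        return ready, msgs


# Constructed stand-in daemons (hypothetical, not slapd): one that sends the
# same datagram sd_notify("READY=1") would, and one that never notifies.
NOTIFYING_DAEMON = [sys.executable, "-c",
    "import os, socket; s = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM); "
    "s.sendto(b'READY=1\\nSTATUS=listening', os.environ['NOTIFY_SOCKET'])"]
SILENT_DAEMON = [sys.executable, "-c", "import time; time.sleep(60)"]
```

A daemon whose sandbox (AppArmor here) blocks the write to the notify socket behaves exactly like SILENT_DAEMON from systemd's point of view, even though the process itself is up and serving.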
Related branches
- git-ubuntu bot: Approve
- Athos Ribeiro (community): Approve
- Canonical Server Reporter: Pending requested
-
Diff: 339 lines (+231/-11), 9 files modified:
debian/apparmor-profile (+3/-0)
debian/changelog (+14/-0)
debian/patches/lp2125685-pbkdf2-configurable-rounds.patch (+92/-0)
debian/patches/lp2125685-pbkdf2-fix-iteration-arg.patch (+26/-0)
debian/patches/series (+2/-0)
debian/rules (+6/-8)
debian/tests/control (+5/-1)
debian/tests/pbkdf2-contrib (+63/-0)
debian/tests/slapd (+20/-2)
- git-ubuntu bot: Approve
- Athos Ribeiro (community): Approve
- Canonical Server Reporter: Pending requested
-
Diff: 339 lines (+231/-11), 9 files modified:
debian/apparmor-profile (+3/-0)
debian/changelog (+14/-0)
debian/patches/lp2125685-pbkdf2-configurable-rounds.patch (+92/-0)
debian/patches/lp2125685-pbkdf2-fix-iteration-arg.patch (+26/-0)
debian/patches/series (+2/-0)
debian/rules (+6/-8)
debian/tests/control (+5/-1)
debian/tests/pbkdf2-contrib (+63/-0)
debian/tests/slapd (+20/-2)
- Athos Ribeiro (community): Needs Information
- Canonical Server Reporter: Pending requested
-
Diff: 254 lines (+157/-10), 8 files modified:
debian/apparmor-profile (+3/-0)
debian/changelog (+13/-0)
debian/patches/lp2125685-pbkdf2-configurable-rounds.patch (+92/-0)
debian/patches/lp2125685-pbkdf2-fix-iteration-arg.patch (+22/-0)
debian/patches/series (+2/-0)
debian/rules (+6/-8)
debian/tests/control (+1/-1)
debian/tests/slapd (+18/-1)
- Andreas Hasenack: Pending requested
- Athos Ribeiro: Pending requested
- Canonical Server Reporter: Pending requested
-
Diff: 2226 lines (+805/-196), 39 files modified:
CHANGES (+27/-0)
build/version.var (+3/-3)
clients/tools/common.c (+14/-0)
clients/tools/ldapvc.c (+15/-0)
contrib/slapd-modules/autogroup/autogroup.c (+2/-0)
contrib/slapd-modules/variant/variant.c (+12/-12)
debian/apparmor-profile (+3/-0)
debian/changelog (+22/-0)
debian/patches/lp2125685-pbkdf2-configurable-rounds.patch (+92/-0)
debian/patches/lp2125685-pbkdf2-fix-iteration-arg.patch (+26/-0)
debian/patches/series (+2/-0)
debian/rules (+6/-8)
debian/tests/control (+5/-1)
debian/tests/pbkdf2-contrib (+63/-0)
debian/tests/slapd (+20/-2)
doc/guide/admin/replication.sdf (+22/-3)
doc/guide/admin/slapdconf2.sdf (+62/-61)
doc/man/man5/ldap.conf.5 (+8/-6)
doc/man/man5/slapd-config.5 (+18/-4)
doc/man/man5/slapd.conf.5 (+1/-1)
doc/man/man5/slapo-dynlist.5 (+3/-0)
doc/man/man8/slapacl.8 (+4/-4)
libraries/libldap/error.c (+19/-0)
libraries/libldap/result.c (+60/-2)
libraries/librewrite/subst.c (+6/-6)
servers/lloadd/config.c (+4/-0)
servers/slapd/back-ldif/ldif.c (+71/-22)
servers/slapd/back-mdb/attr.c (+3/-0)
servers/slapd/back-mdb/config.c (+3/-0)
servers/slapd/back-mdb/delete.c (+11/-10)
servers/slapd/back-mdb/tools.c (+2/-1)
servers/slapd/bconfig.c (+109/-24)
servers/slapd/logging.c (+32/-9)
servers/slapd/overlays/autoca.c (+1/-0)
servers/slapd/overlays/memberof.c (+9/-8)
servers/slapd/overlays/pcache.c (+8/-2)
servers/slapd/slapacl.c (+14/-0)
servers/slapd/slapcommon.c (+20/-0)
servers/slapd/syncrepl.c (+3/-7)
summary: |
- slapd fails to start under systemd
+ slapd missing apparmor profile, and when applied, fails to start under systemd
Changed in openldap (Ubuntu Plucky): | |
assignee: | nobody → Andreas Hasenack (ahasenack) |
Changed in openldap (Ubuntu Questing): | |
assignee: | nobody → Andreas Hasenack (ahasenack) |
Changed in openldap (Ubuntu Questing): | |
status: | Triaged → In Progress |
Changed in openldap (Ubuntu Plucky): | |
assignee: | Andreas Hasenack (ahasenack) → Jonas Jelten (jj) |
status: | Triaged → In Progress |
This is surprising to me on at least two levels:
a) Why wasn't this caught before? Seems so basic
b) The slapd apparmor profile doesn't seem to be applied by default. It used to be, or so I thought.
Did you have to enable it by hand? I checked and there is nothing in the slapd maintainer scripts to apply the profile (no postinst snippet).
I just checked noble, and it is applied and enforced there.
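Whether the slapd profile is actually enforced, and what it is blocking, can be read off the kernel's AppArmor audit lines in the journal. Added example, not from this bug or the openldap package: it parses constructed sample lines in that format and separates enforce-mode denials from complain-mode "would have denied" entries.

```python
import re

# Constructed sample journal lines (not from this bug report) in the kernel's
# AppArmor audit format. The second is the shape of denial that would stop a
# confined slapd from writing to systemd's notify socket.
SAMPLE_LINES = [
    'kernel: audit: type=1400 audit(1754568006.123:45): apparmor="STATUS" '
    'operation="profile_load" profile="unconfined" name="/usr/sbin/slapd" '
    'pid=86990 comm="apparmor_parser"',
    'kernel: audit: type=1400 audit(1754568006.456:46): apparmor="DENIED" '
    'operation="sendmsg" class="file" profile="/usr/sbin/slapd" '
    'name="/run/systemd/notify" pid=87009 comm="slapd" requested_mask="w" '
    'denied_mask="w" fsuid=112 ouid=0',
    'kernel: audit: type=1400 audit(1754568007.000:47): apparmor="ALLOWED" '
    'operation="open" profile="/usr/sbin/slapd" '
    'name="/etc/ldap/slapd.d/cn=config.ldif" pid=87009 comm="slapd" '
    'requested_mask="r" denied_mask="r"',
]

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_apparmor_event(line):
    """Return the key=value fields of an AppArmor audit line, quotes stripped."""
    if 'apparmor="' not in line:
        return {}
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def denials_for_profile(lines, profile):
    """Collect (operation, path, denied_mask) for one profile.

    DENIED means the profile is in enforce mode and actually blocked the
    access; ALLOWED with a denied_mask means complain mode logged what it
    would have blocked. Keeping them apart answers both questions raised
    above: is the profile applied, and which rule is it missing.
    """
    enforced, complain = [], []
    for line in lines:
        ev = parse_apparmor_event(line)
        if ev.get("profile") != profile:
            continue
        rec = (ev.get("operation"), ev.get("name"), ev.get("denied_mask"))
        if ev.get("apparmor") == "DENIED":
            enforced.append(rec)
        elif ev.get("apparmor") == "ALLOWED":
            complain.append(rec)
    return enforced, complain
```

On a live host, feed it the output of `journalctl -k` (or `dmesg`) instead of SAMPLE_LINES; no lines at all for the profile, together with `aa-status` not listing it, is the "profile not applied" case from the comment above.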