slapd missing apparmor profile, and when applied, fails to start under systemd

Bug #2119884 reported by Dean
Affects: openldap (Ubuntu), status tracked in Resolute

Series     Status        Importance   Assigned to     Milestone
Plucky     In Progress   High         Jonas Jelten    (none)
Questing   In Progress   High         Jonas Jelten    (none)
Resolute   In Progress   High         Jonas Jelten    (none)

Bug Description

Ubuntu 25.04 Plucky saw a change from using init to systemd for starting slapd. When starting slapd using systemd, slapd runs but is terminated by systemd when it fails to receive a notification (sd_notify) from slapd that everything is ok.

root@minerva:/etc/apt# lsb_release -rd
Description: Ubuntu 25.04
Release: 25.04

root@minerva:/etc/apt# apt info slapd
Package: slapd
Version: 2.6.9+dfsg-2ubuntu1
Priority: optional
Section: net
Source: openldap
Origin: Ubuntu
Maintainer: Ubuntu Developers <email address hidden>
Original-Maintainer: Debian OpenLDAP Maintainers <email address hidden>
Bugs: https://bugs.launchpad.net/ubuntu/+filebug
Installed-Size: 5,195 kB
Provides: ldap-server
Pre-Depends: debconf, init-system-helpers (>= 1.54~)
Depends: libargon2-1 (>= 0~20171227), libc6 (>= 2.38), libcrypt1 (>= 1:4.1.0), libldap2 (= 2.6.9+dfsg-2ubuntu1), li>
Recommends: ldap-utils
Suggests: libsasl2-modules, ufw, libsasl2-modules-gssapi-mit | libsasl2-modules-gssapi-heimdal
Conflicts: ldap-server
Homepage: https://www.openldap.org/
Download-Size: 1,661 kB
APT-Manual-Installed: yes
APT-Sources: http://au.archive.ubuntu.com/ubuntu plucky/main amd64 Packages
Description: OpenLDAP server (slapd)
 This is the OpenLDAP (Lightweight Directory Access Protocol) server
 (slapd). The server can be used to provide a standalone directory
 service.

root@minerva:/etc/apt# systemctl start slapd.service
Job for slapd.service failed because a timeout was exceeded.
See "systemctl status slapd.service" and "journalctl -xeu slapd.service" for details.

root@minerva:/etc/apt# systemctl status slapd.service
× slapd.service - OpenLDAP Server Daemon
     Loaded: loaded (/usr/lib/systemd/system/slapd.service; enabled; preset: enabled)
     Active: failed (Result: timeout) since Thu 2025-08-07 22:01:36 AEST; 2min 11s ago
   Duration: 7h 20min 53.690s
 Invocation: 2efc19fa8f9c491b86b1c9039f12dba7
       Docs: man:slapd
             man:slapd-config
             man:slapd-mdb
    Process: 87009 ExecStart=sh -c mkdir -p /run/slapd; chown "$SLAPD_USER":"$SLAPD_GROUP" /run/slapd; >
   Main PID: 87009 (code=exited, status=0/SUCCESS)
   Mem peak: 4.1M
        CPU: 49ms

Aug 07 22:00:06 minerva.cording.id.au systemd[1]: Starting slapd.service - OpenLDAP Server Daemon...
Aug 07 22:00:06 minerva.cording.id.au slapd[87009]: @(#) $OpenLDAP: slapd 2.6.9+dfsg-2ubuntu1 (Mar 15 2025 05:58:33>
                                                            Ubuntu Developers <email address hidden>
Aug 07 22:00:06 minerva.cording.id.au slapd[87009]: slapd starting
Aug 07 22:00:06 minerva.cording.id.au slapd[87009]: systemd sd_notify failed (-13)
Aug 07 22:01:36 minerva.cording.id.au systemd[1]: slapd.service: start operation timed out. Terminating.
Aug 07 22:01:36 minerva.cording.id.au slapd[87009]: daemon: shutdown requested and initiated.
Aug 07 22:01:36 minerva.cording.id.au slapd[87009]: slapd shutdown: waiting for 0 operations/tasks to finish
Aug 07 22:01:36 minerva.cording.id.au slapd[87009]: slapd stopped.
Aug 07 22:01:36 minerva.cording.id.au systemd[1]: slapd.service: Failed with result 'timeout'.
Aug 07 22:01:36 minerva.cording.id.au systemd[1]: Failed to start slapd.service - OpenLDAP Server Daemon.

root@minerva:/usr/lib/systemd/system# more slapd.service
[Unit]
Description=OpenLDAP Server Daemon
After=network.target
# It doesn't really need network-online. Might revisit this for trixie:
# old initscript does have dependency on network-online.
#After=network-online.target
# For binding to particular IPs with systemd-networkd, use
#After=systemd-networkd-wait-online@eth0:no-carrier.service
# (with appropriate name for eth0)
Documentation=man:slapd
Documentation=man:slapd-config
Documentation=man:slapd-mdb

[Service]
Type=notify
# /etc/default/slapd sets:
# SLAPD_SERVICES SLAPD_CONF SLAPD_USER SLAPD_GROUP SLAPD_OPTIONS
# Also can set KRB5_KTNAME
EnvironmentFile=/etc/default/slapd
# can use User=, but it does not accept $Variables (compatibility)
# can use RuntimeDirectory= but it need to be owned by user anyway
ExecStart=sh -c 'mkdir -p /run/slapd; \
        chown "$SLAPD_USER":"$SLAPD_GROUP" /run/slapd; \
        [ -d "$SLAPD_CONF" ] && confflag=-F || confflag=-f; \
        exec /usr/sbin/slapd -d0 \
                ${SLAPD_SERVICES:+-h "$SLAPD_SERVICES"} \
                ${SLAPD_USER:+-u "$SLAPD_USER"} \
                ${SLAPD_GROUP:+-g "$SLAPD_GROUP"} \
                ${SLAPD_CONF:+$confflag "$SLAPD_CONF"} \
                $SLAPD_OPTIONS'

[Install]
WantedBy=multi-user.target

Issue is due to a missing permission in apparmor usr.sbin.slapd:

 # systemd sd_notify
  /run/systemd/notify w,

Tags: server-todo
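The failure described above is a mismatch between a Type=notify unit and an AppArmor profile that does not allow the daemon to write to the notify socket. The following check is an added example, not part of the bug report or the openldap packaging; the unit and profile files it builds are constructed samples modelled on the snippets quoted above.

```shell
#!/bin/sh
# Added example (not from the bug report): flag a systemd unit that uses
# Type=notify whose AppArmor profile has no write rule for
# /run/systemd/notify. Without that rule sd_notify() fails with EACCES
# (errno 13, logged by slapd as "sd_notify failed (-13)"), systemd never
# receives READY=1, and the start times out as shown in the report.

# check_notify_profile UNIT PROFILE
# Returns 0 when the unit does not need sd_notify or the profile permits it,
# 1 when Type=notify is set but the profile lacks a write rule for the socket.
check_notify_profile() {
    unit="$1"; profile="$2"
    # Only Type=notify (and notify-reload) units depend on the notify socket.
    if ! grep -Eq '^[[:space:]]*Type=notify(-reload)?[[:space:]]*$' "$unit"; then
        return 0
    fi
    # Match "/run/systemd/notify w," or "rw," style rules; a line that starts
    # with "#" is a comment and must not count as a grant.
    if grep -Eq '^[[:space:]]*/run/systemd/notify[[:space:]]+[a-z]*w[a-z]*,' "$profile"; then
        return 0
    fi
    return 1
}

# Constructed sample inputs written to a temp dir: the unit from the report,
# a profile that only mentions the rule in a comment, and a profile that grants it.
tmp=$(mktemp -d)
cat > "$tmp/slapd.service" <<'EOF'
[Service]
Type=notify
ExecStart=/usr/sbin/slapd -d0
EOF
printf '/usr/sbin/slapd {\n  # systemd sd_notify\n  #/run/systemd/notify w,\n}\n' > "$tmp/denied"
printf '/usr/sbin/slapd {\n  # systemd sd_notify\n  /run/systemd/notify w,\n}\n' > "$tmp/allowed"

for p in allowed denied; do
    if check_notify_profile "$tmp/slapd.service" "$tmp/$p"; then
        echo "$p: profile permits sd_notify for a Type=notify unit"
    else
        echo "$p: Type=notify unit but profile blocks /run/systemd/notify"
    fi
done
```

A "blocks" result here corresponds to the "systemd sd_notify failed (-13)" journal line quoted above; the fix is the `/run/systemd/notify w,` rule named in the report.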

Andreas Hasenack (ahasenack) wrote:

This is surprising to me on at least two levels:

a) Why wasn't this caught before? Seems so basic

b) The slapd apparmor profile doesn't seem to be applied by default. It used to be, or so I thought.

Did you have to enable it by hand? I checked and there is nothing in the slapd maintainer scripts to apply the profile (no postinst snippet).

I just checked noble, and it is applied and enforced there.

Andreas Hasenack (ahasenack) wrote (last edit):

The build log of openldap on plucky[1] has this:

dh_apparmor -pslapd --profile-name=usr.sbin.slapd
dh_apparmor: warning: All requested packages have been excluded (e.g. via a Build-Profile or due to architecture restrictions).

uh-oh

1. https://launchpadlibrarian.net/782470240/buildlog_ubuntu-plucky-amd64.openldap_2.6.9+dfsg-2ubuntu1_BUILDING.txt.gz#:~:text=dh_apparmor%20%2Dpslapd%20%2D%2Dprofile%2Dname%3Dusr.sbin.slapd

Changed in openldap (Ubuntu):
importance: Undecided → High
status: New → Triaged
tags: added: server-todo
information type: Public → Public Security
Andreas Hasenack (ahasenack) wrote:

Marking as "public security" until we know more.

Andreas Hasenack (ahasenack) wrote:

Confirmed for questing as well.

Changed in openldap (Ubuntu Plucky):
importance: Undecided → High
status: New → Triaged
summary: - slapd fails to start under systemd
+ slapd missing apparmor profile, and when applied, fails to start under
+ systemd
Changed in openldap (Ubuntu Plucky):
assignee: nobody → Andreas Hasenack (ahasenack)
Changed in openldap (Ubuntu Questing):
assignee: nobody → Andreas Hasenack (ahasenack)
Changed in openldap (Ubuntu Questing):
status: Triaged → In Progress
Andreas Hasenack (ahasenack) wrote:

This is only happening on amd64. I'm remembering a qemu case[1], which also involved build profiles. Something to do with the LP behavior regarding build profiles when building on amd64, because that's also the architecture we use to build arch-all packages. I'm trying to remember what was happening then...

1. https://git.launchpad.net/ubuntu/+source/qemu/commit/?id=886ad04bb326c95b2343b48851638645080c2ee5

Andreas Hasenack (ahasenack) wrote:

> This is only happening on amd64

Hm, no, I'm wrong. We *don't* see this message in the arm64 build logs[1], but it still doesn't ship the apparmor profile:

dh_apparmor: warning: All requested packages have been excluded (e.g. via a Build-Profile or due to architecture restrictions).

1. https://launchpadlibrarian.net/810812359/buildlog_ubuntu-questing-arm64.openldap_2.6.10+dfsg-1ubuntu1_BUILDING.txt.gz

Andreas Hasenack (ahasenack) wrote:

I rebuilt the questing src:openldap package in a noble container, and it also lacks the apparmor profile.

d/rules has had many changes between noble and questing, checking that next...

Andreas Hasenack (ahasenack) wrote:

Ah, ok, dh_apparmor moved to another target.

Noble:
override_dh_install-arch:
(...)
    dh_apparmor -pslapd --profile-name=usr.sbin.slapd

Questing (and probably earlier):

override_dh_auto_install-indep:
(...)
    dh_apparmor -pslapd --profile-name=usr.sbin.slapd

Jonas Jelten (jj)
Changed in openldap (Ubuntu Plucky):
assignee: Andreas Hasenack (ahasenack) → Jonas Jelten (jj)
status: Triaged → In Progress
Andreas Hasenack (ahasenack) wrote:

Jonas, this is the branch I have:

https://code.launchpad.net/~ahasenack/ubuntu/+source/openldap/+git/openldap/+ref/questing-openldap-apparmor-2119884

The relevant commit:
commit fd332b8d456cfc043ed3dc707c41f8c5912b0a8a
Author: Andreas Hasenack <email address hidden>
Date: Tue Aug 26 11:24:32 2025 -0300

      * d/rules: fix apparmor profile installation (LP: #2119884)

diff --git a/debian/rules b/debian/rules
index 684d70627a..b570f4ecb7 100755
--- a/debian/rules
+++ b/debian/rules
@@ -144,6 +144,8 @@ override_dh_auto_install-indep:
            ${installdir}/usr/share/man/man5/ldap.conf.5

 ifeq (${noslapd},)
+override_dh_install-arch:
+ dh_install
        # install AppArmor profile
        install -D -m 644 $(CURDIR)/debian/apparmor-profile \
            $(CURDIR)/debian/slapd/etc/apparmor.d/usr.sbin.slapd
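Review bot: the `+ dh_install` recipe line of the new override_dh_install-arch target shows a single space of indentation while the surrounding recipe lines are indented much further; make sure that line starts with a literal tab, because make rejects a recipe line that is not tab-indented and the override would then fail or, if the line were dropped, install nothing for slapd. Also confirm that everything in the `ifeq (${noslapd},)` block that follows (the AppArmor profile install, the dh_apparmor call and the ufw application profile further down) is meant to move under this -arch recipe rather than stay with override_dh_auto_install-indep, since the -indep target is where the dh_apparmor call was being skipped.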
@@ -157,8 +159,6 @@ ifeq (${noslapd},)
            $(CURDIR)/debian/slapd/etc/ufw/applications.d/slapd
 endif

-override_dh_auto_build: override_dh_auto_build-arch
-
 override_dh_installinit:
        dh_installinit --no-restart-after-upgrade --error-handler=ignore_init_failure -- "defaults 19 80"
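Review bot: the removal of `override_dh_auto_build: override_dh_auto_build-arch` is not covered by the commit message, which only mentions the AppArmor profile installation; add a d/changelog entry (and a line in the commit message) stating that the override is dropped so that the -arch/-indep targets are actually used, as in Debian's 2.6.9+dfsg-1 entry quoted below, so a future merge does not reintroduce it as an accidental delta again.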

The first part is more or less obvious: it fixes installing the apparmor profile. But the second override, the one I'm removing, I just detected because it was also part of a bad merge. But I can't say what the impact is of leaving it out, or in.

That override_dh_auto_build was removed in debian here:
commit 69b998a5f98c2d07e99a4a252d0ee9616e899bfc (tag: pkg/import/2.6.9+dfsg-1, tag: import/2.6.9+dfsg-1)
Author: Ryan Tandy <email address hidden>
Date: Tue Jan 14 18:30:51 2025 -0800

    2.6.9+dfsg-1 (patches unapplied)

    Imported using git-ubuntu import.

...
      * d/rules: Delete override_dh_auto_build target, so that -indep/-arch are
        actually used. See #1014334.

But we reintroduced it (by mistake?) here, in the same commit that incorrectly tried to reapply the apparmor delta:

$ git show 98a18f4bdc5ba15eab807027b9073fdccaba5119 -- debian/rules
commit 98a18f4bdc5ba15eab807027b9073fdccaba5119
Author: Sergio Durigan Junior <email address hidden>
Date: Tue Jun 15 13:31:22 2021 -0400

        - Enable AppArmor support:
          + d/apparmor-profile: add AppArmor profile
          + d/rules: use dh_apparmor
          + d/control: Build-Depends on dh-apparmor
          + d/slapd.README.Debian: add note about AppArmor

diff --git a/debian/rules b/debian/rules
index 9d1e9bf717..3361057fad 100755
--- a/debian/rules
+++ b/debian/rules
@@ -143,6 +143,15 @@ override_dh_auto_install-indep:
        install -Dm0644 ${builddir}/doc/man/man5/ldap.conf.5.tmp \
            ${installdir}/usr/share/man/man5/ldap.conf.5

+ifeq (${noslapd},)
+ # install AppArmor profile
+ install -D -m 644 $(CURDIR)/debian/apparmor-profile \
+ $(CURDIR)/debian/slapd/etc/apparmor.d/usr.sbin.slapd
+ dh_apparmor -pslapd --profile-name=usr.sbin.slapd
+endif
+
+override_dh_auto_build: override_dh_auto_build-arch
+
 override_dh_installinit:
        dh_installinit --no-restart-after-upgrade --error-handler=ignore_init_failure -- "defaults 19 80"
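Review bot: the logic problem in this hunk is that the AppArmor profile install and `dh_apparmor -pslapd` are added under override_dh_auto_install-indep, while slapd is an architecture-dependent package; an arch-only build never runs the -indep target, so the profile is neither installed into debian/slapd nor registered, which is exactly the "All requested packages have been excluded" dh_apparmor warning seen in the build logs above. The `override_dh_auto_build: override_dh_auto_build-arch` line appended at the end of the hunk additionally collapses the -arch/-indep split that separate targets depend on. Both the profile install and the dh_apparmor call belong in an -arch override, and the auto_build override should not be added.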

So I think we should delete "override_dh_auto_build: override_dh_aut...


Jonas Jelten (jj) wrote:

Merge proposals for fixing plucky and questing are up :)

Changed in openldap (Ubuntu Questing):
assignee: Andreas Hasenack (ahasenack) → Jonas Jelten (jj)
This report contains Public Security information  