Blog do projektu Open Source JavaHotel

niedziela, 29 marca 2015

OpenLDAP, Ubuntu, TLS

Problem
I installed OpenLDAP on my Ubuntu 14.04 machine. It worked fine until I tried to authenticate from RHEL 6.6 box. RHEL 6.6 LDAP client requires TLS connection and there is not way to persuade it to change its mind. So I enabled OpenLDAP server for TLS connection using advice provided here. But in turn OpenLDAP server refused to restart. In /var/log/syslog file I found enigmatic entry:

Mar 29 00:47:57 sb-ThinkPad-W540 slapd[11071]: connections_destroy: nothing to destroy.
Mar 29 00:47:57 sb-ThinkPad-W540 kernel: [14766.527083] type=1400 audit(1427586477.983:83): 
apparmor="DENIED" operation="open" profile="/usr/sbin/slapd" name="/usr/share/p11-kit/modules/" 
pid=11070 comm="slapd" requested_mask="r" denied_mask="r" fsuid=122 ouid=0
Solution
After browsing I discovered that there exists linux kernel guardian called AppArmor and this Cerberus denies OpenLDAP server access to some configuration directories. But the solution was quite simple. Adding several lines to slapd profile opens this gate and now my LDAP server works as expected
File /etc/apparmor.d/usr.sbin.slapd
/usr/share/p11-kit/modules/ r,
/usr/share/p11-kit/modules/* r,
/usr/lib/x86_64-linux-gnu/pkcs11/ m,
/usr/lib/x86_64-linux-gnu/pkcs11/* m,