Friday, July 18, 2008

OpenLDAP multiple database support under Ubuntu

My OpenLDAP slapd was working just fine, until I tried to run multiple databases. I had created multiple new directories under /var/lib/ldap and moved the original contents of /var/lib/ldap to one of these new subdirectories. In this setup, when starting slapd, it would fail and I would get the following error in the syslog:

[10871.644142] audit(1216392346.825:24): type=1503 operation="inode_create" requested_mask="w::" denied_mask="w::"
name="/var/lib/ldap/database1/DUMMY" pid=16406 profile="/usr/sbin/slapd" namespace="default"
/etc/ldap/slapd.conf: line 64: invalid path: Permission denied

The audit entry is an audit from AppArmor. It seems that in Ubuntu AppArmor is configured for slapd, and in such a way that it cannot support multiple databases. In the /etc/apparmor.d/usr.sbin.slapd file it says:

# the databases and logs
/var/lib/ldap/ r,
/var/lib/ldap/* rw,

The single * means everything except when it contains a / (excluding subdirectories). So in order to support multiple LDAP databases, one needs to rewrite the /var/lib/ldap/* rw entry as:

/var/lib/ldap/** rwk,

This will grant read/ write access to slapd on this directory and all subdirectories thereof. Another thing that I had to do is appending the k to rw, in order for slapd to be allowed to lock files as well (I got audit messages complaining about operation="file_lock"). After a restart of AppArmor, e.g. "/etc/init.d/apparmor restart", it is now possible to start slapd again and have multiple databases, e.g. /var/lib/ldap/database1, /var/lib/ldap/database2, etc.


Albert Choy said...

Wow, thanks for figuring this out.

Tan Nhu said...

Thank you very much, this is the best post on the Internet right now for solving issues with multiple databases.

Anonymous said...

A slight modification on this that is a more granular modification of the existing configuration.

/var/lib/ldap/** rw,
/var/lib/ldap/{,**/}alock kw,

[BOFH]Basilisk said...

Thanks anonymous! I'll give that config a try and update the post when I get it to work! Cheers,