My OpenLDAP slapd was working just fine, until I tried to run multiple databases. I had created multiple new directories under /var/lib/ldap and moved the original contents of /var/lib/ldap to one of these new subdirectories. In this setup, when starting slapd, it would fail and I would get the following error in the syslog:
[10871.644142] audit(1216392346.825:24): type=1503 operation="inode_create" requested_mask="w::" denied_mask="w::"
name="/var/lib/ldap/database1/DUMMY" pid=16406 profile="/usr/sbin/slapd" namespace="default"
/etc/ldap/slapd.conf: line 64: invalid path: Permission denied
The audit entry comes from AppArmor. On Ubuntu, AppArmor ships a profile for slapd, and that profile is written in a way that does not support multiple databases. In /etc/apparmor.d/usr.sbin.slapd it says:
# the databases and logs
A single * matches any file name except one containing a /, so subdirectories are excluded. To support multiple LDAP databases, the /var/lib/ldap/* rw entry therefore needs to be rewritten as:
This grants slapd read/write access to the directory and all subdirectories thereof. Another thing I had to do was append k to rw, so that slapd is also allowed to lock files (I got audit messages complaining about operation="file_lock"). After restarting AppArmor, e.g. "/etc/init.d/apparmor restart", it is now possible to start slapd again and have multiple databases, e.g. /var/lib/ldap/database1, /var/lib/ldap/database2, etc.
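To make the difference between * and ** concrete, here is an added example (my own code, not part of the original post or of AppArmor) that models the two profile entries discussed above and checks the path from the audit message against them. The rule text /var/lib/ldap/* rw, and /var/lib/ldap/** rwk, is reconstructed from the post's description, the sample file name example.bdb is constructed, and the matcher is a deliberate simplification: it supports only *, ** and ?, unions permissions of all matching rules, and ignores AppArmor features such as {a,b} alternation, [] classes and deny rules.

```python
import re

# Reconstructed from the post (assumption): the entry in the stock Ubuntu
# profile and the revised entry that allows subdirectories plus file locking.
ORIGINAL_RULES = """
# the databases and logs
/var/lib/ldap/* rw,
"""
REVISED_RULES = """
# the databases and logs
/var/lib/ldap/** rwk,
"""

# Path taken from the AppArmor audit line quoted in the post.
DENIED_PATH = "/var/lib/ldap/database1/DUMMY"


def glob_to_regex(pattern):
    """Translate a (simplified) AppArmor path glob into a compiled regex.

    '*'  matches any run of characters that does not contain '/'.
    '**' matches any run of characters, including '/', so it descends
         into subdirectories.
    '?'  matches exactly one character other than '/'.
    """
    out = []
    i = 0
    while i < len(pattern):
        c = pattern[i]
        if c == "*":
            if i + 1 < len(pattern) and pattern[i + 1] == "*":
                out.append(".*")          # ** crosses directory boundaries
                i += 2
                continue
            out.append("[^/]*")           # * stays within one path component
        elif c == "?":
            out.append("[^/]")
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile("^" + "".join(out) + "$")


def parse_rules(text):
    """Parse 'path perms,' lines into (regex, permission-set) pairs.

    Blank lines and '#' comments are skipped; a rule without the trailing
    comma is rejected because apparmor_parser would reject it too.
    """
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if not line.endswith(","):
            raise ValueError(f"rule missing trailing comma: {line!r}")
        path, perms = line[:-1].rsplit(None, 1)
        rules.append((glob_to_regex(path), frozenset(perms)))
    return rules


def granted_perms(rules, path):
    """Union of the permissions of every rule whose glob matches the path."""
    perms = set()
    for regex, p in rules:
        if regex.match(path):
            perms |= p
    return frozenset(perms)


def is_allowed(rules, path, requested):
    """True when every requested permission letter is granted for the path."""
    return set(requested) <= granted_perms(rules, path)


if __name__ == "__main__":
    original = parse_rules(ORIGINAL_RULES)
    revised = parse_rules(REVISED_RULES)
    for label, rules in (("original", original), ("revised", revised)):
        for path, req in (("/var/lib/ldap/example.bdb", "rw"),
                          (DENIED_PATH, "w"),
                          (DENIED_PATH, "k")):
            verdict = "allowed" if is_allowed(rules, path, req) else "DENIED"
            print(f"{label:8} {path} {req}: {verdict}")
```

Running the block reproduces the symptom: the original entry allows rw on a file directly in /var/lib/ldap but denies a write to database1/DUMMY, and it never grants k anywhere, while the revised entry allows both. The same helper is a handy way to sanity-check any glob edit before reloading the profile.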