Permission denied for /etc/ldap2/slapd.d/cn=config.ldif

I'm trying to start a second slapd instance on port 400, and /var/log/syslog is reporting the error from the title. The steps I took so far are:

  1. copied /etc/ldap/slapd.d to /etc/ldap2/slapd.d
  2. copied /etc/default/slapd to /etc/default/slapd2, which looks like this: http://pastebin.com/QKA436v8
  3. copied /etc/init.d/slapd to /etc/init.d/slapd2, which looks like this: http://pastebin.com/sqVzZ1jA

This is the output from /var/log/syslog:

Jun  6 12:39:39 luka-VB-Ubuntu slapd2[3138]: @(#) $OpenLDAP: slapd  (Ubuntu) (Sep 15 2015 18:19:13) $#012#011buildd@lgw01-53:/build/openldap-2QUgtL/openldap-2.4.31/debian/build/servers/slapd
Jun  6 12:39:39 luka-VB-Ubuntu slapd2[3138]: ldif_read_file: Permission denied for "/etc/ldap2/slapd.d/cn=config.ldif"
Jun  6 12:39:39 luka-VB-Ubuntu slapd2[3138]: slapd stopped.
Jun  6 12:39:39 luka-VB-Ubuntu slapd2[3138]: connections_destroy: nothing to destroy.
Jun  6 12:39:39 luka-VB-Ubuntu kernel: [11912.288340] audit: type=1400 audit(1465209579.742:68): apparmor="DENIED" operation="open" profile="/usr/sbin/slapd" name="/etc/ldap2/slapd.d/cn=config.ldif" pid=3138 comm="slapd2" requested_mask="r" denied_mask="r" fsuid=117 ouid=117

EDIT:

These are the permissions for that file and for the directory it resides in (/etc/ldap2/slapd.d/):

drwxr-xr-x 3 openldap openldap 4096 Jun  6 15:16 ./
drwxr-xr-x 5 root     root     4096 Jun  1 14:23 ../
drwxr-x--- 3 openldap openldap 4096 Jun  1 14:23 cn=config/
-rw------- 1 openldap openldap  480 Jun  6 15:16 cn=config.ldif

and these are for the cn=config/ dir:

drwxr-x--- 3 openldap openldap 4096 Jun  1 14:23 .
drwxr-xr-x 3 openldap openldap 4096 Jun  6 15:16 ..
-rw-rw-rw- 1 openldap openldap  436 Jun  1 14:23 cn=module{0}.ldif
drw-rw-rw- 2 openldap openldap 4096 Jun  1 14:23 cn=schema
-rw-rw-rw- 1 openldap openldap  378 Jun  1 14:23 cn=schema.ldif
-rw-rw-rw- 1 openldap openldap  396 Jun  1 14:23 olcBackend={0}hdb.ldif
-rw-rw-rw- 1 openldap openldap  513 Jun  1 14:23 olcDatabase={0}config.ldif
-rw-rw-rw- 1 openldap openldap  657 Jun  1 14:23 olcDatabase={-1}frontend.ldif
-rw-rw-rw- 1 openldap openldap 1131 Jun  1 14:23 olcDatabase={1}hdb.ldif

The permissions for equivalent default files are as follows (/etc/ldap/slapd.d/):

drwxr-xr-x 3 openldap openldap 4096 Mar 18 13:51 ./
drwxr-xr-x 5 root     root     4096 May 31 16:49 ../
drwxr-x--- 3 openldap openldap 4096 Mar 18 14:06 cn=config/
-rw------- 1 openldap openldap  478 Mar 18 13:51 cn=config.ldif

and for the cn=config/:

drwxr-x--- 3 openldap openldap 4096 Mar 18 14:06 .
drwxr-xr-x 3 openldap openldap 4096 Mar 18 13:51 ..
-rw------- 1 openldap openldap  436 Mar 18 13:51 cn=module{0}.ldif
drwxr-x--- 2 openldap openldap 4096 Mar 18 13:51 cn=schema
-rw------- 1 openldap openldap  378 Mar 18 13:51 cn=schema.ldif
-rw------- 1 openldap openldap  396 Mar 18 13:51 olcBackend={0}hdb.ldif
-rw------- 1 openldap openldap  513 Mar 18 13:51 olcDatabase={0}config.ldif
-rw------- 1 openldap openldap  657 Mar 18 13:51 olcDatabase={-1}frontend.ldif
-rw------- 1 openldap openldap 1131 Mar 18 14:06 olcDatabase={1}hdb.ldif
Luka asked Sep 13 '25 09:09
1 Answer

I have just run into the same problem on Ubuntu 16.04. Looking into the logs, it turned out to be an AppArmor restriction.

slapd[10245]: ldif_read_file: Permission denied for "/home/vagrant/ldap/slapd.d/cn=config.ldif"
kernel: [77635.949937] audit: type=1400 audit(1489959083.939:65): apparmor="DENIED" operation="open" profile="/usr/sbin/slapd" name="/home/vagrant/ldap/slapd.d/cn=config.ldif" pid=10245 comm="slapd" requested_mask="r" denied_mask="r" fsuid=0 ouid=113

If you have the same error then you either need to edit /etc/apparmor.d/usr.sbin.slapd to include your paths or just disable the profile with the following:

ln -s /etc/apparmor.d/usr.sbin.slapd /etc/apparmor.d/disable/
service apparmor reload

aa-disable slapd does the same if you have apparmor-utils installed. If you still want to see the warnings, use aa-complain slapd instead.

ntki answered Sep 16 '25 02:09
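The answer's first option, editing the profile to include your paths, keeps the confinement in place instead of dropping it. The script below is an added example, not from the question or answer: it reads the kernel audit lines that AppArmor writes (the same format as the two lines quoted on this page, embedded here as constructed sample input) and turns each denial for the slapd profile into a minimal rule granting only the access that was denied. It assumes the Ubuntu profile includes /etc/apparmor.d/local/usr.sbin.slapd; verify that include line in /etc/apparmor.d/usr.sbin.slapd before appending.

```shell
#!/bin/sh
# Added example: turn AppArmor "DENIED" audit lines into rules for the slapd
# profile's local override file. Assumes /etc/apparmor.d/usr.sbin.slapd has
# "#include <local/usr.sbin.slapd>" (check before relying on it).

# Constructed sample input: the two kernel audit lines quoted on this page.
SAMPLE_DENIALS='kernel: [11912.288340] audit: type=1400 audit(1465209579.742:68): apparmor="DENIED" operation="open" profile="/usr/sbin/slapd" name="/etc/ldap2/slapd.d/cn=config.ldif" pid=3138 comm="slapd2" requested_mask="r" denied_mask="r" fsuid=117 ouid=117
kernel: [77635.949937] audit: type=1400 audit(1489959083.939:65): apparmor="DENIED" operation="open" profile="/usr/sbin/slapd" name="/home/vagrant/ldap/slapd.d/cn=config.ldif" pid=10245 comm="slapd" requested_mask="r" denied_mask="r" fsuid=0 ouid=113'

# Print the value of key="value" for key $1, reading one audit line on stdin.
audit_field() {
    sed -n "s/.*[[:space:]]$1=\"\([^\"]*\)\".*/\1/p"
}

# Read audit lines on stdin; for every DENIED event whose profile matches $1
# (default /usr/sbin/slapd) emit two rules: read access on the parent
# directory and exactly the denied mask on everything below it, so the whole
# copied slapd.d tree is covered rather than one file at a time.
denials_to_rules() {
    profile="${1:-/usr/sbin/slapd}"
    grep 'apparmor="DENIED"' | while IFS= read -r line; do
        p=$(printf '%s\n' "$line" | audit_field profile)
        [ "$p" = "$profile" ] || continue
        name=$(printf '%s\n' "$line" | audit_field name)
        mask=$(printf '%s\n' "$line" | audit_field denied_mask)
        dir=$(dirname "$name")
        printf '%s/ r,\n%s/** %s,\n' "$dir" "$dir" "$mask"
    done | sort -u
}

# Demo on the constructed sample; on a real host feed /var/log/syslog or
# journalctl -k output instead, review the rules, append them to
# /etc/apparmor.d/local/usr.sbin.slapd and reload with
#   apparmor_parser -r /etc/apparmor.d/usr.sbin.slapd
printf '%s\n' "$SAMPLE_DENIALS" | denials_to_rules
```

Each run only grants what has already been denied, so repeat it after restarting slapd2 if the log shows further denials (writes to the config directory, the database directory, the second pid file).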