• Bug
  • 203.11.3: "Operation not permitted" error when saving LDAP configuration

Every time I hit the Save button at the LDAP configuration page, I am getting the following error message:
Configuration updated, but save to disk failed: 1 - Operation not permitted

The changes are saved just fine, but still, the error message on a red background is still shown every time. This even happens on a newly installed Grommunio Server.

I was able to reproduce this using the Grommunio Appliance with supported sources.

Affected Version:
S | Name | Type | Version | Arch | Repository
---+-------------------------------------+------------+---------------------------------+--------+------------------
| branding-grommunio | srcpackage | 1-lp155.17.1 | noarch | grommunio
i | grommunio | pattern | 1-lp155.9.1 | x86_64 | grommunio
i+ | grommunio-admin-api | package | 1.15.1.3b491ef-lp155.33.1 | noarch | grommunio
| grommunio-admin-api | srcpackage | 1.15.1.3b491ef-lp155.33.1 | noarch | grommunio
| grommunio-admin-api-bash-completion | package | 1.15.1.3b491ef-lp155.33.1 | noarch | grommunio
i+ | grommunio-admin-common | package | 35.36c09d4-lp155.20.1 | noarch | grommunio
| grommunio-admin-common | srcpackage | 35.36c09d4-lp155.20.1 | noarch | grommunio
i+ | grommunio-admin-web | package | 2.9.0.49.ad47567-lp155.13.1 | noarch | grommunio
| grommunio-admin-web | srcpackage | 2.9.0.49.ad47567-lp155.13.1 | noarch | grommunio
i+ | grommunio-antispam | package | 3.8.4-lp155.1.1 | x86_64 | grommunio
| grommunio-antispam | srcpackage | 3.8.4-lp155.1.1 | noarch | grommunio
| grommunio-antispam-debuginfo | package | 3.8.4-lp155.1.1 | x86_64 | grommunio
| grommunio-antispam-debugsource | package | 3.8.4-lp155.1.1 | x86_64 | grommunio
| grommunio-archive | package | 1.3.13.g137.d1b0df1b-lp155.6.24 | x86_64 | grommunio
| grommunio-archive | srcpackage | 1.3.13.g137.d1b0df1b-lp155.6.27 | noarch | grommunio
| grommunio-archive | srcpackage | 1.3.13.g137.d1b0df1b-lp155.6.26 | noarch | grommunio
| grommunio-archive | srcpackage | 1.3.13.g137.d1b0df1b-lp155.6.24 | noarch | grommunio
| grommunio-archive | srcpackage | 1.3.13.g137.d1b0df1b-lp155.6.18 | noarch | grommunio
| grommunio-archive-debuginfo | package | 1.3.13.g137.d1b0df1b-lp155.6.24 | x86_64 | grommunio
| grommunio-archive-debugsource | package | 1.3.13.g137.d1b0df1b-lp155.6.24 | x86_64 | grommunio
| grommunio-auth | package | 0.2.16.e187c26-lp155.20.1 | noarch | grommunio
| grommunio-chat | package | 7.8.0-lp155.5.1 | x86_64 | grommunio
i+ | grommunio-common | package | 24.0cedcbe-lp155.21.1 | x86_64 | grommunio
| grommunio-common | srcpackage | 24.0cedcbe-lp155.21.1 | noarch | grommunio
i+ | grommunio-cui | package | 1.0.265.2c7abfc-lp155.26.1 | noarch | grommunio
| grommunio-cui | srcpackage | 1.0.265.2c7abfc-lp155.26.1 | noarch | grommunio
i+ | grommunio-dav | package | 1.3.20.45e9e18-lp155.1.1 | noarch | grommunio
| grommunio-dav | srcpackage | 1.3.20.45e9e18-lp155.1.1 | noarch | grommunio
i+ | grommunio-dbconf | package | 1.1.1.da20a46-lp155.16.1 | x86_64 | grommunio
| grommunio-dbconf | srcpackage | 1.1.1.da20a46-lp155.16.1 | noarch | grommunio
| grommunio-dbconf-debuginfo | package | 1.1.1.da20a46-lp155.16.1 | x86_64 | grommunio
| grommunio-dbconf-debugsource | package | 1.1.1.da20a46-lp155.16.1 | x86_64 | grommunio
i | grommunio-error-pages | package | 1.0.10.bb2df37-lp155.17.1 | noarch | grommunio
| grommunio-error-pages | srcpackage | 1.0.10.bb2df37-lp155.17.1 | noarch | grommunio
| grommunio-files | package | 26.0.12-lp155.5.1 | noarch | grommunio
| grommunio-files | package | 26.0.12-lp155.4.2 | noarch | grommunio
i+ | grommunio-imapsync | package | 2.264-lp155.2.1 | noarch | grommunio
i+ | grommunio-index | package | 1.0.1.gd50c1fd-lp155.21.1 | x86_64 | grommunio
| grommunio-index | srcpackage | 1.0.1.gd50c1fd-lp155.21.1 | noarch | grommunio
| grommunio-index-debuginfo | package | 1.0.1.gd50c1fd-lp155.21.1 | x86_64 | grommunio
| grommunio-index-debugsource | package | 1.0.1.gd50c1fd-lp155.21.1 | x86_64 | grommunio
| grommunio-keycloak | package | 22.0.5-lp155.3.2 | noarch | grommunio
| grommunio-office | package | 7.4.1-lp155.4.4 | x86_64 | grommunio
| grommunio-office-debuginfo | package | 7.4.1-lp155.4.4 | x86_64 | grommunio
| grommunio-office-fonts | package | 7.4.1-lp155.4.4 | noarch | grommunio
i+ | grommunio-release | package | 2023.11.3-lp155.12.1 | x86_64 | grommunio
| grommunio-release | srcpackage | 2023.11.3-lp155.12.1 | noarch | grommunio
i+ | grommunio-setup | package | 1.0.109.048c9c5-lp155.28.1 | noarch | grommunio
| grommunio-setup | srcpackage | 1.0.109.048c9c5-lp155.28.1 | noarch | grommunio
i+ | grommunio-sync | package | 2.0.80.655dec9-lp155.34.1 | noarch | grommunio
| grommunio-sync | srcpackage | 2.0.80.655dec9-lp155.34.1 | noarch | grommunio
i+ | grommunio-web | package | 3.7.10.5218bbf5-lp155.11.6 | noarch | grommunio
| grommunio-web | srcpackage | 3.7.10.5218bbf5-lp155.11.6 | noarch | grommunio
i+ | grub2-theme-grommunio | package | 1-lp155.17.1 | noarch | grommunio
| jitsi-meet-branding-grommunio | package | 2.0.6726-lp155.11.1 | noarch | grommunio
| jitsi-meet-branding-grommunio | package | 2.0.6726-lp155.10.1 | noarch | grommunio
| jitsi-meet-branding-grommunio | srcpackage | 2.0.6726-lp155.11.1 | noarch | grommunio
| jitsi-meet-branding-grommunio | srcpackage | 2.0.6726-lp155.10.1 | noarch | grommunio
i+ | NAME="grommunio" | product | "2023.11.3" | noarch | (System Packages)
i+ | patterns-grommunio | package | 1-lp155.9.1 | x86_64 | grommunio
| patterns-grommunio | srcpackage | 1-lp155.9.1 | noarch | grommunio
i+ | plymouth-theme-grommunio | package | 1-lp155.17.1 | noarch | grommunio
i | system-user-grommunio | package | 3-lp155.10.6 | noarch | grommunio
v | system-user-grommunio | package | 3-lp155.10.5 | noarch | grommunio
v | system-user-grommunio | package | 3-lp155.10.4 | noarch | grommunio
v | system-user-grommunio | package | 3-lp155.10.3 | noarch | grommunio
v | system-user-grommunio | package | 3-bp155.1.4 | noarch | base
| system-user-grommunio | srcpackage | 3-lp155.10.6 | noarch | grommunio
| system-user-grommunio | srcpackage | 3-lp155.10.5 | noarch | grommunio
| system-user-grommunio | srcpackage | 3-lp155.10.4 | noarch | grommunio
| system-user-grommunio | srcpackage | 3-lp155.10.3 | noarch | grommunio
i+ | systemd-coredump-grommunio | package | 1-lp155.3.1 | noarch | grommunio
| systemd-coredump-grommunio | srcpackage | 1-lp155.3.1 | noarch | grommunio
i | systemd-presets-branding-grommunio | package | 2023.11-lp155.1.1 | noarch | grommunio
| systemd-presets-branding-grommunio | srcpackage | 2023.11-lp155.1.1 | noarch | grommunio

Check your file permissions

# ls -ld /etc/gromox/ /etc/gromox/ldap_adaptor.cfg
drwxr-xr-x 1 grommunio gromoxcf  414 Mar 25 13:18 /etc/gromox/
-rw-rw---- 1 grommunio gromoxcf 1042 Mar 30 04:46 /etc/gromox/ldap_adaptor.cfg

    crpb

    ls -ld /etc/gromox/ /etc/gromox/ldap_adaptor.cfg
    drwxr-xr-x 2 grommunio gromoxcf 333 Mar 25 13:18 /etc/gromox/
    -rw-r--r-- 1 grommunio nginx 1078 Mar 29 21:55 /etc/gromox/ldap_adaptor.cfg

    Perhaps deleting the LDAP configuration and re-creating it has caused this.

    Problem persists even when changing the ownership and file permissions accordingly.
    Configuration updated, but save to disk failed: 1 - Operation not permitted

    ...

    chown grommunio:gromoxcf /etc/gromox/{ldap_adaptor,authmgr}.cfg
    chmod 0660 /etc/gromox/{ldap_adaptor,authmgr}.cfg

      I have seen this issue too, but the configuration was saved and LDAP worked.

      So I looked a bit at the code and even found the logic to set the correct permissions.

      BUT...

      back to permission problems ++ introduction of g:gromoxcf

      • permission defaults we want

        # grommunio-admin config dump mconf
        authmgrPath: /etc/gromox/authmgr.cfg
        fileGid: gromoxcf
        fileUid: grommunio
        ldapPath: /etc/gromox/ldap_adaptor.cfg
      • the admin-api is run as u:grommunio:g:nginx + sup. g:grommunio

        • we are missing g:gromoxcf in supplementary at least for this su/ExecStart= 🦖
      • u:grommunio isn't a member of g:gromoxcf ⚠️

        • which means we can't set g:gromoxcf as u:grommunio because it isn't allowed.
          • (can be ignored if sup. groups are always set correctly ⁉️)
      • grommunio-admin mconf save {ldap,authmgr} calls w/ a file

      • /system/mconf/ldap calls with json

        • which ends in _dumpConf and tries to set perms but doesn't have the group memberships to do so. 😞

      ... i think... *duck*

      👋 @mwilliams @jengelh @jschroeder 👋
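
The permission rule behind the EPERM discussed in the post above, as an added example that is not part of the thread or of grommunio's code: a simplified Python model of the Linux chown(2) check, run against the three states the thread goes through. The numeric IDs are constructed placeholders, and `chown_allowed`, `check_path` and `scenario` are hypothetical helper names.

```python
import os


def chown_allowed(file_uid, file_gid, new_uid, new_gid, euid, groups):
    """Simplified model of the Linux chown(2) permission check.

    groups: effective GID plus supplementary GIDs of the caller.
    new_uid / new_gid of -1 mean "leave unchanged", as in os.chown().
    """
    if euid == 0:
        return True                # root holds CAP_CHOWN
    if new_uid != -1 and not (euid == file_uid == new_uid):
        return False               # a real owner change needs CAP_CHOWN
    if new_gid == -1:
        return True
    if euid != file_uid:
        return False               # only the file's owner may change its group
    # Allowed: keep the current group, or switch to a group the caller is in.
    return new_gid == file_gid or new_gid in groups


def check_path(path, want_uid, want_gid):
    """Apply the model to a real file and this process; changes nothing."""
    st = os.stat(path)
    groups = set(os.getgroups()) | {os.getegid()}
    return chown_allowed(st.st_uid, st.st_gid, want_uid, want_gid,
                         os.geteuid(), groups)


# Constructed numeric IDs standing in for the accounts named in the thread.
GROMMUNIO, NGINX, GROMMUNIO_G, GROMOXCF = 450, 451, 452, 453
API_GROUPS = {NGINX, GROMMUNIO_G}  # g:nginx + sup. g:grommunio, no gromoxcf


def scenario(file_gid, groups):
    """Service user owns the file and requests grommunio:gromoxcf."""
    return chown_allowed(GROMMUNIO, file_gid, GROMMUNIO, GROMOXCF,
                         GROMMUNIO, groups)


SCENARIOS = {
    "file is grommunio:nginx": scenario(NGINX, API_GROUPS),
    "file already grommunio:gromoxcf": scenario(GROMOXCF, API_GROUPS),
    "gromoxcf added as supplementary group": scenario(NGINX, API_GROUPS | {GROMOXCF}),
}

if __name__ == "__main__":
    for name, ok in SCENARIOS.items():
        print(f"{name}: {'allowed' if ok else 'EPERM (errno 1)'}")
```

Run as the service user, `check_path("/etc/gromox/ldap_adaptor.cfg", uid, gid)` reports whether the requested ownership would be accepted, without modifying the file.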

      crpb

      Confirmed. When setting the proper permissions for both ldap_adaptor.cfg and authmgr.cfg, the error no longer occurs. I am getting a green "Success" message now. 🙂

      One more thing I noticed, when you have STARTTLS enabled, you sometimes see the following when saving instead of "Success":
      Could not connect to LDAP server: 'NoneType' object has no attribute 'start_tls'
