ActiveLdap wants to find your subschemaSubentry

Today was the second time I had to research the same problem with OpenLDAP and ActiveLdap. I have no idea what happened to the solution that I found and employed, but it’s gone. Can’t find it. No love from grep.

The problem is this error in ActiveLdap:

 undefined method `[]' for nil:NilClass - (NoMethodError)
 ../active_ldap/adapter/base.rb:99:in `schema'

The solution is to add two ACL lines to my slapd.conf or one of its includes:

 access to dn.base="" by * read
 access to dn.base="cn=Subschema" by * read

The reason is that ActiveLdap apparently queries the schema anonymously, and my ACLs are too mean and stingy to allow that. If you start your development with strict ACLs, you hit the problem early. If you wait until near deployment time to tighten up the security, you will be surprised when stuff just stops working.

You can see whether your ACLs are preventing access to the schema by running the following ldapsearch command:

 ldapsearch -x -H ldap://www.example.com -b '' -s base subschemaSubentry

If the result doesn't look like the example below, try adding the two ACL lines above. The important part is the second section, where the value of subschemaSubentry is 'cn=Subschema'.

 # extended LDIF
 #
 # LDAPv3
 # base  with scope base
 # filter: (objectclass=*)
 # requesting: subschemaSubentry
 #

 #
 dn:
 subschemaSubentry: cn=Subschema

 # search result
 search: 2
 result: 0 Success

 # numResponses: 2
 # numEntries: 1
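As an added example (not code from the original post or from ActiveLdap), here is a small POSIX shell script that automates the check above. It parses the LDIF that ldapsearch prints for the root DSE, pulls out the subschemaSubentry value, and then verifies that the schema entry itself is anonymously readable, which is exactly what the two ACL lines grant. The server URI `ldap://ldap.example.com` is an assumed placeholder, and the LDIF fed to the parser in the test is constructed sample output.

```shell
#!/bin/sh
# Added example: does the directory expose its schema to an anonymous bind,
# the way ActiveLdap expects? Usage: sh check_schema.sh ldap://ldap.example.com

# Read LDIF on stdin and print the subschemaSubentry value.
# Exit 1 when the attribute is missing or empty (the ACL symptom above).
# Comment lines from ldapsearch are skipped and LDIF continuation lines
# (those starting with a single space) are folded back into the attribute.
schema_dn_from_ldif() {
  awk '
    /^#/ { next }                              # ldapsearch commentary
    /^ /  { buf = buf substr($0, 2); next }    # continuation line
    { flush(); buf = $0 }
    END { flush(); exit found ? 0 : 1 }
    function flush() {
      if (!found && buf ~ /^subschemaSubentry: *[^ ]/) {
        sub(/^subschemaSubentry: */, "", buf)
        print buf
        found = 1
      }
      buf = ""
    }'
}

# $1 is an LDAP URI (assumed placeholder: ldap://ldap.example.com).
# Uses simple anonymous bind (-x), the same kind of access ActiveLdap
# relies on when it loads the schema.
check_schema_access() {
  uri="$1"

  # Step 1: the root DSE (dn.base="") must advertise subschemaSubentry.
  dn=$(ldapsearch -x -H "$uri" -b '' -s base subschemaSubentry 2>/dev/null \
       | schema_dn_from_ldif) || {
    echo "no subschemaSubentry from $uri: check the ACL for dn.base=\"\"" >&2
    return 1
  }
  echo "root DSE points at: $dn"

  # Step 2: the schema entry itself (normally cn=Subschema) must be readable.
  # Attribute list "1.1" asks for no attributes, so only the dn line comes back;
  # an ACL that hides the entry yields no dn line (or a noSuchObject error).
  ldapsearch -x -H "$uri" -b "$dn" -s base -LLL 1.1 2>/dev/null \
    | grep -q '^dn:' || {
    echo "$dn not readable anonymously: check the ACL for dn.base=\"$dn\"" >&2
    return 1
  }
  echo "schema entry $dn is readable anonymously"
}

if [ "$#" -gt 0 ]; then
  check_schema_access "$1"
fi
```

Run it against the server before and after adding the ACL lines; the first step failing is the condition that produces the `nil:NilClass` error in ActiveLdap, and the second step failing is the case where the root DSE is open but `cn=Subschema` is still locked down.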