"Our attempts to find your SCHEMA for "attributetypes" have FAILED"

Bug #489619 reported by Bruneel Michaël
This bug affects 6 people
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| openldap (Ubuntu) | Incomplete | Low | Unassigned | |
| phpldapadmin (Ubuntu) | New | Undecided | Unassigned | |

Bug Description

Binary package hint: phpldapadmin slapd

After an upgrade from 9.04 Server to 9.10 Server, after logging in to phpldapadmin (with a normal user and also with the admin user) we got the error message:

"Our attempts to find your SCHEMA for "attributetypes" have FAILED"

As mentioned in the phpldapadmin FAQ, we have to allow anonymous access to the schemas.

We can do this by :

1. Add the ACL rule in the frontendDB "olcDatabase={-1}frontend,cn=config" :

We can edit the file "olcDatabase={-1}frontend.ldif" located in "/etc/ldap/slapd.d/cn=config" and add the line "olcAccess: {1}to dn.base="cn=subschema" by * read" just after
"olcAccess: {0}to * by dn.exact=cn=localroot,cn=config manage by * break"

2. Restart openldap : "sudo /etc/init.d/slapd restart"

Note that after the upgrade I got the version 2.4.18-0ubuntu1 of OpenLDAP server.

I think it's a bug because:
1. before the upgrade everything was working fine and
2. we have to manually add the rule (it's not so easy)

description: updated
affects: openldap2.2 (Ubuntu) → openldap (Ubuntu)
Mathias Gug (mathiaz) wrote : Re: [Bug 489619] [NEW] "Our attempts to find your SCHEMA for "attributetypes" have FAILED"

Hi,

Thanks for taking the time to report a bug and helping to make Ubuntu better.

On Sun, Nov 29, 2009 at 03:13:23AM -0000, Launchpad Bug Tracker wrote:
>
> After an upgrade from 9.04 Server to 9.10 Server, after login into
> phpldapadmin (with a normal user and also with the admin user) we got
> the error message :
>
> "Our attempts to find your SCHEMA for "attributetypes" have FAILED"
>
> Like it is mentioned on the phpldapadmin's FAQ we have to allow
> anonymous access to the schemas.
>
[...]
> Note that after the upgrade I got the version 2.4.18-0ubuntu1 of
> OpenLDAP server.
>

Could you try to compare the ACL configuration between 9.04 and 9.10 and figure
out what has changed during the upgrade?

  status incomplete
  importance low

--
Mathias Gug
Ubuntu Developer http://www.ubuntu.com

Changed in openldap (Ubuntu):
importance: Undecided → Low
status: New → Incomplete
Anton Kudris (kudris) wrote :

This is a really nasty bug. I've spent hours after upgrading my server to Karmic and finding that phpldapadmin is broken.
The solution in the description works just well for me. Thanks a lot!

Akom (akomakom) wrote :

I've spent 4 weeks (on and off) before I found this solution/bug. Thank you!
Even granting write to * system-wide did not fix the issue.

PiersHarding (piersharding) wrote :

I'd like to add my thanks for this too - it caused me no end of grief.

Cheers,
Piers Harding.

Quanah Gibson-Mount (mishikal) wrote :

This is *not* a low priority bug. The ability to read the cn=subschema entry is critical to all applications that need to retrieve schema data from the LDAP server. The first two ACLs for an LDAP server should pretty much always be:

olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to dn.base="cn=subschema" by * read

The first so that access to the controls available, etc, is there, and the second so that access to the cn=subschema entry is available.

These access issues are both broken with Ubuntu, and very serious.

--Quanah
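
An added example, not part of the bug report or of any commenter's post: a simplified model of how slapd walks the frontend `olcAccess` rules for an anonymous read, used to check whether the root DSE and `cn=subschema` (the two entries named in the workaround and in the comment above) are readable. The function names and the sample LDIF are constructed for illustration; only `by * <level>`, `by anonymous <level>` and `break` are modelled.

```python
import re

# Constructed sample: frontend ACLs after the workaround in the bug description.
SAMPLE_LDIF = """\
dn: olcDatabase={-1}frontend
olcAccess: {0}to * by dn.exact=cn=localroot,cn=config manage by * break
olcAccess: {1}to dn.base="cn=subschema" by * read
"""

RULE = re.compile(r"^olcAccess:\s*\{(\d+)\}to\s+(.*)$", re.I)

def parse_acl(ldif):
    """Return [(index, what, [by-clause tokens, ...])] ordered by {n}."""
    text = re.sub(r"\n ", "", ldif)  # unfold LDIF continuation lines
    rules = []
    for line in text.splitlines():
        m = RULE.match(line)
        if m:
            # Assumption: no quoted DN contains the word " by ".
            what, *clauses = re.split(r"\s+by\s+", m.group(2).strip())
            rules.append((int(m.group(1)), what, [c.split() for c in clauses]))
    return sorted(rules)

def anon_can_read(rules, base_dn):
    """Simplified slapd evaluation of an anonymous read of one entry."""
    target = f"dn.base={base_dn}".lower()
    for _, what, clauses in rules:
        if what != "*" and what.replace('"', "").lower() != target:
            continue  # rule does not cover this entry
        for who, *rest in clauses:
            if who not in ("*", "anonymous"):
                continue  # clause is for some other identity
            if "break" in rest:
                break  # fall through to the next matching rule
            return bool(rest) and rest[0] in ("read", "write", "manage")
        else:
            return False  # no clause matched: implicit "by * none"
    return False  # end of a non-empty list: implicit "to * by * none"

def schema_discovery_report(ldif):
    """Can an anonymous client read the root DSE and cn=subschema?"""
    rules = parse_acl(ldif)
    return {dn or "rootDSE": anon_can_read(rules, dn) for dn in ("", "cn=subschema")}

if __name__ == "__main__":
    print(schema_discovery_report(SAMPLE_LDIF))
```

With only the `{0}` rule present both entries come back unreadable, which matches the schema lookup failure reported here.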
