LinuxQuestions.org
Linux - Newbie
Old 01-27-2014, 10:33 AM   #1
jonaskellens
Member
 
Registered: Jul 2008
Location: Ghent, Belgium
Distribution: Fedora, CentOS
Posts: 632

Rep: Reputation: 33
OpenLdap v2.4.23 : ldap_bind: Invalid credentials (49)


Hello,

I have done the following to set up an openldap server.

1. create root password :
Code:
/usr/sbin/slappasswd -s MyPassWd
2. edit /etc/openldap/slapd.conf and pass rootpw of above command :
Code:
database        bdb 
suffix          "dc=mydomain" 
rootdn          "cn=Manager,dc=mydomain" 
rootpw         {SSHA}MXK+JWBDq1vGu4FZzovd5oHGQST5quut
3. restart ldap

When I try to add a simple DN to the LDAP server, I get "Invalid credentials" :
Code:
[root@ldap1 ]# /usr/bin/ldapadd -x -D "cn=Manager,dc=domain" -W -f /etc/openldap/basic.ldif 
Enter LDAP Password: MyPassWd
ldap_bind: Invalid credentials (49)
I copied and pasted the output of slappasswd into the slapd.conf file, but I still get the message that it's invalid?
 
Old 01-28-2014, 03:44 AM   #2
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 11,596

Rep: Reputation: 1520
Hi,

In newer openldap versions the configuration is stored under the cn=config DIT and not in the /etc/openldap/slapd.conf file.
To set up a password for the admin user, follow steps 2-4 here (written for CentOS, but it's valid in general).

Regards
 
Old 01-28-2014, 04:15 AM   #3
jonaskellens
Member
 
Registered: Jul 2008
Location: Ghent, Belgium
Distribution: Fedora, CentOS
Posts: 632

Original Poster
Rep: Reputation: 33
Hello,

I have made the conversion :

Code:
[root@ldap1 openldap]# /usr/sbin/slaptest -f /etc/openldap/slapd.conf -v
bdb_db_open: warning - no DB_CONFIG file found in directory /var/lib/ldap: (2).
Expect poor performance for suffix "dc=mydomain".
bdb_monitor_db_open: monitoring disabled; configure monitor database to enable
config file testing succeeded
But I still can not connect :

Code:
root@ldap1 openldap]# ldapsearch -x 'cn=Manager,dc=mydomain' -D "dc=mydomain" -W
Enter LDAP Password: 
ldap_bind: Invalid credentials (49)
I don't know how to make it work in version 2.4.
 
Old 01-28-2014, 05:01 AM   #4
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 11,596

Rep: Reputation: 1520
Quote:
bdb_db_open: warning - no DB_CONFIG file found in directory /var/lib/ldap: (2).
Expect poor performance for suffix "dc=mydomain".
You didn't mention your distro, but there should be a DB_CONFIG.example (or similar) file that you need to copy into /var/lib/ldap, renaming it DB_CONFIG.


Quote:
ldapsearch -x 'cn=Manager,dc=mydomain' -D "dc=mydomain" -W
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
The syntax is wrong. Try
Code:
ldapsearch -x -D='cn=Manager,dc=mydomain' -b "dc=mydomain" -W
 
Old 01-28-2014, 05:17 AM   #5
jonaskellens
Member
 
Registered: Jul 2008
Location: Ghent, Belgium
Distribution: Fedora, CentOS
Posts: 632

Original Poster
Rep: Reputation: 33
Done.
Code:
[root@slap01 openldap]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/
I have made a step forward :

Code:
[root@ldap1 openldap]# ldapsearch -x -D='cn=Manager,dc=mydomain' -b "dc=mydomain" -W
Enter LDAP Password: 
ldap_bind: Invalid DN syntax (34)
	additional info: invalid DN
Now on to the next problem. Will check logfiles.
 
Old 01-28-2014, 06:01 AM   #6
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 11,596

Rep: Reputation: 1520
Quote:
openldap]# ldapsearch -x -D='cn=Manager,dc=mydomain' -b "dc=mydomain" -W
Oops my bad. Didn't notice the = after -D!!!
Remove it and hopefully it should work.
And use double quotes to enclose DNs, for readability:
Code:
ldapsearch -x -D "cn=Manager,dc=mydomain" -b "dc=mydomain" -W
 
Old 01-28-2014, 06:04 AM   #7
jonaskellens
Member
 
Registered: Jul 2008
Location: Ghent, Belgium
Distribution: Fedora, CentOS
Posts: 632

Original Poster
Rep: Reputation: 33
Quote:
Originally Posted by bathory View Post
Oops my bad. Didn't notice the = after -D!!!
Yes I know.

Error "Invalid credentials" stays...

So I'm no closer to a solution. Now following your guide.
 
Old 01-28-2014, 08:10 AM   #8
jonaskellens
Member
 
Registered: Jul 2008
Location: Ghent, Belgium
Distribution: Fedora, CentOS
Posts: 632

Original Poster
Rep: Reputation: 33
Followed your guide and made settings for rootDN and root passwd.

I did another conversion :
Code:
[root@ldap1 openldap]# /usr/sbin/slaptest -f /etc/openldap/slapd.conf -v
bdb_db_open: DB_CONFIG for suffix "dc=mydomain" has changed.
Performing database recovery to activate new settings.
bdb_db_open: database "dc=mydomain": recovery skipped in read-only mode. Run manual recovery if errors are encountered.
bdb_monitor_db_open: monitoring disabled; configure monitor database to enable
config file testing succeeded
Then a search :
Code:
[root@ldap1 openldap]# ldapsearch -x -D 'cn=Manager,dc=mydomain' -b "dc=mydomain" -W
Enter LDAP Password: 
# extended LDIF
#
# LDAPv3
# base <dc=mydomain> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 32 No such object

# numResponses: 1
But as you see, my LDAP tree still does not exist.

In my original slapd.conf I have :
Code:
database        bdb
suffix          "dc=mydomain"
rootdn          "cn=Manager,dc=mydomain"
rootpw         {SSHA}tlhvb6SeOg9B4vzaOHV16Aos+yX3FvDB

access to attrs=userPassword
        by * auth

access to dn="ou=contacten,ou=user8001,dc=mydomain" attrs=children
        by group.exact="cn=admins,ou=user8001,dc=mydomain" write
        by * none break

access to dn.one="ou=contacten,ou=user8001,dc=mydomain"
        by group.exact="cn=admins,ou=user8001,dc=mydomain" write
        by group.exact="cn=gebruikers,ou=user8001,dc=mydomain" read

access to dn.regex="ou=tbook[12345],ou=contacten,ou=user1001,dc=mydomain" attrs=children
        by group.exact="cn=admins,ou=user1001,dc=mydomain" write
        by * none break

access to dn.one="ou=tbook1,ou=contacten,ou=user1001,dc=mydomain"
        by group.exact="cn=admins,ou=user1001,dc=mydomain" write
        by group.exact="cn=tbook1,ou=gebruikers,ou=user1001,dc=mydomain" read

access to dn.one="ou=tbook2,ou=contacten,ou=user1001,dc=mydomain"
        by group.exact="cn=admins,ou=user1001,dc=mydomain" write
        by group.exact="cn=tbook2,ou=gebruikers,ou=user1001,dc=mydomain" read

access to dn.one="ou=tbook3,ou=contacten,ou=user1001,dc=mydomain"
        by group.exact="cn=admins,ou=user1001,dc=mydomain" write
        by group.exact="cn=tbook3,ou=gebruikers,ou=user1001,dc=mydomain" read

access to dn.one="ou=tbook4,ou=contacten,ou=user1001,dc=mydomain"
        by group.exact="cn=admins,ou=user1001,dc=mydomain" write
        by group.exact="cn=tbook4,ou=gebruikers,ou=user1001,dc=mydomain" read

access to dn.one="ou=tbook5,ou=contacten,ou=user1001,dc=mydomain"
        by group.exact="cn=admins,ou=user1001,dc=mydomain" write
        by group.exact="cn=tbook5,ou=gebruikers,ou=user1001,dc=mydomain" read

... and many more
It is not converted...
 
Old 01-28-2014, 08:53 AM   #9
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 11,596

Rep: Reputation: 1520
Quote:
[root@ldap1 openldap]# ldapsearch -x -D 'cn=Manager,dc=mydomain' -b "dc=mydomain" -W
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=mydomain> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 32 No such object

# numResponses: 1
Now you need to populate your LDAP directory using an LDIF file.
 
Old 01-29-2014, 03:28 AM   #10
jonaskellens
Member
 
Registered: Jul 2008
Location: Ghent, Belgium
Distribution: Fedora, CentOS
Posts: 632

Original Poster
Rep: Reputation: 33
To populate the LDAP with content, I know I can do it with an LDIF file. Thanks.

But what about my access definitions ?

I have different subdomains, and I need to restrict access to each subdomain to only be accessible by the correct user.

This is what I mean (like I posted earlier) :
Code:
access to dn="ou=contacten,ou=user8001,dc=mydomain" attrs=children
        by group.exact="cn=admins,ou=user8001,dc=mydomain" write
        by * none break

access to dn.one="ou=contacten,ou=user8001,dc=mydomain"
        by group.exact="cn=admins,ou=user8001,dc=mydomain" write
        by group.exact="cn=gebruikers,ou=user8001,dc=mydomain" read

access to dn.regex="ou=tbook[12345],ou=contacten,ou=user1001,dc=mydomain" attrs=children
        by group.exact="cn=admins,ou=user1001,dc=mydomain" write
        by * none break

access to dn.one="ou=tbook1,ou=contacten,ou=user1001,dc=mydomain"
        by group.exact="cn=admins,ou=user1001,dc=mydomain" write
        by group.exact="cn=tbook1,ou=gebruikers,ou=user1001,dc=mydomain" read

access to dn.one="ou=tbook2,ou=contacten,ou=user1001,dc=mydomain"
        by group.exact="cn=admins,ou=user1001,dc=mydomain" write
        by group.exact="cn=tbook2,ou=gebruikers,ou=user1001,dc=mydomain" read
How can I import/convert these ? Because I have many of them...
 
Old 01-29-2014, 04:54 AM   #11
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 11,596

Rep: Reputation: 1520
Quote:
But what about my access definitions ?

I have different subdomains, and I need to restrict access to each subdomain to only be accessible by the correct user.

This is what I mean (like I posted earlier) :
Code:

access to dn="ou=contacten,ou=user8001,dc=mydomain" attrs=children
by group.exact="cn=admins,ou=user8001,dc=mydomain" write
by * none break
<-snip->

How can I import/convert these ? Because I have many of them...
The ACLs are also converted when you convert slapd.conf to slapd.d. Search for the "olcAccess" keyword in olcDatabase={2}bdb.ldif to verify it.
 
Old 01-29-2014, 05:26 AM   #12
jonaskellens
Member
 
Registered: Jul 2008
Location: Ghent, Belgium
Distribution: Fedora, CentOS
Posts: 632

Original Poster
Rep: Reputation: 33
I find only the "root" definitions there, no other ACLs.

There are only the lines present that were also originally in the file. There are no extra lines added after conversion...
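The advice in post #11 (look for olcAccess in olcDatabase={2}bdb.ldif) and the finding in post #12 (nothing there but the root definitions) together call for a mechanical check: take every `access to ...` directive in slapd.conf, render the olcAccess form that cn=config stores, and list which ones the slapd.d LDIF lacks. The following Python is an added example, not code from the thread or from the OpenLDAP project. It relies on two documented conventions: in slapd.conf a line beginning with whitespace continues the previous directive, and in LDIF a line beginning with a single space continues the previous line. The two configuration texts are constructed from the ACLs posted in this thread; the comparison is on each ACL's `to <target>` clause with whitespace collapsed and `dn=` treated as `dn.base=`, which is an assumption about how slapd spells the target when it writes the entry out, so treat a reported match as a strong hint rather than proof that the `by` clauses are identical.

```python
import re
from typing import List, Optional

# Constructed slapd.conf excerpt using ACLs from post #10 (rootpw omitted).
SAMPLE_CONF = """\
database        bdb
suffix          "dc=mydomain"
rootdn          "cn=Manager,dc=mydomain"

access to attrs=userPassword
        by * auth

access to dn="ou=contacten,ou=user8001,dc=mydomain" attrs=children
        by group.exact="cn=admins,ou=user8001,dc=mydomain" write
        by * none break

access to dn.one="ou=contacten,ou=user8001,dc=mydomain"
        by group.exact="cn=admins,ou=user8001,dc=mydomain" write
        by group.exact="cn=gebruikers,ou=user8001,dc=mydomain" read
"""

# Constructed slapd.d entry in the state post #12 describes: root settings only.
UNCONVERTED_LDIF = """\
dn: olcDatabase={2}bdb
objectClass: olcDatabaseConfig
objectClass: olcBdbConfig
olcDatabase: {2}bdb
olcSuffix: dc=mydomain
olcRootDN: cn=Manager,dc=mydomain
"""

# Constructed entry after a conversion that did carry the ACLs across
# (folded at 78 columns, as slapd writes long values).
CONVERTED_LDIF = UNCONVERTED_LDIF + """\
olcAccess: {0}to attrs=userPassword by * auth
olcAccess: {1}to dn.base="ou=contacten,ou=user8001,dc=mydomain" attrs=children b
 y group.exact="cn=admins,ou=user8001,dc=mydomain" write by * none break
olcAccess: {2}to dn.one="ou=contacten,ou=user8001,dc=mydomain" by group.exact="c
 n=admins,ou=user8001,dc=mydomain" write by group.exact="cn=gebruikers,ou=user8001,dc=mydomain" read
"""


def parse_access_directives(conf_text: str) -> List[str]:
    """Return each slapd.conf 'access to ...' directive as one line, with its
    indented 'by ...' continuation lines folded in (slapd.conf(5) semantics)."""
    acls: List[str] = []
    current: Optional[str] = None
    for raw in conf_text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t":                      # continuation of the previous directive
            if current is not None:
                current += " " + raw.strip()
            continue
        if current is not None:
            acls.append(current)
        current = raw.strip() if raw.startswith("access ") else None
    if current is not None:
        acls.append(current)
    return acls


def expected_olc_access(conf_text: str) -> List[str]:
    """Render each ACL as cn=config stores it: olcAccess: {N}to ... by ..."""
    return [f"olcAccess: {{{i}}}{acl[len('access '):]}"
            for i, acl in enumerate(parse_access_directives(conf_text))]


def olc_access_values(ldif_text: str) -> List[str]:
    """Unfold LDIF continuation lines and return the olcAccess attribute values."""
    unfolded: List[str] = []
    for line in ldif_text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    return [l[len("olcAccess:"):].strip() for l in unfolded if l.startswith("olcAccess:")]


def _target(value: str) -> str:
    """Normalised 'to <target>' clause: drop the {N} order prefix, collapse
    whitespace, and spell dn= as dn.base= (assumed rendering, see lead-in)."""
    v = re.sub(r"^\{\d+\}", "", value.strip())
    v = re.sub(r"\s+", " ", v)
    v = re.sub(r"\bdn=", "dn.base=", v)
    m = re.match(r"to (.*?)(?: by .*)?$", v)
    return m.group(1) if m else v


def missing_acls(conf_text: str, ldif_text: str) -> List[str]:
    """ACLs from slapd.conf whose target appears in no olcAccess value of the LDIF."""
    present = {_target(v) for v in olc_access_values(ldif_text)}
    return [acl for acl in parse_access_directives(conf_text)
            if _target(acl[len("access "):]) not in present]


if __name__ == "__main__":
    for name, ldif in (("unconverted", UNCONVERTED_LDIF), ("converted", CONVERTED_LDIF)):
        missing = missing_acls(SAMPLE_CONF, ldif)
        print(f"{name}: {len(missing)} of {len(parse_access_directives(SAMPLE_CONF))} ACLs missing")
        for acl in missing:
            print("  ", acl)
```

Run it against your own files by reading /etc/openldap/slapd.conf and /etc/openldap/slapd.d/cn=config/olcDatabase={2}bdb.ldif into the two variables; an empty result from missing_acls is the "olcAccess present" state post #11 expects, and a full list is the state post #12 reports.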
 
Old 01-29-2014, 07:11 AM   #13
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 11,596

Rep: Reputation: 1520
Quote:
Originally Posted by jonaskellens View Post
I find only the "root" definitions there, no other ACLs.

There are only the lines present that were also originally in the file. There are no extra lines added after conversion...
I'm afraid you have to redo the conversion from scratch to include the ACLs
 
Old 01-29-2014, 10:15 AM   #14
jonaskellens
Member
 
Registered: Jul 2008
Location: Ghent, Belgium
Distribution: Fedora, CentOS
Posts: 632

Original Poster
Rep: Reputation: 33
Quote:
Originally Posted by bathory View Post
I'm afraid you have to redo the conversion from scratch to include the ACLs
What do you mean "from scratch" ?

With conversion I mean this :

/usr/sbin/slaptest -f /etc/openldap/slapd.conf -v

I have given this command several times now...
 
Old 01-29-2014, 03:39 PM   #15
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 11,596

Rep: Reputation: 1520
Quote:
Originally Posted by jonaskellens View Post
What do you mean "from scratch" ?

With conversion I mean this :

/usr/sbin/slaptest -f /etc/openldap/slapd.conf -v

I have given this command several times now...
I mean that you have to delete the slapd.d directory and recreate it with the command above.
Or you can change the slapd startup script to use /etc/openldap/slapd.conf and not /etc/openldap/slapd.d/ (i.e. the cn=config DIT)
 