LinuxQuestions.org
Linux - Server: for discussion of Linux software used in a server-related context.
Old 02-14-2011, 05:54 PM   #1
dfinn
LQ Newbie
 
Registered: Mar 2010
Posts: 4

Rep: Reputation: 0
Getting "ldap_bind: Invalid credentials (49)" while trying to setup openldap


I followed the instructions here:

http://www.linuxmail.info/openldap-setup-howto/

This is on CentOS 5.5 with all the latest updates.

I changed rootdn and rootpw in /etc/openldap/slapd.conf with the info for my domain and with an encrypted password using slapcat.

Now when I try to use slapadd like so:

ldapadd -x -D "cn=admin,dc=domain,dc=com" -w passwd -f /tmp/base.ldif

I get the error:
ldap_bind: Invalid credentials (49)

I feel like this is a pretty basic/default setup. I haven't changed anything else in /etc/openldap/slapd.conf, but for some reason it's not authenticating using the rootpw and rootdn information that I've provided in the config file.

Am I missing something?
 
Old 02-15-2011, 12:39 AM   #2
vishesh
Member
 
Registered: Feb 2008
Distribution: Fedora,RHEL,Ubuntu
Posts: 658

Rep: Reputation: 66
I think slappasswd generates the encrypted password, not slapcat. By the way, it would be better if you shared your slapd.conf file here.

Thanks
 
Old 02-15-2011, 10:06 AM   #3
dfinn
LQ Newbie
 
Registered: Mar 2010
Posts: 4

Original Poster
Rep: Reputation: 0
Sorry, my mistake, that's what I meant. I'll post the config file when I get into the office.
 
Old 02-15-2011, 10:49 AM   #4
dfinn
LQ Newbie
 
Registered: Mar 2010
Posts: 4

Original Poster
Rep: Reputation: 0
Code:
[root@ldaplab openldap]# rpm -qa|grep -i openldap
openldap-2.3.43-12.el5_5.3
openldap-clients-2.3.43-12.el5_5.3
openldap-2.3.43-12.el5_5.3
openldap-servers-2.3.43-12.el5_5.3

[root@ldaplab openldap]# cat /etc/openldap/slapd.conf 
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema

# Allow LDAPv2 client connections.  This is NOT the default.
allow bind_v2

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral       ldap://root.openldap.org

pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args

# Load dynamic backend modules:
# modulepath    /usr/lib64/openldap

# Modules available in openldap-servers-overlays RPM package
# Module syncprov.la is now statically linked with slapd and there
# is no need to load it here
# moduleload accesslog.la
# moduleload auditlog.la
# moduleload denyop.la
# moduleload dyngroup.la
# moduleload dynlist.la
# moduleload lastmod.la
# moduleload pcache.la
# moduleload ppolicy.la
# moduleload refint.la
# moduleload retcode.la
# moduleload rwm.la
# moduleload smbk5pwd.la
# moduleload translucent.la
# moduleload unique.la
# moduleload valsort.la

# modules available in openldap-servers-sql RPM package:
# moduleload back_sql.la

# The next three lines allow use of TLS for encrypting connections using a
# dummy test certificate which you can generate by changing to
# /etc/pki/tls/certs, running "make slapd.pem", and fixing permissions on
# slapd.pem so that the ldap user or group can read it.  Your client software
# may balk at self-signed certificates, however.
# TLSCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
# TLSCertificateFile /etc/pki/tls/certs/slapd.pem
# TLSCertificateKeyFile /etc/pki/tls/certs/slapd.pem

# Sample security restrictions
#       Require integrity protection (prevent hijacking)
#       Require 112-bit (3DES or better) encryption for updates
#       Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64

# Sample access control policy:
#       Root DSE: allow anyone to read it
#       Subschema (sub)entry DSE: allow anyone to read it
#       Other DSEs:
#               Allow self write access
#               Allow authenticated users read access
#               Allow anonymous users to authenticate
#       Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
#       by self write
#       by users read
#       by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn.  (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!

#######################################################################
# ldbm and/or bdb database definitions
#######################################################################

database        bdb
suffix          "dc=admin,dc=com"
rootdn          "cn=admin,dc=domain,dc=com"
rootpw          {SSHA}T6Dp/aVvewwMNF2w5aklTFdZNHU6c/WC

# The database directory MUST exist prior to running slapd AND 
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory       /var/lib/ldap

# Indices to maintain for this database
index objectClass                       eq,pres
index ou,cn,mail,surname,givenname      eq,pres,sub
index uidNumber,gidNumber,loginShell    eq,pres
index uid,memberUid                     eq,pres,sub
index nisMapName,nisMapEntry            eq,pres,sub

# Replicas of this database
#replogfile /var/lib/ldap/openldap-master-replog
#replica host=ldap-1.example.com:389 starttls=critical
#     bindmethod=sasl saslmech=GSSAPI
#     authcId=host/ldap-master.example.com@EXAMPLE.COM
 
Old 02-15-2011, 07:46 PM   #5
jspaces
LQ Newbie
 
Registered: Apr 2009
Location: Canada
Distribution: ArchLinux
Posts: 6

Rep: Reputation: 0
It looks like a simple syntax error:

Code:
database        bdb
suffix          "dc=domain,dc=com"
rootdn          "cn=admin,dc=domain,dc=com"
rootpw          {SSHA}T6Dp/aVvewwMNF2w5aklTFdZNHU6c/WC
Should work for your test ...
 
Old 02-15-2011, 10:35 PM   #6
vishesh
Member
 
Registered: Feb 2008
Distribution: Fedora,RHEL,Ubuntu
Posts: 658

Rep: Reputation: 66
Yes, the suffix part is misconfigured. Correct it as mentioned by jspaces.
 
Old 03-21-2011, 02:50 PM   #7
rmabeza
LQ Newbie
 
Registered: Mar 2011
Posts: 4

Rep: Reputation: 0
ldap_bind: Invalid credentials (49)

I'm also having the same kind of error on my CentOS 5.2.

Here's my info:

[root@kuto openldap]# rpm -qa | grep openldap-*
openldap-servers-overlays-2.3.43-12.el5_5.3
openldap-2.3.27-8.el5_1.3
openldap-devel-2.3.43-12.el5_5.3
openldap-2.3.43-12.el5_5.3
openldap-servers-sql-2.3.43-12.el5_5.3
openldap-clients-2.3.43-12.el5_5.3
openldap-servers-2.3.43-12.el5_5.3
======================================================
[root@kuto openldap]# cat 1st.ldif
dn: dc=deltanu,dc=site
objectclass: dcObject
objectclass: organization
o: LDAP Server
dc: deltanu

dn: cn=Manager,dc=deltanu,dc=site
objectclass: organizationalRole
cn: Manager
====================================================
my /etc/openldap/slapd.conf
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema

# Allow LDAPv2 client connections. This is NOT the default.
allow bind_v2

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org

pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args

# Load dynamic backend modules:
# modulepath /usr/lib/openldap

# Modules available in openldap-servers-overlays RPM package
# Module syncprov.la is now statically linked with slapd and there
# is no need to load it here
# moduleload accesslog.la
# moduleload auditlog.la
# moduleload denyop.la
# moduleload dyngroup.la
# moduleload dynlist.la
# moduleload lastmod.la
# moduleload pcache.la
# moduleload ppolicy.la
# moduleload refint.la
# moduleload retcode.la
# moduleload rwm.la
# moduleload smbk5pwd.la
# moduleload translucent.la
# moduleload unique.la
# moduleload valsort.la
# modules available in openldap-servers-sql RPM package:
# moduleload back_sql.la

# The next three lines allow use of TLS for encrypting connections using a
# dummy test certificate which you can generate by changing to
# /etc/pki/tls/certs, running "make slapd.pem", and fixing permissions on
# slapd.pem so that the ldap user or group can read it. Your client software
# may balk at self-signed certificates, however.
# TLSCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
# TLSCertificateFile /etc/pki/tls/certs/slapd.pem
# TLSCertificateKeyFile /etc/pki/tls/certs/slapd.pem

# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64

# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
# by self write
# by users read
# by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!

#######################################################################
# ldbm and/or bdb database definitions
#######################################################################

database bdb
suffix "dc=deltanu,dc=site"
rootdn "cn=Manager,dc=deltanu,dc=site"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# rootpw secret
rootpw {SSHA}jZrWfjDxP5Zsecret

# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /var/lib/ldap

# Indices to maintain for this database
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub

# Replicas of this database
#replogfile /var/lib/ldap/openldap-master-replog
#replica host=ldap-1.example.com:389 starttls=critical


============================================================================
in my /etc/ldap.conf

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

#BASE dc=example, dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666

#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
URI ldap://deltanu.site
BASE dc=deltanu,dc=site
#TLS_CACERTDIR /etc/openldap/cacerts
===========================================
Using BIND:

[root@kuto openldap]# dig deltanu.site

; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_5.3 <<>> deltanu.site
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62624
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;deltanu.site. IN A

;; ANSWER SECTION:
deltanu.site. 3600 IN A 192.168.0.196

;; AUTHORITY SECTION:
deltanu.site. 3600 IN NS kuto.deltanu.site.

;; ADDITIONAL SECTION:
kuto.deltanu.site. 3600 IN A 192.168.0.196

;; Query time: 132 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Mar 22 00:55:41 2011
;; MSG SIZE rcvd: 81
===========================================================================
[root@kuto openldap]# /usr/bin/ldapadd -x -D 'cn=Manager,dc=deltanu,dc=site' -w secret -f 1st.ldif
ldap_bind: Invalid credentials (49)

Can anyone help me troubleshoot this problem?

Greatly appreciated...

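Two checks worth running on a database section before blaming the password, as an added example that is not code from this thread or from OpenLDAP: first, slapd.conf(5) says rootpw is only usable when the rootdn lies within the database's namingContext (suffix), which is the mismatch jspaces corrected in post #5; second, a hashed rootpw must be something slappasswd could actually have produced: {SSHA} is base64 of the 20-byte SHA-1 digest of password+salt followed by the salt. The script below applies both checks to the two database sections posted above (copied from posts #4 and #7 as constructed input). Assumptions: the DN normalization is deliberately simple (case folding and whitespace trimming, no RFC 4514 escaping), and only the {SSHA} scheme is validated; other schemes are passed through unchecked. Note that the value "{SSHA}jZrWfjDxP5Zsecret" has 17 base64 characters and cannot be decoded at all, so it cannot be slappasswd output; the script reports exactly that.

```python
"""Sanity checks for the rootdn/rootpw lines of an OpenLDAP slapd.conf.

Added example, not code from the thread or from OpenLDAP.
  1. rootdn must lie under the database suffix (slapd.conf(5): rootpw is
     only usable when rootdn is within the database's namingContext).
  2. A {SSHA} rootpw must decode to a 20-byte SHA-1 digest plus a salt,
     which is what slappasswd emits; anything else never matches a bind.
"""
import base64
import binascii
import hashlib
import hmac
import os
import re

# Constructed inputs: the two database sections posted in the thread.
OP_CONFIG = """\
database        bdb
suffix          "dc=admin,dc=com"
rootdn          "cn=admin,dc=domain,dc=com"
rootpw          {SSHA}T6Dp/aVvewwMNF2w5aklTFdZNHU6c/WC
"""
RMABEZA_CONFIG = """\
database bdb
suffix "dc=deltanu,dc=site"
rootdn "cn=Manager,dc=deltanu,dc=site"
# rootpw secret
rootpw {SSHA}jZrWfjDxP5Zsecret
"""

# Matches uncommented suffix/rootdn/rootpw lines, with or without quotes.
_DIRECTIVE = re.compile(r'^\s*(suffix|rootdn|rootpw)\s+"?(.+?)"?\s*$', re.M)
SHA1_LEN = hashlib.sha1().digest_size  # 20 bytes


def parse_db_section(text):
    """Map suffix/rootdn/rootpw to their values; comment lines are skipped."""
    return {m.group(1): m.group(2) for m in _DIRECTIVE.finditer(text)}


def normalize_dn(dn):
    """Cheap DN normalization (assumption): lowercase, no blanks around '=' or ','."""
    rdns = [re.sub(r"\s*=\s*", "=", p.strip()) for p in dn.split(",")]
    return ",".join(rdns).lower()


def rootdn_within_suffix(rootdn, suffix):
    r, s = normalize_dn(rootdn), normalize_dn(suffix)
    return r == s or r.endswith("," + s)


def parse_ssha(value):
    """Return (digest, salt) for a {SSHA} value, or None if it is malformed."""
    if not value.startswith("{SSHA}"):
        return None
    try:
        raw = base64.b64decode(value[len("{SSHA}"):], validate=True)
    except (binascii.Error, ValueError):
        return None
    if len(raw) <= SHA1_LEN:  # need the digest plus at least one salt byte
        return None
    return raw[:SHA1_LEN], raw[SHA1_LEN:]


def make_ssha(password, salt=None):
    """Build the same {SSHA} form that slappasswd -h {SSHA} -s <password> prints."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def check_ssha(value, password):
    """True if password matches the {SSHA} value; constant-time digest compare."""
    parsed = parse_ssha(value)
    if parsed is None:
        return False
    digest, salt = parsed
    return hmac.compare_digest(hashlib.sha1(password.encode() + salt).digest(), digest)


def audit(config_text):
    """Return findings for one database section; an empty list means it looks sane."""
    d = parse_db_section(config_text)
    findings = []
    if not rootdn_within_suffix(d["rootdn"], d["suffix"]):
        findings.append("rootdn %s is not under suffix %s, so rootpw is unusable"
                        % (d["rootdn"], d["suffix"]))
    pw = d["rootpw"]
    if pw.startswith("{SSHA}") and parse_ssha(pw) is None:
        findings.append("rootpw is not a well-formed {SSHA} hash; paste slappasswd output")
    elif not pw.startswith("{"):
        findings.append("rootpw is cleartext; generate a hash with slappasswd")
    return findings


if __name__ == "__main__":
    for name, cfg in (("dfinn", OP_CONFIG), ("rmabeza", RMABEZA_CONFIG)):
        print(name, audit(cfg) or ["looks sane"])
```

Run against the two posted sections it reports the suffix/rootdn mismatch for the first and the undecodable hash for the second; change the first suffix to dc=domain,dc=com and it reports nothing, which is the fix given in post #5. check_ssha is the same computation slapd performs on a simple bind against a {SSHA} rootpw, so it lets you confirm offline that the hash in slapd.conf really corresponds to the password you are typing into ldapadd -w.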
 
Old 03-21-2011, 03:22 PM   #8
rmabeza
LQ Newbie
 
Registered: Mar 2011
Posts: 4

Rep: Reputation: 0
I found some reading on using slapd -f slapdfile.

So after testing:
[root@kuto openldap]# /usr/bin/ldapadd -x -D 'cn=Manager,dc=deltanu,dc=site' -w secret -f 1st.ldif
ldap_bind: Can't contact LDAP server (-1)

Furthermore:

[root@kuto openldap]# service ldap restart
Stopping slapd: [FAILED]
Checking configuration files for slapd: config file testing succeeded
[ OK ]
Starting slapd: [ OK ]

[root@kuto openldap]# killall ldap
ldap: no process killed
[root@kuto openldap]#

ldap is no longer starting in the background =(

Checking my logs gives this output:
Mar 22 01:49:59 kuto ps: nss_ldap: failed to bind to LDAP server ldap://192.168.0.196: Can't contact LDAP server
Mar 22 01:49:59 kuto ps: nss_ldap: reconnecting to LDAP server (sleeping 32 seconds)...
Mar 22 01:50:31 kuto ps: nss_ldap: failed to bind to LDAP server ldap://192.168.0.196: Can't contact LDAP server
Mar 22 01:50:31 kuto ps: nss_ldap: reconnecting to LDAP server (sleeping 64 seconds)...


Any idea on this?

 
Old 03-21-2011, 03:25 PM   #9
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,398

Rep: Reputation: 1965
It's not listening on the default ports there. ldapadd interfaces with the running ldap service; slapcat and tools like that directly manipulate the database files. You've not specified a server there, so it'll be defaulting to whatever is set in /etc/openldap/ldap.conf (not /etc/ldap.conf - different file!)
 
Old 03-22-2011, 12:57 AM   #10
rmabeza
LQ Newbie
 
Registered: Mar 2011
Posts: 4

Rep: Reputation: 0
Hi Chris,

It's actually /etc/openldap/ldap.conf and not /etc/ldap.conf, sorry for my typo. So what I did was update the database using:
[root@kuto openldap]# /usr/sbin/slapd_db_upgrade -v -h /var/lib/ldap/

and after restarting ldap it's back to its original error:
[root@kuto openldap]# service ldap restart
Stopping slapd: [ OK ]
Checking configuration files for slapd: config file testing succeeded
[ OK ]
Starting slapd: [ OK ]
[root@kuto openldap]# /usr/bin/ldapadd -x -D 'cn=Manager,dc=deltanu,dc=site' -w secret -f 1st.ldif
ldap_bind: Invalid credentials (49)
======================================================================================
I got my database populated using slapcat or slapadd:

[root@kuto openldap]# slapcat
dn: dc=deltanu,dc=site
objectClass: dcObject
objectClass: organization
o: First LDAP
dc: deltanu
structuralObjectClass: organization
entryUUID: e5cfa5c2-e824-102f-927c-c3eaf38a9801
creatorsName: cn=Manager,dc=deltanu,dc=site
modifiersName: cn=Manager,dc=deltanu,dc=site
createTimestamp: 20110321163455Z
modifyTimestamp: 20110321163455Z
entryCSN: 20110321163455Z#000000#00#000000

dn: cn=Manager,dc=deltanu,dc=site
objectClass: organizationalRole
cn: Manager
structuralObjectClass: organizationalRole
entryUUID: e621dcfc-e824-102f-927d-c3eaf38a9801
creatorsName: cn=Manager,dc=deltanu,dc=site
modifiersName: cn=Manager,dc=deltanu,dc=site
createTimestamp: 20110321163455Z
modifyTimestamp: 20110321163455Z
entryCSN: 20110321163455Z#000001#00#000000

[root@kuto openldap]# ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts -D "cn=Manager,dc=deltanu,dc=site" -W
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
======================================================
I have found no other solution yet =(
 
Old 03-22-2011, 09:47 AM   #11
dfinn
LQ Newbie
 
Registered: Mar 2010
Posts: 4

Original Poster
Rep: Reputation: 0
My problem ended up being fairly simple, I needed to adjust my /etc/ldap.conf to point to localhost, I had it pointing to a remote server.
 
Old 03-22-2011, 10:17 AM   #12
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,398

Rep: Reputation: 1965
Yes, hence what I said about the two different ldap.confs existing.
 
Old 03-22-2011, 01:12 PM   #13
rmabeza
LQ Newbie
 
Registered: Mar 2011
Posts: 4

Rep: Reputation: 0
Here's another scenario,

[root@kuto openldap]# ps -ef|grep slapd
ldap 8016 1 0 09:03 ? 00:00:00 /usr/sbin/slapd -h ldap:/// -u ldap
root 8029 6620 0 09:06 pts/2 00:00:00 grep slapd
[root@kuto openldap]# netstat -an|grep 389
tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN
tcp 1 0 127.0.0.1:41357 127.0.0.1:389 CLOSE_WAIT
tcp 1 0 127.0.0.1:41356 127.0.0.1:389 CLOSE_WAIT
tcp 1 0 127.0.0.1:41359 127.0.0.1:389 CLOSE_WAIT
tcp 1 0 127.0.0.1:41358 127.0.0.1:389 CLOSE_WAIT
tcp 1 0 127.0.0.1:41361 127.0.0.1:389 CLOSE_WAIT
tcp 1 0 127.0.0.1:41360 127.0.0.1:389 CLOSE_WAIT
tcp 1 0 127.0.0.1:41363 127.0.0.1:389 CLOSE_WAIT
tcp 1 0 127.0.0.1:41362 127.0.0.1:389 CLOSE_WAIT
tcp 1 0 192.168.0.196:43885 192.168.0.196:389 CLOSE_WAIT
tcp 1 0 192.168.0.196:43896 192.168.0.196:389 CLOSE_WAIT
tcp 1 0 192.168.0.196:43895 192.168.0.196:389 CLOSE_WAIT
tcp 0 0 :::389 :::* LISTEN
unix 3 [ ] STREAM CONNECTED 13895 @/tmp/dbus-yznQKuwPay
unix 3 [ ] STREAM CONNECTED 13894
=========================================================================================
[root@kuto openldap]# vim /etc/sysconfig/selinux
[root@kuto openldap]# ps -ef|grep slapd
ldap 8016 1 0 09:03 ? 00:00:00 /usr/sbin/slapd -h ldap:/// -u ldap
root 8050 6620 0 09:14 pts/2 00:00:00 grep slapd
=============================================================================================
When I try this command, another error rises:

[root@kuto openldap]# ldapsearch -xh HOST -b '' -s base subschemaSubentry
ldap_bind: Can't contact LDAP server (-1) <<==== here's the problem.
====================================================================================
[root@kuto openldap]# service ldap restart
Stopping slapd: [ OK ]
Checking configuration files for slapd: config file testing succeeded
[ OK ]
Starting slapd: [ OK ]
[root@kuto openldap]#
=====================================================================
A sample ldapadd shows:

[root@kuto openldap]# ldapadd -x -D "cn=Manager,dc=deltanu,dc=site" -W -f /etc/openldap/deltanu.ldif
Enter LDAP Password:
ldap_bind: Invalid credentials (49)

I really don't know where the error is coming from, as there are no logs to look at; I am totally stuck.

Help please.
 
  

