LinuxQuestions.org
Register a domain and help support LQ
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Server
User Name
Password
Linux - Server This forum is for the discussion of Linux Software used in a server related context.

Notices

Reply
 
Search this Thread
Old 03-30-2010, 01:36 AM   #1
vigilandy
Member
 
Registered: Mar 2010
Location: Tokyo
Distribution: Arch, Fedora
Posts: 71

Rep: Reputation: 23
openldap setup Invalid credentials error (49)


I'm trying to set up openLDAP on fedora 12 and am have not luck authenticating the root user after starting the service. I'm hoping someone with more experience might be willing to help. I left all the settings as default and get the following when I do a simple search:
Code:
[root@claudius ~]# ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts

# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: namingContexts 
#

#
dn:
namingContexts: dc=my-domain,dc=com

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
So the slapd service seems to be running ok. However, when I attempt to run a basic ldif file I get the following
Code:
[root@claudius ~]# ldapadd  -x -D "cn=Manager,dc=my-domain,dc=com" -W -f base.ldif 
Enter LDAP Password: 
ldap_bind: Invalid credentials (49)
Here is the base.ldif:
Code:
[root@claudius ~]# cat base.ldif 
dn: dc=my-domain,dc=com
objectclass: dcObject
objectclass: organization
o: Example Company
dc: my-domain

dn: cn=Manager,dc=my-domain,dc=com
objectclass: organizationalRole
cn: Manager
I got the sample file from here.

I've tried substituting several different output strings from slappasswd, but all with the same result.
Finally, here is the slap.conf file:
Code:
[root@claudius ~]# grep -v ^# /etc/openldap/slapd.conf|cat -s

include         /etc/openldap/schema/corba.schema
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/duaconf.schema
include         /etc/openldap/schema/dyngroup.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/java.schema
include         /etc/openldap/schema/misc.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/openldap.schema
include         /etc/openldap/schema/ppolicy.schema
include         /etc/openldap/schema/collective.schema

allow bind_v2

pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args

database        bdb
suffix          "dc=my-domain,dc=com"
checkpoint      1024 15
rootdn          "cn=Manager,dc=my-domain,dc=com"

rootpw          {SSHA}7QH+zdRtuIpyJb9scodYkn1uUKIvQ8W6

directory       /var/lib/ldap

index objectClass                       eq,pres
index ou,cn,mail,surname,givenname      eq,pres,sub
index uidNumber,gidNumber,loginShell    eq,pres
index uid,memberUid                     eq,pres,sub
index nisMapName,nisMapEntry            eq,pres,sub

database monitor

access to *
        by dn.exact="cn=Manager,dc=my-domain,dc=com" read
        by * none
As you can see, all the setting are default except the password, of which I've tried several types.

I'd appreciate any advice anyone has.

Thanks
 
Old 03-30-2010, 02:05 AM   #2
bathory
Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 10,938

Rep: Reputation: 1330Reputation: 1330Reputation: 1330Reputation: 1330Reputation: 1330Reputation: 1330Reputation: 1330Reputation: 1330Reputation: 1330Reputation: 1330
Hi,

You can stop slapd from running and use slapadd to add the ldif:
Code:
slapadd  -l base.ldif
Then start slapd and try to search with authentication:
Code:
ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts -D "cn=Manager,dc=my-domain,dc=com" -W
 
Old 03-30-2010, 02:17 AM   #3
vigilandy
Member
 
Registered: Mar 2010
Location: Tokyo
Distribution: Arch, Fedora
Posts: 71

Original Poster
Rep: Reputation: 23
bathory, thanks for the suggestion. I tried the commands with the following results:
Code:
[root@claudius ~]# slapadd -l base.ldif 
_#################### 100.00% eta   none elapsed            none fast!         
Closing DB...
and after restarting the slapd service:
Code:
[root@claudius ~]# ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts -D "cn=Manager,dc=my-domain,dc=com" -W
Enter LDAP Password: 
ldap_bind: Invalid credentials (49)
a search without credentials has the same results as before.
 
Old 03-30-2010, 02:36 AM   #4
vigilandy
Member
 
Registered: Mar 2010
Location: Tokyo
Distribution: Arch, Fedora
Posts: 71

Original Poster
Rep: Reputation: 23
I just discovered slapcat, which produced the following:
Code:
[root@claudius ~]# slapcat
dn: dc=my-domain,dc=com
objectClass: dcObject
objectClass: organization
o: Example Company
dc: my-domain
structuralObjectClass: organization
entryUUID: 94a09be2-d016-102e-9b40-a962b0240786
creatorsName: cn=Manager,dc=my-domain,dc=com
createTimestamp: 20100330070700Z
entryCSN: 20100330070700.510148Z#000000#000#000000
modifiersName: cn=Manager,dc=my-domain,dc=com
modifyTimestamp: 20100330070700Z

dn: cn=Manager,dc=my-domain,dc=com
objectClass: organizationalRole
cn: Manager
structuralObjectClass: organizationalRole
entryUUID: 94add80c-d016-102e-9b41-a962b0240786
creatorsName: cn=Manager,dc=my-domain,dc=com
createTimestamp: 20100330070700Z
entryCSN: 20100330070700.596894Z#000000#000#000000
modifiersName: cn=Manager,dc=my-domain,dc=com
modifyTimestamp: 20100330070700Z
So I've verified that the ldif file was imported.
 
Old 03-30-2010, 04:09 AM   #5
bathory
Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 10,938

Rep: Reputation: 1330Reputation: 1330Reputation: 1330Reputation: 1330Reputation: 1330Reputation: 1330Reputation: 1330Reputation: 1330Reputation: 1330Reputation: 1330
The ldif was imported because slapadd does not care about credentials. I suspected the problem was due to the ACL:
Quote:
access to *
by dn.exact="cn=Manager,dc=my-domain,dc=com" read
by * none
that does not allow "cn=Manager,dc=my-domain,dc=com" to write to the directory.
So are you sure that the rootpw you're using is correct?
You can stop slapd and then run it from CLI in debug mode to watch the output and see if you can find the reason why you get the "Invalid Credentials" error:
Code:
slapd -d -1
Just out of curiosity, why aren't you using the directory server that comes with Fedora?
 
Old 03-30-2010, 04:48 AM   #6
vigilandy
Member
 
Registered: Mar 2010
Location: Tokyo
Distribution: Arch, Fedora
Posts: 71

Original Poster
Rep: Reputation: 23
I believe the ACL you mentioned is for the "monitor" database. The comments in the slap.conf file seem to indicate that I should be able to leave the general ACL undefined.
Code:
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn.  (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!
As for the the correct password, I've tried several passwords, typing them all very meticulously. I'm pretty sure I've ruled that out.

I may go and use Fedora's Directory server. To be honest, this is my first Linux directory server and I wasn't aware that Fedora had a separate directory project.
 
Old 03-30-2010, 06:19 AM   #7
bathory
Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 10,938

Rep: Reputation: 1330Reputation: 1330Reputation: 1330Reputation: 1330Reputation: 1330Reputation: 1330Reputation: 1330Reputation: 1330Reputation: 1330Reputation: 1330
You can try to change the order of the included schema files and see if it makes any difference. At least core.schema should come first:
Code:
include	   /etc/openldap/schema/core.schema
include	   /etc/openldap/schema/cosine.schema
include	   /etc/openldap/schema/inetorgperson.schema
include	   /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/misc.schema
include         /etc/openldap/schema/corba.schema
include         /etc/openldap/schema/duaconf.schema
include         /etc/openldap/schema/dyngroup.schema
include         /etc/openldap/schema/java.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/openldap.schema
include         /etc/openldap/schema/ppolicy.schema
include         /etc/openldap/schema/collective.schema
Also you can comment out those you don't need.
 
Old 03-31-2010, 08:34 AM   #8
vigilandy
Member
 
Registered: Mar 2010
Location: Tokyo
Distribution: Arch, Fedora
Posts: 71

Original Poster
Rep: Reputation: 23
Thanks for all your help bathory. I found the problem. I came across some info in the documentation about how the openldap server reads the settings files. Apparently the newest version of openldap reads the settings from the slapd.d directory. Any changes made to slapd.conf are ignored unless there is no slapd.d directory, in which case a new directory and setting file is created from the settings in slapd.conf. You can force the daemon to read the slapd.conf file and overwrite the slapd.d directory files, which is how I was able to resolve the problem.

thanks again.
 
Old 10-15-2010, 07:39 AM   #9
linuxunix
Member
 
Registered: Mar 2010
Location: California
Distribution: Slackware
Posts: 235

Rep: Reputation: 18
What command did you use to forcibly read that file?
Want to know how you resolved that issue?
 
Old 10-15-2010, 09:33 AM   #10
vigilandy
Member
 
Registered: Mar 2010
Location: Tokyo
Distribution: Arch, Fedora
Posts: 71

Original Poster
Rep: Reputation: 23
from the slapd man page:
Code:
       -f slapd-config-file
	      Specifies  the  slapd  configuration  file.   The   default   is
	      /usr/local/etc/openldap/slapd.conf.

       -F slapd-config-directory
	      Specifies  the  slapd  configuration  directory.	The default is
	      /usr/local/etc/openldap/slapd.d.	If both -f and -F  are	speci-
	      fied,  the  config  file	will  be  read and converted to config
	      directory format and written to  the  specified  directory.   If
	      neither  option  is  specified,  slapd  will attempt to read the
	      default config directory before trying to use the default config
	      file. If a valid config directory exists then the default config
	      file is ignored. All of the  slap  tools	that  use  the	config
	      options observe this same behavior.
So to force the config file to be read, just use the -f option.
 
  


Reply

Tags
openldap


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Ldap error "ldap_sasl_interactive_bind_s: Invalid credentials (49)" knockout_artist Linux - Newbie 1 10-30-2009 03:56 PM
using ldapsearch gettting Invalid credentials (49) error p1111a Linux - Server 3 05-15-2009 05:44 PM
ldap_bind: Invalid credentials (49) soni_silver17 Linux - Server 1 01-24-2009 01:47 PM
ldap_bind: Invalid credentials (49) on OpenLDAP server gergaholic Linux - Server 7 11-08-2007 09:03 AM
ldap_bind: Invalid credentials (49) on OpenLDAP server gergaholic Fedora 2 11-05-2007 03:23 PM


All times are GMT -5. The time now is 07:41 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration