LinuxQuestions.org
Old 08-29-2011, 02:04 PM   #1
lefty.crupps
Member
 
Registered: Apr 2005
Location: Minneap USA
Distribution: Debian, Mepis, Sidux
Posts: 470

Slave slapd / LDAP: ldap_bind: Invalid credentials (49)


I've set up slapd (2.4.23-7.2) on two Debian 6.0.2 servers.

I've set them to use /etc/ldap/slapd.conf file (not /etc/ldap/slapd.d/ directory)

I've set them both up with the same database, from a dump and import.

They're both listening on "ldap:/// ldapi:/// ldaps:///" successfully.

I've set them up to successfully replicate LDAP entries from the Provider (Master) and the Consumer (Slave) servers.

From any machine in our office (including the slave), I can query the Master successfully:
Code:
shell#  /usr/bin/ldapsearch -x -D "uid=authuser,dc=ourdomain,dc=net" -w 'secret' -H ldaps://master.fqdn.com/
(lots of expected output)
But from any machine (including the slave), doing this same thing fails against the slave (errors further below from this failed attempt):
Code:
shell#  /usr/bin/ldapsearch -x -D "uid=authuser,dc=ourdomain,dc=net" -w 'secret' -H ldaps://slave.fqdn.com/
ldap_bind: Invalid credentials (49)
I don't know what is wrong; the ACLs are identical. Here is the slave slapd.conf:
Code:
# This is the main slapd configuration file. See slapd.conf(5) for more
# info on the configuration options.

include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/inetorgperson.schema
include         /etc/ldap/schema/samba.schema

pidfile         /var/run/slapd/slapd.pid
argsfile        /var/run/slapd/slapd.args
loglevel        128 256 32768
modulepath      /usr/lib/ldap
moduleload      back_bdb
moduleload      syncprov.la
sizelimit 1000
tool-threads 1

backend         bdb
database        bdb
suffix          "dc=ourdomain,dc=net"
rootdn          "cn=root,dc=ourdomain,dc=net"
rootpw          {SSHA}tLys7G2CCeZ/9H7E2xiGsQzl4VY6cOBm

directory       "/var/lib/ldap"
dbconfig set_cachesize 0 2097152 0

dbconfig set_lk_max_objects 1500
dbconfig set_lk_max_locks 1500
dbconfig set_lk_max_lockers 1500

index   objectClass             eq
index   cn                      pres,sub,eq
index   sn                      pres,sub,eq
index   uid                     pres,sub,eq
index   displayName             pres,sub,eq
index   default                 sub
index   uidNumber               eq
index   gidNumber               eq
index   mail,givenName          eq,subinitial
index   dc                      eq


lastmod         on

syncrepl rid=001
  provider=ldap://master.ourdomain.net
  type=refreshAndPersist
  retry="5 5 300 +"
  searchbase="dc=ourdomain,dc=net"
  attrs="*,+"
  bindmethod=simple
  binddn="cn=root,dc=ourdomain,dc=net"
  credentials=secret2

access to *
 by dn.base="cn=root,dc=ourdomain,dc=net" read
 by * break

access to * filter=(businessCategory=disabled)
 by dn="uid=authuser,dc=ourdomain,dc=net" none
 by dn="uid=authadmin,dc=ourdomain,dc=net" write

access to attrs=userPassword,shadowLastChange,sambaNTPassword,sambaLMPassword
 by dn="cn=root,dc=ourdomain,dc=net" write
 by dn="uid=authuser,dc=ourdomain,dc=net" write
 by dn="uid=authadmin,dc=ourdomain,dc=net" write
 by anonymous auth
 by self write
 by * none

access to dn.base="" by * read

access to *
 by dn="cn=root,dc=ourdomain,dc=net" write
 by dn="uid=authuser,dc=ourdomain,dc=net" read
 by dn="uid=authadmin,dc=ourdomain,dc=net" write
 by * read



TLSCACertificateFile /etc/ldap/cacert.pem
TLSCertificateFile /etc/ldap/servercrt.pem
TLSCertificateKeyFile /etc/ldap/serverkey.pem

database config
rootpw          {SSHA}tLys7G2CCeZ/9H7E2xiGsQzl2gfgt

Errors on the Slave from loglevel 128 256 32768:
Code:
==> /var/log/syslog <==
Aug 29 13:54:21 ldap-test-slave slapd[28202]: conn=1005 fd=19 ACCEPT from IP=10.10.10.220:55086 (IP=0.0.0.0:636)

==> /var/log/debug <==
Aug 29 13:54:21 ldap-test-slave slapd[28202]: conn=1005 fd=19 ACCEPT from IP=10.10.10.220:55086 (IP=0.0.0.0:636)

==> /var/log/syslog <==
Aug 29 13:54:21 ldap-test-slave slapd[28202]: conn=1005 fd=19 TLS established tls_ssf=128 ssf=128

==> /var/log/debug <==
Aug 29 13:54:21 ldap-test-slave slapd[28202]: conn=1005 fd=19 TLS established tls_ssf=128 ssf=128

==> /var/log/syslog <==
Aug 29 13:54:21 ldap-test-slave slapd[28202]: conn=1005 op=0 BIND dn="uid=authuser,dc=ourdomain,dc=net" method=128
Aug 29 13:54:21 ldap-test-slave slapd[28202]: conn=1005 op=0 RESULT tag=97 err=49 text=

==> /var/log/debug <==
Aug 29 13:54:21 ldap-test-slave slapd[28202]: conn=1005 op=0 BIND dn="uid=authuser,dc=ourdomain,dc=net" method=128
Aug 29 13:54:21 ldap-test-slave slapd[28202]: conn=1005 op=0 RESULT tag=97 err=49 text=

==> /var/log/syslog <==

==> /var/log/debug <==

==> /var/log/syslog <==
Aug 29 13:54:21 ldap-test-slave slapd[28202]: conn=1005 fd=19 closed (connection lost)

==> /var/log/debug <==
Aug 29 13:54:21 ldap-test-slave slapd[28202]: conn=1005 fd=19 closed (connection lost)
 
Old 08-29-2011, 03:12 PM   #2
lefty.crupps
Member
 
Registered: Apr 2005
Location: Minneap USA
Distribution: Debian, Mepis, Sidux
Posts: 470

Original Poster
I was able to resolve this with help from irc.freenode.net #openldap; I had comments in my replication lines:
Code:
syncrepl rid=001
  provider=ldap://master.ourdomain.net
  type=refreshAndPersist
  retry="5 5 300 +"
  searchbase="dc=ourdomain,dc=net"
  attrs="*,+"
  bindmethod=simple
  binddn="cn=root,dc=ourdomain,dc=net"
  credentials=secret2
which I had taken out when I posted here. Apparently, those lines cause that stanza to 'be completed', so the additional info wasn't being used to correctly replicate my data. After taking out those #commented lines, I stopped the slapd server, removed its DB, and restarted the server, and it pulled everything in correctly.

This was useful for tracking down the failure: on the Master the entry has a password field, but on the Slave it did not have a password:
Code:
shell#  /usr/bin/ldapsearch -x -D "cn=root,dc=ourdomain,dc=net" -W "(uid=authuser)"

Big thanks to JoBbZ for the assistance on #openldap.
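An added example (not from the thread) that scripts the comparison made in the second post: bind as the rootdn on both servers, fetch the same entry with user and operational attributes, and report attributes the provider holds but the consumer lacks. Host names, rootdn, password file path and the uid follow the thread's placeholders and are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: automate the check made in the second post.
# Fetch one entry from the provider and the consumer, binding as the rootdn on
# both (the ACLs above hide userPassword from most binds), and list attributes
# that exist on the provider copy but are missing from the consumer copy.
# Host names, rootdn, password file path and the uid are assumptions.
export LC_ALL=C   # keep sort(1) and comm(1) collation in agreement

# Read LDIF on stdin, unfold continuation lines (leading space), drop comments
# and the dn line, and print the attribute names, lowercased, sorted, unique.
ldif_attr_names() {
  awk '
    /^ /  { buf = buf substr($0, 2); next }   # continuation: append to previous line
    { if (buf != "") print buf; buf = $0 }
    END   { if (buf != "") print buf }
  ' | grep -v '^#' | grep -v '^dn:' \
    | sed -n 's/^\([A-Za-z][A-Za-z0-9.;-]*\):.*/\1/p' \
    | tr '[:upper:]' '[:lower:]' | sort -u
}

# $1 = provider LDIF file, $2 = consumer LDIF file.
# Prints one attribute name per line that the provider has and the consumer lacks.
missing_on_consumer() {
  p=$(mktemp) && c=$(mktemp) || return 1
  ldif_attr_names < "$1" > "$p"
  ldif_attr_names < "$2" > "$c"
  comm -23 "$p" "$c"
  rm -f "$p" "$c"
}

# $1 = host, $2 = bind DN, $3 = password file (-y keeps the secret off the
# command line), $4 = search base, $5 = filter, $6 = output file.
# '*' '+' requests user and operational attributes, matching attrs="*,+" above.
fetch_entry() {
  ldapsearch -x -LLL -H "ldaps://$1/" -D "$2" -y "$3" -b "$4" "$5" '*' '+' > "$6"
}

if [ "${1:-}" = "check" ]; then
  ROOTDN="cn=root,dc=ourdomain,dc=net"
  PWFILE=/root/.ldap-rootpw            # assumed: rootdn password, mode 0600
  BASE="dc=ourdomain,dc=net"
  FILTER='(uid=authuser)'
  fetch_entry master.fqdn.com "$ROOTDN" "$PWFILE" "$BASE" "$FILTER" /tmp/provider.ldif
  fetch_entry slave.fqdn.com  "$ROOTDN" "$PWFILE" "$BASE" "$FILTER" /tmp/consumer.ldif
  missing=$(missing_on_consumer /tmp/provider.ldif /tmp/consumer.ldif)
  if [ -n "$missing" ]; then
    echo "attributes not replicated to the consumer:"; echo "$missing"; exit 2
  fi
  echo "consumer copy carries every attribute the provider has"
fi
```

Bind as the rootdn on both sides: with `by * none` on the userPassword ACL, a less privileged bind would not see the attribute on either server and the comparison would say nothing. Invoke the script with the single argument `check` to run it against the two servers.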