LinuxQuestions.org
Linux - Software This forum is for Software issues.
Old 04-06-2010, 04:14 PM   #1
jonniebigodes
another one with openldap bad credentials


hi.
i've followed the guides provided here:
howtoforge
also this one:
roadrunner
but when i try to add the users using the command:
Code:
ldapadd -x -W -D "cn=Manager,dc=novabase,dc=com" -f passwd.ldif
i get the famous error
Quote:
ldap_bind: Invalid credentials (49)
this is my ldap.conf
Code:
#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

#BASE   dc=example,dc=com
#URI    ldap://ldap.example.com ldap://ldap-master.example.com:666

#SIZELIMIT	12
#TIMELIMIT	15
#DEREF          never
URI ldap://127.0.0.1/
BASE dc=novabase,dc=com
TLS_CACERTDIR /etc/openldap/cacerts
here is my slapd.conf, i'm leaving the commented part out.
Code:
include         /etc/openldap/schema/corba.schema
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/duaconf.schema
include         /etc/openldap/schema/dyngroup.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/java.schema
include         /etc/openldap/schema/misc.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/openldap.schema
include         /etc/openldap/schema/ppolicy.schema
include         /etc/openldap/schema/collective.schema

# Allow LDAPv2 client connections.  This is NOT the default.
allow bind_v2
pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args

database        bdb
suffix          "dc=novabase,dc=com"
checkpoint	1024 15
rootdn          "cn=Manager,dc=novabase,dc=com"
 rootpw                 {MD5}PLMVZZjKxEmI75sLIyKUFQ==
directory	/var/lib/ldap

# enable monitoring
database monitor

# allow only rootdn to read the monitor
access to *
        by dn.exact="cn=Manager,dc=novabase,dc=com" read
        by * none
below that i added the following as stated in a post in a forum
Code:
access to attrs=userPassword
        by self write
        by dn="cn=Manager,dc=novabase,dc=com" write
        by anonymous auth
        by * none

access to *
        by dn="cn=Manager,dc=novabase,dc=com" write
        by self write
        by * read
with ldap stopped i've added the following to the database
Quote:
dn: dc=novabase,dc=com
objectClass: top
objectClass: domain
dc: novabase

dn: ou=People,dc=novabase,dc=com
objectClass: top
objectClass: OrganizationalUnit
ou: People

dn: ou=Group,dc=novabase,dc=com
objectClass: top
objectClass: OrganizationalUnit
ou: Group

dn: ou=addressbook,dc=novabase,dc=com
objectClass: top
objectClass: OrganizationalUnit
ou: addressbook
using
Code:
slapadd -f slapd.conf -l novabase.com.ldif -v
but that defeats the whole purpose.
ohh and btw instead of starting openldap by doing service slapd start, i've started openldap using
Code:
/usr/sbin/slapd -f /etc/openldap/slapd.conf

i've been racking my brain with this, i've been trying to get this to work but to no avail.
 
Old 04-06-2010, 04:24 PM   #2
jonniebigodes
changed the ldapadd command a bit and added -d 255
so the command now looks like this
Code:
ldapadd -x -d 255 -W -D "cn=Manager,dc=novabase,dc=com" -f passwd.ldif
and here's the output:
Quote:
ldapadd -x -d 255 -W -D "cn=Manager,dc=novabase,dc=com" -f /etc/openldap/passwd.ldif
ldap_create
Enter LDAP Password:
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP 127.0.0.1:389
ldap_new_socket: 4
ldap_prepare_socket: 4
ldap_connect_to_host: Trying 127.0.0.1:389
ldap_pvt_connect: fd: 4 tm: -1 async: 0
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_dump: buf=0x1238560 ptr=0x1238560 end=0x123859b len=59
0000: 30 84 00 00 00 35 02 01 01 60 84 00 00 00 2c 02 0....5...`....,.
0010: 01 03 04 1d 63 6e 3d 4d 61 6e 61 67 65 72 2c 64 ....cn=Manager,d
0020: 63 3d 6e 6f 76 61 62 61 73 65 2c 64 63 3d 63 6f c=novabase,dc=co
0030: 6d 80 08 6e 6f 76 61 62 61 73 65 m..novabase
ber_scanf fmt ({i) ber:
ber_dump: buf=0x1238560 ptr=0x1238569 end=0x123859b len=50
0000: 60 84 00 00 00 2c 02 01 03 04 1d 63 6e 3d 4d 61 `....,.....cn=Ma
0010: 6e 61 67 65 72 2c 64 63 3d 6e 6f 76 61 62 61 73 nager,dc=novabas
0020: 65 2c 64 63 3d 63 6f 6d 80 08 6e 6f 76 61 62 61 e,dc=com..novaba
0030: 73 65 se
ber_flush2: 59 bytes to sd 4
0000: 30 84 00 00 00 35 02 01 01 60 84 00 00 00 2c 02 0....5...`....,.
0010: 01 03 04 1d 63 6e 3d 4d 61 6e 61 67 65 72 2c 64 ....cn=Manager,d
0020: 63 3d 6e 6f 76 61 62 61 73 65 2c 64 63 3d 63 6f c=novabase,dc=co
0030: 6d 80 08 6e 6f 76 61 62 61 73 65 m..novabase
ldap_write: want=59, written=59
0000: 30 84 00 00 00 35 02 01 01 60 84 00 00 00 2c 02 0....5...`....,.
0010: 01 03 04 1d 63 6e 3d 4d 61 6e 61 67 65 72 2c 64 ....cn=Manager,d
0020: 63 3d 6e 6f 76 61 62 61 73 65 2c 64 63 3d 63 6f c=novabase,dc=co
0030: 6d 80 08 6e 6f 76 61 62 61 73 65 m..novabase
ldap_result ld 0x1230310 msgid 1
wait4msg ld 0x1230310 msgid 1 (infinite timeout)
wait4msg continue ld 0x1230310 msgid 1 all 1
** ld 0x1230310 Connections:
* host: 127.0.0.1 port: 389 (default)
refcnt: 2 status: Connected
last used: Tue Apr 6 22:03:05 2010


** ld 0x1230310 Outstanding Requests:
* msgid 1, origid 1, status InProgress
outstanding referrals 0, parent count 0
ld 0x1230310 request count 1 (abandoned 0)
** ld 0x1230310 Response Queue:
Empty
ld 0x1230310 response count 0
ldap_chkResponseList ld 0x1230310 msgid 1 all 1
ldap_chkResponseList returns ld 0x1230310 NULL
ldap_int_select
read1msg: ld 0x1230310 msgid 1 all 1
ber_get_next
ldap_read: want=8, got=8
0000: 30 84 00 00 00 10 02 01 0.......
ldap_read: want=14, got=14
0000: 01 61 84 00 00 00 07 0a 01 31 04 00 04 00 .a.......1....
ber_get_next: tag 0x30 len 16 contents:
ber_dump: buf=0x12398f0 ptr=0x12398f0 end=0x1239900 len=16
0000: 02 01 01 61 84 00 00 00 07 0a 01 31 04 00 04 00 ...a.......1....
read1msg: ld 0x1230310 msgid 1 message type bind
ber_scanf fmt ({eAA) ber:
ber_dump: buf=0x12398f0 ptr=0x12398f3 end=0x1239900 len=13
0000: 61 84 00 00 00 07 0a 01 31 04 00 04 00 a.......1....
read1msg: ld 0x1230310 0 new referrals
read1msg: mark request completed, ld 0x1230310 msgid 1
request done: ld 0x1230310 msgid 1
res_errno: 49, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_dump: buf=0x12398f0 ptr=0x12398f3 end=0x1239900 len=13
0000: 61 84 00 00 00 07 0a 01 31 04 00 04 00 a.......1....
ber_scanf fmt (}) ber:
ber_dump: buf=0x12398f0 ptr=0x1239900 end=0x1239900 len=0

ldap_msgfree
ldap_err2string
ldap_bind: Invalid credentials (49)
any ideas?
help would be appreciated
thanks in advance
 
Old 04-06-2010, 04:52 PM   #3
bathory
Hi,

Are you sure about the password? Can you do a search using your credentials?
Code:
ldapsearch -x -b "dc=novabase,dc=com" -W -D "cn=Manager,dc=novabase,dc=com" '(objectclass=*)'
 
Old 04-06-2010, 05:54 PM   #4
jonniebigodes
didn't work, same error.
i'm going to change the password, add it to slapd.conf and try again.
 
Old 04-06-2010, 06:09 PM   #5
jonniebigodes
changed the password, added it to slapd.conf, did a restart of openldap, tried the search and bam... same error.
 
Old 04-07-2010, 12:21 AM   #6
bathory
Hi,

This makes me think that you are using the new openldap configuration, that is based on the new cn=config DIT and not on slapd.conf.
In that case you need to take a look into the slapd.d directory and especially in olcDatabase={1}bdb.ldif, to see the correct credentials (olcRootDN and olcRootPW).
You didn't say your distro and how you've installed openldap, but you can take a look at this guide for Ubuntu.

Regards
 
Old 04-07-2010, 03:35 AM   #7
jonniebigodes
i'm sorry about that.
i'm using fedora 12 64 bits, and the ldap version is 2.4.19.
i've been looking in the olcDatabase={1}bdb.ldif like you said and olcRootDN is there and has the following.
Quote:
olcRootDn: cn=Manager,dc=my-domain,dc=com
no olcRootPW entry.
can i adjust this to my end, configure dc=my-domain,dc=com directly and add the olcRootPw entry directly, and if so do i add it with the hash provided when i ran the command slappasswd?

Last edited by jonniebigodes; 04-07-2010 at 04:30 AM. Reason: more info
 
Old 04-07-2010, 04:31 AM   #8
bathory
I think you should read this (especially post #5)
If slapd finds a directory slapd.d it tries to use the cn=config way to run. So better delete that directory, or use the 1st link I gave you in the previous post to convert slapd.conf into slapd.d

Regards
 
Old 04-07-2010, 05:10 AM   #9
jonniebigodes
removed the directory, did what the guy in here did (post 5 like you said).
started openldap using service slapd start; it gave two warnings.
Code:
/var/lib/ldap/objectClass.bdb is not owned by "ldap"
/var/lib/ldap/ou.bdb is not owned by "ldap"
then it gave me the ok.
issued a query like this
Code:
ldapsearch -x -b "dc=novabase,dc=com" -W -D "cn=Manager,dc=novabase,dc=com" '(objectclass=*)'
entered the password let's say 1234 and it gave me the same error
Code:
ldap_bind:Invalid Credentials
 
Old 04-07-2010, 05:22 AM   #10
bathory
I guess this is your 1st attempt to install openldap, so there is no data yet in the database.
If that's the case, stop slapd, delete everything in /var/lib/ldap/* (except DB_CONFIG if you have one), use slapadd to add the initial ldif and restart slapd.
 
Old 04-07-2010, 05:34 AM   #11
jonniebigodes
database

i believe that the database has something i forgot to mention:
this is the output of slapcat:
Quote:
dn: dc=novabase,dc=com
objectClass: top
objectClass: domain
dc: novabase
structuralObjectClass: domain
entryUUID: b110a08e-d5d3-102e-94c3-db99a38b5dae
creatorsName: cn=Manager,dc=novabase,dc=com
createTimestamp: 20100406142318Z
entryCSN: 20100406142318.916270Z#000000#000#000000
modifiersName: cn=Manager,dc=novabase,dc=com
modifyTimestamp: 20100406142318Z

dn: ou=People,dc=novabase,dc=com
objectClass: top
objectClass: organizationalUnit
ou: People
structuralObjectClass: organizationalUnit
entryUUID: b11c5abe-d5d3-102e-94c4-db99a38b5dae
creatorsName: cn=Manager,dc=novabase,dc=com
createTimestamp: 20100406142318Z
entryCSN: 20100406142318.993129Z#000000#000#000000
modifiersName: cn=Manager,dc=novabase,dc=com
modifyTimestamp: 20100406142318Z

dn: ou=Group,dc=novabase,dc=com
objectClass: top
objectClass: organizationalUnit
ou: Group
structuralObjectClass: organizationalUnit
entryUUID: b129331a-d5d3-102e-94c5-db99a38b5dae
creatorsName: cn=Manager,dc=novabase,dc=com
createTimestamp: 20100406142319Z
entryCSN: 20100406142319.077312Z#000000#000#000000
modifiersName: cn=Manager,dc=novabase,dc=com
modifyTimestamp: 20100406142319Z

dn: ou=addressbook,dc=novabase,dc=com
objectClass: top
objectClass: organizationalUnit
ou: addressbook
structuralObjectClass: organizationalUnit
entryUUID: b12c7160-d5d3-102e-94c6-db99a38b5dae
creatorsName: cn=Manager,dc=novabase,dc=com
createTimestamp: 20100406142319Z
entryCSN: 20100406142319.098570Z#000000#000#000000
modifiersName: cn=Manager,dc=novabase,dc=com
modifyTimestamp: 20100406142319Z
which i added using
Code:
slapadd -f slapd.conf -l novabase.com.ldif -v
novabase.com.ldif being the file which has that data
 
Old 04-07-2010, 06:15 AM   #12
bathory
OK, so you have a slapcat backup of the initial database.
If you delete the databases and the transaction logs in /var/lib/ldap/* you can use slapadd again to restore the novabase.com.ldif

Also you have to move the last acls
Quote:
access to attrs=userPassword
by self write
by dn="cn=Manager,dc=novabase,dc=com" write
by anonymous auth
by * none

access to *
by dn="cn=Manager,dc=novabase,dc=com" write
by self write
by * read
just above the "database monitor" line.
 
Old 04-07-2010, 08:25 AM   #13
jonniebigodes
stopped the ldap, removed the files, created the database again.
changed the slapd.conf
now looks like this, leaving the commented part out
Code:
include		/etc/openldap/schema/corba.schema
include		/etc/openldap/schema/core.schema
include		/etc/openldap/schema/cosine.schema
include		/etc/openldap/schema/duaconf.schema
include		/etc/openldap/schema/dyngroup.schema
include		/etc/openldap/schema/inetorgperson.schema
include		/etc/openldap/schema/java.schema
include		/etc/openldap/schema/misc.schema
include		/etc/openldap/schema/nis.schema
include		/etc/openldap/schema/openldap.schema
include		/etc/openldap/schema/ppolicy.schema
include		/etc/openldap/schema/collective.schema

# Allow LDAPv2 client connections.  This is NOT the default.
allow bind_v2

pidfile		/var/run/openldap/slapd.pid
argsfile	/var/run/openldap/slapd.args

database	bdb
suffix		"dc=novabase,dc=com"
checkpoint	1024 15
rootdn		"cn=Manager,dc=novabase,dc=com"
rootpw		{MD5}PLMVZZjKxEmI75sLIyKUFQ==
directory	/var/lib/ldap

index objectClass                       eq,pres
index ou,cn,mail,surname,givenname      eq,pres,sub
index uidNumber,gidNumber,loginShell    eq,pres
index uid,memberUid                     eq,pres,sub
index nisMapName,nisMapEntry            eq,pres,sub

access to attrs=userPassword
	by self write
	by dn="cn=Manager,dc=novabase,dc=com" write
	by anonymous auth
	by * none

access to * 
	by dn="cn=Manager,dc=novabase,dc=com" write
	by self write
	by * read

# enable monitoring
database monitor

# allow only rootdn to read the monitor
access to *
        by dn.exact="cn=Manager,dc=novabase,dc=com" read
        by * none
issued:
Code:
slapadd -f slapd.conf -l novabase.com.ldif -v
it imported ok,
started ldap using
service slapd start
it gave me the following output:
Quote:
Checking slapd configuration file: [WARNING]
/etc/openldap/slapd.conf: line 120: rootdn is always granted unlimited privileges.
/etc/openldap/slapd.conf: line 125: rootdn is always granted unlimited privileges.
config file testing succeeded
starting slapd: [OK]
ran the query
Code:
ldapsearch -x -b "dc=novabase,dc=com" -W -D "cn=Manager,dc=novabase,dc=com" '(objectclass=*)'
same error

Last edited by jonniebigodes; 04-07-2010 at 09:12 AM.
 
Old 04-07-2010, 08:40 AM   #14
bathory
I don't see any rootpw.
You can run
Code:
slappasswd -s my-password
and copy/paste the output in rootpw
Code:
rootpw {SSHA}-some gibberish-
Regarding the warning, you can delete or comment out the lines "by dn="cn=Manager,dc=novabase,dc=com" write" as the ldap administrator can always write to the DIT.
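Two things bathory points at in posts #12 and #14 (where the access directives land relative to "database monitor", and a rootpw value of the kind slappasswd prints), plus one slapd.conf(5) detail worth checking against post #1, where the rootpw line begins with a space: slapd joins a line that starts with whitespace onto the previous directive, so such a rootpw is never seen as its own directive. This is an added Python example, not code from the thread or from OpenLDAP; the config text and the password 1234 are constructed, and only {MD5}, {SHA}, {SSHA} and clear-text rootpw values are handled.

```python
import base64, hashlib, hmac, os, re

# Constructed slapd.conf fragment (not the poster's file). The rootpw line
# starts with a space, which slapd.conf(5) treats as a continuation of the
# previous line, and the ACLs come after "database monitor", so they apply there.
SAMPLE_CONF = """\
database        bdb
suffix          "dc=novabase,dc=com"
rootdn          "cn=Manager,dc=novabase,dc=com"
 rootpw         {MD5}gdyb21LQTcIANtvYMT7QVQ==

database monitor
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none
"""

def parse_slapd_conf(text):
    """Return [global, db1, db2, ...]; each is {'database': name, 'directives': [(k, v)]}."""
    lines = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and lines:        # leading whitespace = continuation line
            lines[-1] += " " + raw.strip()
        else:
            lines.append(raw.rstrip())
    sections = [{"database": None, "directives": []}]
    for line in lines:
        key, _, value = line.partition(" ")
        if key == "database":               # each "database" line opens a new section
            sections.append({"database": value.strip(), "directives": []})
        else:
            sections[-1]["directives"].append((key, value.strip()))
    return sections

def make_hash(scheme, password, salt=b""):
    """Value in the form slappasswd prints: {MD5}, {SHA} or salted {SSHA} (random 4-byte salt)."""
    algo = {"MD5": "md5", "SHA": "sha1", "SSHA": "sha1"}[scheme]   # KeyError: unsupported
    salt = os.urandom(4) if scheme == "SSHA" and not salt else salt
    digest = hashlib.new(algo, password.encode() + salt).digest() + salt
    return "{%s}%s" % (scheme, base64.b64encode(digest).decode())

def check_password(stored, password):
    """True if password matches the stored rootpw value (hashed or clear text)."""
    m = re.match(r"\{(\w+)\}(.*)$", stored)
    if not m:                                # rootpw may also be clear text
        return hmac.compare_digest(stored.encode(), password.encode())
    scheme, data = m.group(1).upper(), base64.b64decode(m.group(2))
    salt = data[20:] if scheme == "SSHA" else b""    # SHA-1 digest is 20 bytes, rest is salt
    expected = make_hash(scheme, password, salt).split("}", 1)[1]
    return hmac.compare_digest(base64.b64decode(expected), data)
```

Running parse_slapd_conf over a real slapd.conf shows which database each rootpw and access directive actually belongs to, and check_password lets you confirm locally that the hash you pasted matches the password you are typing before suspecting the server.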
 
Old 04-07-2010, 09:13 AM   #15
jonniebigodes
ups, forgot to paste it...
i've edited it now
 
  

