LinuxQuestions.org

RootMason 06-24-2013 08:07 PM

Unable to use password during OpenLDAP setup
 
Hello All!

I'm busy trying to set up an OpenLDAP (on CentOS6) configuration that has run into a snag, hope some of my fellow big brains can help me out! I followed a howto setup on server-world, but when I try and use ldapadd on frontend.ldif I get the following error:

[root@sdserver ~]# ldapadd -x -D cn=admin,dc=server,dc=world -W -f frontend.ldif
Enter LDAP Password:
ldap_bind: Invalid credentials (49)

The credentials are most certainly not incorrect! The setup is on CentOS6, sdserver.sddomain.local. Here is my exact setup:

[root@dir ~]#yum -y install openldap-servers openldap-clients
[root@dir ~]#vi /etc/sysconfig/ldap

# line 16: uncomment and change
SLAPD_LDAPI=yes

[root@dir ~]#vi /etc/openldap/slapd.conf

# create new
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args

[root@dir ~]#rm -rf /etc/openldap/slapd.d/*
[root@dir ~]#slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
config file testing succeeded

[root@dir ~]#vi /etc/openldap/slapd.d/cn=config/olcDatabase\={0}config.ldif

# line 4: change
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break

[root@dir ~]#vi /etc/openldap/slapd.d/cn=config/olcDatabase\={1}monitor.ldif

# create new
dn: olcDatabase={1}monitor
objectClass: olcDatabaseConfig
olcDatabase: {1}monitor
olcAccess: {1}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
olcAddContentAcl: FALSE
olcLastMod: TRUE
olcMaxDerefDepth: 15
olcReadOnly: FALSE
olcMonitoring: FALSE
structuralObjectClass: olcDatabaseConfig
creatorsName: cn=config
modifiersName: cn=config

[root@dir ~]#chown -R ldap. /etc/openldap/slapd.d
[root@dir ~]#chmod -R 700 /etc/openldap/slapd.d
[root@dir ~]#/etc/rc.d/init.d/slapd start
Starting slapd: [ OK ]
[root@dir ~]#chkconfig slapd on

[root@dir ~]#ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/core.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=core,cn=schema,cn=config"

[root@dir ~]#ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=cosine,cn=schema,cn=config"

[root@dir ~]#ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=nis,cn=schema,cn=config"

[root@dir ~]#ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=inetorgperson,cn=schema,cn=config"

[root@dir ~]#slappasswd
New password:
Re-enter new password: (spoiler alert... pw is 1111)
{SSHA}jaBK/3Ofp0n2QW1YyNOb6/++dRBXHntz

[root@dir ~]#vi backend.ldif

# create new
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulepath: /usr/lib64/openldap
olcModuleload: back_hdb

dn: olcDatabase=hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {2}hdb
olcSuffix: dc=sddomain,dc=local
olcDbDirectory: /var/lib/ldap
olcRootDN: cn=admin,dc=sddomain,dc=local
olcRootPW: {SSHA}jaBK/3Ofp0n2QW1YyNOb6/++dRBXHntz
olcDbConfig: set_cachesize 0 2097152 0
olcDbConfig: set_lk_max_objects 1500
olcDbConfig: set_lk_max_locks 1500
olcDbConfig: set_lk_max_lockers 1500
olcDbIndex: objectClass eq
olcLastMod: TRUE
olcMonitoring: TRUE
olcDbCheckpoint: 512 30
olcAccess: to attrs=userPassword by dn="cn=admin,dc=sddomain,dc=local" write by anonymous auth by self write by * none
olcAccess: to attrs=shadowLastChange by self write by * read
olcAccess: to dn.base="" by * read
olcAccess: to * by dn="cn=admin,dc=sddomain,dc=local" write by * read

[root@dir ~]#ldapadd -Y EXTERNAL -H ldapi:/// -f backend.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=module,cn=config"
adding new entry "olcDatabase=hdb,cn=config"

[root@dir ~]#vi frontend.ldif

# create new
dn: dc=sddomain,dc=local
objectClass: top
objectClass: dcObject
objectclass: organization
o: Sddomain Local
dc: Sddomain

dn: cn=admin,dc=sddomain,dc=local
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
userPassword: {SSHA}jaBK/3Ofp0n2QW1YyNOb6/++dRBXHntz

dn: ou=people,dc=sddomain,dc=local
objectClass: organizationalUnit
ou: people

dn: ou=groups,dc=sddomain,dc=local
objectClass: organizationalUnit
ou: groups

[root@sdserver ~]# ldapadd -x -D cn=admin,dc=server,dc=world -W -f frontend.ldif
Enter LDAP Password: 1111
ldap_bind: Invalid credentials (49)

Sonofabeach! After hours of scouring trying to find a solution to my problem, I'm under the impression that OpenLDAP is not reading my password from the correct source... though I'm not sure if that's correct or how to remedy it if it is. It is my second run through on this (had the same problem on my 1st pass) and I even picked the temp password of 1111 this time to keep it simple and make sure it wasn't a simple error with inputting a long password.

Anyways, any help would be much appreciated! Thanks all and have a great one!

bathory 06-25-2013 06:25 AM

Quote:

[root@sdserver ~]# ldapadd -x -D cn=admin,dc=server,dc=world -W -f frontend.ldif
Enter LDAP Password: 1111
ldap_bind: Invalid credentials (49)
Looks like you're using the wrong DN.
According to your installation the admin DN is "cn=admin,dc=sddomain,dc=local"
Quote:

olcRootDN: cn=admin,dc=sddomain,dc=local
Try the following and see if it works:
Code:

ldapadd -x -D cn=admin,dc=sddomain,dc=local -W -f frontend.ldif
Regards
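slapd returns the same "Invalid credentials (49)" whether the bind DN does not exist or the password does not match, so the client output alone cannot tell the two apart. The following added example (not from the thread and not OpenLDAP's own code) reproduces the check offline: it reads olcRootDN and olcRootPW from a constructed copy of the hdb database LDIF, compares the bind DN the way LDAP does (case- and space-insensitive RDNs), and verifies the password against the {SSHA} value the way slappasswd builds it. The sample LDIF, its salt and its hash are constructed here; only the DN and suffix follow the post.

```python
import base64
import hashlib
import hmac
import re

# Constructed stand-in for /etc/openldap/slapd.d/cn=config/olcDatabase={2}hdb.ldif.
# DN and suffix mirror the thread; the {SSHA} value is generated here, not copied.
FIXED_SALT = b"\x01\x02\x03\x04"


def make_ssha(password: str, salt: bytes = FIXED_SALT) -> str:
    """Build an {SSHA} value the way slappasswd does: base64(sha1(pw + salt) + salt)."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


SAMPLE_LDIF = f"""dn: olcDatabase={{2}}hdb
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcSuffix: dc=sddomain,dc=local
olcRootDN: cn=admin,dc=sddomain,dc=local
olcRootPW: {make_ssha('1111')}
"""


def parse_attrs(ldif: str) -> dict:
    """Minimal single-entry LDIF reader (no line continuations, no base64 values)."""
    pairs = (re.match(r"^([A-Za-z]+):\s*(.*)$", ln) for ln in ldif.splitlines())
    return {m.group(1): m.group(2).strip() for m in pairs if m}


def normalize_dn(dn: str) -> str:
    """Comparison form for simple DNs: RDN components are case- and space-insensitive."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def verify_ssha(stored: str, password: str) -> bool:
    """Check a password against an {SSHA} hash: first 20 bytes are the digest, the rest the salt."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(hashlib.sha1(password.encode() + salt).digest(), digest)


def diagnose(ldif: str, bind_dn: str, password: str) -> str:
    """Explain an 'Invalid credentials (49)' result: wrong DN, wrong password, or neither."""
    attrs = parse_attrs(ldif)
    if normalize_dn(bind_dn) != normalize_dn(attrs["olcRootDN"]):
        return "dn-mismatch"
    if not verify_ssha(attrs["olcRootPW"], password):
        return "password-mismatch"
    return "ok"
```

Run against the thread's two commands, `diagnose` reports "dn-mismatch" for cn=admin,dc=server,dc=world and "ok" for cn=admin,dc=sddomain,dc=local, which is exactly the distinction bathory drew from olcRootDN.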

RootMason 06-25-2013 11:36 AM

So... I got up this morning and checked out your post and I didn't see any difference between what I had written and what you had suggested. I didn't see any difference. Then my 8 year old son came downstairs, read it once and said, "he's saying you used the login from the howto you were reading and not the one in the file. Can I play Minecraft now?"

Many thanks for the response! You're the hero as of 09:36AM MST!
