OpenLdap v2.4.23 : ldap_bind: Invalid credentials (49)

bathory · 02-07-2014, 06:02 AM

Quote:

I get : 32 No Such Object

It means that your user does not have read rights in the directory, meaning he cannot do searches.
Add:

Code:

access to *
 by users read

to slapd.conf, reload the service and try again.
PS: The above is the same as the rule above that you had to add in case you're using slapd.d

jonaskellens · 02-07-2014, 09:02 AM

I can not make everything readable by all users.

This user U101001 is member of the group tbook1, and in my rules this group can read all objects inside ou=tbook1,ou=contacten,ou=101001,dc=mydomain :

Code:

access to dn.one="ou=tbook1,ou=contacten,ou=101001,dc=mydomain"
        by group.exact="cn=admins,ou=101001,dc=mydomain" write
        by group.exact="cn=tbook1,ou=gebruikers,ou=101001,dc=mydomain" read

But the objects in ou=tbook1,ou=contacten,ou=101001,dc=mydomain are not shown...

I really don't understand because the exact same configuration works on another LDAP-server, however with another LDAP-version (no new stupid syntax).

bathory · 02-07-2014, 03:28 PM

Quote:

I really don't understand because the exact same configuration works on another LDAP-server, however with another LDAP-version (no new stupid syntax).

I don't think it's a matter of ldap version, or because of the new syntax.
If the exact same configuration works in the old ldap server, then copy over the working slapd.conf and use it with the new server.

jonaskellens · 02-12-2014, 07:59 AM

When I start slapd with the slapd.conf file of the "old" openLDAP-server, then I get the following error :

Code:

[root@ldap1 openldap]# /sbin/service slapd start
Checking configuration files for slapd:                    [FAILED]
/etc/openldap/slapd.conf: line 100: unknown directive <defaultaccess> inside backend database definition.
slaptest: bad configuration file!

What I have in my slapd.conf file is the following :

Code:

database        bdb
suffix          "dc=mydomain"
rootdn          "cn=Manager,dc=mydomain"
rootpw         {SSHA}secret

defaultaccess   none

access to attrs=userPassword
        by * auth
...
...

Works fine on openLDAP version 2.3.43

Is there something else I should use on openldap version 2.4.23 ?

When I leave this out, I get no results (see post above) when I do a search. No problem with authentication. But problem with "no such object".

Same search gives results on "old" openLDAP-server.

Still don't know where the difference is situated.

bathory · 02-12-2014, 10:29 AM

Quote:

/etc/openldap/slapd.conf: line 100: unknown directive <defaultaccess> inside backend database definition.
<snip>
Works fine on openLDAP version 2.3.43

Is there something else I should use on openldap version 2.4.23 ?

Looks like "defaultaccess" that was deprecated in 2.3.x has been removed in 2.4.x (see here).
You may delete or comment it out and see what you get.

Quote:

When I leave this out, I get no results (see post above) when I do a search. No problem with authentication. But problem with "no such object".

As I've told you, the user does not have read/search rights on the directory

jonaskellens · 02-13-2014, 06:47 AM

OK.

When I have a user "cn=U101001,ou=101001,dc=mydomain"

which is member of the group "cn=tbook1,ou=gebruikers,ou=101001,dc=mydomain"

and I have the following rule :

Code:

access to dn.one="ou=tbook1,ou=contacten,ou=101001,dc=mydomain"
        by group.exact="cn=tbook1,ou=gebruikers,ou=101001,dc=mydomain" read

Shouldn't my user "cn=tbook1,ou=gebruikers,ou=101001,dc=mydomain" be able to get al the entries in "ou=tbook1,ou=contacten,ou=101001,dc=mydomain" ?

bathory · 02-13-2014, 01:24 PM

Quote:

Shouldn't my user "cn=tbook1,ou=gebruikers,ou=101001,dc=mydomain" be able to get al the entries in "ou=tbook1,ou=contacten,ou=101001,dc=mydomain" ?

It should.
Are you sure there are entries under "ou=tbook1,ou=contacten,ou=101001,dc=mydomain"?

jonaskellens · 02-14-2014, 05:27 AM

Quote:

Originally Posted by bathory

Are you sure there are entries under "ou=tbook1,ou=contacten,ou=101001,dc=mydomain"?

I use phpLDAPadmin to check my entries. And yes, there are entries in the tree "ou=tbook1,ou=contacten,ou=101001,dc=mydomain".

I can prove it when I log in with "root" :

Code:

[root@ldap1 ]# ldapsearch -x -D 'cn=Manager,dc=mydomain' -b "ou=tbook1,ou=contacten,ou=101001,dc=mydomain" -W
Enter LDAP Password: 
# extended LDIF
#
# LDAPv3
# base <ou=tbook1,ou=contacten,ou=101001,dc=mydomain> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# tbook1, contacten, 101001, mydomain
dn: ou=tbook1,ou=contacten,ou=101001,dc=mydomain
ou: tbook1
objectClass: organizationalUnit
objectClass: top

...

# search result
search: 2
result: 0 Success

# numResponses: 5
# numEntries: 4

There are 4 results (I deleted them in my output).

So there are results to be shown, but the user "cn=U101001,ou=101001,dc=mydomain" - for some reason - has no rights...

bathory · 02-15-2014, 04:41 PM

Quote:

There are 4 results (I deleted them in my output).

So there are results to be shown, but the user "cn=U101001,ou=101001,dc=mydomain" - for some reason - has no rights...

I've already told you that somehow the user has no search rights under that DN. Since there are entries under it, double check the ACLs and also make sure that this user belongs to the group cn=tbook1,ou=gebruikers,ou=101001,dc=mydomain".
Other than that I don't know what else you have to check.

jonaskellens · 02-17-2014, 03:13 AM

Quote:

Originally Posted by bathory

double check the ACLs and also make sure that this user belongs to the group cn=tbook1,ou=gebruikers,ou=101001,dc=mydomain".

When I consult phpLDAPadmin, it says that the user is member of the group.

Is there some ldap-command to double check this ?

bathory · 02-17-2014, 05:07 AM

Quote:

Is there some ldap-command to double check this ?

You can read the dn: cn=tbook1,ou=gebruikers,ou=101001,dc=mydomain, to see who are the members of it:

Code:

ldapsearch -x -D 'cn=Manager,dc=mydomain' -W -b cn=tbook1,ou=gebruikers,ou=101001,dc=mydomain

jonaskellens · 02-19-2014, 07:22 AM

Quote:

Originally Posted by bathory

Code:

ldapsearch -x -D 'cn=Manager,dc=mydomain' -W -b cn=tbook1,ou=gebruikers,ou=101001,dc=mydomain

Output :

Code:

# tbook1, gebruikers, 101001, mydomain
dn: cn=tbook1,ou=gebruikers,ou=101001,dc=mydomain
cn: tbook1
member: cn=U101001,ou=101001,dc=mydomain
objectClass: groupOfNames
objectClass: top

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

Seems correct, no ?

bathory · 02-19-2014, 12:03 PM

Yes, it seems correct.
Sorry but I don't know what else to think.
You could ask your question to openldap mailing lists to get a more accurate answer.