LinuxQuestions.org
Linux - Server This forum is for the discussion of Linux Software used in a server related context.

Old 04-24-2012, 04:17 PM   #1
Sma11T0wnITGuy
LQ Newbie
 
Registered: Aug 2009
Posts: 13

Rep: Reputation: 0
ldap_bind: Invalid credentials (49) when trying OpenLDAP query


I'm running OpenLDAP 2.4-2 on Ubuntu 10.04.3.

I'm reading "Mastering OpenLDAP" and configuring along with the book.

I've only really touched two files in this process, /etc/ldap/slapd.conf and /etc/ldap/ldap.conf, both of which I'm including in my post. I've read several posts here from people with similar problems and I've tried encrypting the password using slappasswd but it's still not working.

Code:
root@ubuntu1:/etc/ldap# cat ldap.conf
# LDAP Client Settings
URI  ldap://localhost
BASE  dc=example,dc=com
BINDDN  cn=Manager,dc=example,dc=com
SIZELIMIT  0
TIMELIMIT  0
root@ubuntu1:/etc/ldap# cat slapd.conf
# slapd.conf - Configuration file for LDAP SLAPD
##########
# Basics #
##########
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/inetorgperson.schema
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
loglevel none
modulepath /usr/lib/ldap
# modulepath /usr/local/libexec/openldap
moduleload back_hdb
##########################
# Database Configuration #
##########################
database hdb
suffix "dc=example,dc=com"
rootdn "cn=Manager,dc=example,dc=com"
rootpw {SSHA}aJMj6exy5el7e+lqZrnc3mlMbkQO0+fq
directory /var/lib/ldap
# directory /usr/local/var/openldap-data
index objectClass,cn eq
########
# ACLs #
########
access to attrs=userPassword
 by anonymous auth
 by self write
 by * none
access to *
 by self write
 by * none
Here's the search I'm running:

Code:
ldapsearch -D uid=Manager,dc=example,dc=com -W -x -b ""
Thanks for any assistance anyone can provide!
 
Old 04-24-2012, 04:27 PM   #2
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1981
do NOT bind with the manager account in ldap.conf, that's so so insecure!

if you use a different password encryption, does it work? Try a crypt for testing:

perl -e "print crypt('passwd','a_salt_string');"
 
Old 04-24-2012, 04:57 PM   #3
Sma11T0wnITGuy
LQ Newbie
 
Registered: Aug 2009
Posts: 13

Original Poster
Rep: Reputation: 0
Hi Chris,

This is a test environment, running only on a local virtual machine on my laptop. The book explains the security issue and says it will be resolved in a future chapter. I did try crypt as well, but here's the output I get when I run your script:

Code:
perl -e "print crypt('passwd','a_salt_string');"
a_OOAbS2vPWRY
[edit]
It looks like you wanted me to input the password and a salt string to generate a crypt password? Would that be the same as if I used slappasswd -h {crypt} -c 'passwd'?

Thanks!

Last edited by Sma11T0wnITGuy; 04-24-2012 at 05:06 PM. Reason: Reread previous response.
 
Old 04-24-2012, 05:16 PM   #4
Sma11T0wnITGuy
LQ Newbie
 
Registered: Aug 2009
Posts: 13

Original Poster
Rep: Reputation: 0
LDAP Search

That LDAP search I'm using was wrong in my original post above.

Here's the search the book provided:


Code:
ldapsearch -W -D 'cn=Manager,dc=example,dc=com' -b "" -s base
And the results:

Code:
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
 
Old 04-24-2012, 05:22 PM   #5
Sma11T0wnITGuy
LQ Newbie
 
Registered: Aug 2009
Posts: 13

Original Poster
Rep: Reputation: 0
crypt password result

Chris,

I ran the following:

Code:
perl -e "print crypt('clGviUh5DG9StH40AeVs','aJMj6exy5el7e+lqZrnc3mlMbkQO0+fq');"
took the resulting string, and pasted into /etc/ldap/slapd.conf:

Code:
rootpw {crypt}aJ4SmFKM9WuzY
restarted slapd, and got the same result.

Code:
root@ubuntu1:/etc/ldap# ldapsearch -W -D 'cn=Manager,dc=example,dc=com' -b "" -s base
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
I put clGviUh5DG9StH40AeV in when asked for my password.
 
Old 04-25-2012, 01:33 AM   #6
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1981
start up slapd in debug mode and try to bind to it then, and see what lovely stuff falls out.
 
Old 04-25-2012, 08:57 AM   #7
Sma11T0wnITGuy
LQ Newbie
 
Registered: Aug 2009
Posts: 13

Original Poster
Rep: Reputation: 0
Debug mode output

Chris,

I ran the search in debug mode and got the following output:


Code:
ted@ubuntu1:~$ sudo ldapsearch -x -W -D 'cn=Manager,dc=example,dc=com' -b "" -s base -d 255
ldap_create
Enter LDAP Password:
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP localhost:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying ::1 389
ldap_pvt_connect: fd: 3 tm: -1 async: 0
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_dump: buf=0x2165ecc0 ptr=0x2165ecc0 end=0x2165ecfe len=62
  0000:  30 3c 02 01 01 60 37 02  01 03 04 1c 63 6e 3d 4d   0<...`7.....cn=M
  0010:  61 6e 61 67 65 72 2c 64  63 3d 65 78 61 6d 70 6c   anager,dc=exampl
  0020:  65 2c 64 63 3d 63 6f 6d  80 14 63 6c 47 76 69 55   e,dc=com..clGviU
  0030:  68 35 44 47 39 53 74 48  34 30 41 65 56 73         h5DG9StH40AeVs
ber_scanf fmt ({i) ber:
ber_dump: buf=0x2165ecc0 ptr=0x2165ecc5 end=0x2165ecfe len=57
  0000:  60 37 02 01 03 04 1c 63  6e 3d 4d 61 6e 61 67 65   `7.....cn=Manage
  0010:  72 2c 64 63 3d 65 78 61  6d 70 6c 65 2c 64 63 3d   r,dc=example,dc=
  0020:  63 6f 6d 80 14 63 6c 47  76 69 55 68 35 44 47 39   com..clGviUh5DG9
  0030:  53 74 48 34 30 41 65 56  73                        StH40AeVs
ber_flush2: 62 bytes to sd 3
  0000:  30 3c 02 01 01 60 37 02  01 03 04 1c 63 6e 3d 4d   0<...`7.....cn=M
  0010:  61 6e 61 67 65 72 2c 64  63 3d 65 78 61 6d 70 6c   anager,dc=exampl
  0020:  65 2c 64 63 3d 63 6f 6d  80 14 63 6c 47 76 69 55   e,dc=com..clGviU
  0030:  68 35 44 47 39 53 74 48  34 30 41 65 56 73         h5DG9StH40AeVs
ldap_write: want=62, written=62
  0000:  30 3c 02 01 01 60 37 02  01 03 04 1c 63 6e 3d 4d   0<...`7.....cn=M
  0010:  61 6e 61 67 65 72 2c 64  63 3d 65 78 61 6d 70 6c   anager,dc=exampl
  0020:  65 2c 64 63 3d 63 6f 6d  80 14 63 6c 47 76 69 55   e,dc=com..clGviU
  0030:  68 35 44 47 39 53 74 48  34 30 41 65 56 73         h5DG9StH40AeVs
ldap_result ld 0x21656270 msgid 1
wait4msg ld 0x21656270 msgid 1 (infinite timeout)
wait4msg continue ld 0x21656270 msgid 1 all 1
** ld 0x21656270 Connections:
* host: localhost  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Wed Apr 25 06:56:26 2012


** ld 0x21656270 Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x21656270 request count 1 (abandoned 0)
** ld 0x21656270 Response Queue:
   Empty
  ld 0x21656270 response count 0
ldap_chkResponseList ld 0x21656270 msgid 1 all 1
ldap_chkResponseList returns ld 0x21656270 NULL
ldap_int_select
read1msg: ld 0x21656270 msgid 1 all 1
ber_get_next
ldap_read: want=8, got=8
  0000:  30 0c 02 01 01 61 07 0a                            0....a..
ldap_read: want=6, got=6
  0000:  01 31 04 00 04 00                                  .1....
ber_get_next: tag 0x30 len 12 contents:
ber_dump: buf=0x2165fd28 ptr=0x2165fd28 end=0x2165fd34 len=12
  0000:  02 01 01 61 07 0a 01 31  04 00 04 00               ...a...1....
read1msg: ld 0x21656270 msgid 1 message type bind
ber_scanf fmt ({eAA) ber:
ber_dump: buf=0x2165fd28 ptr=0x2165fd2b end=0x2165fd34 len=9
  0000:  61 07 0a 01 31 04 00 04  00                        a...1....
read1msg: ld 0x21656270 0 new referrals
read1msg:  mark request completed, ld 0x21656270 msgid 1
request done: ld 0x21656270 msgid 1
res_errno: 49, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_dump: buf=0x2165fd28 ptr=0x2165fd2b end=0x2165fd34 len=9
  0000:  61 07 0a 01 31 04 00 04  00                        a...1....
ber_scanf fmt (}) ber:
ber_dump: buf=0x2165fd28 ptr=0x2165fd34 end=0x2165fd34 len=0

ldap_msgfree
ldap_err2string
ldap_bind: Invalid credentials (49)
 
Old 04-25-2012, 10:35 AM   #8
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1981
yes, but we know the client gets a 49. it's WHY it does that that matters, and that's up to the server to explain.
 
Old 04-25-2012, 11:00 AM   #9
Sma11T0wnITGuy
LQ Newbie
 
Registered: Aug 2009
Posts: 13

Original Poster
Rep: Reputation: 0
Any other info I can provide?

Hi Chris,

Thanks for your reply. I ran the search command in debug mode by adding -d 255. Anything else I can run to provide more info for troubleshooting? Did you mean something else when you asked me to run OpenLDAP in debug mode?

Ted
 
Old 04-25-2012, 11:39 AM   #10
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1981
you need to run the slapd process on the server in the foreground. the error to the client is deliberately vague, and you will never have a clue what actually happened outside of the standard error code.
 
Old 04-25-2012, 01:31 PM   #11
Sma11T0wnITGuy
LQ Newbie
 
Registered: Aug 2009
Posts: 13

Original Poster
Rep: Reputation: 0
Debug mode from server side

Hi Chris,

Thanks for your patience and your help.

Here's a debug capture in interactive mode from the server's perspective:

Code:
ldif_read_file: read entry file: "/etc/ldap/slapd.d/cn=config/olcDatabase={0}config.ldif"
=> str2entry: "dn: olcDatabase={0}config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external
 ,cn=auth manage by * break
structuralObjectClass: olcDatabaseConfig
entryUUID: 8c829f02-1f4a-1031-8fb7-5395168dc80f
creatorsName: cn=config
createTimestamp: 20120420153757Z
entryCSN: 20120420153757.923358Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20120420153757Z
"
>>> dnPrettyNormal: <olcDatabase={0}config>
=> ldap_bv2dn(olcDatabase={0}config,0)
<= ldap_bv2dn(olcDatabase={0}config)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(olcDatabase={0}config)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(olcDatabase={0}config)=0
<<< dnPrettyNormal: <olcDatabase={0}config>, <olcDatabase={0}config>
>>> dnNormalize: <cn=config>
=> ldap_bv2dn(cn=config,0)
<= ldap_bv2dn(cn=config)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(cn=config)=0
<<< dnNormalize: <cn=config>
>>> dnNormalize: <cn=config>
=> ldap_bv2dn(cn=config,0)
<= ldap_bv2dn(cn=config)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(cn=config)=0
<<< dnNormalize: <cn=config>
<= str2entry(olcDatabase={0}config) -> 0x21a15f34
=> test_filter
    PRESENT
=> access_allowed: search access to "olcDatabase={0}config,cn=config" "objectClass" requested
<= root access granted
=> access_allowed: search access granted by manage(=mwrscxd)
<= test_filter 6
>>> dnNormalize: <gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth>
=> ldap_bv2dn(gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth,0)
<= ldap_bv2dn(gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth)=0
<<< dnNormalize: <gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth>
Backend ACL: access to *
        by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
        by * +0 break

/etc/ldap/slapd.d: line 1: warning: cannot assess the validity of the ACL scope within backend naming context
send_ldap_result: conn=-1 op=0 p=0
send_ldap_result: err=0 matched="" text=""
>>> dnNormalize: <cn=Subschema>
=> ldap_bv2dn(cn=Subschema,0)
<= ldap_bv2dn(cn=Subschema)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(cn=subschema)=0
<<< dnNormalize: <cn=subschema>
matching_rule_use_init
    1.2.840.113556.1.4.804 (integerBitOrMatch): matchingRuleUse: ( 1.2.840.113556.1.4.804 NAME 'integerBitOrMatch' APPLIES ( supportedLDAPVersion $ entryTtl $ uidNumber $ gidNumber $ olcConcurrency $ olcConnMaxPending $ olcConnMaxPendingAuth $ olcIdleTimeout $ olcIndexSubstrIfMinLen $ olcIndexSubstrIfMaxLen $ olcIndexSubstrAnyLen $ olcIndexSubstrAnyStep $ olcIndexIntLen $ olcLocalSSF $ olcMaxDerefDepth $ olcReplicationInterval $ olcSockbufMaxIncoming $ olcSockbufMaxIncomingAuth $ olcThreads $ olcToolThreads $ olcWriteTimeout ) )
    1.2.840.113556.1.4.803 (integerBitAndMatch): matchingRuleUse: ( 1.2.840.113556.1.4.803 NAME 'integerBitAndMatch' APPLIES ( supportedLDAPVersion $ entryTtl $ uidNumber $ gidNumber $ olcConcurrency $ olcConnMaxPending $ olcConnMaxPendingAuth $ olcIdleTimeout $ olcIndexSubstrIfMinLen $ olcIndexSubstrIfMaxLen $ olcIndexSubstrAnyLen $ olcIndexSubstrAnyStep $ olcIndexIntLen $ olcLocalSSF $ olcMaxDerefDepth $ olcReplicationInterval $ olcSockbufMaxIncoming $ olcSockbufMaxIncomingAuth $ olcThreads $ olcToolThreads $ olcWriteTimeout ) )
    1.3.6.1.4.1.1466.109.114.2 (caseIgnoreIA5Match): matchingRuleUse: ( 1.3.6.1.4.1.1466.109.114.2 NAME 'caseIgnoreIA5Match' APPLIES ( altServer $ mail $ dc $ associatedDomain $ email ) )
    1.3.6.1.4.1.1466.109.114.1 (caseExactIA5Match): matchingRuleUse: ( 1.3.6.1.4.1.1466.109.114.1 NAME 'caseExactIA5Match' APPLIES ( altServer $ mail $ dc $ associatedDomain $ email ) )
    2.5.13.39 (certificateListMatch):     2.5.13.38 (certificateListExactMatch): matchingRuleUse: ( 2.5.13.38 NAME 'certificateListExactMatch' APPLIES ( authorityRevocationList $ certificateRevocationList $ deltaRevocationList ) )
    2.5.13.35 (certificateMatch):     2.5.13.34 (certificateExactMatch): matchingRuleUse: ( 2.5.13.34 NAME 'certificateExactMatch' APPLIES ( userCertificate $ cACertificate ) )
    2.5.13.30 (objectIdentifierFirstComponentMatch): matchingRuleUse: ( 2.5.13.30 NAME 'objectIdentifierFirstComponentMatch' APPLIES ( supportedControl $ supportedExtension $ supportedFeatures $ ldapSyntaxes $ supportedApplicationContext ) )
    2.5.13.29 (integerFirstComponentMatch): matchingRuleUse: ( 2.5.13.29 NAME 'integerFirstComponentMatch' APPLIES ( supportedLDAPVersion $ entryTtl $ uidNumber $ gidNumber $ olcConcurrency $ olcConnMaxPending $ olcConnMaxPendingAuth $ olcIdleTimeout $ olcIndexSubstrIfMinLen $ olcIndexSubstrIfMaxLen $ olcIndexSubstrAnyLen $ olcIndexSubstrAnyStep $ olcIndexIntLen $ olcLocalSSF $ olcMaxDerefDepth $ olcReplicationInterval $ olcSockbufMaxIncoming $ olcSockbufMaxIncomingAuth $ olcThreads $ olcToolThreads $ olcWriteTimeout ) )
    2.5.13.27 (generalizedTimeMatch): matchingRuleUse: ( 2.5.13.27 NAME 'generalizedTimeMatch' APPLIES ( createTimestamp $ modifyTimestamp ) )
    2.5.13.24 (protocolInformationMatch): matchingRuleUse: ( 2.5.13.24 NAME 'protocolInformationMatch' APPLIES protocolInformation )
    2.5.13.23 (uniqueMemberMatch): matchingRuleUse: ( 2.5.13.23 NAME 'uniqueMemberMatch' APPLIES uniqueMember )
    2.5.13.22 (presentationAddressMatch): matchingRuleUse: ( 2.5.13.22 NAME 'presentationAddressMatch' APPLIES presentationAddress )
    2.5.13.20 (telephoneNumberMatch): matchingRuleUse: ( 2.5.13.20 NAME 'telephoneNumberMatch' APPLIES telephoneNumber )
    2.5.13.17 (octetStringMatch): matchingRuleUse: ( 2.5.13.17 NAME 'octetStringMatch' APPLIES userPassword )
    2.5.13.16 (bitStringMatch): matchingRuleUse: ( 2.5.13.16 NAME 'bitStringMatch' APPLIES x500UniqueIdentifier )
    2.5.13.14 (integerMatch): matchingRuleUse: ( 2.5.13.14 NAME 'integerMatch' APPLIES ( supportedLDAPVersion $ entryTtl $ uidNumber $ gidNumber $ olcConcurrency $ olcConnMaxPending $ olcConnMaxPendingAuth $ olcIdleTimeout $ olcIndexSubstrIfMinLen $ olcIndexSubstrIfMaxLen $ olcIndexSubstrAnyLen $ olcIndexSubstrAnyStep $ olcIndexIntLen $ olcLocalSSF $ olcMaxDerefDepth $ olcReplicationInterval $ olcSockbufMaxIncoming $ olcSockbufMaxIncomingAuth $ olcThreads $ olcToolThreads $ olcWriteTimeout ) )
    2.5.13.13 (booleanMatch): matchingRuleUse: ( 2.5.13.13 NAME 'booleanMatch' APPLIES ( hasSubordinates $ olcAddContentAcl $ olcGentleHUP $ olcHidden $ olcLastMod $ olcMirrorMode $ olcMonitoring $ olcReadOnly $ olcReverseLookup $ olcSyncUseSubentry ) )
    2.5.13.11 (caseIgnoreListMatch): matchingRuleUse: ( 2.5.13.11 NAME 'caseIgnoreListMatch' APPLIES ( postalAddress $ registeredAddress ) )
    2.5.13.8 (numericStringMatch): matchingRuleUse: ( 2.5.13.8 NAME 'numericStringMatch' APPLIES ( x121Address $ internationaliSDNNumber ) )
    2.5.13.7 (caseExactSubstringsMatch): matchingRuleUse: ( 2.5.13.7 NAME 'caseExactSubstringsMatch' APPLIES ( serialNumber $ destinationIndicator $ dnQualifier ) )
    2.5.13.6 (caseExactOrderingMatch): matchingRuleUse: ( 2.5.13.6 NAME 'caseExactOrderingMatch' APPLIES ( serialNumber $ destinationIndicator $ dnQualifier ) )
    2.5.13.5 (caseExactMatch): matchingRuleUse: ( 2.5.13.5 NAME 'caseExactMatch' APPLIES ( supportedSASLMechanisms $ vendorName $ vendorVersion $ ref $ name $ cn $ uid $ labeledURI $ description $ olcConfigFile $ olcConfigDir $ olcAccess $ olcAllows $ olcArgsFile $ olcAttributeOptions $ olcAttributeTypes $ olcAuthIDRewrite $ olcAuthzPolicy $ olcAuthzRegexp $ olcBackend $ olcDatabase $ olcDisallows $ olcDitContentRules $ olcInclude $ olcLdapSyntaxes $ olcLimits $ olcLogFile $ olcLogLevel $ olcModuleLoad $ olcModulePath $ olcObjectClasses $ olcObjectIdentifier $ olcOverlay $ olcPasswordCryptSaltFormat $ olcPasswordHash $ olcPidFile $ olcPlugin $ olcPluginLogFile $ olcReferral $ olcReplica $ olcReplicaArgsFile $ olcReplicaPidFile $ olcReplogFile $ olcRequires $ olcRestrict $ olcRootDSE $ olcRootPW $ olcSaslAuxprops $ olcSaslHost $ olcSaslRealm $ olcSaslSecProps $ olcSecurity $ olcServerID $ olcSizeLimit $ olcSortVals $ olcSubordinate $ olcSyncrepl $ olcTCPBuffer $ olcTimeLimit $ olcTLSCACertificateFile $ olcTLSCACertificatePath $ olcTLSCertificateFile $ olcTLSCertificateKeyFile $ olcTLSCipherSuite $ olcTLSCRLCheck $ olcTLSCRLFile $ olcTLSRandFile $ olcTLSVerifyClient $ olcTLSDHParamFile $ olcTLSProtocolMin $ olcUpdateRef $ olcDbDirectory $ knowledgeInformation $ sn $ serialNumber $ c $ l $ st $ street $ o $ ou $ title $ businessCategory $ postalCode $ postOfficeBox $ physicalDeliveryOfficeName $ destinationIndicator $ givenName $ initials $ generationQualifier $ dnQualifier $ houseIdentifier $ dmdName $ pseudonym ) )
    2.5.13.4 (caseIgnoreSubstringsMatch): matchingRuleUse: ( 2.5.13.4 NAME 'caseIgnoreSubstringsMatch' APPLIES ( serialNumber $ destinationIndicator $ dnQualifier ) )
    2.5.13.3 (caseIgnoreOrderingMatch): matchingRuleUse: ( 2.5.13.3 NAME 'caseIgnoreOrderingMatch' APPLIES ( serialNumber $ destinationIndicator $ dnQualifier ) )
    2.5.13.2 (caseIgnoreMatch): matchingRuleUse: ( 2.5.13.2 NAME 'caseIgnoreMatch' APPLIES ( supportedSASLMechanisms $ vendorName $ vendorVersion $ ref $ name $ cn $ uid $ labeledURI $ description $ olcConfigFile $ olcConfigDir $ olcAccess $ olcAllows $ olcArgsFile $ olcAttributeOptions $ olcAttributeTypes $ olcAuthIDRewrite $ olcAuthzPolicy $ olcAuthzRegexp $ olcBackend $ olcDatabase $ olcDisallows $ olcDitContentRules $ olcInclude $ olcLdapSyntaxes $ olcLimits $ olcLogFile $ olcLogLevel $ olcModuleLoad $ olcModulePath $ olcObjectClasses $ olcObjectIdentifier $ olcOverlay $ olcPasswordCryptSaltFormat $ olcPasswordHash $ olcPidFile $ olcPlugin $ olcPluginLogFile $ olcReferral $ olcReplica $ olcReplicaArgsFile $ olcReplicaPidFile $ olcReplogFile $ olcRequires $ olcRestrict $ olcRootDSE $ olcRootPW $ olcSaslAuxprops $ olcSaslHost $ olcSaslRealm $ olcSaslSecProps $ olcSecurity $ olcServerID $ olcSizeLimit $ olcSortVals $ olcSubordinate $ olcSyncrepl $ olcTCPBuffer $ olcTimeLimit $ olcTLSCACertificateFile $ olcTLSCACertificatePath $ olcTLSCertificateFile $ olcTLSCertificateKeyFile $ olcTLSCipherSuite $ olcTLSCRLCheck $ olcTLSCRLFile $ olcTLSRandFile $ olcTLSVerifyClient $ olcTLSDHParamFile $ olcTLSProtocolMin $ olcUpdateRef $ olcDbDirectory $ knowledgeInformation $ sn $ serialNumber $ c $ l $ st $ street $ o $ ou $ title $ businessCategory $ postalCode $ postOfficeBox $ physicalDeliveryOfficeName $ destinationIndicator $ givenName $ initials $ generationQualifier $ dnQualifier $ houseIdentifier $ dmdName $ pseudonym ) )
    1.2.36.79672281.1.13.3 (rdnMatch):     2.5.13.1 (distinguishedNameMatch): matchingRuleUse: ( 2.5.13.1 NAME 'distinguishedNameMatch' APPLIES ( creatorsName $ modifiersName $ subschemaSubentry $ entryDN $ namingContexts $ aliasedObjectName $ dynamicSubtrees $ distinguishedName $ seeAlso $ olcDefaultSearchBase $ olcRootDN $ olcSchemaDN $ olcSuffix $ olcUpdateDN $ member $ owner $ roleOccupant ) )
    2.5.13.0 (objectIdentifierMatch): matchingRuleUse: ( 2.5.13.0 NAME 'objectIdentifierMatch' APPLIES ( supportedControl $ supportedExtension $ supportedFeatures $ supportedApplicationContext ) )
slapd startup: initiated.
backend_startup_one: starting "cn=config"
config_back_db_open
slapd starting
daemon: added 4r listener=(nil)
daemon: added 7r listener=0x219e0028
daemon: added 8r listener=0x219e00f0
daemon: epoll: listen=7 active_threads=0 tvp=NULL
daemon: epoll: listen=8 active_threads=0 tvp=NULL
daemon: activity on 1 descriptor
daemon: activity on:
daemon: epoll: listen=7 active_threads=0 tvp=NULL
daemon: epoll: listen=8 active_threads=0 tvp=NULL
daemon: activity on 1 descriptor
daemon: activity on:
slap_listener_activate(8):
daemon: epoll: listen=7 active_threads=0 tvp=NULL
daemon: epoll: listen=8 busy
>>> slap_listener(ldap:///)
daemon: activity on 1 descriptor
daemon: activity on:
daemon: epoll: listen=7 active_threads=0 tvp=NULL
daemon: epoll: listen=8 active_threads=0 tvp=NULL
daemon: listen=8, new connection on 10
daemon: activity on 1 descriptor
daemon: activity on: 10r
daemon: read active on 10
daemon: added 10r (active) listener=(nil)
daemon: epoll: listen=7 active_threads=0 tvp=NULL
daemon: epoll: listen=8 active_threads=0 tvp=NULL
daemon: activity on 1 descriptor
daemon: activity on:
daemon: epoll: listen=7 active_threads=0 tvp=NULL
daemon: epoll: listen=8 active_threads=0 tvp=NULL
conn=1000 fd=10 ACCEPT from IP=[::1]:36072 (IP=[::]:389)
connection_get(10)
connection_get(10): got connid=1000
connection_read(10): checking for input on id=1000
ber_get_next
ldap_read: want=8, got=8
  0000:  30 3b 02 01 01 60 36 02                            0;...`6.
ldap_read: want=53, got=53
  0000:  01 03 04 1c 63 6e 3d 4d  61 6e 61 67 65 72 2c 64   ....cn=Manager,d
  0010:  63 3d 65 78 61 6d 70 6c  65 2c 64 63 3d 63 6f 6d   c=example,dc=com
  0020:  80 13 63 6c 47 76 69 55  68 35 44 47 39 53 74 48   ..clGviUh5DG9StH
  0030:  34 30 41 65 56                                     40AeV
ber_get_next: tag 0x30 len 59 contents:
ber_dump: buf=0x21a49128 ptr=0x21a49128 end=0x21a49163 len=59
  0000:  02 01 01 60 36 02 01 03  04 1c 63 6e 3d 4d 61 6e   ...`6.....cn=Man
  0010:  61 67 65 72 2c 64 63 3d  65 78 61 6d 70 6c 65 2c   ager,dc=example,
  0020:  64 63 3d 63 6f 6d 80 13  63 6c 47 76 69 55 68 35   dc=com..clGviUh5
  0030:  44 47 39 53 74 48 34 30  41 65 56                  DG9StH40AeV
op tag 0x60, time 1335376644
ber_get_next
ldap_read: want=8 error=Resource temporarily unavailable
daemon: activity on 1 descriptor
daemon: activity on:
daemon: epoll: listen=7 active_threads=0 tvp=NULL
daemon: epoll: listen=8 active_threads=0 tvp=NULL
conn=1000 op=0 do_bind
ber_scanf fmt ({imt) ber:
ber_dump: buf=0x21a49128 ptr=0x21a4912b end=0x21a49163 len=56
  0000:  60 36 02 01 03 04 1c 63  6e 3d 4d 61 6e 61 67 65   `6.....cn=Manage
  0010:  72 2c 64 63 3d 65 78 61  6d 70 6c 65 2c 64 63 3d   r,dc=example,dc=
  0020:  63 6f 6d 80 13 63 6c 47  76 69 55 68 35 44 47 39   com..clGviUh5DG9
  0030:  53 74 48 34 30 41 65 56                            StH40AeV
ber_scanf fmt (m}) ber:
ber_dump: buf=0x21a49128 ptr=0x21a4914e end=0x21a49163 len=21
  0000:  00 13 63 6c 47 76 69 55  68 35 44 47 39 53 74 48   ..clGviUh5DG9StH
  0010:  34 30 41 65 56                                     40AeV
>>> dnPrettyNormal: <cn=Manager,dc=example,dc=com>
=> ldap_bv2dn(cn=Manager,dc=example,dc=com,0)
<= ldap_bv2dn(cn=Manager,dc=example,dc=com)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(cn=Manager,dc=example,dc=com)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(cn=manager,dc=example,dc=com)=0
<<< dnPrettyNormal: <cn=Manager,dc=example,dc=com>, <cn=manager,dc=example,dc=com>
conn=1000 op=0 BIND dn="cn=Manager,dc=example,dc=com" method=128
do_bind: version=3 dn="cn=Manager,dc=example,dc=com" method=128
send_ldap_result: conn=1000 op=0 p=3
send_ldap_result: err=49 matched="" text=""
send_ldap_response: msgid=1 tag=97 err=49
ber_flush2: 14 bytes to sd 10
  0000:  30 0c 02 01 01 61 07 0a  01 31 04 00 04 00         0....a...1....
daemon: activity on 1 descriptor
daemon: activity on: 10r
daemon: read active on 10
daemon: epoll: listen=7 active_threads=0 tvp=NULL
daemon: epoll: listen=8 active_threads=0 tvp=NULL
ldap_write: want=14, written=14
  0000:  30 0c 02 01 01 61 07 0a  01 31 04 00 04 00         0....a...1....
conn=1000 op=0 RESULT tag=97 err=49 text=
connection_get(10)
connection_get(10): got connid=1000
connection_read(10): checking for input on id=1000
ber_get_next
ldap_read: want=8, got=0

ber_get_next on fd 10 failed errno=0 (Success)
connection_read(10): input error=-2 id=1000, closing.
connection_closing: readying conn=1000 sd=10 for close
daemon: activity on 1 descriptor
daemon: activity on:
daemon: epoll: listen=7 active_threads=0 tvp=NULL
daemon: epoll: listen=8 active_threads=0 tvp=NULL
connection_close: conn=1000 sd=10
daemon: removing 10
conn=1000 fd=10 closed (connection lost)
^Cdaemon: shutdown requested and initiated.
daemon: closing 7
daemon: closing 8
slapd shutdown: waiting for 0 operations/tasks to finish
slapd shutdown: initiated
slapd destroy: freeing system resources.
slapd stopped.
I used the command:

Code:
slapd -d -1
The output is truncated [edit] at the top, but I hope we have what's needed here.

Last edited by Sma11T0wnITGuy; 04-25-2012 at 02:30 PM.
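The server-side trace above contains the two things a defender actually needs from a slapd -d -1 capture: which configuration files slapd read at startup, and the BIND/RESULT pair for each operation (method=128 is a simple password bind, tag=97 is a BindResponse, err=49 is invalidCredentials). The Python script below is an added example, not code from this thread or from the OpenLDAP project. It runs over a constructed sample built from the lines in this post plus one made-up successful bind (conn=1001, a hypothetical uid=alice) for contrast, tallies bind outcomes per DN, and reports whether the configuration was loaded from slapd.d (cn=config). The regular expressions and the wording of the findings are my own assumptions about the log format, derived from the lines shown here.

```python
import re
from collections import defaultdict

# Constructed sample: the slapd -d -1 lines from the post that matter for
# diagnosis, plus one made-up successful bind (conn=1001) for contrast.
SAMPLE_LOG = """\
ldif_read_file: read entry file: "/etc/ldap/slapd.d/cn=config/olcDatabase={0}config.ldif"
slapd starting
conn=1000 fd=10 ACCEPT from IP=[::1]:36072 (IP=[::]:389)
conn=1000 op=0 BIND dn="cn=Manager,dc=example,dc=com" method=128
conn=1000 op=0 RESULT tag=97 err=49 text=
conn=1000 fd=10 closed (connection lost)
conn=1001 fd=11 ACCEPT from IP=[::1]:36080 (IP=[::]:389)
conn=1001 op=0 BIND dn="uid=alice,ou=people,dc=example,dc=com" method=128
conn=1001 op=0 RESULT tag=97 err=0 text=
conn=1001 fd=11 closed (connection lost)
""".splitlines()

LDAP_INVALID_CREDENTIALS = 49   # LDAP resultCode invalidCredentials
LDAP_AUTH_SIMPLE = 128          # method=128 is a simple (password) bind
BIND_RESPONSE_TAG = 97          # tag=97 (0x61) is a BindResponse

BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)" method=(\d+)')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT tag=(\d+) err=(\d+)')
CONFIG_RE = re.compile(r'ldif_read_file: read entry file: "([^"]+)"')


def config_source(lines):
    """Return 'slapd.d' if slapd logged reading cn=config LDIF files, else None."""
    for line in lines:
        m = CONFIG_RE.search(line)
        if m and "/slapd.d/" in m.group(1):
            return "slapd.d"
    return None


def summarize_binds(lines):
    """Pair each BIND with its RESULT (keyed on conn/op) and count outcomes per DN."""
    pending = {}
    summary = defaultdict(lambda: {"ok": 0, "failed": 0, "errors": []})
    for line in lines:
        m = BIND_RE.search(line)
        if m:
            conn, op, dn, method = m.groups()
            pending[(conn, op)] = (dn, int(method))
            continue
        m = RESULT_RE.search(line)
        if m and int(m.group(3)) == BIND_RESPONSE_TAG:
            key = (m.group(1), m.group(2))
            if key not in pending:
                continue  # a RESULT we never saw the BIND for (truncated capture)
            dn, _method = pending.pop(key)
            err = int(m.group(4))
            if err == 0:
                summary[dn]["ok"] += 1
            else:
                summary[dn]["failed"] += 1
                summary[dn]["errors"].append(err)
    return dict(summary)


def diagnose(lines):
    """Turn the parsed facts into the findings a reviewer of this log would state."""
    findings = []
    if config_source(lines) == "slapd.d":
        findings.append("config loaded from slapd.d (cn=config); directives in slapd.conf, "
                        "rootpw included, are not in effect")
    for dn, s in summarize_binds(lines).items():
        if LDAP_INVALID_CREDENTIALS in s["errors"]:
            findings.append(f"bind as {dn} rejected with err=49 (invalidCredentials) "
                            f"{s['failed']} time(s), {s['ok']} success(es)")
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOG):
        print(finding)
```

The first finding is the one that resolves this thread: the very first line of the capture shows slapd reading /etc/ldap/slapd.d/cn=config, so the rootpw being edited in slapd.conf is never consulted. The same BIND/RESULT pairing, fed from the normal stats-level syslog output rather than -d -1, is also the basis for alerting on repeated err=49 results against a privileged DN.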
 
Old 04-25-2012, 03:44 PM   #12
Sma11T0wnITGuy
LQ Newbie
 
Registered: Aug 2009
Posts: 13

Original Poster
Rep: Reputation: 0
Definitely an Auth issue

Chris,

I changed the ACL in /etc/ldap/slapd.conf to allow read access by anonymous:

Code:
access to *
 by anonymous read
 by * none
and it worked:

Client output #1:
Code:
ted@ubuntu1:/etc/ldap$ ldapsearch -x -b "" -s base
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: ALL
#

#
dn:
objectClass: top
objectClass: OpenLDAProotDSE

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
Client output #2:
Code:
ted@ubuntu1:/etc/ldap$ ldapsearch -x -b "" -s base '(objectclass=*)' +
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: +
#

#
dn:
structuralObjectClass: OpenLDAProotDSE
configContext: cn=config
supportedControl: 2.16.840.1.113730.3.4.18
supportedControl: 2.16.840.1.113730.3.4.2
supportedControl: 1.3.6.1.4.1.4203.1.10.1
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 1.2.826.0.1.3344810.2.3
supportedControl: 1.3.6.1.1.13.2
supportedControl: 1.3.6.1.1.13.1
supportedControl: 1.3.6.1.1.12
supportedExtension: 1.3.6.1.4.1.4203.1.11.1
supportedExtension: 1.3.6.1.4.1.4203.1.11.3
supportedExtension: 1.3.6.1.1.8
supportedFeatures: 1.3.6.1.1.14
supportedFeatures: 1.3.6.1.4.1.4203.1.5.1
supportedFeatures: 1.3.6.1.4.1.4203.1.5.2
supportedFeatures: 1.3.6.1.4.1.4203.1.5.3
supportedFeatures: 1.3.6.1.4.1.4203.1.5.4
supportedFeatures: 1.3.6.1.4.1.4203.1.5.5
supportedLDAPVersion: 3
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: NTLM
entryDN:
subschemaSubentry: cn=Subschema

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
It looks like the backend is working. Just auth isn't.
 
Old 04-26-2012, 02:42 AM   #13
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1981
There have been a few similar questions about passwords not working recently, and they've all come down to config errors etc. If you just put in a plaintext password, does that work? Have you tried just putting in a trivial password using SSHA too?
 
Old 04-26-2012, 07:17 AM   #14
Sma11T0wnITGuy
LQ Newbie
 
Registered: Aug 2009
Posts: 13

Original Poster
Rep: Reputation: 0
Basic Password

Hi Chris,

Here's what I did:

Tried a plain text password of secret. Same result.

Tried creating an SSHA password hash for the password secret and pasting that into /etc/ldap/slapd.conf:

Code:
root@ubuntu1:/etc/ldap# slappasswd -s secret
{SSHA}Lkg6TG16YEhbaxyF9FjiVZPXwlKXBKZV
Pasted that password hash into /etc/ldap/slapd.conf (entire Database section follows):

Code:
database hdb
suffix "dc=example,dc=com"
rootdn "cn=Manager,dc=example,dc=com"
rootpw {SSHA}Lkg6TG16YEhbaxyF9FjiVZPXwlKXBKZV
directory /var/lib/ldap
# directory /usr/local/var/openldap-data
index objectClass,cn eq
Restarted ldap:

Code:
invoke-rc.d slapd restart
Tried the search again:

Code:
root@ubuntu1:/etc/ldap# ldapsearch -x -W -D 'cn=Manager,dc=example,dc=com' -b "" -s base
Enter LDAP Password: secret
ldap_bind: Invalid credentials (49)
Is there some place else where the password for Manager could be defined, or is it only in /etc/ldap/slapd.conf?
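A {SSHA} value like the one slappasswd printed above is base64(sha1(password + salt) + salt), and slapd verifies a simple bind against rootpw by re-hashing the offered password with the salt recovered from the stored value (a bare rootpw with no {SCHEME} prefix is compared as plaintext). That check can be reproduced outside slapd, which separates "the hash is wrong" from "slapd is not reading this rootpw at all". The Python below is an added example, not code from this thread or from OpenLDAP; it implements {SSHA} and {SHA} generation and verification with a constant-time comparison, and also runs the hash shown in this post against the password secret. The function names and the handling of unknown schemes are my own choices.

```python
import base64
import hashlib
import hmac
import os

# Hash shown in the post for the password "secret", produced by slappasswd -s secret.
OP_HASH = "{SSHA}Lkg6TG16YEhbaxyF9FjiVZPXwlKXBKZV"

SHA1_LEN = 20  # bytes in a SHA-1 digest; everything after it in a {SSHA} value is salt


def ssha_hash(password, salt=None):
    """Produce a {SSHA} value: base64(sha1(password + salt) + salt).
    slappasswd uses a 4-byte random salt by default; verification below
    accepts any salt length because it takes the salt from the stored value."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def sha_hash(password):
    """Produce an unsalted {SHA} value, shown for contrast with the salted form."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def verify_userpassword(password, stored):
    """Check a candidate password against a stored value in the {SCHEME} form slapd uses.
    Handles {SSHA}, {SHA} and a bare plaintext value; other schemes are rejected here."""
    pw = password.encode("utf-8")
    if stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[len("{SSHA}"):])
        digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
        return hmac.compare_digest(hashlib.sha1(pw + salt).digest(), digest)
    if stored.startswith("{SHA}"):
        digest = base64.b64decode(stored[len("{SHA}"):])
        return hmac.compare_digest(hashlib.sha1(pw).digest(), digest)
    if stored.startswith("{"):
        return False  # {CRYPT}, {MD5}, ... not implemented in this example
    # No scheme prefix: slapd compares a plaintext rootpw directly.
    return hmac.compare_digest(pw, stored.encode("utf-8"))


if __name__ == "__main__":
    fresh = ssha_hash("secret")
    print(fresh)
    print("fresh hash verifies 'secret':", verify_userpassword("secret", fresh))
    print("fresh hash verifies 'wrong': ", verify_userpassword("wrong", fresh))
    print("post's hash verifies 'secret':", verify_userpassword("secret", OP_HASH))
```

If the post's hash verifies here, the SSHA generation step was fine and the remaining suspect is which configuration file the running slapd loaded, which the server-side debug capture earlier in the thread already answers.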
 
Old 04-26-2012, 07:25 AM   #15
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1981
Ahhhhhhhhh you shouldn't be using slapd.conf any more on 2.4... http://www.howtoforge.com/install-an...u-karmic-koala
 