Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
ldap_bind: Invalid credentials (49)
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Networking & Security
View previous topic :: View next topic  
Author Message
Wizumwalt
Guru
Guru


Joined: 20 Aug 2006
Posts: 470

PostPosted: Wed Oct 28, 2015 8:04 pm    Post subject: ldap_bind: Invalid credentials (49) Reply with quote

I've been following this wiki in order to get LDAP working across a small cluster of nodes.
https://wiki.gentoo.org/wiki/Centralized_authentication_using_OpenLDAP

I have ldap running, used slappasswd to make a hash which is added to slapd.conf (below), but when I try to add a user, I get the following:
Code:

/etc/openldap$ sudo ldapadd -x -W -D "cn=Manager,dc=mylan,dc=local" -f james.ldif     
Enter LDAP Password:
ldap_bind: Invalid credentials (49)

Here is my ldif for the user.
Code:

dn: uid=james,ou=users,dc=mylan,dc=local

objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount

cn: james
uid: james
uidNumber: 1000
gidNumber: 1000

homeDirectory: /home/james
loginShell: /bin/bash
gecos: james
userPassword: {crypt}x
shadowLastChange: 0
shadowMax: 0
shadowWarning: 0

I believe there is something wrong here in that, the domain is still my-domain and com.
Code:

/etc/openldap$ sudo slaptest -v -d 1 -F /etc/openldap/slapd.d/
... (snip) ...
561efc7d     2.5.13.0 (objectIdentifierMatch): 561efc7d matchingRuleUse: ( 2.5.13.0 NAME 'objectIdentifierMatch' APPLIES ( supportedControl $ supportedExtension $ supportedFeatures $ supportedApplicationContext ) )
561efc7d slaptest startup: initiated.
561efc7d backend_startup_one: starting "cn=config"
561efc7d config_back_db_open
561efc7d backend_startup_one: starting "dc=my-domain,dc=com"
561efc7d hdb_db_open: database "dc=my-domain,dc=com": dbenv_open(/var/lib/openldap-data).
config file testing succeeded
561efc7d slaptest shutdown: initiated
561efc7d ====> bdb_cache_release_all
561efc7d slaptest destroy: freeing system resources.


Code:

/etc/openldap$ sudo slaptest -f /etc/openldap/slapd.conf -F slapd.d
config file testing succeeded

Here is my slapd.conf.
Code:

# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/misc.schema

# Define global ACLs to disable default read access.

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral       ldap://root.openldap.org

pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args

serverID 0
loglevel 256

## Certificate/SSL Section
TLSCipherSuite normal
TLSCACertificateFile /etc/openldap/ssl/ldap.crt
TLSCertificateFile /etc/openldap/ssl/ldap/pem
TLSCertificateKeyFile /etc/openldap/ssl/ldap.key
TLSVerifyClient never

# Load dynamic backend modules:
# modulepath    /usr/lib64/openldap/openldap
# moduleload    back_sock.so
# moduleload    back_shell.so
# moduleload    back_relay.so
# moduleload    back_perl.so
# moduleload    back_passwd.so
# moduleload    back_null.so
# moduleload    back_monitor.so
# moduleload    back_meta.so
# moduleload    back_ldap.so
# moduleload    back_dnssrv.so

# Sample security restrictions
#       Require integrity protection (prevent hijacking)
#       Require 112-bit (3DES or better) encryption for updates
#       Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64

# Sample access control policy:
#       Root DSE: allow anyone to read it
#       Subschema (sub)entry DSE: allow anyone to read it
#       Other DSEs:
#               Allow self write access
#               Allow authenticated users read access
#               Allow anonymous users to authenticate
#       Directives needed to implement policy:
access to dn.base="" by * read
access to dn.base="cn=Subschema" by * read
access to *
        by self write
        by users read
        by anonymous read
#       by self write
#       by users read
#       by anonymous auth
#

# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn.  (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!

#######################################################################
# BDB database definitions
#######################################################################
database        hdb
suffix          "dc=mylan,dc=local"
#         <kbyte> <min>
checkpoint      32      30
rootdn          "cn=Manager,dc=mylan,dc=local"
# Cleartext passwords, especially for the rootdn, should
# be avoid.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw         "{SSHA}aMXsx9o/AadbMQddaFL1ddLnsxdfCqbrc"

# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory       /var/lib/openldap-data
# Indices to maintain
index   objectClass     eq

database        config
access to *
        by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
        by * none


Any help much appreciated.


Last edited by Wizumwalt on Thu Oct 29, 2015 1:47 am; edited 1 time in total
Back to top
View user's profile Send private message
kikko
Apprentice
Apprentice


Joined: 29 Apr 2014
Posts: 256
Location: Milan, IT

PostPosted: Thu Oct 29, 2015 12:39 am    Post subject: Reply with quote

Hi Wizumwalt
I've spotted a possible typo in your config: LDAP suffix and RootDN differ:
    suffix "dc=myplace,dc=local"
    rootdn "cn=Manager,dc=mylan,dc=local"
I'm not an OpenLDAP guru, but... is that correct? :?

Regards
Back to top
View user's profile Send private message
Wizumwalt
Guru
Guru


Joined: 20 Aug 2006
Posts: 470

PostPosted: Thu Oct 29, 2015 1:50 am    Post subject: Reply with quote

kikko wrote:
but... is that correct? :?Regards

Apologies, it was a typo in the post. I did edit it so that dc=mylan for both suffix and rootdn. But one thing I've noticed is that what's in the database is not mylan. It's my-domain. I think that may be the problem, but not sure how to reset it.
Code:

561efc7d backend_startup_one: starting "dc=my-domain,dc=com"
Back to top
View user's profile Send private message
kikko
Apprentice
Apprentice


Joined: 29 Apr 2014
Posts: 256
Location: Milan, IT

PostPosted: Thu Oct 29, 2015 8:08 pm    Post subject: Reply with quote

Hi Wizumwalt
"dc=my-domain,dc=com" is the default BaseDN (source: I've installed OpenLDAP :) )
Renaming it seems to be tricky: https://stackoverflow.com/questions/19537319/change-basedn-in-openldap (Debianish)

Regards
Back to top
View user's profile Send private message
Wizumwalt
Guru
Guru


Joined: 20 Aug 2006
Posts: 470

PostPosted: Tue Nov 03, 2015 3:29 pm    Post subject: Reply with quote

I now have the basedn correct and what I believe is a valid configuration. I can do an ldapsearch and see the results of my configuration from the running server.

I then create an ldif file for a normal user, enter the passwd I used when using slappasswd, and try ldapadd.

Code:
$ ldapadd -x -W -D "cn=james,dc=mylan,dc=local" -f james.ldif
Enter LDAP Password:
ldap_bind: Invalid credentials (49)


In the slapd.conf, I have the line:
Code:
rootdn    "cn=admin,dc=mylan,dc=local"


Could this possbily be due to the need for an admin user, or something along those lines?
Back to top
View user's profile Send private message
nativemad
Developer
Developer


Joined: 30 Aug 2004
Posts: 903
Location: Switzerland

PostPosted: Tue Nov 03, 2015 8:02 pm    Post subject: Reply with quote

Hi Wizumwalt,

have you tried it without the quotation marks around the rootpw?
Code:
rootpw         {SSHA}aMXsx9o/AadbMQddaFL1ddLnsxdfCqbrc


That's at least what I have...

HTH, cheers
_________________
Power to the people!
Back to top
View user's profile Send private message
Wizumwalt
Guru
Guru


Joined: 20 Aug 2006
Posts: 470

PostPosted: Thu Nov 05, 2015 10:09 pm    Post subject: Reply with quote

I removed the quotes in the slapd.conf file, then did ...
Code:

slaptest -f /etc/openldap/slapd.conf -F slapd.d


Than ran ldapadd again and still get ...
Code:

ldap_bind: Invalid credentials (49)
Back to top
View user's profile Send private message
nativemad
Developer
Developer


Joined: 30 Aug 2004
Posts: 903
Location: Switzerland

PostPosted: Fri Nov 06, 2015 5:28 am    Post subject: Reply with quote

Wizumwalt wrote:

Code:
$ ldapadd -x -W -D "cn=james,dc=mylan,dc=local" -f james.ldif
Enter LDAP Password:
ldap_bind: Invalid credentials (49)


In the slapd.conf, I have the line:
Code:
rootdn    "cn=admin,dc=mylan,dc=local"


Could this possbily be due to the need for an admin user, or something along those lines?


After a second read, I guess i understand your problem...
You need the admin user to add other users! And you can't authenticate with a user that is not yet present!
You need to add at least one user with -D "cn=admin,dc=mylan,dc=local" (-D is the user to do the bind). Only after that you could set ACLs to allow that user to add others.....
You could also use slapadd to load ldifs "offline", so you won't need an authentication.
I'm not sure if you don't need to create the root node anymore through ldif!? http://etutorials.org/Server+Administration/ldap+system+administration/Part+I+LDAP+Basics/Chapter+4.+OpenLDAP+Building+a+Company+White+Pages/4.5+Adding+the+Initial+Directory+Entries/
_________________
Power to the people!
Back to top
View user's profile Send private message
Syl20
Guru
Guru


Joined: 04 Aug 2005
Posts: 551
Location: France

PostPosted: Fri Nov 06, 2015 4:35 pm    Post subject: Reply with quote

nativemad wrote:
And you can't authenticate with a user that is not yet present!

Sure you can't.

Quote:
You could also use slapadd to load ldifs "offline", so you won't need an authentication.

That's the usual way to populate a new directory at the first time. Much faster.

Quote:
I'm not sure if you don't need to create the root node anymore through ldif!?

You don't need. OpenLDAP does the job. You can, if you want, but you may encounter problems, like two valid passords (one in slapd.conf, and one in the DIT)...
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Networking & Security All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum