Wizumwalt Guru
Joined: 20 Aug 2006 Posts: 547
Posted: Wed Oct 28, 2015 8:04 pm Post subject: ldap_bind: Invalid credentials (49)
I've been following this wiki in order to get LDAP working across a small cluster of nodes.
https://wiki.gentoo.org/wiki/Centralized_authentication_using_OpenLDAP
I have ldap running, used slappasswd to make a hash which is added to slapd.conf (below), but when I try to add a user, I get the following:
Code:
/etc/openldap$ sudo ldapadd -x -W -D "cn=Manager,dc=mylan,dc=local" -f james.ldif
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
Here is my ldif for the user.
Code:
dn: uid=james,ou=users,dc=mylan,dc=local
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: james
uid: james
uidNumber: 1000
gidNumber: 1000
homeDirectory: /home/james
loginShell: /bin/bash
gecos: james
userPassword: {crypt}x
shadowLastChange: 0
shadowMax: 0
shadowWarning: 0
I believe there is something wrong here, in that the domain is still my-domain and com.
Code:
/etc/openldap$ sudo slaptest -v -d 1 -F /etc/openldap/slapd.d/
... (snip) ...
561efc7d 2.5.13.0 (objectIdentifierMatch): 561efc7d matchingRuleUse: ( 2.5.13.0 NAME 'objectIdentifierMatch' APPLIES ( supportedControl $ supportedExtension $ supportedFeatures $ supportedApplicationContext ) )
561efc7d slaptest startup: initiated.
561efc7d backend_startup_one: starting "cn=config"
561efc7d config_back_db_open
561efc7d backend_startup_one: starting "dc=my-domain,dc=com"
561efc7d hdb_db_open: database "dc=my-domain,dc=com": dbenv_open(/var/lib/openldap-data).
config file testing succeeded
561efc7d slaptest shutdown: initiated
561efc7d ====> bdb_cache_release_all
561efc7d slaptest destroy: freeing system resources.
Code:
/etc/openldap$ sudo slaptest -f /etc/openldap/slapd.conf -F slapd.d
config file testing succeeded
Here is my slapd.conf.
Code:
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/misc.schema
# Define global ACLs to disable default read access.
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
serverID 0
loglevel 256
## Certificate/SSL Section
TLSCipherSuite normal
TLSCACertificateFile /etc/openldap/ssl/ldap.crt
TLSCertificateFile /etc/openldap/ssl/ldap/pem
TLSCertificateKeyFile /etc/openldap/ssl/ldap.key
TLSVerifyClient never
# Load dynamic backend modules:
# modulepath /usr/lib64/openldap/openldap
# moduleload back_sock.so
# moduleload back_shell.so
# moduleload back_relay.so
# moduleload back_perl.so
# moduleload back_passwd.so
# moduleload back_null.so
# moduleload back_monitor.so
# moduleload back_meta.so
# moduleload back_ldap.so
# moduleload back_dnssrv.so
# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64
# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# Directives needed to implement policy:
access to dn.base="" by * read
access to dn.base="cn=Subschema" by * read
access to *
        by self write
        by users read
        by anonymous read
#       by self write
#       by users read
#       by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!
#######################################################################
# BDB database definitions
#######################################################################
database hdb
suffix "dc=mylan,dc=local"
# <kbyte> <min>
checkpoint 32 30
rootdn "cn=Manager,dc=mylan,dc=local"
# Cleartext passwords, especially for the rootdn, should
# be avoid. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw "{SSHA}aMXsx9o/AadbMQddaFL1ddLnsxdfCqbrc"
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /var/lib/openldap-data
# Indices to maintain
index objectClass eq
database config
access to *
        by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
        by * none
Any help much appreciated.
Last edited by Wizumwalt on Thu Oct 29, 2015 1:47 am; edited 1 time in total
kikko Apprentice
Joined: 29 Apr 2014 Posts: 276 Location: Milan, IT
Posted: Thu Oct 29, 2015 12:39 am Post subject:
Hi Wizumwalt
I've spotted a possible typo in your config: LDAP suffix and RootDN differ:
suffix "dc=myplace,dc=local"
rootdn "cn=Manager,dc=mylan,dc=local"
I'm not an OpenLDAP guru, but... is that correct?
Regards
Wizumwalt Guru
Joined: 20 Aug 2006 Posts: 547
Posted: Thu Oct 29, 2015 1:50 am Post subject:
kikko wrote:
    but... is that correct? Regards
Apologies, it was a typo in the post. I did edit it so that dc=mylan for both suffix and rootdn. But one thing I've noticed is that what's in the database is not mylan. It's my-domain. I think that may be the problem, but not sure how to reset it.
Code:
561efc7d backend_startup_one: starting "dc=my-domain,dc=com"
Wizumwalt Guru
Joined: 20 Aug 2006 Posts: 547
Posted: Tue Nov 03, 2015 3:29 pm Post subject:
I now have the basedn correct and what I believe is a valid configuration. I can do an ldapsearch and see the results of my configuration from the running server.
I then create an ldif file for a normal user, enter the passwd I used when using slappasswd, and try ldapadd.
Code:
$ ldapadd -x -W -D "cn=james,dc=mylan,dc=local" -f james.ldif
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
In the slapd.conf, I have the line:
Code:
rootdn "cn=admin,dc=mylan,dc=local"
Could this possibly be due to the need for an admin user, or something along those lines?
nativemad Developer
Joined: 30 Aug 2004 Posts: 918 Location: Switzerland
Posted: Tue Nov 03, 2015 8:02 pm Post subject:
Hi Wizumwalt,
have you tried it without the quotation marks around the rootpw?
Code:
rootpw {SSHA}aMXsx9o/AadbMQddaFL1ddLnsxdfCqbrc
That's at least what I have...
HTH, cheers
Wizumwalt Guru
Joined: 20 Aug 2006 Posts: 547
Posted: Thu Nov 05, 2015 10:09 pm Post subject:
I removed the quotes in the slapd.conf file, then did ...
Code:
slaptest -f /etc/openldap/slapd.conf -F slapd.d
Then ran ldapadd again and still get ...
Code:
ldap_bind: Invalid credentials (49)
nativemad Developer
Joined: 30 Aug 2004 Posts: 918 Location: Switzerland
Posted: Fri Nov 06, 2015 5:28 am Post subject:
Wizumwalt wrote:
    Code:
    $ ldapadd -x -W -D "cn=james,dc=mylan,dc=local" -f james.ldif
    Enter LDAP Password:
    ldap_bind: Invalid credentials (49)
    In the slapd.conf, I have the line:
    Code:
    rootdn "cn=admin,dc=mylan,dc=local"
    Could this possibly be due to the need for an admin user, or something along those lines?
After a second read, I guess I understand your problem...
You need the admin user to add other users! And you can't authenticate with a user that is not yet present!
You need to add at least one user with -D "cn=admin,dc=mylan,dc=local" (-D is the user to do the bind). Only after that you could set ACLs to allow that user to add others.....
You could also use slapadd to load ldifs "offline", so you won't need an authentication.
I'm not sure if you don't need to create the root node anymore through ldif!? http://etutorials.org/Server+Administration/ldap+system+administration/Part+I+LDAP+Basics/Chapter+4.+OpenLDAP+Building+a+Company+White+Pages/4.5+Adding+the+Initial+Directory+Entries/
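Added example (not from the thread, and not OpenLDAP's own code): a small Python check that reproduces, offline, the three causes of error 49 raised in this thread: a rootdn that does not sit under the database suffix (kikko's point), a bind DN that is not the rootdn and therefore must already exist in the directory (nativemad's point), and a password that does not match the {SSHA} rootpw hash. The {SSHA} layout mirrors what slappasswd produces (SHA-1 over password plus salt, base64 of digest followed by salt); the config text, salt and password are constructed for the example.

```python
import base64
import hashlib
import hmac
import re

def make_ssha(password: str, salt: bytes) -> str:
    """Build a {SSHA} value in the format slappasswd -h {SSHA} emits."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def check_ssha(password: str, stored: str) -> bool:
    """Verify a password against {SSHA}base64(sha1(pw + salt) || salt)."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]       # SHA-1 digest is 20 bytes, rest is salt
    calc = hashlib.sha1(password.encode() + salt).digest()
    return hmac.compare_digest(calc, digest)

def norm_dn(dn: str) -> str:
    return ",".join(p.strip().lower() for p in dn.split(","))  # case/space-insensitive

def parse_conf(text: str) -> dict:
    """Pull suffix/rootdn/rootpw out of slapd.conf, dropping optional quotes."""
    conf = {}
    for line in text.splitlines():
        m = re.match(r'\s*(suffix|rootdn|rootpw)\s+"?([^"]+?)"?\s*$', line)
        if m:
            conf[m.group(1)] = m.group(2)
    return conf

def diagnose(conf_text: str, bind_dn: str, password: str) -> list:
    """List why a simple bind as bind_dn would fail; [] means it should succeed."""
    conf = parse_conf(conf_text)
    suffix, rootdn = norm_dn(conf["suffix"]), norm_dn(conf["rootdn"])
    problems = []
    if rootdn != suffix and not rootdn.endswith("," + suffix):
        problems.append("rootdn is not under the database suffix")
    if norm_dn(bind_dn) != rootdn:
        # Only the rootdn can bind against rootpw; any other DN needs an entry in the DIT.
        problems.append("bind DN is not the rootdn: it must already exist in the DIT")
    elif not check_ssha(password, conf["rootpw"]):
        problems.append("password does not match the rootpw hash")
    return problems

# Constructed sample config; the hash is generated here, not copied from the thread.
SAMPLE_CONF = (
    'suffix "dc=mylan,dc=local"\nrootdn "cn=Manager,dc=mylan,dc=local"\n'
    'rootpw "%s"\n' % make_ssha("secret", b"\x01\x02\x03\x04")
)
```

Running `diagnose(SAMPLE_CONF, "cn=james,dc=mylan,dc=local", "secret")` reports the bind DN problem from the thread, while binding as the rootdn with the right password returns an empty list.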
Syl20 l33t
Joined: 04 Aug 2005 Posts: 621 Location: France
Posted: Fri Nov 06, 2015 4:35 pm Post subject:
nativemad wrote:
    And you can't authenticate with a user that is not yet present!
Sure you can't.
Quote:
    You could also use slapadd to load ldifs "offline", so you won't need an authentication.
That's the usual way to populate a new directory the first time. Much faster.
Quote:
    I'm not sure if you don't need to create the root node anymore through ldif!?
You don't need to. OpenLDAP does the job. You can, if you want, but you may encounter problems, like two valid passwords (one in slapd.conf, and one in the DIT)...