Nadie (n00b)
Joined: 29 Oct 2005 Posts: 24
Posted: Fri Jan 11, 2008 11:20 pm Post subject: Openldap Installation: Invalid credentials error

Hi there! I'm just following this howto:
http://gentoo-wiki.com/HOWTO_LDAPv3
And I'm stuck when testing the domain with user account authentication:
Code:
ldapsearch -d 128 -Hldap://darkness.occult.com.ar -b "" -s base -D "cn=admin,dc=darkness,dc=occult,dc=com,dc=ar" -W
gives this error:
Code:
Enter LDAP Password:
request done: ld 0x8058dc0 msgid 1
SASL/DIGEST-MD5 authentication started
request done: ld 0x8058dc0 msgid 2
request done: ld 0x8058dc0 msgid 3
ldap_sasl_interactive_bind_s: Invalid credentials (49)
additional info: SASL(-13): user not found: no secret in database
Here goes my slapd.conf file:
Code:
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
# Include the needed data schemes
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/sudo.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/krb5-kdc.schema # google for this schema
# Use crypt to hash the passwords
password-hash {crypt}
# Define SSL and TLS properties (optional)
TLSCertificateFile /etc/ssl/ldap.pem
TLSCertificateKeyFile /etc/openldap/ldap-key.pem
#TLSCACertificateFile /etc/ssl/ldap.pem
# you should set the loglevel to 256 initially, this will give you
# some good hints when debugging problems. Read man slapd.conf what the loglevel
# directive will give you
loglevel 256
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
sasl-regexp
        uid=admin,cn=.*,cn=auth
        cn=admin,dc=ooccult,dc=com,dc=ar
# Load dynamic backend modules:
modulepath /usr/lib/openldap/openldap
# moduleload back_shell.so
# moduleload back_relay.so
# moduleload back_perl.so
# moduleload back_passwd.so
# moduleload back_null.so
# moduleload back_monitor.so
# moduleload back_meta.so
moduleload back_hdb.so
# moduleload back_dnssrv.so
# Sample security restrictions
# Require integrity protection (prevent hijacking)
# allow read access of root DSE
access to dn="" by * read
# deny all other access
access to * by * none
# Allow users to authenticate/update their password.
access to attrs=userPassword
        by anonymous auth
        by self write
#######################################################################
# BDB database definitions
#######################################################################
database hdb
suffix "dc=occult,dc=com,dc=ar"
checkpoint 32 30 # <kbyte> <min>
rootdn "cn=admin,dc=occult,dc=com,dc=ar"
directory /var/lib/openldap-data
# Indices to maintain
index objectClass eq
rootpw {MD5}encriptedpass
This is my ldap.conf:
Quote:
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
BASE dc=occult, dc=com, dc=ar
URI ldap://darkness.occult.com.ar
TLS_REQCERT never
#TLS_CERT /etc/ssl/ldap.pem
#TLS_KEY /etc/openldap/ldap-key.pem

This is my /etc/conf.d/slapd:
And, finally, there is my database:
Quote:
dn: dc=occult,dc=com,dc=ar
objectclass: organization
objectclass: dcObject
o: darkness
dc: occult
description: My new LDAP domain

dn: ou=Hosts,dc=occult,dc=com,dc=ar
ou: Hosts
objectClass: top
objectClass: organizationalUnit
objectClass: domainRelatedObject
associatedDomain: occult

dn: ou=Rpc,dc=occult,dc=com,dc=ar
ou: Rpc
objectClass: top
objectClass: organizationalUnit
objectClass: domainRelatedObject
associatedDomain: occult

dn: ou=Services,dc=occult,dc=com,dc=ar
ou: Services
objectClass: top
objectClass: organizationalUnit
objectClass: domainRelatedObject
associatedDomain: occult

dn: nisMapName=netgroup.byuser,dc=occult,dc=com,dc=ar
nismapname: netgroup.byuser
objectClass: top
objectClass: nisMap
objectClass: domainRelatedObject
associatedDomain: occult

dn: ou=Mounts,dc=occult,dc=com,dc=ar
ou: Mounts
objectClass: top
objectClass: organizationalUnit
objectClass: domainRelatedObject
associatedDomain: occult

dn: ou=Networks,dc=occult,dc=com,dc=ar
ou: Networks
objectClass: top
objectClass: organizationalUnit
objectClass: domainRelatedObject
associatedDomain: occult

dn: ou=People,dc=occult,dc=com,dc=ar
ou: People
objectClass: top
objectClass: organizationalUnit
objectClass: domainRelatedObject
associatedDomain: occult

dn: ou=Group,dc=occult,dc=com,dc=ar
ou: Group
objectClass: top
objectClass: organizationalUnit
objectClass: domainRelatedObject
associatedDomain: occult

dn: ou=Netgroup,dc=occult,dc=com,dc=ar
ou: Netgroup
objectClass: top
objectClass: organizationalUnit
objectClass: domainRelatedObject
associatedDomain: occult

dn: ou=Protocols,dc=occult,dc=com,dc=ar
ou: Protocols
objectClass: top
objectClass: organizationalUnit
objectClass: domainRelatedObject
associatedDomain: occult

dn: ou=Aliases,dc=occult,dc=com,dc=ar
ou: Aliases
objectClass: top
objectClass: organizationalUnit
objectClass: domainRelatedObject
associatedDomain: occult

dn: nisMapName=netgroup.byhost,dc=occult,dc=com,dc=ar
nismapname: netgroup.byhost
objectClass: top
objectClass: nisMap
objectClass: domainRelatedObject
associatedDomain: occult

So...any ideas? Any help would be greatly appreciated..TIA!!!

smerf (l33t)
Joined: 06 Nov 2004 Posts: 778 Location: Polska
Posted: Sat Jan 12, 2008 4:47 pm Post subject:

Have you tried simple bind (without SASL, -x)?
_________________
Microsoft is not the answer, Microsoft is the question, the answer is no.

|
Nadie (n00b)
Joined: 29 Oct 2005 Posts: 24
Posted: Sat Jan 12, 2008 5:04 pm Post subject:

Thanks for your answer!
This is the result:
Quote:
ldapsearch -d 128 -Hldap://darkness.occult.com.ar -b "" -s base -x -D "cn=admin,dc=darkness,dc=occult,dc=com,dc=ar" -W
Enter LDAP Password:
request done: ld 0x8058de0 msgid 1
ldap_bind: Invalid credentials (49)

Any ideas...?

|
smerf (l33t)
Joined: 06 Nov 2004 Posts: 778 Location: Polska
Posted: Sat Jan 12, 2008 5:07 pm Post subject:

Inside your config: "cn=admin,dc=occult,dc=com,dc=ar"
What happened to 'darkness'?
_________________
Microsoft is not the answer, Microsoft is the question, the answer is no.

|
Nadie (n00b)
Joined: 29 Oct 2005 Posts: 24
Posted: Sun Jan 13, 2008 12:15 am Post subject:

Darkness is the hostname running openldap...should it be there also?
(thanks again =) )

|
smerf (l33t)
Joined: 06 Nov 2004 Posts: 778 Location: Polska
Posted: Sun Jan 13, 2008 12:22 am Post subject:

Seems that you're trying to authenticate yourself as
cn=admin,dc=darkness,dc=occult,dc=com,dc=ar
However you don't have such a DN in your database... but only
cn=admin,dc=occult,dc=com,dc=ar
It does not matter what 'darkness' means in this context...
You don't have to use domain names at all...
cn=boss,o=CIA,c=USA is fine
(okay, it has some implications, but at least not for authentication)
_________________
Microsoft is not the answer, Microsoft is the question, the answer is no.

|
Nadie (n00b)
Joined: 29 Oct 2005 Posts: 24
Posted: Sun Jan 13, 2008 2:02 am Post subject:

Oh, thanks a lot. When I added the dc=darkness to the slapd.conf, I got this:
Code:
ldapsearch -d 128 -Hldap://darkness.occult.com.ar -b "" -s base -x -D "cn=admin,dc=darkness,dc=occult,dc=com,dc=ar" -W
Enter LDAP Password:
request done: ld 0x8058de0 msgid 1
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: ALL
#
#
dn:
objectClass: top
objectClass: OpenLDAProotDSE
request done: ld 0x8058de0 msgid 2
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1

But then, when I try with SASL I get this one:
Code:
ldapsearch -d 128 -Hldap://darkness.occult.com.ar -b "" -s base -D "cn=admin,dc=darkness,dc=occult,dc=com,dc=ar" -W
Enter LDAP Password:
request done: ld 0x8058de0 msgid 1
SASL/DIGEST-MD5 authentication started
request done: ld 0x8058de0 msgid 2
request done: ld 0x8058de0 msgid 3
ldap_sasl_interactive_bind_s: Invalid credentials (49)
additional info: SASL(-13): user not found: no secret in database

I will try removing darkness (the host) from the sasld.conf file tomorrow and I will see...but since the howto (both gentoo and gentoo-wikihow) mentioned the host must be present, I added them.
Thanks a lot again, I will update my configs and post my results =)

|
Nadie (n00b)
Joined: 29 Oct 2005 Posts: 24
Posted: Sun Jan 13, 2008 10:03 am Post subject:

Code:
ldap_sasl_interactive_bind_s: Invalid credentials (49)
additional info: SASL(-13): user not found: no secret in database

Same problem. Removing Dc=Darkness from the ldapsearch solves the issue with basic authentication, but not with SASL...any ideas?

|
rogerx (Tux's lil' helper)
Joined: 06 Apr 2004 Posts: 118
Posted: Mon Jan 14, 2008 12:12 pm Post subject:

Nadie wrote:
> Code:
> ldap_sasl_interactive_bind_s: Invalid credentials (49)
> additional info: SASL(-13): user not found: no secret in database
>
> Same problem. Removing Dc=Darkness from the ldapsearch solves the issue with basic authentication, but not with SASL...any ideas?

I'm following the Gentoo howto/wiki also and am getting this same exact scenario with md5/gss auth too. "-x" works as seen above. :-/
This seems like a bug with the howto/wiki. Please update!
_________________
Roger
http://rogerx.freeshell.org/

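An added example, not part of this thread and not OpenLDAP code, that walks through what a SASL DIGEST-MD5 bind needs on the server side: slapd turns the SASL user name into an identity of the form uid=<user>,cn=<mechanism>,cn=auth, the sasl-regexp rule rewrites that identity to a DN, and the resulting DN must be a real entry in the database carrying a cleartext userPassword, because the mechanism has to compute the digest from the secret itself (the posted `password-hash {crypt}` only governs how slapd stores passwords it is asked to set). Two details of the posted configuration matter for that chain: the sasl-regexp target is spelled dc=ooccult while the database suffix is dc=occult, and the posted LDIF contains no cn=admin entry at all (rootpw backs a simple bind as the rootdn, which is why -x works). The script below applies the posted rule and a corrected rule to a constructed LDIF and reports the first step that fails. The corrected rule, the two users alice and bob, and the use of Python's fullmatch as a stand-in for slapd's POSIX regex matching are assumptions of this example.

```python
import re

# Database suffix from the slapd.conf posted in this thread.
SUFFIX = "dc=occult,dc=com,dc=ar"

# sasl-regexp rule exactly as posted (target says dc=ooccult, which is not
# under the suffix), plus a corrected variant that is an assumption of this
# example: it maps any SASL user to an entry under ou=People.
RULES_AS_POSTED = [(r"uid=admin,cn=.*,cn=auth", "cn=admin,dc=ooccult,dc=com,dc=ar")]
RULES_CORRECTED = [(r"uid=([^,]+),cn=[^,]+,cn=auth", "cn=$1,ou=People,dc=occult,dc=com,dc=ar")]

# Constructed LDIF: base entry and People OU from the thread, plus two
# hypothetical users (alice, bob) that are not in the original post.
SAMPLE_LDIF = """\
dn: dc=occult,dc=com,dc=ar
objectclass: organization
objectclass: dcObject
o: darkness
dc: occult

dn: ou=People,dc=occult,dc=com,dc=ar
ou: People
objectClass: organizationalUnit

dn: cn=alice,ou=People,dc=occult,dc=com,dc=ar
cn: alice
sn: Example
objectClass: person
userPassword: {CRYPT}$1$saltsalt$hashhashhashhash

dn: cn=bob,ou=People,dc=occult,dc=com,dc=ar
cn: bob
sn: Example
objectClass: person
userPassword: cleartext-secret
"""


def normalize_dn(dn):
    """Lower-case and strip spaces around RDN separators so DNs compare reliably."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def parse_ldif(text):
    """Parse a simple LDIF dump (no '::' base64 values, no line folding)
    into {normalized dn: {attribute (lower-case): [values]}}."""
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in block.splitlines():
            if not line.strip() or line.startswith("#"):
                continue
            name, _, value = line.partition(":")
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
        dn = attrs.pop("dn", [None])[0]
        if dn:
            entries[normalize_dn(dn)] = attrs
    return entries


def sasl_authz_identity(authcid, mech, realm=None):
    """Identity slapd derives from a SASL bind before sasl-regexp runs:
    uid=<authcid>,[cn=<realm>,]cn=<mechanism>,cn=auth (mechanism lower-cased)."""
    realm_part = f"cn={realm}," if realm else ""
    return f"uid={authcid},{realm_part}cn={mech.lower()},cn=auth"


def apply_sasl_regexp(identity, rules):
    """First rule whose pattern matches wins; $1..$9 in the replacement are
    filled from the capture groups. fullmatch approximates slapd's POSIX
    regex matching (an assumption of this example)."""
    for pattern, replacement in rules:
        m = re.fullmatch(pattern, identity)
        if m:
            return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), replacement)
    return None


def diagnose(identity, rules, entries, suffix=SUFFIX):
    """Walk the steps a DIGEST-MD5 bind needs and report the first one that fails."""
    dn = apply_sasl_regexp(identity, rules)
    if dn is None:
        return {"dn": None, "status": "no sasl-regexp rule matched"}
    dn = normalize_dn(dn)
    suffix = normalize_dn(suffix)
    if not (dn == suffix or dn.endswith("," + suffix)):
        return {"dn": dn, "status": "mapped DN is outside the database suffix"}
    entry = entries.get(dn)
    if entry is None:
        return {"dn": dn, "status": "no entry with this DN in the database"}
    passwords = entry.get("userpassword", [])
    if not passwords:
        return {"dn": dn, "status": "entry has no userPassword"}
    if passwords[0].startswith("{"):
        scheme = passwords[0].split("}", 1)[0] + "}"
        return {"dn": dn, "status": f"userPassword is hashed with {scheme}; DIGEST-MD5 needs cleartext"}
    return {"dn": dn, "status": "ok: cleartext userPassword available"}


if __name__ == "__main__":
    db = parse_ldif(SAMPLE_LDIF)
    for user in ("admin", "alice", "bob"):
        ident = sasl_authz_identity(user, "DIGEST-MD5")
        for label, rules in (("as posted", RULES_AS_POSTED), ("corrected", RULES_CORRECTED)):
            print(f"{user:6} {label:10} -> {diagnose(ident, rules, db)}")
```

Running it shows the admin identity failing at the suffix check under the posted rule and at the entry lookup under the corrected one, alice failing because her stored password is a {CRYPT} hash, and only bob, whose userPassword is cleartext, passing every step. The same ordering is a useful way to read slapd's loglevel 256 output when a SASL bind returns "no secret in database".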