On Tuesday, 6 April 2010 19:28:27 Marcelo de Moraes Serpa wrote:
> Hello list,
> I have a local OpenLDAP server with a couple of users. I'm using it for development purposes, here's the ldif:
>
> #Top level - the organization
> dn: dc=site, dc=com
> dc: site
> description: OneLogin LLC
> objectClass: dcObject
> objectClass: organization
> o: OneLogin LLC
>
> #Top level - manager
> dn: cn=Manager, dc=site, dc=com
> objectClass: organizationalRole
> cn: Manager
>
> #Second level - organizational units
> dn: ou=people, dc=site, dc=com
> ou: people
> description: All people in the organization
> objectClass: organizationalunit
>
> dn: ou=groups, dc=site, dc=com
> ou: groups
> description: All groups in the organization
> objectClass: organizationalunit
>
> #Third level - people
> dn: uid=celoserpa, ou=people, dc=site, dc=com
> objectclass: pilotPerson
> objectclass: uidObject
> uid: celoserpa
> cn: Marcelo de Moraes Serpa
> sn: de Moraes Serpa
> userPassword: secret_12345
> mail: marcelo@site.com
>
> So far, so good. I can bind with "cn=Manager,dc=site,dc=com" and the 12345678 password (the local server password, setup on slapd.conf).
Hashed or clear?
> However, I would like to bind with any user under the people OU. In this case, I'd like to bind with:
>
> dn: uid=celoserpa, ou=people, dc=site, dc=com
> userPassword: secret_12345
>
> But I'm getting a (49) - Invalid Credentials error every time. I have tried through CLI tools (such as ldapadd, ldapwhoami, etc) and also ruby/ldap.
Can you supply your ldapwhoami commandline, and the exact error message.
> The bind with these credentials fails with an invalid credentials error.
> I was suspecting that maybe OpenLDAP doesn't compare against userPassword?
No. It could be that your build doesn't allow cleartext values for userPassword, you could try with a hashed value (created with slappasswd), or verify that your build allows cleartext (configure option: --enable-cleartext).
> Or maybe some ACL configuration I am missing that is somehow affecting the read access to userPassword for the specific DN.
If it is not that your build doesn't allow cleartext, then it's probably ACLs, but since you didn't include your ACL configuration this can't be answered definitively. And, it is actually "auth" access that is sufficient.
> I'm really lost here, any suggestion appreciated!
Can't provide more help without more information.
Regards, Buchan
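To make the ACL point concrete, here is a slapd.conf fragment for the tree posted above. It is an added example, not something from the original thread, and it assumes that tree plus a rootdn of cn=Manager,dc=site,dc=com (the rootdn bypasses ACLs, which is why the Manager bind works no matter what the rules say). The commented-out rule is the shape that produces a (49) even with the right password; the rule below it is the one to use.

```conf
# Added example, not from the original post. Assumes the dc=site,dc=com tree
# posted in the thread and rootdn cn=Manager,dc=site,dc=com.

# BROKEN: a simple bind is evaluated as anonymous, and anonymous falls through
# to "by * none", so slapd cannot check userPassword at all and answers
# (49) Invalid credentials even when the supplied password is correct.
#
#access to attrs=userPassword
#        by self write
#        by * none

# CORRECT: anonymous gets exactly "auth" on userPassword. That is sufficient
# for a bind but does not allow reading, searching or comparing the value.
# Directives are evaluated in order and the first "access to" whose target
# matches is the only one applied, so this must come before any "access to *".
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

access to *
        by self write
        by users read
        by anonymous auth
```

To reproduce the failing bind from the command line use ldapwhoami -x -H ldap://localhost/ -D "uid=celoserpa,ou=people,dc=site,dc=com" -W, which prints the bound DN on success and the exact ldap_bind error on failure; starting slapd with -d 128 shows each ACL decision as the bind is processed. If the bind still fails once anonymous has auth access, swap the cleartext value for the output of slappasswd -h '{SSHA}' -s secret_12345 in the LDIF, which sidesteps the cleartext build question entirely.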
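On the hashed-versus-cleartext question, the following is an added Python example (not code from the thread or from OpenLDAP) showing what a slappasswd {SSHA} value is made of and how a simple bind compares a candidate password against it. The function names and the cleartext_allowed flag are this example's own; the flag only models the effect of building slapd without cleartext support, it is not a slapd API.

```python
"""Added example, not from the original thread: the {SSHA} userPassword
format that slappasswd produces, and the comparison a simple bind performs.
Function names and the cleartext_allowed flag are assumptions of this
example; the flag stands in for the build-time --enable-cleartext option."""
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

SALT_LEN = 4   # slappasswd's default salt size for {SSHA}
SHA1_LEN = 20  # byte length of a SHA-1 digest


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Return a userPassword value in the form 'slappasswd -h {SSHA}' prints:
    the literal {SSHA} followed by base64(SHA1(password || salt) || salt)."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def parse_ssha(stored: str) -> Tuple[bytes, bytes]:
    """Split a {SSHA} value into (digest, salt). The salt is whatever follows
    the 20 digest bytes, so non-default salt lengths are handled too."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    if len(raw) <= SHA1_LEN:
        raise ValueError("{SSHA} value too short to contain a salt")
    return raw[:SHA1_LEN], raw[SHA1_LEN:]


def check_password(stored: str, candidate: str, cleartext_allowed: bool = True) -> bool:
    """Model the check behind a simple bind. A value with no {scheme} prefix is
    cleartext and is only honoured when cleartext_allowed is True; a server
    built without cleartext support rejects such a bind with Invalid
    credentials even though the password matches, which is the failure mode
    Buchan raises above."""
    if stored.startswith("{SSHA}"):
        try:
            digest, salt = parse_ssha(stored)
        except ValueError:
            return False
        candidate_digest = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
        return hmac.compare_digest(candidate_digest, digest)
    if stored.startswith("{"):
        return False  # some other scheme ({SHA}, {CRYPT}, ...); not modelled here
    if not cleartext_allowed:
        return False
    return hmac.compare_digest(stored.encode("utf-8"), candidate.encode("utf-8"))


if __name__ == "__main__":
    # Constructed sample: the password from the thread with a fixed salt so the
    # output is reproducible. A real slappasswd run picks a random salt.
    hashed = make_ssha("secret_12345", salt=b"\x00\x01\x02\x03")
    print("userPassword:", hashed)
    print("right password, hashed   :", check_password(hashed, "secret_12345"))
    print("wrong password, hashed   :", check_password(hashed, "Secret_12345"))
    print("cleartext, build allows  :", check_password("secret_12345", "secret_12345"))
    print("cleartext, build forbids :",
          check_password("secret_12345", "secret_12345", cleartext_allowed=False))
```

The value make_ssha prints can be pasted directly into the LDIF as userPassword: {SSHA}... and slapd will verify it exactly as check_password does here, salt and all, regardless of whether the build accepts cleartext.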