I just removed all the db files and did ldapadd again for both the Manager and testuser ldif files. But I still have a problem running ldapsearch on testuser. (I don't see any difference between the two while inserting the data.)
/opt/etc/openldap]$ /opt/bin/ldapsearch -Z -x -W -D "uid=testuser,ou=People,dc=myorg,dc=com" "(objectclass=*)"
ldap_start_tls: Protocol error (2)
Enter LDAP Password:
ldap_bind: Invalid credentials (49)

/opt/etc/openldap]$ /opt/bin/ldapsearch -Z -x -W -D "cn=Manager,dc=myorg,dc=com" "(objectclass=*)"
ldap_start_tls: Protocol error (2)
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=myorg,dc=com> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# myorg.com
dn: dc=myorg,dc=com
objectClass: top
objectClass: dcObject
objectClass: nisDomainObject
objectClass: organization
dc: myorg
o: My Organization
nisDomain:: bXlvcmcuY29tIA==

# Manager, myorg.com
dn: cn=Manager,dc=myorg,dc=com
objectClass: organizationalRole
cn: Manager
description: Directory Manager

# NonAnon, myorg.com
dn: cn=NonAnon,dc=myorg,dc=com
objectClass: account
objectClass: posixAccount
description: Non-anonymous ldap binds
cn: NonAnon
uid: nonanon
uidNumber: 1005
gidNumber: 105
homeDirectory: /var/empty
userPassword:: e0NSWVBUfWp6YkFUQWNhb3guIA==
loginShell:: L2Jpbi9mYWxzZSA=
host:: bXlsZGFwaG9zdC5teW9yZy5jb20g

# People, myorg.com
dn: ou=People,dc=myorg,dc=com
objectClass: organizationalUnit
ou: People
description: User Accounts

# Group, myorg.com
dn: ou=Group,dc=myorg,dc=com
objectClass: organizationalUnit
ou: Group
description: System Groups

# testuser, People, myorg.com
dn: uid=testuser,ou=People,dc=myorg,dc=com
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetLocalMailRecipient
cn: Test User
uid: testuser
userPassword:: e2NyeXB0fXM1OFROaXVML3RjTS4=
loginShell: /usr/bin/bash
uidNumber: 1001
gidNumber: 500
homeDirectory: /home/admin/testuser
mailLocalAddress: testuser@myorg.com
mailRoutingAddress: testuser@mailhost.myorg.com
host: somehost.myorg.com
host: someotherhost.myorg.com
host: anotherhost.myorg.com
shadowLastChange: 12193
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
shadowInactive: 1
shadowExpire: 12999
gecos: Test User

# search result
search: 3
result: 0 Success

# numResponses: 7
# numEntries: 6
Is something wrong with my acl?
this is my acl:

access to attrs=userPassword
    by self write
    by * auth
access to *
    by * read
Thanks,
On Tue, Mar 18, 2008 at 4:45 PM, Kevin Kim surelybless@gmail.com wrote:
Yes, that worked, but the crypt library is the same..

ldd /opt/libexec/slapd | grep crypt
libcrypto.so.0.9.8 => /usr/local/ssl/lib/libcrypto.so.0.9.8
[16:36:19][root@bai-qadev-mw1:/usr/local/ssl/certs]$ ldd /opt/sbin/slappasswd | grep crypt
libcrypto.so.0.9.8 => /usr/local/ssl/lib/libcrypto.so.0.9.8

The following error is output using the -Z option:

/opt/bin/ldapsearch -x -Z -W -D "uid=testuser,ou=People,dc=myorg,dc=com" "(objectclass=*)"
ldap_start_tls: Protocol error (2)
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
On Tue, Mar 18, 2008 at 4:19 PM, Patrick Shinpaugh shpatric@vt.edu wrote:
Try running the ldapsearch with the cn=Manager and its password - if that works then take a look at the response from Dieter Kluenter concerning the crypt library used... could be that when slapd is hashing your password it isn't matching.
Kevin Kim wrote:
When I try running it with the -Z option, I get

Enter LDAP Password:
connection_get(11): got connid=5
connection_read(11): checking for input on id=5
ber_get_next
ber_get_next: tag 0x30 len 58 contents:
ber_get_next
conn=5 op=1 do_bind
ber_scanf fmt ({imt) ber:
ber_scanf fmt (m}) ber:
>>> dnPrettyNormal: <uid=testuser,ou=People,dc=myorg,dc=com>
<<< dnPrettyNormal: <uid=testuser,ou=People,dc=myorg,dc=com>, <uid=testuser,ou=people,dc=myorg,dc=com>
do_bind: version=3 dn="uid=testuser,ou=People,dc=myorg,dc=com" method=128
bdb_dn2entry("uid=testuser,ou=people,dc=myorg,dc=com")
send_ldap_result: conn=5 op=1 p=3
send_ldap_response: msgid=2 tag=97 err=49
ber_flush2: 14 bytes to sd 11
ldap_bind: Invalid credentials (49)
Does ldapsearch require a special security module compared to ldapadd?
On Tue, Mar 18, 2008 at 1:26 PM, Patrick Shinpaugh <shpatric@vt.edu> wrote:

The error from your ldapsearch may give a clue...

ldap_bind: Confidentiality required (13)
additional info: TLS confidentiality required

Try adding the -Z option to your ldapsearch

Kevin Kim wrote:
> I also did
>
> $ /opt/bin/ldapadd -Z -x -W -D "cn=Manager,dc=myorg,dc=com" -v -f person.ldif
> ldap_initialize( <DEFAULT> )
> Enter LDAP Password:
> add objectclass:
>         account
>         posixAccount
>         shadowAccount
>         inetLocalMailRecipient
> add cn:
>         Test User
> add uid:
>         testuser
> add userPassword:
>         {crypt}s58TNiuL/tcM.
> add loginShell:
>         /usr/bin/bash
> add uidnumber:
>         1001
> add gidnumber:
>         500
> add homeDirectory:
>         /home/admin/testuser
> add mailLocalAddress:
>         testuser@myorg.com
> add mailRoutingAddress:
>         testuser@mailhost.myorg.com
> add host:
>         somehost.myorg.com
>         someotherhost.myorg.com
>         anotherhost.myorg.com
> add shadowLastChange:
>         12193
> add shadowMin:
>         0
> add shadowMax:
>         99999
> add shadowWarning:
>         7
> add shadowInactive:
>         1
> add shadowExpire:
>         12999
> add gecos:
>         Test User
> adding new entry "uid=testuser,ou=People,dc=myorg,dc=com"
> modify complete
>
> then,
>
> $ /opt/bin/ldapsearch -x -W -D "uid=testuser,ou=People,dc=myorg,dc=com" "(objectclass=*)"
> Enter LDAP Password:
> ldap_bind: Confidentiality required (13)
> additional info: TLS confidentiality required
>
> any help will be appreciated.
>
> On Tue, Mar 18, 2008 at 11:50 AM, Kevin Kim <surelybless@gmail.com> wrote:
>
>     Correction: I did run
>     /opt/bin/ldapsearch -x -W -D "uid=testuser,ou=People,dc=myorg,dc=com"
>     and I am still getting the same error.
>
>     On Tue, Mar 18, 2008 at 11:44 AM, Kevin Kim <surelybless@gmail.com> wrote:
>
>         Can someone help me find the problem with ldapsearch?
>
>         I can insert the data using ldapadd:
>         /opt/bin/ldapadd -Z -x -W -D "cn=Manager,dc=myorg,dc=com" -v -f toplevel.ldif
>         ldap_initialize( <DEFAULT> )
>         Enter LDAP Password:
>         ...........
>         modify complete
>
>         but I am not able to run ldapsearch:
>         /opt/etc/openldap/ldif_files]$ /opt/bin/ldapsearch -x -W -D "uid=testuser,ou=People,dc=scivantage,dc=com" "(objectclass=*)"
>         Enter LDAP Password:
>         ldap_bind: Invalid credentials (49)
>
>         my slapd.conf file:
>         defaultsearchbase dc=myorg,dc=com
>
>         access to attrs=userPassword
>             by self write
>             by anonymous auth
>             by * none
>         access to *
>             by self write
>             by users read
>             by * none
>
>         database bdb
>         suffix "dc=myorg,dc=com"
>         rootdn "cn=Manager,dc=myorg,dc=com"
>
>         Also, if I run ldapwhoami:
>         /opt/bin/ldapwhoami
>         ldap_sasl_interactive_bind_s: Confidentiality required (13)
>
>         I would appreciate it,
>
>         Kevin

--
Patrick Shinpaugh
Virginia Tech UVAG
System Administrator/Programmer
540-231-2054
-- Patrick Shinpaugh Virginia Tech UVAG System Administrator/Programmer 540-231-2054
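Editor's note, added after the thread and not part of any message in it: the question "is something wrong with my acl?" is easier to answer by evaluating the two ACLs the way slapd does than by staring at them. The Python below is my own small model of the rules in slapd.access(5) for the forms used on this page: directives are tried in order, the first matching "access to" wins, inside it the first matching "by" wins, and an unmatched directive or list falls through to an implicit "by * none". The one point that matters for the bind failures discussed above is that a simple bind is checked before any identity exists, so the requester is anonymous and "by self write" cannot apply; what is needed is at least "auth" on userPassword for anonymous. The parser, function names and the two test DNs are my choices; the ACL texts are copied from the thread.

```python
import re

# Access levels in the order slapd ranks them; granting one implies all to its left.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]

# The two ACLs posted in the thread, copied as written.
ACL_FIRST = """
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none
access to *
    by self write
    by users read
    by * none
"""
ACL_SECOND = "access to attrs=userPassword by self write by * auth access to * by * read"

TESTUSER = "uid=testuser,ou=People,dc=myorg,dc=com"
NONANON = "cn=NonAnon,dc=myorg,dc=com"


def parse_acl(text):
    """Split slapd.conf 'access to <what> by <who> <level> ...' directives.

    Only the forms on this page are modelled: <what> is '*' or
    'attrs=<name>[,<name>...]'; <who> is '*', 'anonymous', 'users' or 'self'.
    Works on both the one-line and the multi-line layout.
    """
    rules = []
    for clause in re.split(r"\baccess\s+to\s+", text):
        tokens = clause.split()
        if not tokens:
            continue
        what, bys = tokens[0], []
        for i in range(1, len(tokens), 3):
            if tokens[i] != "by" or i + 2 >= len(tokens):
                raise ValueError("malformed by clause in: %r" % clause)
            bys.append((tokens[i + 1], tokens[i + 2]))
        rules.append((what, bys))
    return rules


def _what_matches(what, attr):
    if what == "*":
        return True
    kind, _, names = what.partition("=")
    return kind == "attrs" and attr.lower() in [n.lower() for n in names.split(",")]


def _who_matches(who, requester, target_dn):
    """requester is the bound DN, or None for an anonymous session."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester is None
    if who == "users":
        return requester is not None
    if who == "self":
        return requester is not None and requester.lower() == target_dn.lower()
    raise ValueError("unsupported <who>: %r" % who)


def access_level(rules, requester, target_dn, attr):
    """Level slapd grants `requester` on `attr` of the entry `target_dn`:
    first matching directive, first matching 'by' inside it, else 'none'."""
    for what, bys in rules:
        if not _what_matches(what, attr):
            continue
        for who, level in bys:
            if _who_matches(who, requester, target_dn):
                return level
        return "none"   # directive matched, no 'by' matched: implicit 'by * none'
    return "none"       # no directive matched: implicit 'access to * by * none'


def granted(rules, requester, target_dn, attr, needed):
    return LEVELS.index(access_level(rules, requester, target_dn, attr)) >= LEVELS.index(needed)


def can_simple_bind(rules, bind_dn):
    """A simple bind is evaluated with no identity yet, so the question is
    whether *anonymous* holds 'auth' on the target's userPassword."""
    return granted(rules, None, bind_dn, "userPassword", "auth")


if __name__ == "__main__":
    for label, text in (("first ACL", ACL_FIRST), ("second ACL", ACL_SECOND)):
        rules = parse_acl(text)
        print(label)
        print("  testuser can simple-bind:      ", can_simple_bind(rules, TESTUSER))
        print("  anonymous on testuser's cn:    ", access_level(rules, None, TESTUSER, "cn"))
        print("  testuser on own userPassword:  ", access_level(rules, TESTUSER, TESTUSER, "userPassword"))
        print("  testuser on NonAnon's password:", access_level(rules, TESTUSER, NONANON, "userPassword"))
```

Run against the page's two ACLs, both grant anonymous "auth" on userPassword, so neither one explains an "Invalid credentials (49)" for testuser; the bind would be denied under both only if "by anonymous auth" (or "by * auth") were missing. The model also shows what the second ACL gives away: "access to * by * read" lets an anonymous client read every attribute except userPassword, which the first ACL limited to authenticated users.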
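Editor's note, a second added example that is not part of the thread: several attributes in the ldapsearch output above are printed as "attr:: value", which ldapsearch does when a value is not a safe LDIF string (for instance it starts or ends with a space, or contains non-ASCII) and, by default, for userPassword. Decoding those values is the first thing to do when one entry binds and another does not, because the encoding hides exactly the kind of difference that breaks a password compare. The script below parses the output quoted above (trimmed to the three entries that carry base64 values; the sample text is copied from the thread, the parser and checks are mine) and reports values with stray whitespace and {crypt} hashes that are not the 13-character form that traditional crypt(3) produces. On the page's own data it finds that the NonAnon entry's userPassword, loginShell and host values, and the base entry's nisDomain, all carry a trailing space, and that the NonAnon {CRYPT} value is only 11 characters long, while testuser's {crypt} hash is clean.

```python
import base64
import re

# Constructed sample: the three entries from the ldapsearch output in the
# thread that carry base64 ('attr:: value') attributes, trimmed to the
# attributes of interest.
SAMPLE_LDIF = """\
# myorg.com
dn: dc=myorg,dc=com
objectClass: top
objectClass: dcObject
nisDomain:: bXlvcmcuY29tIA==

# NonAnon, myorg.com
dn: cn=NonAnon,dc=myorg,dc=com
objectClass: account
objectClass: posixAccount
uid: nonanon
userPassword:: e0NSWVBUfWp6YkFUQWNhb3guIA==
loginShell:: L2Jpbi9mYWxzZSA=
host:: bXlsZGFwaG9zdC5teW9yZy5jb20g

# testuser, People, myorg.com
dn: uid=testuser,ou=People,dc=myorg,dc=com
objectClass: account
objectClass: posixAccount
uid: testuser
userPassword:: e2NyeXB0fXM1OFROaXVML3RjTS4=
loginShell: /usr/bin/bash
host: somehost.myorg.com
"""

# Traditional DES crypt(3): 2-char salt + 11-char hash over [./0-9A-Za-z].
DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")
ATTR_LINE = re.compile(r"^([A-Za-z][\w.;-]*)(::?) ?(.*)$")


def parse_ldif(text):
    """Return one {attr: [decoded values]} dict per entry.
    Unfolds continuation lines, skips comments, base64-decodes '::' values."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # LDIF line folding
        else:
            lines.append(raw)
    entries, entry = [], None
    for line in lines + [""]:             # trailing "" flushes the last entry
        if not line.strip():
            if entry:
                entries.append(entry)
            entry = None
            continue
        if line.startswith("#"):
            continue
        m = ATTR_LINE.match(line)
        if not m:
            raise ValueError("not an LDIF attribute line: %r" % line)
        name, sep, value = m.groups()
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8", "replace")
        entry = entry if entry is not None else {}
        entry.setdefault(name, []).append(value)
    return entries


def check_password(value):
    """Problems a simple bind would trip over in one userPassword value."""
    m = re.match(r"^\{([A-Za-z0-9-]+)\}(.*)$", value)
    if not m:
        return ["no {scheme} prefix: slapd compares it as cleartext"]
    scheme, digest = m.group(1).lower(), m.group(2).strip()
    # Modular crypt ($1$, $5$, $6$ ...) has variable length; only check classic DES.
    if scheme == "crypt" and not digest.startswith("$") and not DES_CRYPT.match(digest):
        return ["{crypt} hash %r is not a 13-char DES crypt string (%d chars)" % (digest, len(digest))]
    return []


def check_entries(entries):
    """Return (dn, attr, problem) triples worth a second look."""
    findings = []
    for entry in entries:
        dn = entry["dn"][0]
        for attr, values in entry.items():
            for v in values:
                if v != v.strip():
                    findings.append((dn, attr, "leading/trailing whitespace in %r" % v))
                if attr.lower() == "userpassword":
                    findings += [(dn, attr, p) for p in check_password(v)]
    return findings


if __name__ == "__main__":
    for dn, attr, problem in check_entries(parse_ldif(SAMPLE_LDIF)):
        print("%s  %s: %s" % (dn, attr, problem))
```

The whitespace check matters because slapd compares the stored hash byte for byte with what it derives from the bind password; a space that rode in from an editor or a copy-paste is invisible in the LDIF until the value is decoded. The script runs offline on the embedded sample; to use it on a live server, feed it the output of "ldapsearch -LLL" instead of SAMPLE_LDIF.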