I am sorry if I am not able to provide the exact information. What I meant was that I am using VI editor to modify the slapd.conf file. Here is exactly what I have done: I compiled and installed openldap version 2.2.20 on red hat Linux 8.0. I did everything according to the manual and was able to install the software successfully. The only catch being that I was never asked to supply any password during the installation, which some of the posts in the mailing list suggested. I have a running version of 2.2.20 on Solaris 8.0. I first copied all of the slapd.conf from solaris server file to my red hat server, but the slapd gave errors and was not able to start initially. I then started copying the slapd.conf from my production to new server bit by bit, adding few lines and then checking if I can start the slapd or not, and eventually I had exact replica of the slapd.conf file on my red hat server and slapd was starting without any errors. I then used slapcat on my production system to generate an ldif which I imported on red hat server using slapadd. I had few errors about the syntax of "clientOrg" attribute being not correct, but those entries contained the extended character set in their values and I deleted them from the ldif file till I was able to import all the ldif from the production system to red hat server. Now the slapd was running perfectly and I could bind anonymously to my ldap server on the red hat and it was fetching all the entries correctly. The problem started when i try to bind to ldap using the credentials which were used on the production system. The slapd.conf file on the production system had the "rootpw secret" line hashed. When I unhashed it, slap did not start stating that rootdn should be under the suffix. While it was not on the production server, I added to my rootdn my suffix as well, and slapd started perfectly. Now as Piotr suggested that after creating a password I can hash the rootpw line again, so that the authentication can be done using only the passwords in the database. So using slappasswd i generated a hash value of the password and copied it into the slapd.conf. While slapd starts fine it still cannot connect to ldap using the supplied credentials saying invalid credentials. Same happens if I try to modify any uid using slapmodify it asks for an ldap password and when I give the password which i pasted in my slapd.conf it says invalid credentials. Hope this is a more clearer explanation. Please let me know if you want to have a look at my slapd.conf file or anything else. This is the only point where I am stuck, rest is fine. Thank you so much for your help. P.S the command I use to modfy the entries in the database is: ldapmodify -v -x -f /path-to-ldif -w -D "cn=nsadmin,o=trac" Thanks and Regards On 10/30/07, Gavin Henry <ghenry(a)suretecsystems.com&gt; wrote:

When you try to modify ldap entry, using ldif file, how do you add "userPassword" field ? In ldif file usually hashed password value, e.g. if you have password "foobar", hashed {CRYPT} string will be $1$J/E/qSv7$SQtxGHJ2UTwkQ40qX8WcN/ Now, with some gui tool like GQ or LdapStudio, you should add prefix {CRYPT} and paste {CRYPT}$1$J/E/qSv7$SQtxGHJ2UTwkQ40qX8WcN/ into ldap object. This should also work, if you paste above string with {CRYPT} prefix (or {MD5} or other, depending how you hashed the password. Note that with slapcat/slapadd user password should be additionaly base64 encoded, and AFAIR, "userPassword" attribute name should be prepended with double colon, e.g perl -MMIME::Base64 -e "print encode_base64('{CRYPT}$1$J/E/qSv7$SQtxGHJ2UTwkQ40qX8WcN/');" userPassword:: e0NSWVBUfS9FL3FTdjcv Anyway does authentication work with slapd.conf including plain or hashed password? P.

This is not modify operation ldap file. Modify operation ldif file should look like this: (in example two values of userPassword will be added to "cn=admin,dc=foo" object, and all old values of userPassword attribute will be removed. dn: cn=admin,dc=foo changetype: modify replace: userPassword userPassword: {CRYPT}hashpasswordvaluehere userPassword: {MD5}passwordhashedinotherway Regards, Piotr

Hi Piotr, Here is my ldif file. dn: cn=nsadmin changetype: modify userpassword: {SHA}R0f182La8UTJewHKUWIr2ltHPXc= and the command I used is: [root@syru156 bin]# ./ldapmodify -x -v -f /main/backup/nsadmin.ldif ldap_initialize( <DEFAULT> ) replace userpassword: {SHA}R0f182La8UTJewHKUWIr2ltHPXc= modifying entry "cn=nsadmin" modify complete ldap_modify: Strong(er) authentication required (8) additional info: modifications require authentication and I cannot still connect bind to ldap through credentials. It says invalid credentials when I try to connect it through ldap browser. Regards On 10/30/07, Naufal Sheikh <naufalzamir(a)gmail.com&gt; wrote:

Ezzel a dátummal: Tuesday 30 October 2007 21.54.49 Naufal Sheikh ezt írta: You didn't specify what DN you want to connect. "Use ldapmodify -D cn=nsadmin,o=trac -x ...". And use the password you gave in slapd.conf. The "rootdn" and "rootpw" have precedence over the one you have in the directory. Bye, György

On Thursday 01 November 2007 18:59:56 Naufal Sheikh wrote: The DN exists in the directory (under a different suffix/database?), and the password is set on the DN, in which case (since rootpw is commented out), the DN is authenticated against the in-directory password. entry in LDAP. In the directory But you can use an encrypted password, see the slappasswd command. Regards, Buchan

Naufal Sheikh wrote: It lets you connect because that's what you have written in the rootdn field. You probably mean you see base64 encoding. -- Kind Regards, Gavin Henry. OpenLDAP Engineering Team. E ghenry(a)OpenLDAP.org Community developed LDAP software. http://www.openldap.org/project/