Can someone help me find the problem with ldapsearch?
I can insert the data using ldapadd:

    /opt/bin/ldapadd -Z -x -W -D "cn=Manager,dc=myorg,dc=com" -v -f toplevel.ldif
    ldap_initialize( <DEFAULT> )
    Enter LDAP Password:
    ...........
    modify complete

but I am not able to run ldapsearch:

    /opt/etc/openldap/ldif_files]$ /opt/bin/ldapsearch -x -W -D "uid=testuser,ou=People,dc=scivantage,dc=com" "(objectclass=*)"
    Enter LDAP Password:
    ldap_bind: Invalid credentials (49)
my slapd.conf file:

    defaultsearchbase dc=myorg,dc=com

    access to attrs=userPassword
        by self write
        by anonymous auth
        by * none
    access to *
        by self write
        by users read
        by * none

    database bdb
    suffix "dc=myorg,dc=com"
    rootdn "cn=Manager,dc=myorg,dc=com"
Also, if I run ldapwhoami:

    /opt/bin/ldapwhoami
    ldap_sasl_interactive_bind_s: Confidentiality required (13)
It will be appreciated,
Kevin
Correction: I did run with

    /opt/bin/ldapsearch -x -W -D "uid=testuser,ou=People,dc=myorg,dc=com"

and I am still getting the same error.

On Tue, Mar 18, 2008 at 11:44 AM, Kevin Kim surelybless@gmail.com wrote:
[...]
I also did
    $ /opt/bin/ldapadd -Z -x -W -D "cn=Manager,dc=myorg,dc=com" -v -f person.ldif
    ldap_initialize( <DEFAULT> )
    Enter LDAP Password:
    add objectclass:
            account
            posixAccount
            shadowAccount
            inetLocalMailRecipient
    add cn:
            Test User
    add uid:
            testuser
    add userPassword:
            {crypt}s58TNiuL/tcM.
    add loginShell:
            /usr/bin/bash
    add uidnumber:
            1001
    add gidnumber:
            500
    add homeDirectory:
            /home/admin/testuser
    add mailLocalAddress:
            testuser@myorg.com
    add mailRoutingAddress:
            testuser@mailhost.myorg.com
    add host:
            somehost.myorg.com
            someotherhost.myorg.com
            anotherhost.myorg.com
    add shadowLastChange:
            12193
    add shadowMin:
            0
    add shadowMax:
            99999
    add shadowWarning:
            7
    add shadowInactive:
            1
    add shadowExpire:
            12999
    add gecos:
            Test User
    adding new entry "uid=testuser,ou=People,dc=myorg,dc=com"
    modify complete
then,
    $ /opt/bin/ldapsearch -x -W -D "uid=testuser,ou=People,dc=myorg,dc=com" "(objectclass=*)"
    Enter LDAP Password:
    ldap_bind: Confidentiality required (13)
            additional info: TLS confidentiality required
Any help will be appreciated.
On Tue, Mar 18, 2008 at 11:50 AM, Kevin Kim surelybless@gmail.com wrote:
[...]
"Kevin Kim" surelybless@gmail.com writes:
I also did
$ /opt/bin/ldapadd -Z -x -W -D "cn=Manager,dc=myorg,dc=com" -v -f person.ldif ldap_initialize( <DEFAULT> )
add userPassword: {crypt}s58TNiuL/tcM.
With which crypt library did you create the attribute value for userPassword? And with which crypt library is slapd linked?
-Dieter
On Tuesday 18 March 2008 17:59:16 Kevin Kim wrote:
I also did
$ /opt/bin/ldapadd -Z -x -W -D "cn=Manager,dc=myorg,dc=com" -v -f person.ldif
[...]
    $ /opt/bin/ldapsearch -x -W -D "uid=testuser,ou=People,dc=myorg,dc=com" "(objectclass=*)"
    Enter LDAP Password:
    ldap_bind: Confidentiality required (13)
            additional info: TLS confidentiality required
This one seems quite obvious to me, but you use -Z on your ldapadd, but not on your ldapsearch, while you have slapd configured to require transport security. Surely it is obvious you should use -Z with the ldapsearch?
Regarding ldapwhoami, did you read the man page, or the --help output? It takes similar options to ldapsearch, and you didn't provide any (while you need to for "simple" binds).
Regards, Buchan
I used the same option as with ldapadd, but I am not getting any output.
    /opt/bin/ldapsearch -Z -x -W -D "ou=People,dc=myorg,dc=com" "(objectclass=*)"
    Enter LDAP Password:

    daemon: activity on 1 descriptor
    daemon: activity on: 11r
    daemon: read activity on 11
    daemon: select: listen=7 active_threads=0 tvp=NULL
    connection_get(11)
    connection_get(11): got connid=3
    connection_read(11): checking for input on id=3
    ber_get_next
    ldap_read: want=8, got=8
      0000:  30 2d 02 01 02 60 28 02                            0-...`(.
    ldap_read: want=39, got=39
      0000:  01 03 04 19 6f 75 3d 50  65 6f 70 6c 65 2c 64 63   ....ou=People,dc
      0010:  3d 6d 79 6f 72 67 2c 64  63 3d 63 6f 6d 80 08 64   =myorg,dc=com..d
      0020:  32 65 6b 77 32 6e 67                               password
    ber_get_next: tag 0x30 len 45 contents:
    ber_dump: buf=2ee5e0 ptr=2ee5e0 end=2ee60d len=45
      0000:  02 01 02 60 28 02 01 03  04 19 6f 75 3d 50 65 6f   ...`(.....ou=Peo
      0010:  70 6c 65 2c 64 63 3d 6d  79 6f 72 67 2c 64 63 3d   ple,dc=myorg,dc=
      0020:  63 6f 6d 80 08 64 32 65  6b 77 32 6e 67            com..password
    ber_get_next
    ldap_read: want=8 error=Resource temporarily unavailable
    conn=3 op=1 do_bind
    daemon: activity on 1 descriptor
    ber_scanf fmt ({imt) ber:
    ber_dump: buf=2ee5e0 ptr=2ee5e3 end=2ee60d len=42
      0000:  60 28 02 01 03 04 19 6f  75 3d 50 65 6f 70 6c 65   `(.....ou=People
      0010:  2c 64 63 3d 6d 79 6f 72  67 2c 64 63 3d 63 6f 6d   ,dc=myorg,dc=com
      0020:  80 08 64 32 65 6b 77 32  6e 67                     ..password
    ber_scanf fmt (m}) ber:
    daemon: waked
    ber_dump: buf=2ee5e0 ptr=2ee603 end=2ee60d len=10
      0000:  00 08 64 32 65 6b 77 32  6e 67                     ..password
    dnPrettyNormal: <ou=People,dc=myorg,dc=com>
    => ldap_bv2dn(ou=People,dc=myorg,dc=com,0)
    <= ldap_bv2dn(ou=People,dc=myorg,dc=com)=0
    daemon: select: listen=7 active_threads=0 tvp=NULL
    => ldap_dn2bv(272)
    <= ldap_dn2bv(ou=People,dc=myorg,dc=com)=0
    => ldap_dn2bv(272)
    <= ldap_dn2bv(ou=people,dc=myorg,dc=com)=0
    <<< dnPrettyNormal: <ou=People,dc=myorg,dc=com>, <ou=people,dc=myorg,dc=com>
    conn=3 op=1 BIND dn="ou=People,dc=myorg,dc=com" method=128
    do_bind: version=3 dn="ou=People,dc=myorg,dc=com" method=128
    ==> bdb_bind: dn: ou=People,dc=myorg,dc=com
    bdb_dn2entry("ou=people,dc=myorg,dc=com")
    send_ldap_result: conn=3 op=1 p=3
    send_ldap_result: err=49 matched="" text=""
    send_ldap_response: msgid=2 tag=97 err=49
    ber_flush2: 14 bytes to sd 11
      0000:  30 0c 02 01 02 61 07 0a  01 31 04 00 04 00         0....a...1....
    ldap_write: want=14, written=14
      0000:  30 0c 02 01 02 61 07 0a  01 31 04 00 04 00         0....a...1....
    conn=3 op=1 RESULT tag=97 err=49 text=
    ldap_bind: Invalid credentials (49)
    daemon: activity on 1 descriptor
    daemon: activity on: 11r
    daemon: read activity on 11
    daemon: select: listen=7 active_threads=0 tvp=NULL
    connection_get(11)
    connection_get(11): got connid=3
    connection_read(11): checking for input on id=3
    ber_get_next
    ldap_read: want=8, got=0
    ber_get_next on fd 11 failed errno=0 (Error 0)
    connection_read(11): input error=-2 id=3, closing.
    connection_closing: readying conn=3 sd=11 for close
    connection_close: conn=3 sd=11
    daemon: activity on 1 descriptor
    daemon: removing 11
    daemon: waked
    conn=3 fd=11 closed (connection lost)
    daemon: select: listen=7 active_threads=0 tvp=NULL
Might this be a bug on Solaris 10?

On Wed, Mar 19, 2008 at 4:07 AM, Buchan Milne bgmilne@staff.telkomsa.net wrote:
[...]
On Wednesday 19 March 2008 15:40:13 Kevin Kim wrote:
I did same option as ldapadd, but I am not getting any output.
/opt/bin/ldapsearch -Z -x -W -D "ou=People,dc=myorg,dc=com" "(objectclass=*)" Enter LDAP Password:
Generally, debugging at the client side is not useful if you know exactly what the client was trying; the error:
ldap_bind: Invalid credentials (49)
is sufficient.
So, to me it looks like ou=People,dc=myorg,dc=com does not have the password you think it does, or the access controls to userPassword are too strict, or the password hash you are using is not supported by your build.
At this point it's probably best asking how you compiled slapd (what configure options, what linker flags you used).
Regards, Buchan
This is the output for ldapsearch; I am not sure it's much different from the previous post.

    => access_allowed: auth access to "uid=testuser,ou=People,dc=myorg,dc=com" "userPassword" requested
    => acl_get: [1] attr userPassword
    => slap_access_allowed: result not in cache (userPassword)
    => acl_mask: access to entry "uid=testuser,ou=People,dc=myorg,dc=com", attr "userPassword" requested
    => acl_mask: to value by "", (=0)
    <= check a_dn_pat: *
    <= acl_mask: [1] applying write(=wrscxd) (stop)
    <= acl_mask: [1] mask: write(=wrscxd)
    => slap_access_allowed: auth access granted by write(=wrscxd)
    => access_allowed: auth access granted by write(=wrscxd)
    send_ldap_result: conn=0 op=1 p=3
    send_ldap_result: err=49 matched="" text=""
    send_ldap_response: msgid=2 tag=97 err=49

Here is my ACL now:

    access to attrs=userPassword
        by * write
        by * read
    access to *
        by * read

These are my LDAP build options:

    ./configure --prefix=/opt --enable-bdb --enable-crypt --enable-spasswd --with-threads --with-tls --with-cyrus-sasl --without-kerberos --disable-ipv6 --enable-slurpd --enable-cleartext --enable-wrappers

I am not sure this info will help anything:

    LDFLAGS=-L/opt/lib -L/usr/local/BerkeleyDB.4.6/lib -L/opt/ssl/lib -L/opt/lib/sasl2 -L/usr/lib -R/opt/ssl/lib -R/opt/lib/sasl -L/usr/local/ssl/lib
    CPPFLAGS=-I/opt/lib -I/opt/ssl/include -I/usr/local/BerkeleyDB.4.6/include -I/opt/include/sasl
Thanks,
On Wed, Mar 19, 2008 at 10:23 AM, Buchan Milne bgmilne@staff.telkomsa.net wrote:
[...]
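Buchan's three hypotheses (the bind DN does not carry the password you think, the userPassword ACL is too strict, the hash type is unsupported by the build) and the "by * write" ACL Kevin ended up with can be checked against a small model of how slapd evaluates access directives. The script below is an added example; it is not part of the thread and not OpenLDAP's code. It implements the first-match rule of slapd.access(5) for the selectors the thread uses ("*", "attrs=", "self", "anonymous", "users"); the miniature directory, the second account uid=otheruser and the "denied when no directive matches" default are constructed or assumed. It shows that a simple bind as ou=People fails because that entry has no userPassword, that the original ACL grants the anonymous requester exactly "auth" on userPassword (enough to bind, not to read the hash), and that the loosened ACL lets anyone, anonymous included, overwrite any entry's password, so it is not a safe fix.

```python
"""Toy evaluator for slapd.conf 'access to' directives (added example, not
OpenLDAP's code). It models the first-match rule of slapd.access(5): the
first 'access to' clause whose target matches is selected, the first
matching 'by' clause inside it decides, and an implicit 'by * none' ends
every clause. All DNs, entries and ACL texts below are constructed."""
import re

# Privilege levels, lowest first. A level implies every lower one, which is
# what the letters in slapd's debug output mean: write(=wrscxd) is write,
# read, search, compare, auth (x) and disclose.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]


def parse_acl(text):
    """Parse access directives into [(target, [(who, level), ...]), ...]."""
    acls = []
    for m in re.finditer(r"access\s+to\s+(\S+)((?:\s+by\s+\S+\s+\S+)+)", text):
        acls.append((m.group(1), re.findall(r"by\s+(\S+)\s+(\S+)", m.group(2))))
    return acls


def target_matches(target, entry_dn, attr):
    """Target selectors used in the thread: '*' and 'attrs=<list>'."""
    if target == "*":
        return True
    if target.startswith("attrs="):
        wanted = [a.lower() for a in target[len("attrs="):].split(",")]
        return attr is not None and attr.lower() in wanted
    raise ValueError("unsupported target selector: " + target)


def who_matches(who, requester_dn, entry_dn):
    """An empty requester DN is the anonymous identity (slapd logs it as by "")."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester_dn == ""
    if who == "users":
        return requester_dn != ""
    if who == "self":
        return requester_dn != "" and requester_dn.lower() == entry_dn.lower()
    raise ValueError("unsupported who selector: " + who)


def granted_level(acls, requester_dn, entry_dn, attr=None):
    """Level granted by the first clause whose target matches; 'none' otherwise."""
    for target, clauses in acls:
        if target_matches(target, entry_dn, attr):
            for who, level in clauses:
                if who_matches(who, requester_dn, entry_dn):
                    return level
            return "none"  # implicit 'by * none' at the end of the clause
    return "none"  # no directive matched: assumed denied, per slapd.access(5)


def allowed(acls, requester_dn, entry_dn, needed, attr=None):
    """True when the granted level implies the needed one."""
    have = granted_level(acls, requester_dn, entry_dn, attr)
    return LEVELS.index(have) >= LEVELS.index(needed)


# Constructed copies of the two ACL sets posted in the thread.
STRICT_ACL = """
access to attrs=userPassword by self write by anonymous auth by * none
access to * by self write by users read by * none
"""
OPEN_ACL = """
access to attrs=userPassword by * write by * read
access to * by * read
"""

USER = "uid=testuser,ou=People,dc=myorg,dc=com"
OTHER = "uid=otheruser,ou=People,dc=myorg,dc=com"  # hypothetical second account
PEOPLE = "ou=People,dc=myorg,dc=com"
# Constructed miniature directory: which entries carry a userPassword at all.
DIRECTORY = {PEOPLE.lower(): set(), USER.lower(): {"userPassword"}, OTHER.lower(): {"userPassword"}}


def simple_bind_check(acls, bind_dn, directory=DIRECTORY):
    """Why a simple bind can fail before the hash is compared: slapd needs
    'auth' access to the bind DN's userPassword for the still-anonymous
    requester; a missing attribute or a denying ACL both reach the client
    as 'Invalid credentials (49)'."""
    attrs = directory.get(bind_dn.lower())
    if attrs is None or "userPassword" not in attrs:
        return "no-password"
    if not allowed(acls, "", bind_dn, "auth", "userPassword"):
        return "acl-denied"
    return "ok"  # the stored hash still has to verify the supplied password


def demo():
    strict, wide_open = parse_acl(STRICT_ACL), parse_acl(OPEN_ACL)
    return {
        "strict_bind_as_user": simple_bind_check(strict, USER),
        "strict_bind_as_ou": simple_bind_check(strict, PEOPLE),
        "strict_anon_read_pw": allowed(strict, "", USER, "read", "userPassword"),
        "strict_self_write_pw": allowed(strict, USER, USER, "write", "userPassword"),
        "strict_user_write_other_pw": allowed(strict, USER, OTHER, "write", "userPassword"),
        "strict_user_read_other": allowed(strict, USER, OTHER, "read"),
        "open_bind_as_user": simple_bind_check(wide_open, USER),
        # 'by * write' lets an anonymous client overwrite any entry's password
        "open_anon_write_other_pw": allowed(wide_open, "", OTHER, "write", "userPassword"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The `acl_mask: to value by "", (=0)` line in Kevin's slapd output is the anonymous requester this model uses for the bind check, and `applying write(=wrscxd) (stop)` is the first-match rule stopping at `by * write`; the second `by * read` in that ACL can never be reached.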
openldap-software@openldap.org