Thanks for the response. Step by step:

In most places below I've replaced my actual domain with "example.com".

I created the password "secret" like this:

[root@db workarea]# slappasswd -c crypt New password: Re-enter new password: {CRYPT}crcCmS9I6zJVQ

Then, the ldif:

dn: cn=Ron,ou=Zimbra,dc=example,dc=com objectClass: top objectClass: person objectClass: organizationalPerson objectClass: inetOrgPerson cn: Ron gn: Ron sn: Jones mail: ron@scbbs.com postalAddress: PO Box 1000 l: El Segundo st: California ou: Zimbra postalCode: 90222 telephoneNumber: +1-310.323.7033 mobile: +1-310.323.7033 homePhone: +1-310.323.7033 initials: RP userPassword: {CRYPT}crcCmS9I6zJVQ

Then I added it to the database:

[root@db workarea]# ldapadd -x -D "cn=Manager,dc=example,dc=com" -W -f zimbra03.ldif Enter LDAP Password: adding new entry "cn=Ron,ou=Zimbra,dc=example,dc=com"

Next, I checked to make sure it was there:

ldapsearch -H "ldap://example.com" -D 'cn=Manager,dc=example,dc=com' -x -W

# Ron, Zimbra, example.com dn: cn=Ron,ou=Zimbra,dc=example,dc=com objectClass: top objectClass: person objectClass: organizationalPerson objectClass: inetOrgPerson cn: Ron givenName: Ron sn: Jones mail: ron@example.com postalAddress: PO Box 1000 l: El Segundo st: California ou: Zimbra postalCode: 90222 telephoneNumber: +1-310.323.7033 mobile: +1-310.323.7033 homePhone: +1-310.323.7033 initials: RP userPassword:: e0NSWVBUfWNyY0NtUzlJNnpKVlE=

Finally, I try to log in as this user to do a search:

ldapsearch -H "ldap://example.com" -D 'cn=Ron,ou=Zimbra,dc=example,dc=com' -x -W

Enter LDAP Password: ldap_bind: Invalid credentials (49)

Here's the debug output (note that ber_flush: shows the actual domain I am using):

ldap_create ldap_url_parse_ext(ldap://example.com) Enter LDAP Password: ldap_bind_s ldap_simple_bind_s ldap_sasl_bind_s ldap_sasl_bind ldap_send_initial_request ldap_new_connection ldap_int_open_connection ldap_connect_to_host: TCP example.com:389 ldap_new_socket: 3 ldap_prepare_socket: 3 ldap_connect_to_host: Trying <my host ip>:389 ldap_connect_timeout: fd: 3 tm: -1 async: 0 ldap_ndelay_on: 3 ldap_is_sock_ready: 3 ldap_ndelay_off: 3 ldap_open_defconn: successful ldap_send_server_request ber_flush: 58 bytes to sd 3 0000: 30 38 02 01 01 60 33 02 01 03 04 26 63 6e 3d 52 08...`3....&cn=R 0010: 6f 6e 2c 6f 75 3d 5a 69 6d 62 72 61 2c 64 63 3d on,ou=Zimbra,dc= 0020: 64 62 2c 64 63 3d 73 63 62 62 73 2c 64 63 3d 63 db,dc=scbbs,dc=c 0030: 6f 6d 80 06 73 65 63 72 65 74 om..secret ldap_write: want=58, written=58 0000: 30 38 02 01 01 60 33 02 01 03 04 26 63 6e 3d 52 08...`3....&cn=R 0010: 6f 6e 2c 6f 75 3d 5a 69 6d 62 72 61 2c 64 63 3d on,ou=Zimbra,dc= 0020: 64 62 2c 64 63 3d 73 63 62 62 73 2c 64 63 3d 63 db,dc=scbbs,dc=c 0030: 6f 6d 80 06 73 65 63 72 65 74 om..secret ldap_result msgid 1 ldap_chkResponseList for msgid=1, all=1 ldap_chkResponseList returns NULL wait4msg (infinite timeout), msgid 1 wait4msg continue, msgid 1, all 1 ** Connections: * host: example.com port: 389 (default) refcnt: 2 status: Connected last used: Fri Jul 13 19:58:03 2007

** Outstanding Requests: * msgid 1, origid 1, status InProgress outstanding referrals 0, parent count 0 ** Response Queue: Empty ldap_chkResponseList for msgid=1, all=1 ldap_chkResponseList returns NULL ldap_int_select read1msg: msgid 1, all 1 ber_get_next ldap_read: want=8, got=8 0000: 30 0c 02 01 01 61 07 0a 0....a.. ldap_read: want=6, got=6 0000: 01 31 04 00 04 00 .1.... ber_get_next: tag 0x30 len 12 contents: ber_dump: buf=0x08a58348 ptr=0x08a58348 end=0x08a58354 len=12 0000: 02 01 01 61 07 0a 01 31 04 00 04 00 ...a...1.... ldap_read: message type bind msgid 1, original id 1 ber_scanf fmt ({iaa) ber: ber_dump: buf=0x08a58348 ptr=0x08a5834b end=0x08a58354 len=9 0000: 61 07 0a 01 31 04 00 04 00 a...1.... read1msg: 0 new referrals read1msg: mark request completed, id = 1 request 1 done res_errno: 0, res_error: <>, res_matched: <> ldap_free_request (origid 1, msgid 1) ldap_free_connection ldap_free_connection: refcnt 1 ldap_parse_result ber_scanf fmt ({iaa) ber: ber_dump: buf=0x08a58348 ptr=0x08a5834b end=0x08a58354 len=9 0000: 61 07 0a 01 31 04 00 04 00 a...1.... ber_scanf fmt (}) ber: ber_dump: buf=0x08a58348 ptr=0x08a58354 end=0x08a58354 len=0

ldap_msgfree ldap_perror ldap_bind: Invalid credentials (49)

Thanks!

-ron

matthew sporleder wrote:

On 7/13/07, Ron Parker sysop@scbbs.com wrote:

...

I have created a bdb database using openldap on a RH Linux server with basically the default configuration.

I'm able to log in with an LDAP client using the root dn and password: "cn=Manager, dc=example, dc=com" (using "example.com" here instead of my actual domain)

I've created an Organizational Unit called "Zimbra", and under Zimbra, I have inetOrgPerson "Ron"

com example organizationalUnit = Zimbra inetOrgPerson = Ron

Using ldapmodify (logging in as rootdn) I gave inetOrgPerson Ron a password (userPassword)

In slapd.conf, I've given Ron access to write to the Zimbra ou:

access to dn.base="ou=Zimbra,dc=example,dc=com" by dn="cn=Ron,ou=Zimbra,dc=example,dc=com" write

When I then use the following settings to log in as Ron using an LDAP client, I get "Invalid Credentials (49)" error:

Host: example.com Port: 389 Protocol: LDAP v3 DSML Service: Base DN: ou=Zimbra,dc=example,dc=com Level: User+Password User DN: cn=Ron,ou=Zimbra,dc=example,dc=com Password: <the password I set for inetOrgPerson Ron in userPassword field>

I thought this might have been an issue with my LDAP client, so I also tried logging in locally on the server, using only ldapsearch:

ldapsearch -v -H "ldap://example.com" -D 'cn=Ron,ou=Zimbra,dc=example,dc=com' -W -x -b 'ou=Zimbra,dc=example,dc=com'

And still get same error. Again, I can log in using rootdn (i.e., "Manger"), but not as any other user.

Can someone point out to me what I'm missing? Thanks so much for any assistance.

Can you show the ldif you used to add this user and the output of a search for him?

__________ NOD32 2398 (20070714) Information __________

This message was checked by NOD32 antivirus system. http://www.eset.com