Hi all,

 

 

I am trying to bind openldap-2.4.33 to a vendor SSO using a simple bind and I am getting Invalid Credentials. I have reset the rootdn password more than once to make sure there were no typos, and I am still getting the same Invalid Credentials error.

 

This is a copy of my slapd.conf:

# NOTE(review): this is OpenLDAP slapd.conf(5) syntax, not INI: '#' begins a
# comment only in column 0, and a line that begins with whitespace continues
# the previous directive.
# See slapd.conf(5) for details on configuration options.

# This file should NOT be world readable.

#

include         /opt/local/etc/openldap/schema/core.schema

include         /opt/local/etc/openldap/schema/ppolicy.schema

# Define global ACLs to disable default read access.
# (No 'access to' directive follows this comment; see the note in the
# database section below.)

include     /opt/local/etc/openldap/schema/cosine.schema

include         /opt/local/etc/openldap/schema/nis.schema

include     /opt/local/etc/openldap/schema/inetorgperson.schema

 

# Do not enable referrals until AFTER you have a working directory

# service AND an understanding of referrals.

#referral       ldap://root.openldap.org

 

pidfile         /opt/local/var/run/slapd.pid

argsfile        /opt/local/var/run/slapd.args

# Removes the search size limit for every client, anonymous ones included
# (slapd.conf(5) defaults it to 500 entries).
sizelimit  unlimited

# NOTE(review): serverID stays commented out while 'mirrormode on' is set in
# the database section; slapd.conf(5) describes serverID as the per-server
# ID for multi-master replication — confirm it is set somewhere if mirror
# mode is intended.
#serverID 1

 

# Permits LDAPv2 bind operations (the historic protocol version); keep it only
# if a client is known to require it.
allow bind_v2

loglevel sync

 

# NOTE(review): the next line is a vi/vim status line pasted along with the
# file, not a directive, and slapd would reject it. From here down to the
# 'referral' comment the file header is repeated; the pidfile..loglevel
# directives above appear only in the first copy.
"/opt/local/etc/openldap/slapd.conf" 180L, 5417C

#

# See slapd.conf(5) for details on configuration options.

# This file should NOT be world readable.

#

include         /opt/local/etc/openldap/schema/core.schema

include         /opt/local/etc/openldap/schema/ppolicy.schema

# Define global ACLs to disable default read access.

include     /opt/local/etc/openldap/schema/cosine.schema

include         /opt/local/etc/openldap/schema/nis.schema

include     /opt/local/etc/openldap/schema/inetorgperson.schema

 

# Do not enable referrals until AFTER you have a working directory

# service AND an understanding of referrals.

#referral       ldap://root.openldap.org

 

 

 

 

# Load dynamic backend modules:

# modulepath    /opt/local/libexec/openldap

# moduleload    back_bdb.la

# moduleload    back_hdb.la

# moduleload    back_ldap.la

#modulepath  /usr/lib/openldap

#moduleload accesslog.la

moduleload auditlog.la

#moduleload denyop.la

#moduleload dyngroup.la

moduleload dynlist.la

#moduleload lastmod.la

#moduleload pcache.la

moduleload ppolicy.la

#moduleload refint.la

#moduleload retcode.la

#moduleload rwm.la

#moduleload smbk5pwd.la

moduleload syncprov.la

# NOTE(review): this loads syncprov a second time (the line above already
# loads syncprov.la); whether the second load fails or is ignored depends on
# the module loader — check the startup log and drop one of the two lines.
moduleload  syncprov

#moduleload translucent.la

moduleload unique.la

moduleload valsort.la

 

# Sample security restrictions

#       Require integrity protection (prevent hijacking)

#       Require 112-bit (3DES or better) encryption for updates

#       Require 63-bit encryption for simple bind

# security ssf=1 update_ssf=112 simple_bind=64
# NOTE(review): no 'security' directive is active, so simple binds — and with
# them the rootdn password — are accepted over unprotected connections; the
# sample line above (or at least simple_bind=64) would refuse them.

 

# Sample access control policy:

#       Root DSE: allow anyone to read it

#       Subschema (sub)entry DSE: allow anyone to read it

#       Other DSEs:

#               Allow self write access

#               Allow authenticated users read access

#               Allow anonymous users to authenticate

#       Directives needed to implement policy:

# access to dn.base="" by * read

# access to dn.base="cn=Subschema" by * read

# access to *

#       by self write

#       by users read

#       by anonymous auth

#

# if no access controls are present, the default policy

# allows anyone and everyone to read anything but restricts

# updates to rootdn.  (e.g., "access to * by * read")

#

# rootdn can always read and write EVERYTHING!

# CA signed certificate and server cert entries:

# NOTE(review): 'MEDIUM' admits weak suites and '+SSLv2' keeps SSLv2-era
# ciphers in the list (in OpenSSL cipher-list syntax '+' reorders rather than
# removes); 'HIGH' alone, or an explicit modern list, is the safer value. The
# string is handed to the TLS library's cipher parser, so the exact effect
# depends on the library slapd was built against.
TLSCipherSuite HIGH:MEDIUM:+SSLv2

TLSCACertificateFile /opt/local/etc/openldap/cacert.pem

TLSCertificateFile /opt/local/etc/openldap/ldap-tls.curry.edu.cert.pem

TLSCertificateKeyFile /opt/local/etc/openldap/ldap-tls.curry.edu.key.pem

 

# Client verification not required
# ('never' is also the default for TLSVerifyClient in slapd.conf(5), so the
# commented line below changes nothing.)

 

#TLSVerifyClient never

 

 

#######################################################################

# BDB database definitions

#######################################################################

 

database        bdb

suffix          "dc=curry,dc=edu"

rootdn          "cn=ldap,dc=curry,dc=edu"

# Cleartext passwords, especially for the rootdn, should

# be avoided.  See slappasswd(8) and slapd.conf(5) for details.

# Use of strong authentication encouraged.

# NOTE(review): this hash has been published with the mailing-list post, so
# the rootdn password should be changed (slappasswd(8)); keep this file mode
# 600 as the header asks.
rootpw {SSHA}gMePUFraA8Fjn63t8FzpYHbp+6g8N6Mz

 

 

 

 

# NOTE(review): the access directive below is commented out, so no ACL applies
# to this database and the default policy described in the sample section
# above (anyone reads everything, updates only by rootdn) is in force. Add an
# explicit 'access to' policy — at minimum one restricting userPassword to
# 'by self write / by anonymous auth' — before exposing the server.
#access to *

#     by dn.base="cn=ldap,dc=curry,dc=edu" read

#     by * break

 

# The database directory MUST exist prior to running slapd AND

# should only be accessible by the slapd and slap tools.

# Mode 700 recommended.

directory       /opt/local/var/openldap-data

 

 

 

# NOTE(review): a syncrepl directive is one logical line; every continuation
# must start with whitespace (slapd.conf(5)). 'tls_cert=' below starts in
# column 0 and would be read as a separate, unknown directive — possibly lost
# in pasting, so confirm the indent in the real file. The provider URI is
# plain ldap:// and no starttls=critical is given; the tls_* settings only
# take effect with starttls= or an ldaps:// URI, so as written the replication
# session appears to run unencrypted — verify. No bindmethod=/binddn= is given
# either, so the consumer presumably binds anonymously (or SASL EXTERNAL with
# the client certificate was intended) — confirm which.
syncrepl rid=006

  provider=ldap://192.168.60.42

tls_cert=/etc/pki/tls/certs/ldap-tls.curry.edu.cert.pem

  tls_key=/etc/pki/tls/private/ldap-tls.curry.edu.key.pem

  tls_cacert=/etc/pki/tls/certs/cacert.pem

  tls_reqcert=demand

  searchbase="dc=curry,dc=edu"

  schemachecking=on

  timelimit=unlimited

  sizelimit=unlimited

  type=refreshAndPersist

  retry="60 +"

 

# Index to maintain
# (slapo-syncprov(5) recommends an eq index on entryCSN as well as entryUUID
# on the provider; entryCSN is not indexed here.)

index entryUUID                         eq

index objectClass                       eq,pres

index ou,cn,mail,surname,givenname      eq,pres,sub

index uidNumber,gidNumber,loginShell    eq,pres

index uid,memberUid                     eq,pres

index nisMapName,nisMapEntry            eq,pres,sub

 

 

#mirrormode TRUE

mirrormode on

# define the provider to use the syncprov overlay

# (last directives in database section)
# NOTE(review): overlays stack in configuration order (the most recently
# configured one is processed first, slapd.conf(5)); 'overlay ppolicy' is
# configured after syncprov below, contrary to the "last directives" note
# here — confirm that order is intended.

 

overlay syncprov

# contextCSN saved to database every 100 updates or every minute: the second
# argument to syncprov-checkpoint is minutes (slapd-syncprov(5)), so the
# earlier "ten minutes" wording did not match the configured value.

syncprov-checkpoint 100 1

syncprov-sessionlog 100

#################################################################################

#                         Password Policy                                       #

################################################################################

#################################################################################

# This implies the password policy should be for the entire base DN
# (ppolicy_default names the pwdPolicy entry used for entries that carry no
# pwdPolicySubentry of their own, slapo-ppolicy(5)).

#ppolicy_default

overlay ppolicy

ppolicy_default "cn=default,ou=policies,dc=curry,dc=edu"

 

# This implies the passwords should not be in clear text and this directive takes no parameters
# NOTE(review): the directive must be spelled exactly 'ppolicy_hash_cleartext';
# the copy in this post shows it as 'ppolicy_hash_cleartex', which slapd would
# reject as an unknown directive if that is not merely truncation of the post.

ppolicy_hash_cleartex