Hi all!
We have this in place:
olcAccess: {1}to attrs=userpassword by anonymous auth by * none break
Using the RootDN to set a user password:
# ldappasswd -H ldaps://my.ldapserver1.com -D "cn=admin,o=ldap,c=com" -W -S "uid=testuser,ou=Users,o=ldap,c=com" -v
New password: <newpassword>
Re-enter new password: <newpassword>
Enter LDAP Password: <very_secret_and_difficult>
ldap_initialize( ldaps://my.ldapserver1.com:636/??base )
Enter LDAP Password:
Result: Success (0)
We observe the password change replicate (master-master) to our other server.
Then to test access:
# ldapsearch -H ldaps://my.ldapserver1.com -s base -b o=ldap,c=com -D "uid=testuser,ou=Users,o=ldap,c=com" -w <newpassword> -v
ldap_initialize( ldaps://my.ldapserver1.com:636/??base )
ldap_bind: Invalid credentials (49)
More background: this is a fresh master-master setup, replication works with the root DN, and all other user authentications fail with the same Invalid credentials (49).
The server ldaps://my.ldapserver1.com is an actual single (master) server, no load balancers, no firewalling. It is configured with an actual (and valid) certificate, ldapsearch uses the correct CA, and ldapsearch with the root DN works fine. This is the latest Symas OpenLDAP 2.5 on RHEL9.
Anyone with an idea why we can only authenticate as the RootDN, and all other authentications give Invalid credentials (49)?
We have double checked whatever we can think of, and are *really* unsure what is going on....
Hoping for some clues from the experts here :-)
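As an added illustration (not part of the post, and not slapd's own code), here is a small Python model of how slapd walks ordered olcAccess clauses, applied to the rule quoted above. It shows that the rule gives an anonymous session `auth` on userPassword, the level a simple bind needs, while any other identity falls through `by * none break` to whatever later rules say; the rootdn is not modelled because it bypasses ACLs, and SELF_WRITE_RULE is a hypothetical extra rule, not something from the thread.

```python
# Toy model of slapd olcAccess evaluation (added example, not slapd code). It covers
# only what the thread uses: ordered 'to attrs=<attr>' clauses and 'by <who> <level>
# [stop|break]' with who in {anonymous, users, self, *}; the rootdn bypasses ACLs.
import re

LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]  # increasing

# Constructed copy of the rule quoted in the post, plus a hypothetical second rule.
POSTED_RULE = "{1}to attrs=userpassword by anonymous auth by * none break"
SELF_WRITE_RULE = "to attrs=userpassword by self write"

def parse_rule(rule):
    """Split one olcAccess value into (target attrs or None, ordered 'by' clauses)."""
    rule = re.sub(r"^\{\d+\}", "", rule.strip())  # drop the {n} ordering prefix
    target, *by_parts = re.split(r"\s+by\s+", rule)
    m = re.search(r"attrs=(\S+)", target)
    attrs = {a.lower() for a in m.group(1).split(",")} if m else None
    clauses = []
    for part in by_parts:
        who, level, *rest = part.split()
        clauses.append((who, level, rest[0] if rest else "stop"))  # default control: stop
    return attrs, clauses

def who_matches(who, subject, is_self):
    """subject is the bound DN, or None for an anonymous (not yet bound) session."""
    return (who == "*"
            or (who == "anonymous" and subject is None)
            or (who == "users" and subject is not None)
            or (who == "self" and subject is not None and is_self))

def access_for(rules, attr, subject=None, is_self=False):
    """First 'to' clause matching attr is consulted and its first matching 'by'
    decides; 'stop' ends evaluation, 'break' lets later 'to' clauses override."""
    granted = "none"
    for attrs, clauses in map(parse_rule, rules):
        if attrs is not None and attr.lower() not in attrs:
            continue
        hit = next(((lvl, ctl) for who, lvl, ctl in clauses
                    if who_matches(who, subject, is_self)), None)
        if hit is None:
            return "none"  # implicit trailing 'by * none stop'
        granted, control = hit
        if control != "break":
            return granted
    return granted

def permits(level, needed):
    """True if the granted level covers the operation (a simple bind needs 'auth')."""
    return LEVELS.index(level) >= LEVELS.index(needed)
```

With only the posted rule, a bound user gets `none` on its own userPassword, so it could not change its own password through that rule; adding a `by self write` rule after it shows how `break` lets the later rule take effect.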