Ulises Gonzalez Horta
Lead Linux Engineer
C: 786 450 2970/ 240 727 6267
E: ugonzalezhorta@breezeline.com
On Fri, Jan 03, 2025 at 02:21:58PM -0500, Ulises Gonzalez Horta wrote:
> Can you please give an explanation of the full meaning?? That way we can
> learn because online it refers to invalid credentials, providing the user
> is good, then the password is what left over
> See this example where I intentionally put the wrong password

Hi Ulises,

all it means is that for whatever reason, the credentials (combination
of user and password in your case) are not accepted by the server.

Since confirming whether a user exists to a random passer-by (=anonymous
session) is generally considered a very bad idea, the server is
unwilling to disclose a reason for the failure. As you found out there
might be a lot of things that end up influencing the ability to bind as
a user: the user might not exist, there might be no useable password in
the DB, ACLs might prevent this too if they deny auth access to the user
or its password, the way you replicate the DB does not match up with
what you expected...

If in doubt, especially when you suspect a misconfiguration, it is up to
the administrator to investigate.

There might be reasons when more information actually gets returned;
it should always be something the admin explicitly configured - e.g.
password expiry information through the ppolicy overlay.

Regards,

--
Ondřej Kuzník
Senior Software Engineer
Symas Corporation http://www.symas.com
Packaged, certified, and supported LDAP solutions powered by OpenLDAP
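
The behaviour described in the reply above, as an added example that is not part of the original message and is not OpenLDAP code: a toy simple bind in Python that gives the client the same invalidCredentials (49) answer for every failure cause and keeps the real reason in a server-side record. The DNs, passwords, `simple_bind`, `ADMIN_LOG` and the dummy-hash step are assumptions made for the illustration.

```python
import hashlib
import hmac
import os

SUCCESS = 0
INVALID_CREDENTIALS = 49  # LDAP resultCode invalidCredentials (RFC 4511)

def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

def _entry(password, auth_allowed=True):
    salt = os.urandom(16)
    stored = _derive(password, salt) if password is not None else None
    return {"salt": salt, "hash": stored, "auth_allowed": auth_allowed}

# Constructed sample directory; every DN and password here is made up.
DIRECTORY = {
    "uid=alice,dc=example,dc=com": _entry("correct horse"),
    "uid=bob,dc=example,dc=com": _entry(None),  # no usable password stored
    "uid=carol,dc=example,dc=com": _entry("s3cret", auth_allowed=False),  # ACL denies auth
}
_DUMMY = _entry("placeholder")  # example's own choice: same work for unknown DNs
ADMIN_LOG = []                  # stands in for the server-side log

def simple_bind(dn: str, password: str):
    """Return (resultCode, diagnosticMessage) exactly as the client sees it."""
    entry = DIRECTORY.get(dn)
    probe = entry if entry and entry["hash"] else _DUMMY
    matches = hmac.compare_digest(_derive(password, probe["salt"]), probe["hash"])
    if entry is None:
        reason = "no such entry"
    elif not entry["auth_allowed"]:
        reason = "ACL denies auth access"
    elif entry["hash"] is None:
        reason = "no usable password"
    elif not matches:
        reason = "password mismatch"
    else:
        return SUCCESS, ""
    ADMIN_LOG.append((dn, reason))   # the detail stays on the administrator's side
    return INVALID_CREDENTIALS, ""   # one answer for every failure cause
```
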