Hi,
I am trying to modify cn=config, but I don't understand why It doesn't work any more.

root@auth-dev:/etc/ldap# ldapsearch -v -x -D 'cn=admin,cn=config' -W
ldap_initialize( <DEFAULT> )
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
root@auth-dev:/etc/ldap# ldapsearch -v -x -D 'cn=admin,^C-W
root@auth-dev:/etc/ldap# cat /etc/ldap/slapd.d/cn=config/olcDatabase={0}config.ldif
dn: olcDatabase={0}config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external
 ,cn=auth manage by * break
olcRootDN: cn=admin,cn=config
structuralObjectClass: olcDatabaseConfig
entryUUID: 7904eb62-0b79-1032-92e0-3d0a3fa53956
creatorsName: cn=config
createTimestamp: 20130215050825Z
entryCSN: 20130215050825.984665Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20130215050825Z

Thanks.
On 02/20/2013 12:41 AM, Asmaa Ahmed wrote:
Hi,
I am trying to modify cn=config, but I don't understand why It doesn't work any more.
root@auth-dev:/etc/ldap# ldapsearch -v -x -D 'cn=admin,cn=config' -W
ldap_initialize( <DEFAULT> )
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
           ^^^^^^^^^^^^^^^^^^^
Maybe try to use the correct password?
Regards, Patrick
--On Wednesday, February 20, 2013 10:41 AM +1100 Asmaa Ahmed asabatgirl@hotmail.com wrote:
Hi,
I am trying to modify cn=config, but I don't understand why It doesn't work any more.
root@auth-dev:/etc/ldap# ldapsearch -v -x -D 'cn=admin,cn=config' -W
It looks like you have configured your cn=config DB to use SASL/EXTERNAL auth, with mapping from the root user to the rootdn. However, your ldapsearch command is not using SASL/EXTERNAL. This would explain the error.
--Quanah
--
Quanah Gibson-Mount Sr. Member of Technical Staff Zimbra, Inc A Division of VMware, Inc. -------------------- Zimbra :: the leader in open source messaging and collaboration
yes, but how can I modify the configuration now?
I can add users for instance, but I can't modify cn=config!

ldapadd -v -x -D 'cn=admin,dc=domain,dc=com' -W -f sasl-config.ldif
modifying entry "cn=config"
ldap_modify: Insufficient access (50)

Thanks.
Date: Tue, 19 Feb 2013 17:46:19 -0800 From: quanah@zimbra.com To: asabatgirl@hotmail.com; openldap-technical@openldap.org Subject: Re: modifying cn=config - Invalid credentials (49)
--On Wednesday, February 20, 2013 10:41 AM +1100 Asmaa Ahmed asabatgirl@hotmail.com wrote:
Hi,
I am trying to modify cn=config, but I don't understand why It doesn't work any more.
root@auth-dev:/etc/ldap# ldapsearch -v -x -D 'cn=admin,cn=config' -W
It looks like you have configured your cn=config DB to use SASL/EXTERNAL auth, with mapping from the root user to the rootdn. However, your ldapsearch command is not using SASL/EXTERNAL. This would explain the error.
--Quanah
--
Quanah Gibson-Mount Sr. Member of Technical Staff Zimbra, Inc A Division of VMware, Inc.
Zimbra :: the leader in open source messaging and collaboration
--On Wednesday, February 20, 2013 1:28 PM +1100 Asmaa Ahmed asabatgirl@hotmail.com wrote:
yes, but how can I modify the configuration now? I can add users for instance, but I can't modify cn=config!
ldapadd -v -x -D 'cn=admin,dc=domain,dc=com' -W -f sasl-config.ldif
modifying entry "cn=config"
ldap_modify: Insufficient access (50)
You need to do a SASL/EXTERNAL bind using your rootdn as the root user on the system.
--Quanah
--
Quanah Gibson-Mount Sr. Member of Technical Staff Zimbra, Inc A Division of VMware, Inc. -------------------- Zimbra :: the leader in open source messaging and collaboration
Do you mean something like that?

ldapsearch -QY EXTERNAL -H ldapi:///
ldap_sasl_interactive_bind_s: Authentication method not supported (7)
	additional info: SASL(-4): no mechanism available:

Thanks.
Date: Tue, 19 Feb 2013 18:34:32 -0800 From: quanah@zimbra.com To: asabatgirl@hotmail.com; openldap-technical@openldap.org Subject: RE: modifying cn=config - Invalid credentials (49)
--On Wednesday, February 20, 2013 1:28 PM +1100 Asmaa Ahmed asabatgirl@hotmail.com wrote:
yes, but how can I modify the configuration now? I can add users for instance, but I can't modify cn=config!
ldapadd -v -x -D 'cn=admin,dc=domain,dc=com' -W -f sasl-config.ldif
modifying entry "cn=config"
ldap_modify: Insufficient access (50)
You need to do a SASL/EXTERNAL bind using your rootdn as the root user on the system.
--Quanah
--
Quanah Gibson-Mount Sr. Member of Technical Staff Zimbra, Inc A Division of VMware, Inc.
Zimbra :: the leader in open source messaging and collaboration
--On Wednesday, February 20, 2013 1:45 PM +1100 Asmaa Ahmed asabatgirl@hotmail.com wrote:
Do you mean something like that?
ldapsearch -QY EXTERNAL -H ldapi:///
ldap_sasl_interactive_bind_s: Authentication method not supported (7)
	additional info: SASL(-4): no mechanism available:
Yes. Looks like you've busted something somehow.
You could dump your cn=config db via slapcat, add an olcRootPassword value, and then reload it, so you can bind with -x -D -w
--Quanah
--
Quanah Gibson-Mount Sr. Member of Technical Staff Zimbra, Inc A Division of VMware, Inc. -------------------- Zimbra :: the leader in open source messaging and collaboration
On 02/20/13 13:45 +1100, Asmaa Ahmed wrote:
Do you mean something like that?
ldapsearch -QY EXTERNAL -H ldapi:///
ldap_sasl_interactive_bind_s: Authentication method not supported (7)
	additional info: SASL(-4): no mechanism available:
Thanks.
You have likely misconfigured sasl, via your sasl slapd.conf file.
Within that file, comment out your 'mech_list' option, or add 'EXTERNAL' to it.
Hello,
Actually I only added kerberos authentication for sasl.
In '/etc/ldap/sasl2/slapd.conf', I added only
mech_list: GSSAPI
Can I add other mechanisms too?

ldapsearch -x -H ldapi:// -b '' -s base -LLL supportedSASLMechanisms
dn:
supportedSASLMechanisms: GSSAPI
Thanks.
Date: Tue, 19 Feb 2013 22:31:34 -0600 From: dwhite@olp.net To: asabatgirl@hotmail.com Subject: Re: modifying cn=config - Invalid credentials (49) CC: openldap-technical@openldap.org
On 02/20/13 13:45 +1100, Asmaa Ahmed wrote:
Do you mean something like that?
ldapsearch -QY EXTERNAL -H ldapi:///
ldap_sasl_interactive_bind_s: Authentication method not supported (7)
	additional info: SASL(-4): no mechanism available:
Thanks.
You have likely misconfigured sasl, via your sasl slapd.conf file.
Within that file, comment out your 'mech_list' option, or add 'EXTERNAL' to it.
-- Dan White
On 02/20/13 16:20 +1100, Asmaa Ahmed wrote:
Actually I only added kerberos authentication for sasl.
In '/etc/ldap/sasl2/slapd.conf', I added only
mech_list: GSSAPI
Can I add other mechanisms too?

ldapsearch -x -H ldapi:// -b '' -s base -LLL supportedSASLMechanisms
dn:
supportedSASLMechanisms: GSSAPI
Yes, separated by a space:
mech_list: GSSAPI EXTERNAL
Date: Tue, 19 Feb 2013 22:31:34 -0600 From: dwhite@olp.net To: asabatgirl@hotmail.com Subject: Re: modifying cn=config - Invalid credentials (49) CC: openldap-technical@openldap.org
On 02/20/13 13:45 +1100, Asmaa Ahmed wrote:
Do you mean something like that?
ldapsearch -QY EXTERNAL -H ldapi:///
ldap_sasl_interactive_bind_s: Authentication method not supported (7)
	additional info: SASL(-4): no mechanism available:
Thanks.
You have likely misconfigured sasl, via your sasl slapd.conf file.
Within that file, comment out your 'mech_list' option, or add 'EXTERNAL' to it.
Thanks. The modification enabled the mechanism, and solved my problem.
Date: Tue, 19 Feb 2013 23:45:52 -0600 From: dwhite@olp.net To: asabatgirl@hotmail.com CC: openldap-technical@openldap.org Subject: Re: modifying cn=config - Invalid credentials (49)
On 02/20/13 16:20 +1100, Asmaa Ahmed wrote:
Actually I only added kerberos authentication for sasl.
In '/etc/ldap/sasl2/slapd.conf', I added only
mech_list: GSSAPI
Can I add other mechanisms too?

ldapsearch -x -H ldapi:// -b '' -s base -LLL supportedSASLMechanisms
dn:
supportedSASLMechanisms: GSSAPI
Yes, separated by a space:
mech_list: GSSAPI EXTERNAL
Date: Tue, 19 Feb 2013 22:31:34 -0600 From: dwhite@olp.net To: asabatgirl@hotmail.com Subject: Re: modifying cn=config - Invalid credentials (49) CC: openldap-technical@openldap.org
On 02/20/13 13:45 +1100, Asmaa Ahmed wrote:
Do you mean something like that?
ldapsearch -QY EXTERNAL -H ldapi:///
ldap_sasl_interactive_bind_s: Authentication method not supported (7)
	additional info: SASL(-4): no mechanism available:
Thanks.
You have likely misconfigured sasl, via your sasl slapd.conf file.
Within that file, comment out your 'mech_list' option, or add 'EXTERNAL' to it.
-- Dan White
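
The lockout diagnosed in this thread, as an added example that is not part of any poster's message: a POSIX shell check that reads the cn=config database LDIF and the SASL slapd.conf offline and reports which bind paths (simple bind as the rootdn, or SASL/EXTERNAL over ldapi:///) can work. The function names and sample files are constructed for illustration; olcRootPW is the attribute that stores a rootdn password.

```shell
#!/bin/sh
# Added example: which bind paths to cn=config can work, checked offline.

# Succeeds if the Cyrus SASL config file $1 lets slapd offer mechanism $2.
# With no active mech_list line, the mechanism list is not restricted.
sasl_offers() {
    list=$(sed -n 's/^[[:space:]]*mech_list:[[:space:]]*//p' "$1" | tail -n 1)
    [ -z "$list" ] && return 0
    for m in $list; do
        [ "$(printf '%s' "$m" | tr '[:lower:]' '[:upper:]')" = "$2" ] && return 0
    done
    return 1
}

# Joins folded LDIF lines (a continuation line starts with one space).
unfold_ldif() {
    awk 'NR > 1 && /^ / { buf = buf substr($0, 2); next }
         NR > 1 { print buf }
         { buf = $0 }
         END { if (NR) print buf }' "$1"
}

# Prints the usable bind paths, one per line.
# $1 = olcDatabase={0}config.ldif, $2 = SASL slapd.conf
config_bind_paths() {
    db=$(unfold_ldif "$1")
    # Simple bind as the rootdn (-x -D ... -W) needs olcRootPW on the database.
    printf '%s\n' "$db" | grep -q '^olcRootPW:' && echo simple
    # EXTERNAL over ldapi:/// needs the mechanism offered and an ACL for the peer.
    if sasl_offers "$2" EXTERNAL &&
       printf '%s\n' "$db" | grep -q '^olcAccess:.*cn=peercred,cn=external,cn=auth'; then
        echo external
    fi
    return 0
}

# Constructed sample files, using the values quoted in the thread.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/db.ldif" <<'EOF'
dn: olcDatabase={0}config
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external
 ,cn=auth manage by * break
olcRootDN: cn=admin,cn=config
EOF
echo 'mech_list: GSSAPI' > "$demo_dir/before.conf"
echo 'mech_list: GSSAPI EXTERNAL' > "$demo_dir/after.conf"
echo "before: $(config_bind_paths "$demo_dir/db.ldif" "$demo_dir/before.conf" | tr '\n' ' ')"
echo "after:  $(config_bind_paths "$demo_dir/db.ldif" "$demo_dir/after.conf" | tr '\n' ' ')"
```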