All
I am new to LDAP; reading through the quickstart guide and the first 6 chapters of the OpenLDAP Admin Guide leaves me unable to add entries into LDAP. I've compiled from sources per chapter 4, and also tried the YUM-installed versions of the ldap client and server on my CentOS-7, with the same result. Summarized, the steps I am performing after the build/install of both master (as of Dec-19-2019) and tag OPENLDAP_REL_ENG_2_4_48 are:
sudo mkdir /usr/local/etc/openldap/slapd.d
sudo chmod 777 /usr/local/etc/openldap/slapd.d
sudo mkdir /usr/local/var/openldap-data
sudo chmod 700 /usr/local/var/openldap-data

# succeeds: using the install-provided slapd.ldif (see below)
sudo /usr/local/sbin/slapadd -n 0 -F /usr/local/etc/openldap/slapd.d -l /usr/local/etc/openldap/slapd.ldif

# succeeds:
sudo /usr/local/libexec/slapd -F /usr/local/etc/openldap/slapd.d

# succeeds:
sudo /usr/local/bin/ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts

# NOTE not sudo, per the quickstart guide, FAILS with "ldap_bind: Invalid credentials (49)"
/usr/local/bin/ldapadd -x -D "cn=Manager,dc=example,dc=com" -w secret -f /usr/local/etc/openldap/example.ldif
Example.ldif per the quickstart guide:
---------------------
dn: dc=my-example,dc=com
objectclass: dcObject
objectclass: organization
o: Example Company
dc: example

dn: cn=Manager,dc=example,dc=com
objectclass: organizationalRole
cn: Manager
---------------------
slapd.ldif per the install
---------------------
#
# See slapd-config(5) for details on configuration options.
# This file should NOT be world readable.
#
dn: cn=config
objectClass: olcGlobal
cn: config
#
#
# Define global ACLs to disable default read access.
#
olcArgsFile: /usr/local/var/run/slapd.args
olcPidFile: /usr/local/var/run/slapd.pid
#
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#olcReferral: ldap://root.openldap.org
#
# Sample security restrictions
#	Require integrity protection (prevent hijacking)
#	Require 112-bit (3DES or better) encryption for updates
#	Require 64-bit encryption for simple bind
#olcSecurity: ssf=1 update_ssf=112 simple_bind=64

#
# Load dynamic backend modules:
#
#dn: cn=module,cn=config
#objectClass: olcModuleList
#cn: module
#olcModulepath: /usr/local/libexec/openldap
#olcModuleload: back_mdb.la
#olcModuleload: back_ldap.la
#olcModuleload: back_passwd.la
#olcModuleload: back_shell.la

dn: cn=schema,cn=config
objectClass: olcSchemaConfig
cn: schema

include: file:///usr/local/etc/openldap/schema/core.ldif

# Frontend settings
#
dn: olcDatabase=frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: frontend
#
# Sample global access control policy:
#	Root DSE: allow anyone to read it
#	Subschema (sub)entry DSE: allow anyone to read it
#	Other DSEs:
#		Allow self write access
#		Allow authenticated users read access
#		Allow anonymous users to authenticate
#
#olcAccess: to dn.base="" by * read
#olcAccess: to dn.base="cn=Subschema" by * read
#olcAccess: to *
#	by self write
#	by users read
#	by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!
#

#######################################################################
# LMDB database definitions
#######################################################################
#
dn: olcDatabase=mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: mdb
olcDbMaxSize: 1073741824
olcSuffix: dc=my-domain,dc=com
olcRootDN: cn=Manager,dc=my-domain,dc=com
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd-config(5) for details.
# Use of strong authentication encouraged.
olcRootPW: secret
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
olcDbDirectory: /usr/local/var/openldap-data
# Indices to maintain
olcDbIndex: objectClass eq
---------------------
--On Monday, December 23, 2019 2:54 PM +0000 "Dunne, Kenneth" kenneth.dunne@siemens.com wrote:
/usr/local/bin/ldapadd -x -D "cn=Manager,dc=example,dc=com" -w secret -f /usr/local/etc/openldap/example.ldif
olcSuffix: dc=my-domain,dc=com
olcRootDN: cn=Manager,dc=my-domain,dc=com
dc=example,dc=com and dc=my-domain,dc=com clearly don't match.
--Quanah
--
Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: http://www.symas.com
Quanah
Thank you for your response! I think part of the problem is that I don't understand LDAP, and the quick-start has diverged from the content of the installed slapd.ldif and slapd.conf.
I have modified my 'ldapadd' example.ldif file to hold the same 'dc' as what is in the installed slapd.ldif and slapd.conf. Contents of example.ldif:
-----------------------------
dn: dc=my-example,dc=com
objectclass: dcObject
objectclass: organization
o: KEN Example Company
dc: ken example

dn: cn=Manager,dc=my-example,dc=com
objectclass: organizationalRole
cn: Manager
-----------------------------

The ldapadd still fails:
/usr/local/bin/ldapadd -x -D "cn=Manager,dc=my-example,dc=com" -w secret -f /usr/local/etc/openldap/example.ldif
ldap_bind: Invalid credentials (49)
Ken
Ooops, I noticed that the 'dc' field in the new 'example.ldif' is perhaps wrong. I modified it to the following, but the ldapadd still fails similarly (ldap_bind: Invalid credentials (49)). Contents of example.ldif:
-----------------------------
dn: dc=my-example,dc=com
objectclass: dcObject
objectclass: organization
o: KEN Example Company
dc: example

dn: cn=Manager,dc=my-example,dc=com
objectclass: organizationalRole
cn: Manager
-----------------------------
--On Monday, December 23, 2019 5:01 PM +0000 "Dunne, Kenneth" kenneth.dunne@siemens.com wrote:
Ooops, I noticed that the 'dc' field in the new 'example.ldif' is perhaps wrong. I modified it to the following, but the ldapadd still fails similarly (ldap_bind: Invalid credentials (49)). Contents of example.ldif:
Hi Kenneth,
What is the identity of the rootdn in your configuration LDIF?
I.e., these lines:
olcRootDN: cn=Manager,dc=my-domain,dc=com
olcRootPW: secret
Those are the initial credentials you are actually binding as, as there is nothing in the database yet.
--Quanah
Quanah
I believe the "identity of the rootdn" in my configuration LDIF is what was contained within the 'installed slapd.ldif':
olcRootDN: cn=Manager,dc=my-domain,dc=com

mentioned in the first email of this thread, and installed with this line:
sudo /usr/local/sbin/slapadd -n 0 -F /usr/local/etc/openldap/slapd.d -l /usr/local/etc/openldap/slapd.ldif
--On Monday, December 23, 2019 5:34 PM +0000 "Dunne, Kenneth" kenneth.dunne@siemens.com wrote:
olcSuffix: dc=my-domain,dc=com
olcRootDN: cn=Manager,dc=my-domain,dc=com
olcRootPW: secret
And what is your ldapadd line?
Also your LDIF has:
dn: dc=my-example,dc=com
objectclass: dcObject
objectclass: organization
o: KEN Example Company
dc: example

dn: cn=Manager,dc=my-example,dc=com
objectclass: organizationalRole
cn: Manager
which clearly does not match "dc=my-domain,dc=com". So even if you get the credentials right, the add will still fail, because you're trying to add a database for "dc=my-example,dc=com" into a namespace of "dc=my-domain,dc=com". You need to use a consistent namespace throughout the configuration, the credentials you will be using, and the database you will be loading.
Regards, Quanah
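Added here as an editor's example, not code from the thread or from OpenLDAP: a small Python pre-flight check that parses a cn=config LDIF and the data LDIF to be loaded and reports the mismatches discussed above (bind DN vs olcRootDN, entry DNs vs olcSuffix, an RDN value absent from the entry's own attributes), and also flags a cleartext olcRootPW, which slapd-config(5) advises against. All function and variable names are my own; the sample LDIF strings are trimmed copies of the ones posted in the thread.

```python
"""Pre-flight check of an OpenLDAP cn=config LDIF against the data LDIF and the bind DN
that ldapadd will use. Constructed example for this thread, not OpenLDAP project code."""
from typing import Dict, List


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF reader: blank-line-separated entries, '#' comments dropped,
    RFC 2849 continuation lines (leading space) folded, attribute names lower-cased."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in lines + [""]:  # the trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        name, _, value = line.partition(":")
        current.setdefault(name.strip().lower(), []).append(value.strip().lstrip(":").strip())
    return entries

def normalize_dn(dn: str) -> str:
    """Case-fold and trim RDN components (enough for these DNs; not full RFC 4514)."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def dn_is_under(dn: str, suffix: str) -> bool:
    """True if dn equals suffix or is subordinate to it."""
    dn, suffix = normalize_dn(dn), normalize_dn(suffix)
    return dn == suffix or dn.endswith("," + suffix)

def rdn_problems(entry: Dict[str, List[str]]) -> List[str]:
    """Flag an RDN value missing from the entry's own attributes ('dc: example' under
    'dn: dc=my-example,...'): slapd rejects such an add as a naming violation."""
    dn = entry.get("dn", [""])[0]
    attr, _, value = dn.split(",", 1)[0].partition("=")
    present = [v.lower() for v in entry.get(attr.strip().lower(), [])]
    if not dn or value.strip().lower() in present:
        return []
    return [f"entry {dn!r}: RDN value {value.strip()!r} is not among its {attr.strip()!r} values"]

def check_ldif_consistency(config_ldif: str, data_ldif: str, bind_dn: str) -> List[str]:
    """Problems that would make `ldapadd -D bind_dn -f data.ldif` fail against the
    databases in config_ldif; an empty list means config, credentials and data agree."""
    databases = [e for e in parse_ldif(config_ldif) if "olcsuffix" in e]
    suffixes = [db["olcsuffix"][0] for db in databases]
    root_dns = [db["olcrootdn"][0] for db in databases if "olcrootdn" in db]
    if not suffixes:
        return ["config LDIF defines no olcDatabase entry with an olcSuffix"]
    problems: List[str] = []
    # On an empty database the only identity that can bind is the rootdn, so -D must
    # equal an olcRootDN (modulo case and spacing) or the bind fails with error 49.
    if not any(normalize_dn(bind_dn) == normalize_dn(r) for r in root_dns):
        problems.append(f"bind DN {bind_dn!r} matches no olcRootDN {root_dns}: "
                        "expect ldap_bind: Invalid credentials (49)")
    for entry in parse_ldif(data_ldif):
        # An entry outside every configured suffix has no database to be added to.
        for dn in entry.get("dn", []):
            if not any(dn_is_under(dn, s) for s in suffixes):
                problems.append(f"entry {dn!r} is under none of the suffixes {suffixes}")
        problems.extend(rdn_problems(entry))
    # slapd-config(5): store a slappasswd(8) hash, not a cleartext rootpw.
    for db in databases:
        for pw in db.get("olcrootpw", []):
            if not pw.startswith("{"):
                problems.append(f"olcRootPW for {db['olcsuffix'][0]!r} is stored in cleartext")
    return problems

# Constructed sample data: the mdb database entry from the thread's slapd.ldif, trimmed.
CONFIG_LDIF = """\
dn: olcDatabase=mdb,cn=config
objectClass: olcMdbConfig
olcSuffix: dc=my-domain,dc=com
olcRootDN: cn=Manager,dc=my-domain,dc=com
# Cleartext passwords, especially for the rootdn, should be avoided.
olcRootPW: secret
"""
# The example.ldif as posted (wrong namespace, and a dc value that does not match the RDN) ...
BROKEN_LDIF = """\
dn: dc=my-example,dc=com
objectclass: dcObject
objectclass: organization
dc: example

dn: cn=Manager,dc=my-example,dc=com
objectclass: organizationalRole
cn: Manager
"""
# ... and the version that worked, which differs only in using the configured namespace.
FIXED_LDIF = BROKEN_LDIF.replace("dc=my-example", "dc=my-domain").replace("dc: example", "dc: my-domain")

if __name__ == "__main__":
    for problem in check_ldif_consistency(CONFIG_LDIF, BROKEN_LDIF, "cn=Manager,dc=my-example,dc=com"):
        print(problem)
```

Run against the posted example.ldif it lists five problems, the first being the bind DN that cannot match the rootdn; against the corrected file only the cleartext olcRootPW remains.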
Quanah
Thank you so very much. Strangely, I could not see that difference in those 'dc' values. This now works:
# cat example.ldif
dn: dc=my-domain,dc=com
objectclass: dcObject
objectclass: organization
o: My Example Company
dc: my-domain

dn: cn=Manager,dc=my-domain,dc=com
objectclass: organizationalRole
cn: Manager

/usr/local/bin/ldapadd -x -D "cn=Manager,dc=my-domain,dc=com" -w secret -f /usr/local/etc/openldap/example.ldif
adding new entry "dc=my-domain,dc=com"
adding new entry "cn=Manager,dc=my-domain,dc=com"

/usr/local/bin/ldapsearch -x -b 'dc=my-domain,dc=com' '(objectclass=*)'
# my-domain.com
dn: dc=my-domain,dc=com
objectClass: dcObject
objectClass: organization
o: My Example Company
dc: my-domain

# Manager, my-domain.com
dn: cn=Manager,dc=my-domain,dc=com
objectClass: organizationalRole
cn: Manager

# search result
search: 2
result: 0 Success