I am attempting to set up an LDAP server under CentOS 5.4.
However, I am unable to search my LDAP directory even though I am supplying the proper credentials for the Manager account:
[root@ldap openldap]# ldapsearch -x -h ldap -D 'cn=Manager,dc=example,dc=net' -W -b 'dc=example,dc=net'
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
Anonymous searches do work however:
[root@ldap openldap]# ldapsearch -x -h ldap -b "dc=example,dc=net" -s sub "objectclass=*"
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=net> with scope subtree
# filter: objectclass=*
# requesting: ALL
#

# search result
search: 2
result: 32 No such object
I am currently attempting to use the actual word 'secret' to authenticate the Manager account:
database bdb
suffix "dc=example,dc=net"
rootdn "cn=Manager,dc=example,dc=net"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
 rootpw secret
# rootpw {CRYPT}secret
And yet I am still getting error 49s in my OpenLDAP logs with loglevel set to 296:
/var/log/openldap.log
Nov 2 15:45:58 ldap slapd[3522]: slapd starting
Nov 2 15:46:14 ldap slapd[3522]: conn=0 fd=11 ACCEPT from IP=127.0.0.1:44552 (IP=0.0.0.0:389)
Nov 2 15:46:14 ldap slapd[3522]: conn=0 op=0 BIND dn="cn=Manager,dc=example,dc=net" method=128
Nov 2 15:46:14 ldap slapd[3522]: conn=0 op=0 RESULT tag=97 err=49 text=
Nov 2 15:46:14 ldap slapd[3522]: conn=0 fd=11 closed (connection lost)
This is how I have configured my ldap.conf:
BASE dc=example,dc=net
HOST localhost
URI ldap://ldap.example.net
thanks in advance for your help
Hello Tim,
the "password" you supply won't work, as it is not encoded in base64.
Try to generate a password hash + base64-enc with "slappasswd" and set this string as your password hash for rootpw. http://linux.die.net/man/8/slappasswd
Bye, Benjamin.
On Tue, Nov 2, 2010 at 22:50, Tim Dunphy bluethundr@gmail.com wrote:
-- Here's my RSA Public key: gpg --keyserver pgp.mit.edu --recv-keys 5A4873A9
Share and enjoy!!
--On Tuesday, November 02, 2010 11:07 PM +0100 Benjamin Griese der.darude@gmail.com wrote:
Hello Tim,
the "password" you supply won't work, as it is not encoded in base64.
Try to generate a password hash + base64-enc with "slappasswd" and set this string as your password hash for rootpw. http://linux.die.net/man/8/slappasswd
Benjamin,
There is no requirement that the password value for the rootpw entry in slapd.conf be SSHA hashed or Base64 encoded.
I.e.,
rootpw secret
is perfectly valid.
Also, an LDIF file with
userPassword: secret
is also perfectly valid, as either slapadd or slapd (via ldapadd) will take care of encoding it to Base64.
--Quanah
--
Quanah Gibson-Mount Principal Software Engineer Zimbra, Inc -------------------- Zimbra :: the leader in open source messaging and collaboration
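Quanah's point above, that `rootpw secret` is accepted as-is and that slappasswd only wraps the value in a hash scheme, in working form. The following is an added example written for this page, not OpenLDAP's code: it reimplements the {SSHA} layout that slappasswd(8) emits by default (base64 of SHA-1(password || salt) followed by the salt, with a 4-byte random salt) and a small check modelling how slapd treats rootpw, comparing a bare value as cleartext and verifying a {SSHA} value as a hash. Only cleartext and {SSHA} are modelled here; slapd also accepts the {CRYPT}, {MD5}, {SMD5} and {SHA} schemes. The constant-time comparison and the rejection of malformed values are hardening choices of this example, not claims about slapd's own compare.

```python
"""Added example, not OpenLDAP's code: the {SSHA} form slappasswd(8) emits,
plus a rootpw comparison that accepts either cleartext or {SSHA}.

Assumption (from the scheme's published layout, not from this thread):
  {SSHA} value = "{SSHA}" + base64( SHA1(password || salt) || salt ),
  with a 4-byte random salt, which is what slappasswd generates by default.
"""
import base64
import hashlib
import hmac
import os
from typing import Optional

SHA1_LEN = 20
PREFIX = "{SSHA}"


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Produce a {SSHA} string like `slappasswd -s <password>` would."""
    if salt is None:
        salt = os.urandom(4)  # slappasswd's default salt size
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return PREFIX + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(stored: str, password: str) -> bool:
    """Check a password against a {SSHA} value; malformed input fails, never raises."""
    if not stored.startswith(PREFIX):
        return False
    try:
        raw = base64.b64decode(stored[len(PREFIX):], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    if len(raw) <= SHA1_LEN:  # need a full digest plus at least one salt byte
        return False
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def rootpw_matches(stored: str, supplied: str) -> bool:
    """Model of how slapd treats rootpw: a bare value is compared as cleartext,
    a {SSHA} value is verified as a hash. Both forms are valid in slapd.conf.
    Only these two forms are modelled here."""
    if stored.startswith(PREFIX):
        return ssha_verify(stored, supplied)
    return hmac.compare_digest(stored.encode("utf-8"), supplied.encode("utf-8"))


if __name__ == "__main__":
    hashed = ssha_hash("secret")
    print("rootpw", hashed)
    print("cleartext rootpw accepts 'secret':", rootpw_matches("secret", "secret"))
    print("hashed rootpw accepts 'secret':   ", rootpw_matches(hashed, "secret"))
    print("hashed rootpw rejects 'Secret':   ", rootpw_matches(hashed, "Secret"))
```

On a real system, generate the value with `slappasswd -s secret` and paste the printed {SSHA} string in place of `secret` in slapd.conf. Note what the hash buys you: someone who can read slapd.conf no longer learns the rootdn password directly, but salted SHA-1 is a fast hash, so the file still needs tight permissions and the rootdn itself should be reserved for administration rather than used by applications.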
Benjamin Griese wrote:
Hello Tim,
the "password" you supply won't work, as it is not encoded in base64.
Utter nonsense.
You missed the more obvious problem.
database bdb
suffix "dc=example,dc=net"
rootdn "cn=Manager,dc=example,dc=net"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
 rootpw secret
# rootpw {CRYPT}secret
The rootpw line has a leading space.
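The folding Howard describes, as an added illustration that is not slapd's parser: slapd.conf(5) states that a line beginning with whitespace is a continuation of the previous line, even if the previous line is a comment. The snippet below reimplements that single rule in Python, feeds it the posted slapd.conf fragment reconstructed with the leading space (the directive names, values and comment text come from the thread; placing the indentation on the rootpw line is the reconstruction), and models a rootdn simple bind against a cleartext rootpw only far enough to show where err=49 comes from. The `leading_space_warnings` lint is this example's own helper, not an OpenLDAP tool.

```python
"""Added example, not OpenLDAP's parser: the slapd.conf(5) continuation rule.

slapd.conf(5): "If a line begins with white space, it is considered a
continuation of the previous line (even if the previous line is a comment)."
Indenting rootpw therefore appends it to the comment above it, and slapd
ends up with no rootpw directive at all, so the rootdn bind fails with 49.
"""
from typing import Dict, List, Tuple

# The posted fragment, reconstructed with the leading space Howard pointed out.
BROKEN_CONF = (
    "database bdb\n"
    'suffix "dc=example,dc=net"\n'
    'rootdn "cn=Manager,dc=example,dc=net"\n'
    "# Cleartext passwords, especially for the rootdn, should\n"
    "# be avoided. See slappasswd(8) and slapd.conf(5) for details.\n"
    "# Use of strong authentication encouraged.\n"
    " rootpw secret\n"  # <- leading space: folded into the comment line above
    "# rootpw {CRYPT}secret\n"
)

# The same file with the indentation removed.
FIXED_CONF = BROKEN_CONF.replace("\n rootpw secret\n", "\nrootpw secret\n")


def fold_lines(text: str) -> List[str]:
    """Join physical lines into logical lines exactly as slapd.conf(5) describes."""
    logical: List[str] = []
    for raw in text.splitlines():
        if raw and raw[0] in " \t" and logical:
            logical[-1] += " " + raw.strip()  # continuation, whatever the previous line was
        else:
            logical.append(raw)
    return logical


def parse_directives(text: str) -> Dict[str, str]:
    """Map directive name -> value for the non-comment logical lines."""
    directives: Dict[str, str] = {}
    for line in fold_lines(text):
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # comments are dropped, including anything folded into them
        parts = line.split(None, 1)
        value = parts[1].strip().strip('"') if len(parts) > 1 else ""
        directives[parts[0].lower()] = value
    return directives


def simple_bind(conf: Dict[str, str], dn: str, password: str) -> Tuple[int, str]:
    """Model of a simple bind as rootdn against a cleartext rootpw:
    0 = success, 49 = invalidCredentials (the err=49 in the posted log)."""
    if "rootpw" in conf and dn == conf.get("rootdn") and password == conf["rootpw"]:
        return 0, "success"
    return 49, "Invalid credentials"


def leading_space_warnings(text: str) -> List[Tuple[int, str]]:
    """Lint helper of this example: report indented lines that vanish into a comment."""
    warnings: List[Tuple[int, str]] = []
    prev_is_comment = False
    for number, raw in enumerate(text.splitlines(), start=1):
        if raw and raw[0] in " \t":
            if prev_is_comment:
                warnings.append((number, raw.strip()))
            continue  # a continuation keeps the previous line's comment status
        prev_is_comment = raw.lstrip().startswith("#")
    return warnings


if __name__ == "__main__":
    manager = "cn=Manager,dc=example,dc=net"
    for label, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        parsed = parse_directives(conf)
        print(label, "rootpw present:", "rootpw" in parsed,
              "bind:", simple_bind(parsed, manager, "secret"))
    print("lint:", leading_space_warnings(BROKEN_CONF))
```

The same rule is what makes the multi-line `access to ... by ...` directives work, which is why it cannot simply be dropped; the practical check is to run slapd with `-Tt` (slaptest) after editing and to grep the file for lines that start with whitespace directly under a comment.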
Ya know, that leading space thing confused the heck out of me when I started writing a slapd.conf from scratch. I'm guessing were ya'll to know at the start of spec'ing slapd.conf the methods that are now common to multi-line or 'containerize' options, something different, more readable, and less error (yes, user error) prone would have been selected.
Really, white space shouldn't kill a config.
Hindsight, eh?
- chris
Chris Jacobs, Systems Administrator Apollo Group | Apollo Marketing | Aptimus 2001 6th Ave Ste 3200 | Seattle, WA 98121 phone: 206.839-8245 | cell: 206.601.3256 | Fax: 208.441.9661 email: chris.jacobs@apollogrp.edu
----- Original Message ----- From: openldap-technical-bounces@OpenLDAP.org openldap-technical-bounces@OpenLDAP.org To: Benjamin Griese der.darude@gmail.com Cc: Tim Dunphy bluethundr@gmail.com; openldap-technical@openldap.org openldap-technical@openldap.org Sent: Tue Nov 02 17:30:29 2010 Subject: Re: unable to perform authenticated binds
-- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/
This message is private and confidential. If you have received it in error, please notify the sender and remove it from your system.
Chris Jacobs wrote:
Ya know, that leading space thing confused the heck out of me when I started writing a slapd.conf from scratch. I'm guessing were ya'll to know at the start of spec'ing slapd.conf the methods that are now common to multi-line or 'containerize' options, something different, more readable, and less error (yes, user error) prone would have been selected.
Really, white space shouldn't kill a config.
Hindsight, eh?
Indeed, thanks so much for the exceedingly useful insight.
The practice was established long before I joined the Project. Enough people whine about all the other insignificant, backward-compatible changes we make that changing this is obviously a non-starter.
The use of whitespace is clearly described in the manpage and the Admin Guide. People who don't read the manpage deserve no sympathy.
Howard Chu wrote:
Chris Jacobs wrote:
Ya know, that leading space thing confused the heck out of me when I started writing a slapd.conf from scratch. I'm guessing were ya'll to know at the start of spec'ing slapd.conf the methods that are now common to multi-line or 'containerize' options, something different, more readable, and less error (yes, user error) prone would have been selected.
Really, white space shouldn't kill a config.
Hindsight, eh?
Indeed, thanks so much for the exceedingly useful insight.
The practice was established long before I joined the Project.
Since long before the Project existed, actually.
Enough people whine about all the other insignificant, backward-compatible changes we make that changing this is obviously a non-starter.
The use of whitespace is clearly described in the manpage and the Admin Guide. People who don't read the manpage deserve no sympathy.
Well, I dunno, there's a /ton/ of material to cover for openldap newbies, and a simple config detail like this could be easily overlooked when figuring out how to do other things like multiple master scenarios/methods, syncing, bdb indexing for performance, the new (and exotic!) olc config, nss, pam, etc.
Frankly, you're right though, they don't need sympathy. That's never helped a tech with a tech issue.
If you're not calling me out via "thanks so much for the exceedingly useful insight" then feel free to skip the rest of this.
If you were, why? I was being colloquial, friendly, and empathetic. We (well, maybe not you - I suspect you're very intelligent with a very high functioning memory/recall ability; no sarcasm!) will sometimes make silly mistakes or not understand something at first (or second!) pass.
I'm not now, nor was I then, faulting anyone's past decisions or recent replies.
- chris
----- Original Message ----- From: Howard Chu hyc@symas.com To: Chris Jacobs Cc: 'der.darude@gmail.com' der.darude@gmail.com; 'bluethundr@gmail.com' bluethundr@gmail.com; 'openldap-technical@openldap.org' openldap-technical@openldap.org Sent: Tue Nov 02 19:23:27 2010 Subject: Re: unable to perform authenticated binds
--On Tuesday, November 02, 2010 7:59 PM -0700 Chris Jacobs Chris.Jacobs@apollogrp.edu wrote:
If you're not calling me out via "thanks so much for the exceedingly useful insight" then feel free to skip the rest of this.
I didn't think he was calling you out, myself. ;) Just noting that things are documented, and people who don't take the time to read the official project documentation (which happens a lot, unfortunately) don't deserve sympathy on it. We get a lot of people who spend their time reading documents from other sources such as Zytrax, which contain completely wrong information, and then come here to talk about how bad the documentation is. It gets frustrating.
--Quanah