(shame!)
Bastian, you are right! One should never do a "quick hack" to existing scripts: In the original version the MANAGER was specified without the common CONTEXT, so the script used -D "$MANAGER","$CONTEXT". The DN however was including the CONTEXT (maybe to shorten the script line that uses it). When using MANAGER="$DN" I got a MANAGER that includes the CONTEXT already. The idea was "use the user name as manager, so the user will change its own password". The idea was correct, but "MANAGER=$DN" was not. 8-(
Kind regards, Ulrich Windl
-----Original Message-----
From: btwe@eva05.jsc.fz-juelich.de <btwe@eva05.jsc.fz-juelich.de> On Behalf Of Bastian Tweddell
Sent: Friday, August 22, 2025 8:58 AM
To: Windl, Ulrich <u.windl@ukr.de>
Subject: [EXT] Re: Re: Understanding ldappasswd: ldap_bind: Invalid credentials (49)
Hi Ulrich,
Given that ldappasswd basically works, maybe check your variables. I think you append `$CONTEXT` two times:
On 22Aug25 06:43+0000, Windl, Ulrich wrote:
CONTEXT='dc=...'
if [ -n "$1" ]; then
DN="uid=${1},ou=people,$CONTEXT"
=> DN="uid=username_from_arg1,ou=people,dc=..."
                                        ^^^^^^
MANAGER="$DN"
=> MANAGER="uid=username_from_arg1,ou=people,dc=..."
                                             ^^^^^^
echo "$MANAGER changing password for $DN"
ldappasswd -H "$SERVER" -x -ZZ -D "$MANAGER","$CONTEXT" -W${2:+-S
=> -D "uid=username_from_arg1,ou=people,dc=...","dc=..."
                                        ^^^^^^   ^^^^^^
This would be wrong, wouldn't it?
In general, think about using `set -euo pipefail` in bash scripts, and in this case also use `set -x`. So you could spot that easily. Also ldap cmdline tools usually take `-d -1` to print all debug info, but you know that.
I could probably have written that in German as well :) I didn't send it to the list.
Kind regards,
Bastian Tweddell Juelich Supercomputing Centre phone: +49 (2461) 61-6586
openldap-technical@openldap.org
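An added example, not part of either message and not the original script: one way to build the -D bind DN so the suffix is appended at most once, and to refuse a DN that carries it twice before ldappasswd is called. The function names, the dc=example,dc=org suffix and the uid=jdoe entry are assumptions made for illustration.

```shell
#!/bin/sh
# Added example; all DNs below are constructed and no LDAP server is contacted.
set -eu   # portable part of `set -euo pipefail` (pipefail needs bash)

lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# has_suffix DN SUFFIX: true if DN is SUFFIX or ends with ",SUFFIX".
# Plain case-insensitive string match, no RFC 4514 normalisation.
has_suffix() {
    dn=$(lower "$1"); sfx=$(lower "$2")
    case "$dn" in
        "$sfx"|*,"$sfx") return 0 ;;
        *) return 1 ;;
    esac
}

# qualify_dn DN SUFFIX: print DN with SUFFIX appended at most once.
qualify_dn() {
    if has_suffix "$1" "$2"; then
        printf '%s\n' "$1"
    else
        printf '%s,%s\n' "$1" "$2"
    fi
}

# check_bind_dn DN SUFFIX: run before ldappasswd. Returns 2 if SUFFIX is
# present twice (the mistake in this thread), 1 if DN is outside SUFFIX.
check_bind_dn() {
    if has_suffix "$1" "$2,$2"; then
        echo "bind DN carries the suffix twice: $1" >&2
        return 2
    fi
    if ! has_suffix "$1" "$2"; then
        echo "bind DN is not below $2: $1" >&2
        return 1
    fi
}

CONTEXT='dc=example,dc=org'                # constructed; the thread elides it
DN="uid=jdoe,ou=people,$CONTEXT"           # constructed user entry
MANAGER=$(qualify_dn "$DN" "$CONTEXT")     # already complete: unchanged
ADMIN=$(qualify_dn 'cn=admin' "$CONTEXT")  # relative name: suffix added once
BROKEN="$DN,$CONTEXT"                      # what -D "$MANAGER","$CONTEXT" built

check_bind_dn "$MANAGER" "$CONTEXT"        # passes; then call -D "$MANAGER"
```

With the check in place, the doubled DN stops the script with a message naming the bad value instead of surfacing later as ldap_bind: Invalid credentials (49).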