Invalid credentials



Hi,
I'm trying to do a simple bind from various ldap clients (ldapsearch, php's ldap, perl's ldap) and I keep getting 'Invalid credentials' errors. All passwords are stored as {crypt} on my server (openldap 2.0.19 on linux). Here's the auth section of my slapd.conf:


access to attr=userPassword,ntPassword,lmPassword
       by self write
       by sockname=127.0.0.1 read
       by peername=127.0.0.1 read
       by anonymous auth
       by * none

access to *
       by users read
       by * read

Here's the command:

ldapsearch -x -h eddie -W -D "uid=hennessy,ou=people,o=netomat.net" uid=hennessy

Here's the logfile from loglevel=384:

May 29 14:36:49 eddie slapd[24492]: daemon: conn=24 fd=25 connection from IP=10.0.0.53:41666 (IP=0.0.0.0:34049) accepted.
May 29 14:36:49 eddie slapd[24499]: conn=24 op=0 BIND dn="UID=HENNESSY,OU=PEOPLE,O=NETOMAT.NET" method=128
May 29 14:36:49 eddie slapd[24499]: => access_allowed: auth access to "uid=hennessy,ou=people,o=netomat.net" "userPassword" requested
May 29 14:36:49 eddie slapd[24499]: => acl_get: [1] check attr userPassword
May 29 14:36:49 eddie slapd[24499]: <= acl_get: [1] acl uid=hennessy,ou=people,o=netomat.net attr: userPassword
May 29 14:36:49 eddie slapd[24499]: => acl_mask: access to entry "uid=hennessy,ou=people,o=netomat.net", attr "userPassword" requested
May 29 14:36:49 eddie slapd[24499]: => acl_mask: to all values by "", (=n)
May 29 14:36:49 eddie slapd[24499]: <= check a_dn_pat: self
May 29 14:36:49 eddie slapd[24499]: <= check a_sockname_path: 127.0.0.1
May 29 14:36:49 eddie slapd[24499]: <= check a_peername_path: 127.0.0.1
May 29 14:36:49 eddie slapd[24499]: <= check a_dn_pat: anonymous
May 29 14:36:49 eddie slapd[24499]: <= acl_mask: [4] applying auth (=x) (stop)
May 29 14:36:49 eddie slapd[24499]: <= acl_mask: [4] mask: auth (=x)
May 29 14:36:49 eddie slapd[24499]: => access_allowed: auth access granted by auth (=x)
May 29 14:36:49 eddie slapd[24499]: conn=24 op=0 RESULT tag=97 err=49 text=
May 29 14:36:49 eddie slapd[24492]: conn=-1 fd=25 closed


And here's the output of the ldapsearch command:
ldap_bind: Invalid credentials

It's odd: it seems that auth access is granted, but I get an error all the same... Anything obvious leap out at anyone?

Currently all server-based authentication (samba, pam/nss, postfix) that uses ldap does so by binding as rootdn and everything lives on the one server 'eddie'. However, my users are starting to clamor for stuff like address books outside the firewall, and I don't want to allow that unless I can use ssl-wrapped crypt() passwords.

TIA!
- Matt
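The ACL walk the log above records, as an added example that is not part of the original post: a small Python model of slapd's first-match "by" clause evaluation, run over the userPassword clause from the slapd.conf shown. During a simple bind the requester is still anonymous (the log's `by "", (=n)`), so "by anonymous auth" is the clause that matches and grants auth; once auth is granted, an err=49 can only come from the password comparison itself, not from the ACL. The requester values, the access-level ordering and the regex matching of sockname/peername are assumptions of this model.

```python
import re

# OpenLDAP access levels, weakest to strongest; a granted level satisfies
# any weaker requirement (assumed ordering, matches slapd.access(5)).
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

def level_ok(granted, required):
    return LEVELS.index(granted) >= LEVELS.index(required)

def who_matches(who, requester):
    """Does a 'by <who>' pattern match the requesting client?
    requester: bind_dn ('' while still anonymous), target_dn, sockname, peername."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester["bind_dn"] == ""
    if who == "users":
        return requester["bind_dn"] != ""
    if who == "self":
        return requester["bind_dn"] != "" and \
            requester["bind_dn"].lower() == requester["target_dn"].lower()
    if who.startswith("sockname="):  # assumed: 2.0 treats these as regexes
        return re.search(who.split("=", 1)[1], requester["sockname"]) is not None
    if who.startswith("peername="):
        return re.search(who.split("=", 1)[1], requester["peername"]) is not None
    raise ValueError(f"unsupported who clause: {who}")

def evaluate(by_clauses, requester, required):
    """Walk clauses in config order; the first matching 'by' stops evaluation,
    exactly as the log's '(stop)'. Returns (access_granted, matched_who)."""
    for who, level in by_clauses:
        if who_matches(who, requester):
            return level_ok(level, required), who
    return False, None

# The userPassword ACL from the post, as (who, level) pairs in config order.
USERPASSWORD_ACL = [
    ("self", "write"),
    ("sockname=127.0.0.1", "read"),
    ("peername=127.0.0.1", "read"),
    ("anonymous", "auth"),
    ("*", "none"),
]

# Constructed requester matching the log line: anonymous client from 10.0.0.53.
BIND_ATTEMPT = {"bind_dn": "", "target_dn": "uid=hennessy,ou=people,o=netomat.net",
                "sockname": "IP=0.0.0.0:34049", "peername": "IP=10.0.0.53:41666"}

if __name__ == "__main__":
    ok, who = evaluate(USERPASSWORD_ACL, BIND_ATTEMPT, "auth")
    print(f"auth access {'granted' if ok else 'denied'} by '{who}'")
```

Run as-is it reports auth granted by 'anonymous', mirroring the `acl_mask: [4] applying auth (=x) (stop)` line; changing the requester shows the other branches (self after a successful bind, localhost peers, and the final `by * none`).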