Re: Fixed: Newbie: ldap_bind: Inappropriate authentication (48)



At 04:06 PM 9/12/2004, Steve Revilak wrote:
>Steve Revilak wrote:
>
>>> Working through the quick-start section of
>>> http://www.openldap.org/doc/admin22/quickstart.html, I can't get by
>>> step 2, "Add initial entries to your directory."
>
>>>  $ ldapadd -w secret -x  -D "cn=Manager,dc=s,dc=com" -f record.ldif
>>>  Enter LDAP Password: [type `secret' here]
>>>  ldap_bind: Inappropriate authentication (48)
>
>>> Running slapd with `-d 192' I can see it reading the rootdn and rootpw
>>> attributes from slapd.conf, but it still doesn't seem to accept the
>>> `rootpw' value.
>
>I found out what the problem was.
>
>The OpenLDAP that comes with Mac OS X doesn't permit the use of clear
>text passwords.

Packagers should not --disable-cleartext.  Ugh.

>After changing this:
>
>  rootpw secret
>
>to this
>
>  rootpw {SSHA}YvMamu2PMIqF4bEfGnT9USzdUbvVsqKm
>
>The `inappropriate authentication' errors went away.
>
>The _truly_ embarrassing thing about this is that the change was made
>as a result of a bug I reported in one of their account manipulation
>utilities.  I knew their change applied to `userPassword' attributes,
>but didn't realize it also applied to the `rootpw' configuration
>directive.

Hope they didn't assume that --disable-cleartext would
fix a bug in any LDAP client.  The option doesn't
change any client behavior, nor does it prevent
clear text passwords from being stored in the directory.

Kurt
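
Added example, not part of the original message or of OpenLDAP's own code: a Python sketch of how an `{SSHA}` value like the one in the thread is built and checked, plus a check that reports whether a `rootpw` line in slapd.conf is still stored in clear text. The function names and the slapd.conf fragments are constructed for illustration.

```python
import base64
import hashlib
import hmac
import os
import re

def make_ssha(password, salt=None):
    """Build an {SSHA} value: base64(SHA1(password + salt) + salt)."""
    # 4-byte salt: the 32-character value in the thread decodes to 20 + 4 bytes.
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def check_ssha(password, stored):
    """Verify a password against an {SSHA} value; the salt follows the 20-byte digest."""
    if not stored.upper().startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[6:])
    digest, salt = raw[:20], raw[20:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)

# Matches uncommented rootpw directives and the {SCHEME} prefix of a value.
ROOTPW = re.compile(r"^\s*rootpw\s+(\S+)", re.MULTILINE)
SCHEME = re.compile(r"^\{([A-Za-z0-9-]+)\}")

def rootpw_schemes(conf_text):
    """Return the storage scheme of each rootpw line; no {SCHEME} prefix means cleartext."""
    schemes = []
    for value in ROOTPW.findall(conf_text):
        match = SCHEME.match(value)
        schemes.append(match.group(1).upper() if match else "CLEARTEXT")
    return schemes

# Constructed slapd.conf fragments mirroring the two forms shown in the thread.
BEFORE = 'rootdn "cn=Manager,dc=s,dc=com"\nrootpw secret\n'
AFTER = 'rootdn "cn=Manager,dc=s,dc=com"\nrootpw ' + make_ssha("secret") + "\n"

if __name__ == "__main__":
    print("before:", rootpw_schemes(BEFORE))
    print("after: ", rootpw_schemes(AFTER))
    print("verifies:", check_ssha("secret", make_ssha("secret")))
```
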