
Re: simple bind ldapsearch invalid credentials

On Monday 07 August 2006 23:51, Cornelius Koelbel wrote:
> Hello,
> I set up openldap 2.2.29 on FC4.
> I guess everything is right, I can access and modify everything with the
> manager.
> I setup an object
> 	cn=corny,ou=users,dc=az,dc=local
> as follows:
> 	dn: cn=corny,ou=users,dc=az,dc=local
> 	objectClass: top
> 	objectClass: person
> 	cn: corny
> 	sn: corny
> I want to have this person access to a subtree of the ldap.
> 	access to dn="ou=cornelius,ou=adressen,dc=az,dc=local"
> 		by dn="cn=corny,ou=users,dc=az,dc=local" write
> But for now, I configured everything:
> 	access to *
> 		by dn="cn=corny,ou=users,dc=az,dc=local" write

Is this your complete ACL set, or a subset ? If it is complete, you are 
definitely missing an ACL giving anonymous auth access to userPassword 
(required for simple bind to work).

> Now I set a password and try to connect:
> corny@schnuck:[/data/down]> ldappasswd  -x -D
> "cn=Manager,dc=az,dc=local" -W -S  "cn=corny,ou=users,dc=az,dc=local"
> New password:
> Re-enter new password:
> Enter LDAP Password:
> Result: Success (0)
> everything seems fine, but now:
> corny@schnuck:[/data/down]> ldapsearch   -D
> 'cn=corny,ou=users,dc=az,dc=local' -W  -x -b 'dc=az,dc=local'
> Enter LDAP Password:
> ldap_bind: Invalid credentials (49)

1) Test just the authentication bit with ldapwhoami
2) Bump the log level up to include ACL processing (384 might be a reasonable 

> What's wrong, where can I start to search?

Most likely you don't have an ACL allowing anonymous auth access to the 
userPassword attribute. Logs of the ACL processing will most likely indicate 
this. If it is not the case, they will help track it down.


Buchan Milne
ISP Systems Specialist
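The missing userPassword ACL that the reply points at, shown as a slapd.conf fragment; this is an added example, not configuration from the thread or from the OpenLDAP project. The DNs are the ones in the post; the final `access to *` rule is an assumption about what the rest of the set should look like.

```conf
# slapd.conf ACL fragment (added example, not from the original thread).
# DNs taken from the post; "ou=adressen" is kept as spelled there.
#
# --- As posted: corny is granted write everywhere, but nothing grants
# --- anonymous "auth" access to userPassword, so the simple bind itself
# --- cannot compare the password and fails with Invalid credentials (49).
# access to *
#         by dn="cn=corny,ou=users,dc=az,dc=local" write
#
# --- Corrected: slapd applies the first "access to" clause whose target
# --- matches, so the userPassword rule must come before any catch-all.
access to attrs=userPassword
        by self write          # a user may change their own password
        by anonymous auth      # needed for simple bind (password compare)
        by * none              # nobody else may read or search it

# The grant the poster actually wanted: write access to one subtree only.
access to dn.subtree="ou=cornelius,ou=adressen,dc=az,dc=local"
        by dn="cn=corny,ou=users,dc=az,dc=local" write
        by * none

# Assumed default for everything else: authenticated users may read,
# anonymous gets nothing (the rootdn, cn=Manager, bypasses ACLs anyway).
access to *
        by users read
        by * none
```

After restarting slapd, `ldapwhoami -x -D "cn=corny,ou=users,dc=az,dc=local" -W` should print the bound DN instead of error 49; if it still fails, the ACL log level suggested above shows which clause denied the auth access.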
