[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
RE: ldap_bind: Invalid credentials at LDAPADD step in the QuickStart Guide
- To: "Dunne, Kenneth" <kenneth.dunne@siemens.com>, Quanah Gibson-Mount <quanah@symas.com>, "openldap-technical@openldap.org" <openldap-technical@openldap.org>
- Subject: RE: ldap_bind: Invalid credentials at LDAPADD step in the QuickStart Guide
- From: "Dunne, Kenneth" <kenneth.dunne@siemens.com>
- Date: Mon, 23 Dec 2019 17:31:12 +0000
- Accept-language: en-US
- Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=siemens.com; dmarc=pass action=none header.from=siemens.com; dkim=pass header.d=siemens.com; arc=none
- Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=RqSg2SNNRfxHt8bTg/jr9ChX2oPZ5xCPxwDpGXInYr0=; b=lCqQzlJGMB92Vl10vc1MEy0H10g4kUXIALPJzvbw47kerI8TaiDlX0zXHgXoug5suFWtLDI3HPmvmoQJzVaEDbx5QjAi3Bk5MJTVGzWTM0T52fboXj6zx3xWEj6c5J9p9EEY1qMzlB5YsnOh0X2P5UVjBy1u3490Zy9RkYa38bHXvRuQjPyq71/Y7awMI5DjwcDItPCpkjGF2/hnYxgGVA9F2vXhZeEDPwjkv4D1XNkjjh+LkODwrCRYEFL4mjsdZqVkEtFEqLTtKLBtmJoMQ0+L+iAsCAbUlm0K/Vj8By71My7wH0VL01OkNcz5mYvDcv0jmP/IOC0TAUuSvEj8tQ==
- Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=RK604QDuOJWCkZRZX1gojU9WzNWzGSQvoUmYKaKk0JdhtDoBEKc9/IPacrDI8rkzK+lrc+5pJXjYDZWVLcOMzXgJRQP+d7HBg/+PqUEBIEzOleP0rEKTNH0fMTZ9+ouubX+WlW9rAGtPwRxK5ONEF+0i+0/7GWl108mjOKkxAeLTRHrZGgzm4ekBhG/CyvsNOsesUdNG9BYh4t91WHhYx2saC8JWU157dmltH7We2DxwrpdxwI+z8nbflCkXK7TxV3ny6i4wlHXwYPJ+DZlXeXytYfJHxn8/vMEZEs6UcAJtPKNPBx/Q9WylhV8rhJzjfFKOFuSbtESRzAvH5tTVsw==
- Authentication-results: spf=none (sender IP is ) smtp.mailfrom=kenneth.dunne@siemens.com;
- Content-language: en-US
- Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=siemens.onmicrosoft.com; s=selector1-siemens-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=RqSg2SNNRfxHt8bTg/jr9ChX2oPZ5xCPxwDpGXInYr0=; b=C6VfEfpAO1PZhsyFGb4/0z+k007PDzrdtvkcZ+fSemMSWmwH/rqNEwsavROa/s08+VNNgy9TsdG9CO+1fIJzfW/I9LIZy+wkNB9vFhzQN2Xvg7xQhEydBg9jqQI02c0maYYLfijuRkliKsLqXiuKSuykVfSRZHzZUfF5Eo7brW8=
- In-reply-to: <MN2PR07MB7199ADC4AFEBAE3667E092B7F22E0@MN2PR07MB7199.namprd07.prod.outlook.com>
- References: <MN2PR07MB7199A905857E6288C32A31F0F22E0@MN2PR07MB7199.namprd07.prod.outlook.com> <98F3D57087FB6E0F5051F647@[192.168.1.144]> <MN2PR07MB7199ADC4AFEBAE3667E092B7F22E0@MN2PR07MB7199.namprd07.prod.outlook.com>
- Thread-index: AdW5oObLkgr9NrYvSpGAgAFCF1Ik6wACRYMAAAGWm0AAAITXUAAAnS+AAAAPRsAAAGJFgA==
- Thread-topic: ldap_bind: Invalid credentials at LDAPADD step in the QuickStart Guide
Quanah
The default slapd.ldif file is (fixing bad line-wrapping by outlook)
Ken
#
# See slapd-config(5) for details on configuration options.
# This file should NOT be world readable.
#
dn: cn=config
objectClass: olcGlobal
cn: config
#
#
# Define global ACLs to disable default read access.
#
olcArgsFile: /usr/local/var/run/slapd.args
olcPidFile: /usr/local/var/run/slapd.pid
#
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#olcReferral: ldap://root.openldap.org
#
# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 64-bit encryption for simple bind
#olcSecurity: ssf=1 update_ssf=112 simple_bind=64
#
# Load dynamic backend modules:
#
#dn: cn=module,cn=config
#objectClass: olcModuleList
#cn: module
#olcModulepath: /usr/local/libexec/openldap
#olcModuleload: back_mdb.la
#olcModuleload: back_ldap.la
#olcModuleload: back_passwd.la
#olcModuleload: back_shell.la
dn: cn=schema,cn=config
objectClass: olcSchemaConfig
cn: schema
include: file:///usr/local/etc/openldap/schema/core.ldif
# Frontend settings
#
dn: olcDatabase=frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: frontend
#
# Sample global access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
#
#olcAccess: to dn.base="" by * read
#olcAccess: to dn.base="cn=Subschema" by * read
#olcAccess: to *
# by self write
# by users read
# by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!
#
#######################################################################
# LMDB database definitions
#######################################################################
#
dn: olcDatabase=mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: mdb
olcDbMaxSize: 1073741824
olcSuffix: dc=my-domain,dc=com
olcRootDN: cn=Manager,dc=my-domain,dc=com
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd-config(5) for details.
# Use of strong authentication encouraged.
olcRootPW: secret
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
olcDbDirectory: /usr/local/var/openldap-data
# Indices to maintain
olcDbIndex: objectClass eq
-----Original Message-----
From: openldap-technical <openldap-technical-bounces@openldap.org> On Behalf Of [ext] Dunne, Kenneth
Sent: Monday, December 23, 2019 11:25 AM
To: Quanah Gibson-Mount <quanah@symas.com>; openldap-technical@openldap.org
Subject: RE: ldap_bind: Invalid credentials at LDAPADD step in the QuickStart Guide
Quanah
I believe the "identity of the rootdn" in my configuration LDIF is what was contained within the 'installed slapd.ldif'
olcRootDN: cn=Manager,dc=my-domain,dc=com
mentioned in the first email of this thread, and installed with this line:
sudo /usr/local/sbin/slapadd -n 0 -F /usr/local/etc/openldap/slapd.d -l /usr/local/etc/openldap/slapd.ldif
cat /usr/local/etc/openldap/slapd.ldif
#
# See slapd-config(5) for details on configuration options.
# This file should NOT be world readable.
#
dn: cn=config
objectClass: olcGlobal
cn: config
#
#
# Define global ACLs to disable default read access.
#
olcArgsFile: /usr/local/var/run/slapd.args
olcPidFile: /usr/local/var/run/slapd.pid # # Do not enable referrals until AFTER you have a working directory # service AND an understanding of referrals.
#olcReferral: ldap://root.openldap.org
#
# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 64-bit encryption for simple bind
#olcSecurity: ssf=1 update_ssf=112 simple_bind=64
#
# Load dynamic backend modules:
#
#dn: cn=module,cn=config
#objectClass: olcModuleList
#cn: module
#olcModulepath: /usr/local/libexec/openldap
#olcModuleload: back_mdb.la
#olcModuleload: back_ldap.la
#olcModuleload: back_passwd.la
#olcModuleload: back_shell.la
dn: cn=schema,cn=config
objectClass: olcSchemaConfig
cn: schema
include: file:///usr/local/etc/openldap/schema/core.ldif
# Frontend settings
#
dn: olcDatabase=frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: frontend
#
# Sample global access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
#
#olcAccess: to dn.base="" by * read
#olcAccess: to dn.base="cn=Subschema" by * read
#olcAccess: to *
# by self write
# by users read
# by anonymous auth
#
# if no access controls are present, the default policy # allows anyone and everyone to read anything but restricts # updates to rootdn. (e.g., "access to * by * read") # # rootdn can always read and write EVERYTHING!
#
#######################################################################
# LMDB database definitions
#######################################################################
#
dn: olcDatabase=mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: mdb
olcDbMaxSize: 1073741824
olcSuffix: dc=my-domain,dc=com
olcRootDN: cn=Manager,dc=my-domain,dc=com # Cleartext passwords, especially for the rootdn, should # be avoided. See slappasswd(8) and slapd-config(5) for details.
# Use of strong authentication encouraged.
olcRootPW: secret
# The database directory MUST exist prior to running slapd AND # should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
olcDbDirectory: /usr/local/var/openldap-data
# Indices to maintain
olcDbIndex: objectClass eq
-----Original Message-----
From: Quanah Gibson-Mount <quanah@symas.com>
Sent: Monday, December 23, 2019 11:18 AM
To: Dunne, Kenneth (SMO NAM RC-US RI PE PE-ENG OF) <kenneth.dunne@siemens.com>; openldap-technical@openldap.org
Subject: RE: ldap_bind: Invalid credentials at LDAPADD step in the QuickStart Guide
--On Monday, December 23, 2019 5:01 PM +0000 "Dunne, Kenneth"
<kenneth.dunne@siemens.com> wrote:
> Ooops, I noticed that the 'dc' field in the new 'example.ldif' is
> perhaps wrong, modified to the following, but the ldapadd still fails
> similarly (
> ldap_bind: Invalid credentials (49)) Contents of example.ldif:
Hi Kenneth,
What is the identity of the rootdn in your configuration LDIF?
I.e., these lines:
olcRootDN: cn=Manager,dc=my-domain,dc=com
olcRootPW: secret
Those are the initial credentials you are actually binding as, as there is nothing in the database yet.
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<https://eur01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.symas.com&data=02%7C01%7Ckenneth.dunne%40siemens.com%7C3707630fd5f14c04c96008d787cd56bc%7C38ae3bcd95794fd4addab42e1495d55a%7C1%7C1%7C637127188301252989&sdata=Vatuw29lZrQ6Ne8PmIEy99z%2FajwSMcidDLO6nGlyeTk%3D&reserved=0>