[CentOS] openldap fails to authenticate

Craig White

craigwhite at azapple.com
Tue Nov 2 15:32:23 UTC 2010


On Tue, 2010-11-02 at 16:28 -0400, Tim Dunphy wrote:
> I am attempting to setup an LDAP server under CentOS 5.4.
> 
> 
> However I am unable to search my ldap directory even though I am
> supplying the proper credentials for the Manager account:
> 
> 
> [root at ldap openldap]# ldapsearch -x -h ldap -D
> 'cn=Manager,dc=example,dc=net' -W -b 'dc=example,dc=net'
> Enter LDAP Password:
> ldap_bind: Invalid credentials (49)
> 
> Anonymous searches do work however:
> 
> ldapsearch -x -h ldap -b "dc=example,dc=net" -s sub "objectclass=*"
> 
> [root at ldap openldap]# ldapsearch -x -h ldap -b "dc=example,dc=net" -s
> sub "objectclass=*"
> # extended LDIF
> #
> # LDAPv3
> # base <dc=example,dc=net> with scope subtree
> # filter: objectclass=*
> # requesting: ALL
> #
> 
> # search result
> search: 2
> result: 32 No such object
> 
> 
> I am currently attempting to use the actual word 'secret' to
> authenticate the Manager account:
> 
> database        bdb
> suffix          "dc=example,dc=net"
> rootdn          "cn=Manager,dc=example,dc=net"
> # Cleartext passwords, especially for the rootdn, should
> # be avoided.  See slappasswd(8) and slapd.conf(5) for details.
> # Use of strong authentication encouraged.
>  rootpw                secret
> # rootpw                 {CRYPT}secret
> 
> 
> And I am getting error 49's in my openldap logs with loglevel set to 296
> 
> /var/log/openldap.log
> 
> Nov  2 15:45:58 ldap slapd[3522]: slapd starting
> Nov  2 15:46:14 ldap slapd[3522]: conn=0 fd=11 ACCEPT from
> IP=127.0.0.1:44552 (IP=0.0.0.0:389)
> Nov  2 15:46:14 ldap slapd[3522]: conn=0 op=0 BIND
> dn="cn=Manager,dc=example,dc=net" method=128
> Nov  2 15:46:14 ldap slapd[3522]: conn=0 op=0 RESULT tag=97 err=49 text=
> Nov  2 15:46:14 ldap slapd[3522]: conn=0 fd=11 closed (connection lost)
> 
> 
> this is how I have configured my ldap.conf
> 
> BASE    dc=example,dc=net
> HOST    localhost
> URI     ldap://ldap.example.net
> 
> and for some reason slapd is listening on port 3774 even though I haven't
> told it to:
> 
> [root at ldap network-scripts]# netstat -tulnp | grep 389
> tcp        0      0 0.0.0.0:389                 0.0.0.0:*
>      LISTEN      3774/slapd
> [root at ldap network-scripts]# netstat -tulnp | grep slapd
> tcp        0      0 0.0.0.0:389                 0.0.0.0:*
>      LISTEN      3774/slapd
> 
> I haven't specified port 3774 _anywhere_ in my ldap config:
> 
> 
> [root at ldap network-scripts]# grep 3774 /etc/ldap
> 
> 
> thanks in advance for your help
----
That is process ID 3774 and not a port; the port is clearly 389.

I would suggest that you not have both HOST and URI, choose one or the
other.

In the above configuration, it would appear that 'secret' is the
password for rootbinddn of "cn=Manager,dc=example,dc=net"

The error 49 does indeed mean what it says: invalid credentials, meaning
the user/password combination isn't working.

try ldapsearch -x -h localhost -b "dc=example,dc=net" \
    -s sub "objectclass=*" -W -D 'cn=Manager,dc=example,dc=net'

Craig
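The following is an added example, not code from this thread or from the OpenLDAP project. It reads the slapd.conf fragment quoted above (reproduced here as constructed input) using the line-joining rule documented in slapd.conf(5), under which a line that begins with whitespace continues the previous line even when that line is a comment, and checks whether the indented rootpw line is actually seen as a directive. It then builds the {SSHA} form of rootpw that the fragment's own comment points to via slappasswd(8). The names logical_lines, parse_directives, ssha_hash, ssha_verify and hardened_fragment are this example's own.

```python
import base64
import hashlib
import os

# Constructed sample input: the slapd.conf fragment quoted in the thread
# above, reproduced as posted.  Note the leading space on the rootpw line.
SAMPLE_SLAPD_CONF = """\
database        bdb
suffix          "dc=example,dc=net"
rootdn          "cn=Manager,dc=example,dc=net"
# Cleartext passwords, especially for the rootdn, should
# be avoided.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
 rootpw                secret
# rootpw                 {CRYPT}secret
"""


def logical_lines(text):
    """Join physical lines the way slapd.conf(5) describes: a line that
    begins with whitespace continues the previous line, even when the
    previous line is a comment."""
    joined = []
    for raw in text.splitlines():
        if raw[:1] in (" ", "\t") and raw.strip() and joined:
            joined[-1] += " " + raw.strip()
        else:
            joined.append(raw)
    return joined


def parse_directives(text):
    """Map directive name -> value for every non-blank, non-comment
    logical line (first word is the directive, the rest is its value)."""
    directives = {}
    for line in logical_lines(text):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        name, _, value = stripped.partition(" ")
        directives[name.lower()] = value.strip().strip('"')
    return directives


def ssha_hash(password, salt=None):
    """Produce a {SSHA} value in the layout slappasswd(8) emits by default:
    base64(sha1(password + salt) + salt), with a 4-byte random salt."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password, stored):
    """Check a password against a {SSHA} value.  SHA-1 digests are 20
    bytes; whatever follows the digest is the salt."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hashlib.sha1(password.encode("utf-8") + salt).digest() == digest


def hardened_fragment(password):
    """The rootdn/rootpw lines as they should look: flush-left so they are
    real directives, and carrying a hash instead of the cleartext password."""
    return (
        'rootdn          "cn=Manager,dc=example,dc=net"\n'
        "rootpw          " + ssha_hash(password) + "\n"
    )


if __name__ == "__main__":
    quoted = parse_directives(SAMPLE_SLAPD_CONF)
    print("rootpw seen in quoted config:", "rootpw" in quoted)    # False
    fixed = parse_directives(hardened_fragment("secret"))
    print(fixed["rootpw"])
    print("bind password verifies:", ssha_verify("secret", fixed["rootpw"]))  # True
```

Parsed with that rule, the quoted fragment yields no rootpw directive at all, because the indented line is absorbed into the comment above it; a slapd started from such a file has no rootdn password to compare against, which is one way to get err=49 on a bind as cn=Manager even when the typed password is correct. In production generate the value with `slappasswd -h '{SSHA}'` rather than this helper, paste it flush-left, and keep slapd.conf readable only by the user slapd runs as, since even a hashed rootpw is worth protecting.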


