[CentOS] OpenLDAP Problem

Mon Jan 9 06:40:46 UTC 2006
Craig White <craigwhite at azapple.com>

On Mon, 2006-01-09 at 17:15 +1100, Peter Kitchener wrote:
> Everyone,
> 
> We currently are running a Centos3 directory server, I am currently 
> testing centos4 as an upgrade of this machine in the future. There is a 
> special user we have called cn=samba,ou=special in our directory, this 
> user is for samba to use when binding to the directory. On the 
> production replica server, I have taken an offline slapcat ldif of the 
> entire tree. I then copied this file to the test centos4 machine running 
> ldap with the same configuration as the centos3 production server. I did 
> a slapadd of this ldif file, then fixed some minor import errors as a 
> result. The problem occurs now when we try to bind to the test machine, 
> with ldapsearch or smbd, as this special samba user, ldap comes back and 
> tells me the credentials are incorrect. From what I understand about the 
> userPassword attribute is that it is output by slapcat as a base64 
> encoded MD5 hash. I have compared the hashes between the production 
> server and the test server, and they are both identical. I can however 
> do all this successfully with the admin user. I am lost as to the cause 
> of this error.
----
simplify this to make it easier...

# ldapsearch -x -h localhost -D 'uid=test2,ou=People,dc=azapple,dc=com' -W '(uid=test2)'
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <> with scope sub
# filter: (uid=test2)
# requesting: ALL
#

# test2, People, azapple.com
dn: uid=test2,ou=People,dc=azapple,dc=com
sambaNTPassword: 7C273E51DE2020E0BBC2C2B70CAB7B45
sambaLMPassword: AA9C761F0E1E2E7FAAD3B435B51404EE
givenName: Test2
sn: User
sambaProfilePath: \\srv1\profiles\test2
sambaLogonScript: logon.bat
etc...

bind from the command line using ldapsearch

In theory, your understanding is correct. In practice, it may not be
entirely correct since it may not be MD5 encryption - it depends on your
slapd.conf and the mechanics of how that password was put there for the
user.

The easiest thing to do is to set the password from the command line but
it would have to be a real posix user...

# passwd test2
Changing password for user test2.
New UNIX password:
BAD PASSWORD: it is too short
Retype new UNIX password:
LDAP password information changed for test2
passwd: all authentication tokens updated successfully.

then I ***know*** that openldap is happy with the password.

Craig
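Added example, not part of the thread above: the point Craig makes is that the base64 in slapcat output is only LDIF transport encoding (the double colon in `userPassword::`), and that what sits underneath is a value whose `{SCHEME}` prefix, set by slapd.conf's password-hash setting or by whatever tool wrote the entry, decides how the bind is verified. It is not necessarily MD5. The Python below (my own code, not OpenLDAP's) parses a constructed LDIF fragment, decodes the outer base64, reads the scheme prefix, and verifies a known password against the stored value for {SSHA}, {SHA}, {SMD5}, {MD5} and cleartext, which is a way to confirm offline whether a slapadd-imported hash still matches the password you expect before suspecting the import. The sample entry, its salt and password are constructed; {CRYPT} and other schemes are deliberately left unsupported.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Scheme prefix -> digest algorithm. In {SSHA}/{SMD5} the salt follows the
# digest, so the digest length is what separates the two parts.
_ALGO_FOR_SCHEME = {"SSHA": "sha1", "SHA": "sha1", "SMD5": "md5", "MD5": "md5"}


def hash_userpassword(password: str, scheme: str = "SSHA",
                      salt: Optional[bytes] = None) -> str:
    """Build an OpenLDAP-style userPassword value such as "{SSHA}base64(digest+salt)".

    SSHA/SMD5 are salted; SHA/MD5 are not. {CRYPT} and other schemes are not handled.
    """
    scheme = scheme.upper()
    algo = _ALGO_FOR_SCHEME.get(scheme)
    if algo is None:
        raise ValueError("unsupported password scheme: " + scheme)
    if scheme in ("SSHA", "SMD5"):
        salt = os.urandom(4) if salt is None else salt
    else:
        salt = b""
    digest = hashlib.new(algo, password.encode("utf-8") + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode("ascii"))


def verify_userpassword(stored: str, candidate: str) -> bool:
    """Check a candidate password against a stored userPassword value.

    The {SCHEME} prefix decides how to verify; a value without a prefix is
    stored in cleartext and compared directly (constant-time in both cases).
    """
    if not stored.startswith("{"):
        return hmac.compare_digest(stored.encode("utf-8"), candidate.encode("utf-8"))
    scheme, _, b64 = stored[1:].partition("}")
    algo = _ALGO_FOR_SCHEME.get(scheme.upper())
    if algo is None:
        raise ValueError("unsupported password scheme: " + scheme)
    raw = base64.b64decode(b64)
    n = hashlib.new(algo).digest_size
    digest, salt = raw[:n], raw[n:]          # salt is empty for {SHA}/{MD5}
    computed = hashlib.new(algo, candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(computed, digest)


def parse_ldif_entry(text: str) -> Dict[str, List[str]]:
    """Parse one LDIF entry into {attribute (lowercased): [values]}.

    Handles folded lines (a leading space continues the previous line) and
    'attr:: value' lines, where the value is base64-encoded as slapcat writes
    userPassword. Comment lines starting with '#' are ignored.
    """
    unfolded: List[str] = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        elif line and not line.startswith("#"):
            unfolded.append(line)
    entry: Dict[str, List[str]] = {}
    for line in unfolded:
        attr, _, rest = line.partition(":")
        if rest.startswith(":"):                       # '::' means base64 value
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        entry.setdefault(attr.strip().lower(), []).append(value)
    return entry


def check_ldif_credentials(ldif_text: str, candidate: str) -> Tuple[str, bool]:
    """Return (scheme, matches) for the userPassword of an LDIF entry."""
    stored = parse_ldif_entry(ldif_text)["userpassword"][0]
    scheme = stored[1:stored.index("}")].upper() if stored.startswith("{") else "CLEARTEXT"
    return scheme, verify_userpassword(stored, candidate)


# Constructed sample entry: a fixed salt keeps it reproducible. The whole
# "{SSHA}..." value is base64-encoded once more on the 'userPassword::' line,
# like slapcat output; the scheme prefix only shows after that outer decode.
SAMPLE_PASSWORD = "Sup3rS3cret"
SAMPLE_HASH = hash_userpassword(SAMPLE_PASSWORD, "SSHA", salt=b"\x01\x02\x03\x04")
SAMPLE_LDIF = (
    "dn: uid=test2,ou=People,dc=example,dc=com\n"
    "objectClass: inetOrgPerson\n"
    "uid: test2\n"
    "userPassword:: " + base64.b64encode(SAMPLE_HASH.encode("ascii")).decode("ascii") + "\n"
)

if __name__ == "__main__":
    print(check_ldif_credentials(SAMPLE_LDIF, SAMPLE_PASSWORD))     # ('SSHA', True)
    print(check_ldif_credentials(SAMPLE_LDIF, "not-the-password"))  # ('SSHA', False)
```

If the scheme that comes out of the decode is something this verifier refuses (for instance {CRYPT}, whose result depends on the crypt(3) implementation of the host that wrote it), that by itself is a plausible reason a hash that looks identical on both servers verifies on one and not the other; the same applies when the entry holds a salted hash and the comparison was made on the base64 text rather than on the decoded digest and salt.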