ldapadd returning ldap_bind: Invalid credentials (49)

unixtech · 04-20-2007, 05:21 PM

OS: Centos 4.4 / openLDAP 2.2.13
Hostname: ldap_1.helios.local
Domain Name: helios.local

I have followed many howto's including

OpenLDAP QuickStart Guide
http://www.openldap.org/doc/admin23/quickstart.html

HowtoForge LDAP installation / configuration
http://www.howtoforge.com/linux_open..._server_client

The current issue I am having is when I want to import my user.ldif files into my LDAP tree using the ldapadd command it gives me the invalid credentials error. I have searched and found many people reporting the same issues however the threads are never answered as to what the solution would be. I have turned on debug and will post as much information as needed to get some help. I will quickly go through what I have done.

1. Installed openLDAP and needed dependencies via YUM
compat-openldap.i386 0:2.1.30-6.4E
openldap-clients.i386 0:2.2.13-6.4E
openldap-devel.i386 0:2.2.13-6.4E
openldap-servers.i386 0:2.2.13-6.4E
openldap-servers-sql.i386 0:2.2.13-6.4E

2. Created password for "manager" via slappasswd

3. Edited /etc/openldap/slapd.conf to input my correct settings
For space reasons I will condense my files and only show what settings are uncommented

include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
allow bind_v2

pidfile /var/run/slapd.pid
argsfile /var/run/slapd.args

database bdb
suffix "dc=helios,dc=local"
rootdn "cn=root,dc=helios,dc=local"
rootpw {SSHA}fNZomTKSYOlIp8q9PD8jKDevsCj5n96j

directory /var/lib/ldap

# Indices to maintain for this database
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub

4. Restarted ldap using
># service ldap restart
Stopping slapd: [ OK ]
Checking configuration files for slapd: config file testing succeeded
Starting slapd: [ OK ]

5. Prepared test users to create test.ldif files
grep root /etc/passwd > /etc/openldap/passwd.root
grep ldaptest1 /etc/passwd > /etc/openldap/passwd.ldaptest1
grep ldaptest2 /etc/passwd > /etc/openldap/passwd.ldaptest2

6. Edited /usr/share/migration/openldap/migration/migrate_common.ph to reflect my domain settings

# Default DNS domain
$DEFAULT_MAIL_DOMAIN = "helios.local";
# Default base
$DEFAULT_BASE = "dc=helios,dc=local";

7. Converted my password files to ldif files using the migration tool
./migrate_passwd.pl /etc/openldap/passwd.root /tmp/root.ldif
./migrate_passwd.pl /etc/openldap/passwd.ldaptest1 /tmp/ldaptest1.ldif
./migrate_passwd.pl /etc/openldap/passwd.ldaptest2 /tmp/ldaptest2.ldif

8. Created domain ldif file
># touch /tmp/helios.local.ldif
dn: dc=helios,dc=local
dc: helios
description: LDAP Admin
objectClass: dcObject
objectClass: organizationalUnit
ou: rootobject

dn: ou=People, dc=helios,dc=local
ou: People
description: Users of Helios.local
objectClass: organizationalUnit

9. Use ldapadd to insert domain ldif file
># ldapadd -x -D "cn=root,dc=helios,dc=local" -W -f /tmp/helios.local.ldif
Enter LDAP Password: <password>
ldap_bind: Invalid credentials (49)
>#

Now if I shutdown ldap and add using the slapadd command it imports correctly.
># slapadd -v -l /tmp/helios.local.ldif

I am also able to add the ldaptest1, ldaptest2, and root's ldif's using slapadd.

Running a ldapsearch -x -b 'dc=helios,dc=local' '(objectclass=*)' gives me
# extended LDIF
#
# LDAPv3
# base <dc=helios,dc=local> with scope sub
# filter: (objectclass=*)
# requesting: ALL
#

# helios.local
dn: dc=helios,dc=local
dc: helios
description: LDAP Admin
objectClass: dcObject
objectClass: organizationalUnit
ou: rootobject

# People, helios.local
dn: ou=People,dc=helios,dc=local
ou: People
description: Users of Helios.Local
objectClass: organizationalUnit

# ldaptest1, People, helios.local
dn: uid=ldaptest1,ou=People,dc=helios,dc=local
uid: ldaptest1
cn: ldaptest1
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSQxJERVRUxMYy9XJHI4R3VvbWlOR3B5UXY3cnZSQ3MxcS8=
shadowLastChange: 13623
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 502
gidNumber: 503
homeDirectory: /home/ldaptest1

# ldaptest2, People, helios.local
dn: uid=ldaptest2,ou=People,dc=helios,dc=local
uid: ldaptest2
cn: ldaptest2
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSQxJE44M3J4TC5CJE81VVliVERZenk1Vzh5STJCanY1bDA=
shadowLastChange: 13623
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 503
gidNumber: 504
homeDirectory: /home/ldaptest2

# root, People, helios.local
dn: uid=root,ou=People,dc=helios,dc=local
uid: root
cn: root
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSQxJFNBOUxYeGN3JDl6Wm04anV6OGlsTXpoR0JRL1hzTS8=
shadowLastChange: 13606
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 0
gidNumber: 0
homeDirectory: /root
gecos: root

# operator, People, helios.local
dn: uid=operator,ou=People,dc=helios,dc=local
uid: operator
cn: operator
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSo=
shadowLastChange: 13450
shadowMax: 99999
shadowWarning: 7
loginShell: /sbin/nologin
uidNumber: 11
gidNumber: 0
homeDirectory: /root
gecos: operator

# search result
search: 2
result: 0 Success

# numResponses: 7
# numEntries: 6
[root@buzz tmp]#

Now although slapadd works all the refrence material points to using ldapadd which is what I would like to use as well. I have run the ldapadd -d 255 however it does not present any errors that stand out. If you would like that output I can provide that as well. I am also curious as to why my credentials are not working as it may lead to other issues when trying to provide authentication. Thank you in advance for you help.

unixtech · 05-17-2007, 03:46 PM

So its been a couple weeks since I posted this and I finally got this working. I wiped the machine and only installed the openldap-server and openldap-client packages. I am going to remove the tree and install the remaining rpm's to see if they are the cause of the issue.

simplyA · 05-22-2007, 06:43 AM

Hello unixtech,

I'm having the same stupid little problem for days now and also followed several tuorials but still didn't manage to solve the "ldap_bind: Invalid credentials (49)" problem.

Have you finally found the problem?

The only difference between your and mine configuration is that I changed

$EXTENDED_SCHEMA = 0 ==> $EXTENDED_SCHEMA = 1
in /usr/share/migration/openldap/migration/migrate_common.ph

and also used to
/usr/share/openldap/migration/migrate_base.pl > /tmp/base.ldif instead of creating the domain ldif file myself.

I really would appreciate any help!!!!!!!

Thanks

simplyA

OS: Centos 5.0
Hostname: localhost
rpms:
openldap-clients-2.3.27-5
openldap-servers-2.3.27-5
nss_ldap-253-3
openldap-2.3.27-5

unixtech · 05-31-2007, 11:36 AM

SimplyA,

When going over my steps I found that installing the openldap-servers and openldap-clients packages at the same time caused it not to work. So first I installed just the openldap-servers package via yum and setup slapd.conf. You would also want to setup your ldif's and anything else. Once you can add your files via ldapadd you can install the client tools. Try it out and let me know.

unixtech · 05-31-2007, 01:13 PM

SimplyA,

I also found that you need to have your database, suffix, rootdn, rootpw left aligned like below.

Slapd.conf from original install:

68 database bdb
69 suffix "dc=my-example,dc=com"
70 rootdn "cn=Manager,dc=my-example,dc=com"
71 # Cleartext passwords, especially for the rootdn, should
72 # be avoided. See slappasswd(8) and slapd.conf(5) for details.
73 # Use of strong authentication encouraged.
74 # rootpw secret

Now when I set this up all I did was remove the pound sign(#) which would have left a whitespace between the left margin and the "r" in rootpw. The solution is to make sure that the "r" in rootpw is in line with the "d" in database, the "s" in suffix, and the "r" in rootdn. So it would look like this

68 database bdb
69 suffix "dc=my-example,dc=com"
70 rootdn "cn=Manager,dc=my-example,dc=com"
71 # Cleartext passwords, especially for the rootdn, should
72 # be avoided. See slappasswd(8) and slapd.conf(5) for details.
73 # Use of strong authentication encouraged.
74 rootpw secret

Hope this helps as I view this as an easy mistake to make. I also went back and tested installing the server and client packages together then setting up openldap and it works so disregard my last comment about the package order.

wendea · 05-31-2007, 01:19 PM

I had the same error Im doing what you are doing I fixed it by adding a o: opting in my ldif file my ldif file is as followed:

dn: dc=example,dc=com
dc: example
objectClass: dcObject
objectClass: organization
o: example company

unixtech · 05-31-2007, 02:31 PM

wendea,

Not sure I follow you on your post. The issue I was having was when trying to add my domain ldif file, after being prompted for the "root" or "manager" password I would receive ldap_bind: Invalid credentials (49). The issue ended up being the alignment of the "rootpw" field in the slapd.conf file. Once I got past this I could add my ldif file without any issues. I'm glad to hear that you got your issue resolved.

simplyA · 06-01-2007, 12:37 PM

Hi unixtech,

You were absolutely right!! I set up another linux server yesterday and had again the same error. After modifying the slapd.conf file and removing the whitespace between the left margin and the "r" in rootpw and it worked.

Don't know what to say, only thanks a lot!!!!!!!!!!!!!!!

Best Regards,

simplyA