Discussion:
ldap_bind: Invalid credentials (49)
John Espiro
2011-02-02 21:49:55 UTC
System:
Ubuntu 10.10 server 64bit
@(#) $OpenLDAP: slapd 2.4.23 (Nov 19 2010 17:41:28) $
***@allspice:/build/buildd/openldap-2.4.23/debian/build/servers/slapd

Problem:
I am following the guide here:
http://blog.suretecsystems.com/archives/163-OpenLDAP-Quick-Tips-Change-loglevels-on-the-fly!.html

Entering:
ldapmodify -x -D 'cn=config' -W -f log.ldif

Gives me:
Enter LDAP Password:
ldap_bind: Invalid credentials (49)

I enter the password (that is also stored in ldap.secret), but the error
persists.

I've got to be missing something obvious, but it's not clear what that is...

John
John Espiro
2011-02-02 22:15:16 UTC
Seems that this might be the solution...
http://stackoverflow.com/questions/3057257/ubuntu-10-04-lucid-openldap-invalid-credentials-issue
Post by John Espiro
Ubuntu 10.10 server 64bit
@(#) $OpenLDAP: slapd 2.4.23 (Nov 19 2010 17:41:28) $
http://blog.suretecsystems.com/archives/163-OpenLDAP-Quick-Tips-Change-loglevels-on-the-fly!.html
ldapmodify -x -D 'cn=config' -W -f log.ldif
ldap_bind: Invalid credentials (49)
I enter the password (that is also stored in ldap.secret), but the error
persists.
I've got to be missing something obvious, but it's not clear what that is...
John
John Espiro
2011-02-02 22:39:57 UTC
Post by John Espiro
Seems that this might be the solution...
http://stackoverflow.com/questions/3057257/ubuntu-10-04-lucid-openldap-invalid-credentials-issue
Actually, it seems that that wasn't the solution...

So when I run:

ldapsearch -x -H ldap://127.0.0.1 -b 'cn=config' -D 'cn=config' -s base -LLL -W olcLoglevel

I get:
Enter LDAP Password:
ldap_bind: Invalid credentials (49)

Funny thing is, I never had any problems configuring ldap until I
switched to Ubuntu.
Razvan Deaconescu
2011-02-03 07:35:07 UTC
Post by John Espiro
Post by John Espiro
Seems that this might be the solution...
http://stackoverflow.com/questions/3057257/ubuntu-10-04-lucid-openldap-invalid-credentials-issue
Actually, it seems that that wasn't the solution...
ldapsearch -x -H ldap://127.0.0.1 -b 'cn=config' -D 'cn=config' -s base -LLL -W olcLoglevel
ldap_bind: Invalid credentials (49)
Funny thing is, I never had any problems configuring ldap until I
switched to Ubuntu.
Hi, John!

I described a similar issue a few days ago[1] (reported for Debian). I
found the only solution was manually editing the
olcDatabase={0}config.ldif file (adding an olcRootPW line).

I've posted a message on the debian-user mailing list[2] but found no
solution until now.

Răzvan

[1] http://www.openldap.org/lists/openldap-technical/201101/msg00307.html
[2] http://lists.debian.org/debian-user/2011/02/msg00115.html
Ondrej Kuznik
2011-02-03 09:02:03 UTC
Post by Razvan Deaconescu
Post by John Espiro
Post by John Espiro
Seems that this might be the solution...
http://stackoverflow.com/questions/3057257/ubuntu-10-04-lucid-openldap-invalid-credentials-issue
Actually, it seems that that wasn't the solution...
ldapsearch -x -H ldap://127.0.0.1 -b 'cn=config' -D 'cn=config' -s base -LLL -W olcLoglevel
ldap_bind: Invalid credentials (49)
Funny thing is, I never had any problems configuring ldap until I
switched to Ubuntu.
Hi, John!
I described a similar issue a few days ago[1] (reported for Debian). I
found the only solution was manually editing the
olcDatabase={0}config.ldif file (adding an olcRootPW line).
I've posted a message on the debian-user mailing list[2] but found no
solution until now.
Răzvan
[1] http://www.openldap.org/lists/openldap-technical/201101/msg00307.html
[2] http://lists.debian.org/debian-user/2011/02/msg00115.html
If you are running Ubuntu or Debian, they both AFAIK set up the server
so that the root user has (if connecting properly) manage privileges. So
there is no need to edit the ldif by hand.

To check, try connecting as root to the UNIX socket OpenLDAP should be
listening on:

ldapwhoami -H ldapi:// -Y EXTERNAL

should return:
gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth

This identity should be allowed to do pretty much as it pleases at least
within the cn=config db.

Ondra
Buchan Milne
2011-02-03 10:26:07 UTC
On Wednesday, 2 February 2011 23:49:55 John Espiro wrote:

[...]
Post by John Espiro
I've got to be missing something obvious, but it's not clear what that is...
You didn't read my reply to your previous thread, which was sent 20 minutes
before your mail above; all the info you needed was there.

Regards,
Buchan
Brian Candler
2011-02-03 13:46:39 UTC
Post by John Espiro
Ubuntu 10.10 server 64bit
...
Post by John Espiro
ldapmodify -x -D 'cn=config' -W -f log.ldif
ldap_bind: Invalid credentials (49)
Run ldapmodify on the same box as the server, as root. Point to the
ldapi:/// URL, and use the EXTERNAL SASL mechanism. Drop the other
authentication args (-x, -D, -W)

$ sudo bash
# ldapmodify -Y EXTERNAL -H ldapi:/// ...rest of args...

Regards,

Brian.
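
The procedure from the replies above (confirm the identity slapd assigns over ldapi:/// with SASL EXTERNAL, then modify cn=config the same way), as an added example that is not part of any poster's message. The function names, the script name in the usage comment and the `stats` level are assumptions; it also assumes slapd listens on ldapi:/// and that the packaged ACL grants manage rights to the root peer-credential identity, as the replies describe.

```shell
#!/bin/sh
# Added example, not from the thread. Run as root on the slapd host.

# Identity slapd derives from root's UNIX-socket peer credentials.
ROOT_ID='gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth'

# True if ldapwhoami output ("dn:<authzid>") names the root peercred identity.
is_root_peercred() {
    id=$(printf '%s\n' "$1" | sed -n 's/^dn: *//p' | head -n 1)
    [ "$id" = "$ROOT_ID" ]
}

# Emit the LDIF that replaces olcLogLevel on cn=config.
# Only a single alphanumeric keyword or number is accepted, so the
# argument cannot smuggle extra LDIF lines into the modification.
loglevel_ldif() {
    case "$1" in
        ''|*[!A-Za-z0-9]*) return 1 ;;
    esac
    printf 'dn: cn=config\nchangetype: modify\nreplace: olcLogLevel\nolcLogLevel: %s\n' "$1"
}

# Check the identity first, apply the change, then read the value back.
apply_loglevel() {
    who=$(ldapwhoami -Q -H ldapi:/// -Y EXTERNAL) || return 1
    if ! is_root_peercred "$who"; then
        echo "not mapped to the root peercred identity: $who" >&2
        return 1
    fi
    ldif=$(loglevel_ldif "$1") || { echo "bad log level: $1" >&2; return 1; }
    printf '%s\n' "$ldif" | ldapmodify -Q -H ldapi:/// -Y EXTERNAL || return 1
    ldapsearch -Q -H ldapi:/// -Y EXTERNAL -b cn=config -s base -LLL olcLogLevel
}

# Usage (hypothetical script name): sh set-loglevel.sh apply stats
if [ "${1:-}" = "apply" ]; then
    apply_loglevel "${2:-}"
fi
```

No bind DN or password is involved: authorization comes from the socket's peer credentials, so access to this path is governed by who can become root on the host and by the cn=config ACL.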
