OpenLDAP credentials issue

Bug #333733 reported by GordonS-CIL on 2009-02-24
This bug affects 4 people
Affects: Ubuntu Documentation (assigned to Adam Sommer)
Affects: ubuntu-docs (Ubuntu) (assigned to Adam Sommer)

Bug Description

At the "Populating LDAP" stage I was getting 'credentials (49)' errors.

All previous activities seemed to work just fine, but not that.

I eventually found that it worked if I first did:
        sudo su openldap

I'm not sure whether I just found a way around another problem, or whether this was an expected action before ldap administration.

It took me a while to find that because until then all seemed fine. It asked for passwords as expected, and seemed to do actions as expected.


Adam Sommer (asommer) wrote :

Thanks for reporting this bug and helping make Ubuntu better. Actually the ldapadd command should have a -b dc=example,dc=com (or the basedn of your directory). I must have set the BASE option in /etc/ldap/ldap.conf before using that command.

Using the -b should allow you to not have to sudo su openldap, can you give it a try to double check and comment?

Thanks again.

Changed in ubuntu-doc:
assignee: nobody → asommer
status: New → Incomplete
Adam Sommer (asommer) wrote :

Actually I'm totally wrong about the -b option. ldapadd does not have a -b option since it will get the basedn from the LDIF file.

Just to double check, were you using the password created during the slapd install process?


Matthew East (mdke) wrote :

Moving to ubuntu-docs package as per new bug policy.

Changed in ubuntu-docs:
assignee: nobody → asommer
status: New → Incomplete
Changed in ubuntu-doc:
status: Incomplete → Invalid

I also got 'credentials (49)' errors while trying the ldapsearch commands suggested. The password I provided in install did not work.
After many hours I discovered that the Hardy version does not come configured for use with cn=config.
After following instructions to convert from ldap.conf to cn=config all was well. Also had to change a setting in /etc/default/slapd, SLAPD_CONF=/etc/ldap/slapd.d

So if you get this error, check that you have a /etc/ldap/slapd.d directory; if you don't, then you do not have support for cn=config and any ldap command using the base will fail with 'credentials (49)'.

I then repeated apt-get install slapd for four other hardy servers with the same outcome in all cases.

Jonathan Jesse (jjesse) on 2009-08-06
tags: added: serverguide
Jens (jens.timmerman) wrote :

I am still having this bad credentials issue when following the documentation for 10.04
(as found here)

when you get to the setting up ACL part you all of a sudden need to use a cn=admin,cn=config, that doesn't exist

creating a config.ldif with
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootDN
olcRootDN: cn=admin,cn=config

dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: secret

dn: olcDatabase={0}config,cn=config
changetype: modify
delete: olcAccess

and adding it with
ldapadd -Y EXTERNAL -H ldapi:/// -f config.ldif

makes this work.
but it seems 2 systems are being used in this documentation, one with the cn=config and one without...
since, as I can see in bug #416539 there used to be a problem that was the exact opposite of this one?
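
Added example, not part of the comment above or of the Ubuntu documentation: a shell lint for cn=config change files that flags the two risky lines in the LDIF quoted above, an olcRootPW stored without a hash and a delete of olcAccess that names no value. The function names and the {SSHA} placeholder are assumptions made for illustration; a real hash would be the output of slappasswd.

```shell
#!/bin/sh
# Added example (not from the bug thread): lint a cn=config LDIF change file.
lint_olc_ldif() {   # reads LDIF on stdin; one finding per line, exit status 1 if any
    awk '
        function emit_delete() {
            if (pending) { print "line " pending ": delete olcAccess with no values drops every ACL on " dn; bad = 1 }
            pending = 0
        }
        { line = tolower($0) }                              # attribute names are case-insensitive
        pending && line !~ /^olcaccess:/ { emit_delete() }  # no value followed the delete
        pending && line ~ /^olcaccess:/  { pending = 0 }    # one specific rule is deleted
        line ~ /^dn:/ { dn = $0; sub(/^[^:]*:[ ]*/, "", dn) }
        line ~ /^delete:[ ]*olcaccess[ ]*$/ { pending = NR }
        line ~ /^olcrootpw:[^:]/ {                          # "::" (base64) values are not inspected
            val = line; sub(/^[^:]*:[ ]*/, "", val)
            if (val !~ /^[{][a-z0-9-]+[}]/ || val ~ /^[{]cleartext[}]/) {
                print "line " NR ": olcRootPW is not hashed, use slappasswd output"
                bad = 1
            }
        }
        END { emit_delete(); exit bad + 0 }
    '
}

# Constructed sample 1: the olcRootPW and olcAccess records from the comment above.
thread_ldif() {
    cat <<'EOF'
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: secret

dn: olcDatabase={0}config,cn=config
changetype: modify
delete: olcAccess
EOF
}

# Constructed sample 2: hashed password (placeholder value), ACLs left untouched.
hashed_ldif() {
    cat <<'EOF'
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}PLACEHOLDER_PASTE_SLAPPASSWD_OUTPUT
EOF
}

thread_ldif | lint_olc_ldif || true   # prints the two findings
```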

Adam Sommer (asommer) wrote :

Thanks for catching that Jens. The ACL section needs to be updated to use the new:

   sudo ldapsearch -c -Y EXTERNAL -H ldapi:/// -b cn=config

format. I'll try to get that updated.

Changed in ubuntu-docs (Ubuntu):
milestone: none → lucid-updates
Adam Sommer (asommer) wrote :

Committed a fix to the Maverick branch revision 511. Will work on getting the changes committed to Lucid and Karmic branches.

Changed in ubuntu-docs (Ubuntu):
status: Incomplete → Fix Committed
milestone: lucid-updates → karmic-updates
milestone: karmic-updates → lucid-updates
Adam Sommer (asommer) wrote :

Committed fix to revision 509 to Lucid branch.

Zaphod (vilppu777) wrote :

It looks like this is still an issue on the 10.04 documentation. Following post #5 I am now able to search properly but it is still unclear on how to set the ACL so users can change their own LDAP password.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ubuntu-docs - 10.10.1

ubuntu-docs (10.10.1) maverick; urgency=low

  * First release for maverick
  * General:
    - Update copyright year, LP: #580396
    - Update version numbers for maverick, LP: #587119
    - Update pot files
  * Administrative:
    - Users and Groups app UI changed - adjusted directions,
      LP: #570429 (Connor Imes)
  * Basic-commands:
    - Removed incorrect comment about using ~ with sudo,
      LP: #570423 (Connor Imes)
  * Internet:
    - Add section on Ubuntu One, authored by Matt Griffin with
      some changes/review
    - Typos: Cicso -> Cisco. Alex Wardle, LP: #561084
  * Musicvideophotos:
    - Add material on using Ubuntu One Music Store and
      other Music Stores
      within Rhythmbox, content submitted by Matt Griffin
    - Update microphone troubleshooting, LP: #591164
  * Serverguide:
    - Removed erroneous text from vmbuilder command,
      LP: #559190
    - Typo in network-config section. Alex Wardle, LP: #550892
    - Fix typo in Kerberos section. David C. Curtis, LP: #561788
    - Replaced dkim-filter with opendkim, feedback from
      Scott Kitterman. LP: #561825
    - Changed ldapsearch command in ACL section for new authentication
      mechanism. LP: #333733
    - Adjusted certificate wording to be more concise about which
      lines to copy. LP: #575859
    - Changed samba restart command to use new upstart scripts.
      LP: #575540
    - New information about granting groups Admin rights for Samba.
      LP: #579851
    - Various typos and English fixes from Travis Nichol, Connor Imes,
      Vikram Dhillon, Dean Sas, Andrew Rowell. LP: #594913,
      LP: #572959, LP: #603947
    - New Amavisd-new and Spamassassin section which adds note about possible
      large amount of error messages sent to email. LP: #165184 (Adam Sommer)
    - Removed OpenNebula section (Adam Sommer)
    - Removed eBox section (Adam Sommer)
    - Reviewed and updated User Management and Console Security sections
      (Adam Sommer)
    - Fixed spelling typo of dyngroup.schema, fixed ldapscripts <ask> example
      explanation, and ldapscripts example template path. LP: #595001
      (Adam Sommer)
    - Updates to UEC sections (Adam Sommer)
    - New "First Boot" section covering clout-init functionality (Adam Sommer)
    - Fix broken links to installation-guide, add distro-rev-short
      entity, LP: #575961
  * Windows:
    - Change wording of windows/C/preparing.xml, LP: #483153
 -- Matthew East <email address hidden> Sat, 14 Aug 2010 22:35:52 +0100

Changed in ubuntu-docs (Ubuntu):
status: Fix Committed → Fix Released
Thomas Tanghus (tanghus) wrote :

The guide at still leaves you with a non-functional ldap server when following it.

I applied the step in comment #5 but importing the example ldif gives "ldap_bind: Invalid credentials (49)"

Mauro (mauromol) wrote :

This issue still exists in Ubuntu 16.04 and I don't think it's just a documentation problem.

In order to add a new schema (dn: cn=myNewSchema,cn=schema,cn=config) through an ldif file, I had to follow this:

In fact, the LDAP admin user (Manager) is not allowed to add new schemas: the returned error is:

ldap_add: Insufficient access (50)

So, I think the Ubuntu configuration scripts are still missing some steps when configuring the OpenLDAP server package.

Should I open a new bug?

Gunnar Hjalmarsson (gunnarhj) wrote :

On 2017-04-03 18:14, Mauro wrote:
> Should I open a new bug?

Yes, please. You can file it against the server guide for now:
