OpenLDAP credentials issue
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| | Ubuntu Documentation |
Undecided
|
Adam Sommer | ||
| | ubuntu-docs (Ubuntu) |
Undecided
|
Adam Sommer | ||
Bug Description
https:/
At the "Populating LDAP" stage I was getting 'credentials (49)' errors.
All previous activities seemed to work just fine, but not that.
I eventually found that it worked if I first did:
sudo su openldap
I'm not sure whether I just found a way around another problem, or whether this was an expected action before ldap administration.
It took me a while to find that because until then all seemed fine. It asked for passwords as expected, ans seemed to do actions as expected.
G.
| Adam Sommer (asommer) wrote : | #1 |
| Changed in ubuntu-doc: | |
| assignee: | nobody → asommer |
| status: | New → Incomplete |
| Adam Sommer (asommer) wrote : | #2 |
Actually I'm totally wrong about the -b option. ldapadd does not have a -b option since it will get the basedn from the LDIF file.
Just to double check, were you using the password created during the slapd install process?
Thanks,
Adam
| Matthew East (mdke) wrote : | #3 |
Moving to ubuntu-docs package as per new bug policy.
| Changed in ubuntu-docs: | |
| assignee: | nobody → asommer |
| status: | New → Incomplete |
| Changed in ubuntu-doc: | |
| status: | Incomplete → Invalid |
| Greg Coram (greg-nghenvironmental) wrote : | #4 |
I also got 'credentials (49)' errors while trying the ldapsearch commands suggested. The password I provided in install did not work.
After many hours I discovered the the Hardy version does not come configured for use with cn=config.
After following http://
So if you get this error check that you have a /etc/ldap/slapd.d directory if you dont then you do not have support for cn=config and any ldap command using the base will fail with 'credentials (49)'.
I then repeated apt-get install slapd for four other hardy servers with the same outcome in all cases.
| tags: | added: serverguide |
| Jens (jens.timmerman) wrote : | #5 |
I am still having this bad credentials issue when following the documentation for 10.04
(as found here) http://
when you get to the setting up ACL part you all of a sudden need to use a cn=admin,cn=config, that doesn't exist
creating a config.ldif with
dn: olcDatabase=
changetype: modify
add: olcRootDN
olcRootDN: cn=admin,cn=config
dn: olcDatabase=
changetype: modify
add: olcRootPW
olcRootPW: secret
dn: olcDatabase=
changetype: modify
delete: olcAccess
and adding it with
ldapadd -Y EXTERNAL -H ldapi:/// -f config.ldif
makes this work.
but it seems 2 systems are being used in this documentation, one with the cn=config and one without...
since, as I can see in bug #416539 there used to be a problem that was the exact opposite of this one?
| Adam Sommer (asommer) wrote : | #6 |
Thanks for catching that Jens. The ACL section needs to be updated to use the new:
sudo ldapsearch -c -Y EXTERNAL -H ldapi:/// -b cn=config
format. I'll try to get that updated.
| Changed in ubuntu-docs (Ubuntu): | |
| milestone: | none → lucid-updates |
| Adam Sommer (asommer) wrote : | #7 |
Committed a fix to the Maverick branch revision 511. Will work on getting the changes committed to Lucid and Karmic branches.
| Changed in ubuntu-docs (Ubuntu): | |
| status: | Incomplete → Fix Committed |
| milestone: | lucid-updates → karmic-updates |
| milestone: | karmic-updates → lucid-updates |
| Adam Sommer (asommer) wrote : | #8 |
Committed fix to revision 509 to Lucid branch.
| Zaphod (vilppu777) wrote : | #9 |
It looks like this is still an issue on the 10.04 documentation. following post #5 I am now able to search properly but it is still unclear on how to set the ACL so users can change their own LDAP password.
| Launchpad Janitor (janitor) wrote : | #10 |
This bug was fixed in the package ubuntu-docs - 10.10.1
---------------
ubuntu-docs (10.10.1) maverick; urgency=low
* First release for maverick
* General:
- Update copyright year, LP: #580396
- Update version numbers for maverick, LP: #587119
- Update pot files
* Administrative:
- Users and Groups app UI changed - adjusted directions,
LP: #570429 (Connor Imes)
* Basic-commands:
- Removed incorrect comment about using ~ with sudo,
LP: #570423 (Connor Imes)
* Internet:
- Add section on Ubuntu One, authored by Matt Griffin with
some changes/review
- Typos: Cicso -> Cisco. Alex Wardle, LP: #561084
* Musicvideophotos:
- Add material on using Ubuntu One Music Store and
other Music Stores
within Rhythmbox, content submitted by Matt Griffin
- Update microphone troubleshooting, LP: #591164
* Serverguide:
- Removed erroneous text from vmbuilder command,
LP: #559190
- Typo in network-config section. Alex Wardle, LP: #550892
- Fix typo in Kerberos section. David C. Curtis, LP: #561788
- Replaced dkim-filter with opendkim, feedback from
Scott Kitterman. LP: #561825
- Changed ldapsearch command in ACL section for new authentication
mechanism. LP: #333733
- Adjusted certificate wording to be more concise about which
lines to copy. LP: #575859
- Changed samba restart command to use new upstart scripts.
LP: #575540
- New information about granting groups Admin rights for Samba.
LP: #579851
- Various typos and English fixes from Travis Nichol, Connor Imes,
Vikram Dhillon, Dean Sas, Andrew Rowell. LP: #594913,
LP: #572959, LP: #603947
- New Amavisd-new and Spamassassin section which adds note about possible
large amount of error messages sent to email. LP: #165184 (Adam Sommer)
- Removed OpenNebula section (Adam Sommer)
- Removed eBox section (Adam Sommer)
- Reviewed and updated User Management and Console Security sections
(Adam Sommer)
- Fixed spelling typo of dyngroup.schema, fixed ldapscripts <ask> example
explanation, and ldapscripts example template path. LP: #595001
(Adam Sommer)
- Updates to UEC sections (Adam Sommer)
- New "First Boot" section covering clout-init functionality (Adam Sommer)
- Fix broken links to installation-guide, add distro-rev-short
entity, LP: #575961
* Windows:
- Change wording of windows/
-- Matthew East <email address hidden> Sat, 14 Aug 2010 22:35:52 +0100
| Changed in ubuntu-docs (Ubuntu): | |
| status: | Fix Committed → Fix Released |
| Thomas "Tanghus" Olsen (tanghus) wrote : | #11 |
The guide at https:/
I applied the step in comment #5 but importing the example ldif gives "ldap_bind: Invalid credentials (49)"
| Mauro (mauromol) wrote : | #12 |
This issue still exists in Ubuntu 16.04 and I don't think it's just a documentation problem.
In order to add a new schema (dn: cn=myNewSchema,
http://
In fact, the LDAP admin user (Manager) is not allowed to add new schemas: the returned error is:
ldap_add: Insufficient access (50)
So, I think the Ubuntu configuration scripts are still missing some steps when configuring the OpenLDAP server package.
Should I open a new bug?
| Gunnar Hjalmarsson (gunnarhj) wrote : | #13 |
On 2017-04-03 18:14, Mauro wrote:
> Should I open a new bug?
Yes, please. You can file it against the server guide for now:
Thanks for reporting this bug and helping make Ubuntu better. Actually the ldapadd command should have a -b dc=example,dc=com (or the basedn of your directory). I must have set the BASE option in /etc/ldap/ldap.conf before using that command.
Using the -b should allow you to not have to sudo su openldap, can you give it a try to double check and comment?
Thanks again.