OpenLDAP credentials issue

Reported by GordonS-CIL on 2009-02-24
This bug affects 3 people
Affects: Ubuntu Documentation; Importance: Undecided; Assigned to: Adam Sommer
Affects: ubuntu-docs (Ubuntu); Importance: Undecided; Assigned to: Adam Sommer

Bug Description

https://help.ubuntu.com/8.10/serverguide/C/openldap-server.html

At the "Populating LDAP" stage I was getting 'credentials (49)' errors.

All previous activities seemed to work just fine, but not that.

I eventually found that it worked if I first did:
        sudo su openldap

I'm not sure whether I just found a way around another problem, or whether this was an expected action before ldap administration.

It took me a while to find that because until then all seemed fine. It asked for passwords as expected, and seemed to do actions as expected.

G.

Adam Sommer (asommer) wrote :

Thanks for reporting this bug and helping make Ubuntu better. Actually the ldapadd command should have a -b dc=example,dc=com (or the basedn of your directory). I must have set the BASE option in /etc/ldap/ldap.conf before using that command.

Using the -b should allow you to not have to sudo su openldap, can you give it a try to double check and comment?

Thanks again.

Changed in ubuntu-doc:
assignee: nobody → asommer
status: New → Incomplete
Adam Sommer (asommer) wrote :

Actually I'm totally wrong about the -b option. ldapadd does not have a -b option since it will get the basedn from the LDIF file.

Just to double check, were you using the password created during the slapd install process?

Thanks,
Adam

Matthew East (mdke) wrote :

Moving to ubuntu-docs package as per new bug policy.

Changed in ubuntu-docs:
assignee: nobody → asommer
status: New → Incomplete
Changed in ubuntu-doc:
status: Incomplete → Invalid

I also got 'credentials (49)' errors while trying the ldapsearch commands suggested. The password I provided in install did not work.
After many hours I discovered that the Hardy version does not come configured for use with cn=config.
After following http://www.zytrax.com/books/ldap/ch6/slapd-config.html instructions to convert from ldap.conf to cn=config all was well. Also had to change a setting in /etc/default/slapd, SLAPD_CONF=/etc/ldap/slapd.d

So if you get this error, check that you have a /etc/ldap/slapd.d directory; if you don't, then you do not have support for cn=config and any ldap command using the base will fail with 'credentials (49)'.

I then repeated apt-get install slapd for four other hardy servers with the same outcome in all cases.

Jonathan Jesse (jjesse) on 2009-08-06
tags: added: serverguide
Jens (jens.timmerman) wrote :

I am still having this bad credentials issue when following the documentation for 10.04
(as found here) http://doc.ubuntu.com/ubuntu/serverguide/C/samba-ldap.html

When you get to the setting up ACL part, you all of a sudden need to use a cn=admin,cn=config that doesn't exist.

Creating a config.ldif with

        dn: olcDatabase={0}config,cn=config
        changetype: modify
        add: olcRootDN
        olcRootDN: cn=admin,cn=config

        dn: olcDatabase={0}config,cn=config
        changetype: modify
        add: olcRootPW
        olcRootPW: secret

        dn: olcDatabase={0}config,cn=config
        changetype: modify
        delete: olcAccess

and adding it with

        ldapadd -Y EXTERNAL -H ldapi:/// -f config.ldif

makes this work.
But it seems 2 systems are being used in this documentation, one with the cn=config and one without...
since, as I can see in bug #416539, there used to be a problem that was the exact opposite of this one?
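
The following is an added example, not part of the comment above or of the Ubuntu documentation: a review pass over an LDIF change file such as the config.ldif quoted above, flagging an olcRootPW stored without a {SCHEME} prefix and a delete that lists no olcAccess values (which removes every access rule on that entry). The function names review_ldif and ssha are hypothetical; {SSHA} is the scheme slappasswd produces by default.

```python
import base64
import hashlib
import os

# Constructed sample input: the change file quoted in the comment above.
SAMPLE_LDIF = """\
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootDN
olcRootDN: cn=admin,cn=config

dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: secret

dn: olcDatabase={0}config,cn=config
changetype: modify
delete: olcAccess
"""

def ssha(password, salt=None):
    """Build an {SSHA} value: base64(SHA1(password + salt) + salt)."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def review_ldif(text):
    """Return (line number, finding) pairs for risky lines in an LDIF change file."""
    findings = []
    lines = text.splitlines()
    for number, line in enumerate(lines, 1):
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "olcrootpw":
            if value.startswith(":"):  # "attr:: value" carries base64 in LDIF
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            if not value.startswith("{"):  # no {SCHEME} prefix: stored as typed
                findings.append((number, "cleartext olcRootPW"))
        elif attr == "delete" and value.lower() == "olcaccess":
            following = lines[number].lower() if number < len(lines) else ""
            if not following.startswith("olcaccess:"):  # no values listed
                findings.append((number, "deletes every olcAccess value"))
    return findings

if __name__ == "__main__":
    for number, finding in review_ldif(SAMPLE_LDIF):
        print(f"line {number}: {finding}")
```

Replacing the `olcRootPW` value with the output of `ssha(...)` (or of slappasswd) keeps the password out of the files under /etc/ldap/slapd.d in readable form.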

Adam Sommer (asommer) wrote :

Thanks for catching that Jens. The ACL section needs to be updated to use the new:

   sudo ldapsearch -c -Y EXTERNAL -H ldapi:/// -b cn=config

format. I'll try to get that updated.

Changed in ubuntu-docs (Ubuntu):
milestone: none → lucid-updates
Adam Sommer (asommer) wrote :

Committed a fix to the Maverick branch revision 511. Will work on getting the changes committed to Lucid and Karmic branches.

Changed in ubuntu-docs (Ubuntu):
status: Incomplete → Fix Committed
milestone: lucid-updates → karmic-updates
milestone: karmic-updates → lucid-updates
Adam Sommer (asommer) wrote :

Committed fix to revision 509 to Lucid branch.

Zaphod (vilppu777) wrote :

It looks like this is still an issue on the 10.04 documentation. Following post #5 I am now able to search properly but it is still unclear on how to set the ACL so users can change their own LDAP password.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ubuntu-docs - 10.10.1

---------------
ubuntu-docs (10.10.1) maverick; urgency=low

  * First release for maverick
  * General:
    - Update copyright year, LP: #580396
    - Update version numbers for maverick, LP: #587119
    - Update pot files
  * Administrative:
    - Users and Groups app UI changed - adjusted directions,
      LP: #570429 (Connor Imes)
  * Basic-commands:
    - Removed incorrect comment about using ~ with sudo,
      LP: #570423 (Connor Imes)
  * Internet:
    - Add section on Ubuntu One, authored by Matt Griffin with
      some changes/review
    - Typos: Cicso -> Cisco. Alex Wardle, LP: #561084
  * Musicvideophotos:
    - Add material on using Ubuntu One Music Store and
      other Music Stores
      within Rhythmbox, content submitted by Matt Griffin
    - Update microphone troubleshooting, LP: #591164
  * Serverguide:
    - Removed erroneous text from vmbuilder command,
      LP: #559190
    - Typo in network-config section. Alex Wardle, LP: #550892
    - Fix typo in Kerberos section. David C. Curtis, LP: #561788
    - Replaced dkim-filter with opendkim, feedback from
      Scott Kitterman. LP: #561825
    - Changed ldapsearch command in ACL section for new authentication
      mechanism. LP: #333733
    - Adjusted certificate wording to be more concise about which
      lines to copy. LP: #575859
    - Changed samba restart command to use new upstart scripts.
      LP: #575540
    - New information about granting groups Admin rights for Samba.
      LP: #579851
    - Various typos and English fixes from Travis Nichol, Connor Imes,
      Vikram Dhillon, Dean Sas, Andrew Rowell. LP: #594913,
      LP: #572959, LP: #603947
    - New Amavisd-new and Spamassassin section which adds note about possible
      large amount of error messages sent to email. LP: #165184 (Adam Sommer)
    - Removed OpenNebula section (Adam Sommer)
    - Removed eBox section (Adam Sommer)
    - Reviewed and updated User Management and Console Security sections
      (Adam Sommer)
    - Fixed spelling typo of dyngroup.schema, fixed ldapscripts <ask> example
      explanation, and ldapscripts example template path. LP: #595001
      (Adam Sommer)
    - Updates to UEC sections (Adam Sommer)
    - New "First Boot" section covering clout-init functionality (Adam Sommer)
    - Fix broken links to installation-guide, add distro-rev-short
      entity, LP: #575961
  * Windows:
    - Change wording of windows/C/preparing.xml, LP: #483153
 -- Matthew East <email address hidden> Sat, 14 Aug 2010 22:35:52 +0100

Changed in ubuntu-docs (Ubuntu):
status: Fix Committed → Fix Released

The guide at https://help.ubuntu.com/12.04/serverguide/openldap-server.html still leaves you with a non-functional ldap server when following it.

I applied the step in comment #5 but importing the example ldif gives "ldap_bind: Invalid credentials (49)"
