OpenLDAP credentials issue
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
Ubuntu Documentation | | Undecided | Adam Sommer | |
ubuntu-docs (Ubuntu) | | Undecided | Adam Sommer | |
Bug Description
https:/
At the "Populating LDAP" stage I was getting 'credentials (49)' errors.
All previous activities seemed to work just fine, but not that.
I eventually found that it worked if I first did:
sudo su openldap
I'm not sure whether I just found a way around another problem, or whether this was an expected action before ldap administration.
It took me a while to find that because until then all seemed fine. It asked for passwords as expected, and seemed to do actions as expected.
G.
Adam Sommer (asommer) wrote : | #1 |
Changed in ubuntu-doc: | |
assignee: | nobody → asommer |
status: | New → Incomplete |
Adam Sommer (asommer) wrote : | #2 |
Actually I'm totally wrong about the -b option. ldapadd does not have a -b option since it will get the basedn from the LDIF file.
Just to double check, were you using the password created during the slapd install process?
Thanks,
Adam
Matthew East (mdke) wrote : | #3 |
Moving to ubuntu-docs package as per new bug policy.
Changed in ubuntu-docs: | |
assignee: | nobody → asommer |
status: | New → Incomplete |
Changed in ubuntu-doc: | |
status: | Incomplete → Invalid |
Greg Coram (greg-nghenvironmental) wrote : | #4 |
I also got 'credentials (49)' errors while trying the ldapsearch commands suggested. The password I provided in install did not work.
After many hours I discovered that the Hardy version does not come configured for use with cn=config.
After following http://
So if you get this error, check that you have a /etc/ldap/slapd.d directory. If you don't, then you do not have support for cn=config and any ldap command using the base will fail with 'credentials (49)'.
I then repeated apt-get install slapd for four other hardy servers with the same outcome in all cases.
tags: | added: serverguide |
Jens (jens.timmerman) wrote : | #5 |
I am still having this bad credentials issue when following the documentation for 10.04
(as found here) http://
when you get to the setting up ACL part you all of a sudden need to use a cn=admin,cn=config, that doesn't exist
creating a config.ldif with
dn: olcDatabase=
changetype: modify
add: olcRootDN
olcRootDN: cn=admin,cn=config

dn: olcDatabase=
changetype: modify
add: olcRootPW
olcRootPW: secret

dn: olcDatabase=
changetype: modify
delete: olcAccess
and adding it with
ldapadd -Y EXTERNAL -H ldapi:/// -f config.ldif
makes this work.
but it seems 2 systems are being used in this documentation, one with the cn=config and one without...
since, as I can see in bug #416539 there used to be a problem that was the exact opposite of this one?
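Editor's added example, not part of comment #5 or of the Ubuntu documentation: the config.ldif above stores olcRootPW as a cleartext value, whereas the attribute also accepts a hashed value such as the {SSHA} form that slappasswd produces. The Python below flags cleartext olcRootPW lines in an LDIF file and rewrites them with an {SSHA} hash. The sample DN is a placeholder, the function names are hypothetical, and folded lines and `:<` URL values are not handled.

```python
import base64
import hashlib
import os
import re

# Constructed sample modelled on comment #5; the DN is a placeholder (the thread's DNs are truncated).
SAMPLE_LDIF = """\
dn: olcDatabase={N}placeholder,cn=config
changetype: modify
add: olcRootDN
olcRootDN: cn=admin,cn=config
-
add: olcRootPW
olcRootPW: secret
"""

ROOTPW = re.compile(r"^olcRootPW(::?)[ ]*(.*)$", re.IGNORECASE | re.MULTILINE)
SCHEME = re.compile(r"^\{[A-Za-z0-9_-]+\}")  # {SSHA}, {CRYPT}, ...

def ssha(password, salt=None):
    """Build an {SSHA} value: base64(SHA1(password + salt) + salt)."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def cleartext_value(line):
    """Return the password if this olcRootPW line has no {SCHEME}, else None."""
    match = ROOTPW.match(line)
    if not match:
        return None
    sep, text = match.groups()
    value = base64.b64decode(text).decode() if sep == "::" else text  # attr:: base64
    return None if SCHEME.match(value) else value

def find_cleartext_rootpw(ldif):
    """Return [(line_number, dn)] for every cleartext olcRootPW value."""
    findings, dn = [], None
    for number, line in enumerate(ldif.splitlines(), 1):
        dn = line[3:].strip() if line.lower().startswith("dn:") else dn
        if cleartext_value(line) is not None:
            findings.append((number, dn))
    return findings

def harden(ldif):
    """Rewrite cleartext olcRootPW lines so they carry an {SSHA} hash."""
    def swap(m):
        value = cleartext_value(m.group(0))
        return m.group(0) if value is None else "olcRootPW: " + ssha(value)
    return ROOTPW.sub(swap, ldif)
```

Hashing the value keeps the password out of the LDIF file and out of cn=config; the file that held the cleartext copy still needs to be removed or restricted.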
Adam Sommer (asommer) wrote : | #6 |
Thanks for catching that Jens. The ACL section needs to be updated to use the new:
sudo ldapsearch -c -Y EXTERNAL -H ldapi:/// -b cn=config
format. I'll try to get that updated.
Changed in ubuntu-docs (Ubuntu): | |
milestone: | none → lucid-updates |
Adam Sommer (asommer) wrote : | #7 |
Committed a fix to the Maverick branch revision 511. Will work on getting the changes committed to Lucid and Karmic branches.
Changed in ubuntu-docs (Ubuntu): | |
status: | Incomplete → Fix Committed |
milestone: | lucid-updates → karmic-updates |
milestone: | karmic-updates → lucid-updates |
Adam Sommer (asommer) wrote : | #8 |
Committed fix to revision 509 to Lucid branch.
Zaphod (vilppu777) wrote : | #9 |
It looks like this is still an issue on the 10.04 documentation. Following post #5 I am now able to search properly, but it is still unclear how to set the ACL so users can change their own LDAP password.
Launchpad Janitor (janitor) wrote : | #10 |
This bug was fixed in the package ubuntu-docs - 10.10.1
---------------
ubuntu-docs (10.10.1) maverick; urgency=low
* First release for maverick
* General:
- Update copyright year, LP: #580396
- Update version numbers for maverick, LP: #587119
- Update pot files
* Administrative:
- Users and Groups app UI changed - adjusted directions,
LP: #570429 (Connor Imes)
* Basic-commands:
- Removed incorrect comment about using ~ with sudo,
LP: #570423 (Connor Imes)
* Internet:
- Add section on Ubuntu One, authored by Matt Griffin with
some changes/review
- Typos: Cicso -> Cisco. Alex Wardle, LP: #561084
* Musicvideophotos:
- Add material on using Ubuntu One Music Store and
other Music Stores
within Rhythmbox, content submitted by Matt Griffin
- Update microphone troubleshooting, LP: #591164
* Serverguide:
- Removed erroneous text from vmbuilder command,
LP: #559190
- Typo in network-config section. Alex Wardle, LP: #550892
- Fix typo in Kerberos section. David C. Curtis, LP: #561788
- Replaced dkim-filter with opendkim, feedback from
Scott Kitterman. LP: #561825
- Changed ldapsearch command in ACL section for new authentication
mechanism. LP: #333733
- Adjusted certificate wording to be more concise about which
lines to copy. LP: #575859
- Changed samba restart command to use new upstart scripts.
LP: #575540
- New information about granting groups Admin rights for Samba.
LP: #579851
- Various typos and English fixes from Travis Nichol, Connor Imes,
Vikram Dhillon, Dean Sas, Andrew Rowell. LP: #594913,
LP: #572959, LP: #603947
- New Amavisd-new and Spamassassin section which adds note about possible
large amount of error messages sent to email. LP: #165184 (Adam Sommer)
- Removed OpenNebula section (Adam Sommer)
- Removed eBox section (Adam Sommer)
- Reviewed and updated User Management and Console Security sections
(Adam Sommer)
- Fixed spelling typo of dyngroup.schema, fixed ldapscripts <ask> example
explanation, and ldapscripts example template path. LP: #595001
(Adam Sommer)
- Updates to UEC sections (Adam Sommer)
- New "First Boot" section covering clout-init functionality (Adam Sommer)
- Fix broken links to installation-guide, add distro-rev-short
entity, LP: #575961
* Windows:
- Change wording of windows/
-- Matthew East <email address hidden> Sat, 14 Aug 2010 22:35:52 +0100
Changed in ubuntu-docs (Ubuntu): | |
status: | Fix Committed → Fix Released |
Thomas "Tanghus" Olsen (tanghus) wrote : | #11 |
The guide at https:/
I applied the step in comment #5 but importing the example ldif gives "ldap_bind: Invalid credentials (49)"
Mauro (mauromol) wrote : | #12 |
This issue still exists in Ubuntu 16.04 and I don't think it's just a documentation problem.
In order to add a new schema (dn: cn=myNewSchema,
http://
In fact, the LDAP admin user (Manager) is not allowed to add new schemas: the returned error is:
ldap_add: Insufficient access (50)
So, I think the Ubuntu configuration scripts are still missing some steps when configuring the OpenLDAP server package.
Should I open a new bug?
Gunnar Hjalmarsson (gunnarhj) wrote : | #13 |
On 2017-04-03 18:14, Mauro wrote:
> Should I open a new bug?
Yes, please. You can file it against the server guide for now:
Thanks for reporting this bug and helping make Ubuntu better. Actually the ldapadd command should have a -b dc=example,dc=com (or the basedn of your directory). I must have set the BASE option in /etc/ldap/ldap.conf before using that command.
Using the -b should allow you to not have to sudo su openldap, can you give it a try to double check and comment?
Thanks again.