# Openldap Installation: Invalid credentials error

## Nadie

Hi there! I'm just following this howto:

http://gentoo-wiki.com/HOWTO_LDAPv3

And I'm stuck when testing the domain with user account authentication:

```
ldapsearch -d 128 -Hldap://darkness.occult.com.ar -b "" -s base -D "cn=admin,dc=darkness,dc=occult,dc=com,dc=ar" -W
```

gives this error:

```
Enter LDAP Password:
request done: ld 0x8058dc0 msgid 1
SASL/DIGEST-MD5 authentication started
request done: ld 0x8058dc0 msgid 2
request done: ld 0x8058dc0 msgid 3
ldap_sasl_interactive_bind_s: Invalid credentials (49)
        additional info: SASL(-13): user not found: no secret in database
```

Here goes my slapd.conf file:

```
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#

# Include the needed data schemes
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/sudo.schema
include         /etc/openldap/schema/misc.schema
include         /etc/openldap/schema/krb5-kdc.schema # google for this schema

# Use crypt to hash the passwords
password-hash   {crypt}

# Define SSL and TLS properties (optional)
TLSCertificateFile /etc/ssl/ldap.pem
TLSCertificateKeyFile /etc/openldap/ldap-key.pem
#TLSCACertificateFile /etc/ssl/ldap.pem

# you should set the loglevel to 256 initially, this will give you
# some good hints when debugging problems. Read man slapd.conf what the loglevel
# directive will give you
loglevel 256

pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args

sasl-regexp
          uid=admin,cn=.*,cn=auth
          cn=admin,dc=ooccult,dc=com,dc=ar

# Load dynamic backend modules:
modulepath      /usr/lib/openldap/openldap
# moduleload    back_shell.so
# moduleload    back_relay.so
# moduleload    back_perl.so
# moduleload    back_passwd.so
# moduleload    back_null.so
# moduleload    back_monitor.so
# moduleload    back_meta.so
moduleload      back_hdb.so
# moduleload    back_dnssrv.so

# Sample security restrictions
#       Require integrity protection (prevent hijacking)

# allow read access of root DSE
access to dn="" by * read

# deny all other access
access to * by * none

# Allow users to authenticate/update their password.
access to attrs=userPassword
        by anonymous auth
        by self write

#######################################################################
# BDB database definitions
#######################################################################

database        hdb
suffix          "dc=occult,dc=com,dc=ar"
checkpoint      32      30 # <kbyte> <min>
rootdn          "cn=admin,dc=occult,dc=com,dc=ar"
directory       /var/lib/openldap-data

# Indices to maintain
index   objectClass     eq

rootpw {MD5}encriptedpass
```

This is my ldap.conf:

> #
> # LDAP Defaults
> ...

This is my /etc/conf.d/slapd:

> # conf.d file for openldap
> #
> ...

And, finally, there is my database:

> dn: dc=occult,dc=com,dc=ar
> objectclass: organization
> ...

So...any ideas? Any help would be greatly appreciated..TIA!!!

----------

## smerf

Have you tried simple bind (without SASL, -x)?

----------

## Nadie

Thanks for your answer! :)

This is the result:

> ldapsearch -d 128 -Hldap://darkness.occult.com.ar -b "" -s base -x -D "cn=admin,dc=darkness,dc=occult,dc=com,dc=ar" -W
> Enter LDAP Password:
> request done: ld 0x8058de0 msgid 1
> ...

Any ideas...?

----------

## smerf

Inside your config: "cn=admin,dc=occult,dc=com,dc=ar"

What happened to 'darkness'?

----------

## Nadie

Darkness is the hostname running openldap... should it be there also?

(thanks again =) )

----------

## smerf

Seems that you're trying to authenticate yourself as

cn=admin,dc=darkness,dc=occult,dc=com,dc=ar

However you don't have such DN in your database... but only

cn=admin,dc=occult,dc=com,dc=ar

It does not matter what 'darkness' means in this context...

You don't have to use domain names at all...

cn=boss,o=CIA,c=USA is fine

(okay, it has some implications, but at least not for authentication)

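The DN check smerf describes can be done mechanically. The following is an added example, not code from this thread or from OpenLDAP: it parses the DNs from the posted slapd.conf, classifies a simple-bind (-x) DN the way slapd resolves it (rootdn, existing entry, missing entry under the suffix, or outside the suffix) and applies the posted sasl-regexp line to a DIGEST-MD5 authentication identity. The set of existing entries is constructed from the visible part of the posted LDIF; the authentication identity `uid=admin,cn=digest-md5,cn=auth` is an assumed value of the form slapd builds for SASL binds.

```python
import re

# Values taken from the slapd.conf and ldapsearch commands posted in this thread.
SUFFIX = "dc=occult,dc=com,dc=ar"
ROOTDN = "cn=admin,dc=occult,dc=com,dc=ar"
SASL_REGEXP = ("uid=admin,cn=.*,cn=auth", "cn=admin,dc=ooccult,dc=com,dc=ar")
# Constructed from the visible part of the posted LDIF (the rest is truncated).
EXISTING_ENTRIES = {"dc=occult,dc=com,dc=ar"}


def parse_dn(dn):
    """Split a DN into normalised (attr, value) RDN pairs, most specific first.
    Handles the plain, unescaped DNs used in this thread (no '\\,' escapes)."""
    rdns = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns


def is_under_suffix(dn, suffix=SUFFIX):
    """True if dn equals the suffix or ends with the suffix's RDNs."""
    d, s = parse_dn(dn), parse_dn(suffix)
    return len(d) >= len(s) and d[-len(s):] == s


def diagnose_simple_bind(bind_dn, rootdn=ROOTDN, suffix=SUFFIX, entries=EXISTING_ENTRIES):
    """Classify a simple-bind (-x) DN: the rootdn, an existing entry,
    a missing entry under the suffix, or a DN no database here serves."""
    target = parse_dn(bind_dn)
    if target == parse_dn(rootdn):
        return "rootdn"
    if not is_under_suffix(bind_dn, suffix):
        return "outside-suffix"
    if any(target == parse_dn(e) for e in entries):
        return "entry"
    return "no-such-entry"


def apply_sasl_regexp(authcid, rule=SASL_REGEXP):
    """Map a SASL authentication identity through one sasl-regexp line.
    slapd writes back-references as $1, $2; translate them to Python's \\1.
    With the posted rule the result spells dc=ooccult, which is_under_suffix()
    reports as outside the database suffix dc=occult,dc=com,dc=ar."""
    pattern, replacement = rule
    m = re.fullmatch(pattern, authcid)
    if not m:
        return None
    return m.expand(re.sub(r"\$(\d)", r"\\\1", replacement))
```

Running `diagnose_simple_bind` on the two bind DNs from the thread returns `no-such-entry` for the one with `dc=darkness` and `rootdn` without it.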
----------

## Nadie

Oh, thanks a lot. When I added the dc=darkness to the slapd.conf, I got this:

```
ldapsearch -d 128 -Hldap://darkness.occult.com.ar -b "" -s base -x -D "cn=admin,dc=darkness,dc=occult,dc=com,dc=ar" -W
Enter LDAP Password:
request done: ld 0x8058de0 msgid 1
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: ALL
#

#
dn:
objectClass: top
objectClass: OpenLDAProotDSE

request done: ld 0x8058de0 msgid 2
# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
```

But then, when I try with SASL I get this one:

```
ldapsearch -d 128 -Hldap://darkness.occult.com.ar -b "" -s base -D "cn=admin,dc=darkness,dc=occult,dc=com,dc=ar" -W
Enter LDAP Password:
request done: ld 0x8058de0 msgid 1
SASL/DIGEST-MD5 authentication started
request done: ld 0x8058de0 msgid 2
request done: ld 0x8058de0 msgid 3
ldap_sasl_interactive_bind_s: Invalid credentials (49)
        additional info: SASL(-13): user not found: no secret in database
```

I will try removing darkness (the host) from the sasld.conf file tomorrow and I will see... but since the howto (both gentoo and gentoo-wikihow) mentioned that the host must be present, I added it.

Thanks a lot again, I will update my configs and post my results =)

----------

## Nadie

```
ldap_sasl_interactive_bind_s: Invalid credentials (49)
        additional info: SASL(-13): user not found: no secret in database
```

Same problem. Removing dc=darkness from the ldapsearch solves the issue with basic authentication, but not with SASL... any ideas?

----------

## rogerx

*Nadie wrote:*

> ```
> ldap_sasl_interactive_bind_s: Invalid credentials (49)
> ...
> ```

I'm following the Gentoo howto/wiki also and am getting this same exact scenario with md5/gss auth too.  "-x" works as seen above. :-/

This seems like a bug with the howto/wiki.  Please update!
