# ldap_bind: Invalid credentials (49)

## Wizumwalt

I've been following this wiki in order to get LDAP working across a small cluster of nodes.

https://wiki.gentoo.org/wiki/Centralized_authentication_using_OpenLDAP

I have ldap running, used slappasswd to make a hash which is added to slapd.conf (below), but when I try to add a user, I get the following:

```
/etc/openldap$ sudo ldapadd -x -W -D "cn=Manager,dc=mylan,dc=local" -f james.ldif
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
```

Here is my ldif for the user.

```
dn: uid=james,ou=users,dc=mylan,dc=local
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: james
uid: james
uidNumber: 1000
gidNumber: 1000
homeDirectory: /home/james
loginShell: /bin/bash
gecos: james
userPassword: {crypt}x
shadowLastChange: 0
shadowMax: 0
shadowWarning: 0
```

I believe there is something wrong here, in that the domain is still my-domain and com.

```
/etc/openldap$ sudo slaptest -v -d 1 -F /etc/openldap/slapd.d/
... (snip) ...
561efc7d     2.5.13.0 (objectIdentifierMatch): 561efc7d matchingRuleUse: ( 2.5.13.0 NAME 'objectIdentifierMatch' APPLIES ( supportedControl $ supportedExtension $ supportedFeatures $ supportedApplicationContext ) )
561efc7d slaptest startup: initiated.
561efc7d backend_startup_one: starting "cn=config"
561efc7d config_back_db_open
561efc7d backend_startup_one: starting "dc=my-domain,dc=com"
561efc7d hdb_db_open: database "dc=my-domain,dc=com": dbenv_open(/var/lib/openldap-data).
config file testing succeeded
561efc7d slaptest shutdown: initiated
561efc7d ====> bdb_cache_release_all
561efc7d slaptest destroy: freeing system resources.
```

```
/etc/openldap$ sudo slaptest -f /etc/openldap/slapd.conf -F slapd.d
config file testing succeeded
```

Here is my slapd.conf.

```
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/misc.schema

# Define global ACLs to disable default read access.

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral       ldap://root.openldap.org

pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args

serverID 0
loglevel 256

## Certificate/SSL Section
TLSCipherSuite normal
TLSCACertificateFile /etc/openldap/ssl/ldap.crt
TLSCertificateFile /etc/openldap/ssl/ldap/pem
TLSCertificateKeyFile /etc/openldap/ssl/ldap.key
TLSVerifyClient never

# Load dynamic backend modules:
# modulepath    /usr/lib64/openldap/openldap
# moduleload    back_sock.so
# moduleload    back_shell.so
# moduleload    back_relay.so
# moduleload    back_perl.so
# moduleload    back_passwd.so
# moduleload    back_null.so
# moduleload    back_monitor.so
# moduleload    back_meta.so
# moduleload    back_ldap.so
# moduleload    back_dnssrv.so

# Sample security restrictions
#       Require integrity protection (prevent hijacking)
#       Require 112-bit (3DES or better) encryption for updates
#       Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64

# Sample access control policy:
#       Root DSE: allow anyone to read it
#       Subschema (sub)entry DSE: allow anyone to read it
#       Other DSEs:
#               Allow self write access
#               Allow authenticated users read access
#               Allow anonymous users to authenticate
#       Directives needed to implement policy:
access to dn.base="" by * read
access to dn.base="cn=Subschema" by * read
access to *
        by self write
        by users read
        by anonymous read
#       by self write
#       by users read
#       by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn.  (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!

#######################################################################
# BDB database definitions
#######################################################################

database        hdb
suffix          "dc=mylan,dc=local"
#         <kbyte> <min>
checkpoint      32      30
rootdn          "cn=Manager,dc=mylan,dc=local"
# Cleartext passwords, especially for the rootdn, should
# be avoid.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw         "{SSHA}aMXsx9o/AadbMQddaFL1ddLnsxdfCqbrc"
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory       /var/lib/openldap-data
# Indices to maintain
index   objectClass     eq

database        config
access to *
        by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
        by * none
```

Any help much appreciated.

Last edited by Wizumwalt on Thu Oct 29, 2015 1:47 am; edited 1 time in total

----------

## kikko

Hi Wizumwalt

I've spotted a possible typo in your config: LDAP suffix and RootDN differ:

```
suffix          "dc=myplace,dc=local"
rootdn          "cn=Manager,dc=mylan,dc=local"
```

I'm not an OpenLDAP guru, but... is that correct?

Regards

----------

## Wizumwalt

*kikko wrote:*

> but... is that correct?

Apologies, it was a typo in the post. I did edit it so that dc=mylan for both suffix and rootdn. But one thing I've noticed is that what's in the database is not mylan. It's my-domain. I think that may be the problem, but not sure how to reset it.

```
561efc7d backend_startup_one: starting "dc=my-domain,dc=com"
```

----------

## kikko

Hi Wizumwalt

"dc=my-domain,dc=com" is the default BaseDN (source: I've installed OpenLDAP)

Renaming it seems to be tricky: https://stackoverflow.com/questions/19537319/change-basedn-in-openldap (Debianish)

Regards

----------

## Wizumwalt

I now have the basedn correct and what I believe is a valid configuration. I can do an ldapsearch and see the results of my configuration from the running server.

I then create an ldif file for a normal user, enter the passwd I used when using slappasswd, and try ldapadd.

```
$ ldapadd -x -W -D "cn=james,dc=mylan,dc=local" -f james.ldif
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
```

In the slapd.conf, I have the line:

```
rootdn    "cn=admin,dc=mylan,dc=local"
```

Could this possibly be due to the need for an admin user, or something along those lines?

----------

## nativemad

Hi Wizumwalt, 

have you tried it without the quotation marks around the rootpw?

```
rootpw         {SSHA}aMXsx9o/AadbMQddaFL1ddLnsxdfCqbrc
```

That's at least what I have...

HTH, cheers

----------

## Wizumwalt

I removed the quotes in the slapd.conf file, then did ...

```
slaptest -f /etc/openldap/slapd.conf -F slapd.d
```

Then ran ldapadd again and still get ...

```
ldap_bind: Invalid credentials (49)
```

----------

## nativemad

*Wizumwalt wrote:*

> ```
> $ ldapadd -x -W -D "cn=james,dc=mylan,dc=local" -f james.ldif
> ...
> ```
 

After a second read, I guess i understand your problem...

You need the admin user to add other users! And you can't authenticate with a user that is not yet present!

You need to add at least one user with -D "cn=admin,dc=mylan,dc=local" (-D is the user to do the bind). Only after that you could set ACLs to allow that user to add others.....

You could also use slapadd to load ldifs "offline", so you won't need an authentication.

I'm not sure if you don't need to create the root node anymore through ldif!? http://etutorials.org/Server+Administration/ldap+system+administration/Part+I+LDAP+Basics/Chapter+4.+OpenLDAP+Building+a+Company+White+Pages/4.5+Adding+the+Initial+Directory+Entries/
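Two of the points above, the rootpw hash in slapd.conf (nativemad's quoting question) and loading the first entries with `slapadd` instead of an authenticated `ldapadd`, are easier to reason about with a small script in hand. The following is an added example, not code from the thread or from OpenLDAP: it reproduces the two things a simple bind as the rootdn checks (the `-D` DN must be the configured `rootdn`, and the password must verify against `rootpw`, here a `{SSHA}` value as `slappasswd` produces), so the hash in slapd.conf can be tested against the password being typed before the server is blamed, and it emits a bootstrap LDIF in parent-before-child order (suffix entry, `ou=users`, then the account) for `slapadd -l`. The slapd.conf fragment, the salts, the password "correct horse" and the user values are constructed; `conf_value` drops surrounding quotes because slapd.conf(5) accepts quoted arguments, so both `rootpw {SSHA}x` and `rootpw "{SSHA}x"` are parsed the same way.

```python
# Added example (not from the thread, not OpenLDAP code): reproduce what a
# simple bind as the rootdn checks, and emit the bootstrap LDIF for slapadd.
# The slapd.conf fragment, salts and passwords below are constructed.
import base64
import hashlib
import os
import re
import time


def make_ssha(password: str, salt: bytes = b"") -> str:
    """{SSHA} in the form slappasswd -h {SSHA} emits:
    base64(SHA1(password + salt) + salt), 4 random salt bytes by default."""
    salt = salt or os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def check_ssha(stored: str, candidate: str) -> bool:
    """True if candidate verifies against a stored {SSHA} hash."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("expected a {SSHA} hash")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes, rest is salt
    return hashlib.sha1(candidate.encode("utf-8") + salt).digest() == digest


def conf_value(conf_text: str, directive: str) -> str:
    """Value of a slapd.conf directive; surrounding quotes are dropped because
    slapd.conf(5) allows quoted arguments (rootpw "{SSHA}x" == rootpw {SSHA}x)."""
    pattern = re.compile(r"^[ \t]*%s[ \t]+(.+?)[ \t]*$" % re.escape(directive),
                         re.IGNORECASE | re.MULTILINE)
    match = pattern.search(conf_text)
    if match is None:
        raise KeyError(directive)
    return match.group(1).strip('"')


def normalize_dn(dn: str) -> str:
    """Case-fold and strip whitespace around RDN separators before comparing."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def diagnose_rootdn_bind(conf_text: str, bind_dn: str, password: str) -> str:
    """Why a rootdn bind returns 'Invalid credentials (49)': the -D value must be
    the configured rootdn, and the password must match the rootpw hash."""
    rootdn = conf_value(conf_text, "rootdn")
    if normalize_dn(bind_dn) != normalize_dn(rootdn):
        return "bind DN %r is not the configured rootdn %r" % (bind_dn, rootdn)
    if not check_ssha(conf_value(conf_text, "rootpw"), password):
        return "password does not match the rootpw hash in slapd.conf"
    return "ok"


def bootstrap_ldif(suffix: str, uid: str, uid_number: int, gid_number: int,
                   password_hash: str) -> str:
    """LDIF for `slapadd -l`: suffix entry, then ou=users, then the account.
    Parents must precede children, so the order here is fixed on purpose."""
    dc = suffix.split(",")[0].split("=", 1)[1]  # "dc=mylan,dc=local" -> "mylan"
    entries = [
        [("dn", suffix), ("objectClass", "top"), ("objectClass", "dcObject"),
         ("objectClass", "organization"), ("dc", dc), ("o", dc)],
        [("dn", "ou=users," + suffix), ("objectClass", "organizationalUnit"),
         ("ou", "users")],
        [("dn", "uid=%s,ou=users,%s" % (uid, suffix)),
         ("objectClass", "top"), ("objectClass", "account"),
         ("objectClass", "posixAccount"), ("objectClass", "shadowAccount"),
         ("cn", uid), ("uid", uid), ("uidNumber", str(uid_number)),
         ("gidNumber", str(gid_number)), ("homeDirectory", "/home/" + uid),
         ("loginShell", "/bin/bash"), ("gecos", uid),
         ("userPassword", password_hash),
         ("shadowLastChange", str(int(time.time() // 86400))),  # days since epoch
         ("shadowMax", "99999"),  # shadow(5) convention for "no forced change"
         ("shadowWarning", "7")],
    ]
    return "\n\n".join("\n".join("%s: %s" % kv for kv in e) for e in entries) + "\n"


# Constructed slapd.conf fragment; the hash is generated at import time so the
# example runs offline. "correct horse" stands in for whatever slappasswd hashed.
SAMPLE_CONF = """
suffix          "dc=mylan,dc=local"
rootdn          "cn=Manager,dc=mylan,dc=local"
rootpw          "%s"
directory       /var/lib/openldap-data
""" % make_ssha("correct horse", b"\x01\x02\x03\x04")


if __name__ == "__main__":
    for dn, pw in [("cn=Manager,dc=mylan,dc=local", "wrong password"),
                   ("cn=james,dc=mylan,dc=local", "correct horse"),
                   ("cn=Manager,dc=mylan,dc=local", "correct horse")]:
        print("%-32s -> %s" % (dn, diagnose_rootdn_bind(SAMPLE_CONF, dn, pw)))
    print(bootstrap_ldif("dc=mylan,dc=local", "james", 1000, 1000,
                         make_ssha("james-password")))
```

Run against the real slapd.conf, `diagnose_rootdn_bind(open("/etc/openldap/slapd.conf").read(), dn, pw)` separates the two failure modes seen in this thread: binding with a DN that is not the rootdn (a user entry that does not exist yet cannot authenticate either) and a rootpw hash that was generated from a different password than the one typed at the prompt. The LDIF the script prints is what `slapadd -l bootstrap.ldif` loads with slapd stopped; after that, `ldapadd -x -W -D "<rootdn>"` works for further entries, and ACLs can delegate adding users to a real account.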

----------

## Syl20

 *nativemad wrote:*   

> And you can't authenticate with a user that is not yet present!

 

Sure you can't.

 *Quote:*   

> You could also use slapadd to load ldifs "offline", so you won't need an authentication.

 

That's the usual way to populate a new directory at the first time. Much faster.

 *Quote:*   

> I'm not sure if you don't need to create the root node anymore through ldif!?

 

You don't need to. OpenLDAP does the job. You can, if you want, but you may encounter problems, like two valid passwords (one in slapd.conf, and one in the DIT)...

----------

