# [SOLVED - incorrect default config] Can't log into LDAP

## stdPikachu

After struggling manfully with Kerberos and NFS4 in an effort to get myself a nice single-sign-on system running on my LAN, I have hit a brick wall with LDAP.

I seem to have successfully configured slapd to start without error now, but I cannot log in in order to start populating my database (I have no idea what to populate it with, but I'll burn that bridge when I come to it).

When I try to connect to it initially, the following happens:

```
prospero ~ # ldapsearch -x -D "cn=Manager,dc=snafu,dc=local" -h prospero.snafu.local -W
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
```

The rootdn password was created by passing "secret" through slappasswd. /etc/openldap and /var/lib/openldap are fully readable/writable by ldap:ldap. Here's my slapd.conf:

```
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include         /etc/openldap/schema/core.schema

# Custom includes
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/krb5-kdc.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/samba.schema

password-hash   {Md5}

# Define global ACLs to disable default read access.
#access to * by self wrote by * read
#defaultaccess  none
#access to attr=userPassword
#       by dn="cn=Manager,dc=snafu,dc=local" write
#       by self write
#       by * auth
#access to *
#       by dn="cn=Manager,dc=snafu,dc=local" write
#       by users write
#       by self write
#       by * auth

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral       ldap://root.openldap.org

pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args
logfile         /var/log/ldap/slapd.log
loglevel        256

# Define SASL stuff
#sasl-realm     SNAFU.LOCAL
#sasl-host      prospero.snafu.local

TLSCertificateFile      /etc/openldap/ssl/prospero_crt.pem
TLSCertificateKeyFile   /etc/openldap/ssl/prospero_key.pem
TLSCACertificateFile    /etc/openldap/ssl/cacert.pem

# Set idle timeout
idletimeout 3600

# Load dynamic backend modules:
# modulepath    /usr/lib/openldap/openldap
# moduleload    back_bdb.la
# moduleload    back_ldap.la
# moduleload    back_ldbm.la
# moduleload    back_passwd.la
# moduleload    back_shell.la

# Sample security restrictions
#       Require integrity protection (prevent hijacking)
#       Require 112-bit (3DES or better) encryption for updates
#       Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64

# Sample access control policy:
#       Root DSE: allow anyone to read it
#       Subschema (sub)entry DSE: allow anyone to read it
#       Other DSEs:
#               Allow self write access
#               Allow authenticated users read access
#               Allow anonymous users to authenticate
#       Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
#       by self write
#       by users read
#       by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn.  (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!

#######################################################################
# BDB database definitions
#######################################################################

#database       ldbm
database        bdb
checkpoint      32      30 # <kbyte> <min>
suffix          "dc=snafu,dc=local"
rootdn          "cn=Manager,dc=snafu,dc=local"
# Cleartext passwords, especially for the rootdn, should
# be avoid.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
#rootpw         {SSHA}Sl/TUKDwwjABQ1xzOFBmCJDzHX8ayisH
#rootpw         {SSHA}TxeX3LAa1bY508bUdkmX6tZ4xGNN2CF7
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory       /var/lib/openldap-data
# Indices to maintain
index   objectClass     eq

rootpw {MD5}Xr4ilOzQ4PCOq3aQ0qbuaQ==
#rootpw secret
#rootpw {SSHA}s+SIiqENSMua21HkyQcouc2JJjMAI5TP
```

I have changed the rootdn password several times and have never been able to log in with it. Turning up the debug level gives no indication to me of what's going wrong, but maybe you need to be able to reference memory in your head in order to set up an LDAP server:

```
prospero ~ # ldapsearch -x -D "cn=Manager,dc=snafu,dc=local" -h prospero.snafu.local -W -d 255
ldap_create
ldap_url_parse_ext(ldap://prospero.snafu.local)
Enter LDAP Password:
ldap_bind
ldap_simple_bind
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP prospero.snafu.local:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 192.168.1.30:389
ldap_connect_timeout: fd: 3 tm: -1 async: 0
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_dump: buf=0x0805f3b8 ptr=0x0805f3b8 end=0x0805f3e8 len=48
  0000:  30 2e 02 01 01 60 29 02  01 03 04 1c 63 6e 3d 4d   0....`).....cn=M
  0010:  61 6e 61 67 65 72 2c 64  63 3d 73 6e 61 66 75 2c   anager,dc=snafu,
  0020:  64 63 3d 6c 6f 63 61 6c  80 06 73 65 63 72 65 74   dc=local..secret
ber_scanf fmt ({i) ber:
ber_dump: buf=0x0805f3b8 ptr=0x0805f3bd end=0x0805f3e8 len=43
  0000:  60 29 02 01 03 04 1c 63  6e 3d 4d 61 6e 61 67 65   `).....cn=Manage
  0010:  72 2c 64 63 3d 73 6e 61  66 75 2c 64 63 3d 6c 6f   r,dc=snafu,dc=lo
  0020:  63 61 6c 80 06 73 65 63  72 65 74                  cal..secret
ber_flush: 48 bytes to sd 3
  0000:  30 2e 02 01 01 60 29 02  01 03 04 1c 63 6e 3d 4d   0....`).....cn=M
  0010:  61 6e 61 67 65 72 2c 64  63 3d 73 6e 61 66 75 2c   anager,dc=snafu,
  0020:  64 63 3d 6c 6f 63 61 6c  80 06 73 65 63 72 65 74   dc=local..secret
ldap_write: want=48, written=48
  0000:  30 2e 02 01 01 60 29 02  01 03 04 1c 63 6e 3d 4d   0....`).....cn=M
  0010:  61 6e 61 67 65 72 2c 64  63 3d 73 6e 61 66 75 2c   anager,dc=snafu,
  0020:  64 63 3d 6c 6f 63 61 6c  80 06 73 65 63 72 65 74   dc=local..secret
ldap_result ld 0x8056ed8 msgid 1
ldap_chkResponseList ld 0x8056ed8 msgid 1 all 1
ldap_chkResponseList returns ld 0x8056ed8 NULL
wait4msg ld 0x8056ed8 msgid 1 (infinite timeout)
wait4msg continue ld 0x8056ed8 msgid 1 all 1
** ld 0x8056ed8 Connections:
* host: prospero.snafu.local  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Tue Apr 24 12:09:45 2007
** ld 0x8056ed8 Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
** ld 0x8056ed8 Response Queue:
   Empty
ldap_chkResponseList ld 0x8056ed8 msgid 1 all 1
ldap_chkResponseList returns ld 0x8056ed8 NULL
ldap_int_select
read1msg: ld 0x8056ed8 msgid 1 all 1
ber_get_next
ldap_read: want=8, got=8
  0000:  30 0c 02 01 01 61 07 0a                            0....a..
ldap_read: want=6, got=6
  0000:  01 31 04 00 04 00                                  .1....
ber_get_next: tag 0x30 len 12 contents:
ber_dump: buf=0x0805f2d0 ptr=0x0805f2d0 end=0x0805f2dc len=12
  0000:  02 01 01 61 07 0a 01 31  04 00 04 00               ...a...1....
read1msg: ld 0x8056ed8 msgid 1 message type bind
ber_scanf fmt ({eaa) ber:
ber_dump: buf=0x0805f2d0 ptr=0x0805f2d3 end=0x0805f2dc len=9
  0000:  61 07 0a 01 31 04 00 04  00                        a...1....
read1msg: ld 0x8056ed8 0 new referrals
read1msg:  mark request completed, ld 0x8056ed8 msgid 1
request done: ld 0x8056ed8 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_free_connection 0 1
ldap_free_connection: refcnt 1
ldap_parse_result
ber_scanf fmt ({iaa) ber:
ber_dump: buf=0x0805f2d0 ptr=0x0805f2d3 end=0x0805f2dc len=9
  0000:  61 07 0a 01 31 04 00 04  00                        a...1....
ber_scanf fmt (}) ber:
ber_dump: buf=0x0805f2d0 ptr=0x0805f2dc end=0x0805f2dc len=0
ldap_msgfree
ldap_err2string
ldap_bind: Invalid credentials (49)
```

If anyone has a clue where I'm going wrong I'd be much obliged. I'm not even trying to tie this all together with replication, Kerberos or SSL yet, as this seems like a fairly major stumbling block. Helpfully, slapd.log has remained resolutely empty during this entire process.

As an aside, is it just me who finds most LDAP documentation absolutely appalling? It all seems to presume you know exactly what you're doing, and more importantly exactly what OpenLDAP is doing, like pretty much every "advanced" application in UNIX... to be brutally honest I can see why ActiveDirectory is so popular...

Last edited by stdPikachu on Thu Apr 26, 2007 3:37 pm; edited 2 times in total
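One thing worth ruling out early in a bind failure like this is the credential itself: a `rootpw` line holds a slappasswd(8)-style value such as `{MD5}base64(md5(password))` or `{SSHA}base64(sha1(password + salt) + salt)`, and it can be checked offline against the cleartext without touching the server. The script below is an added example, not code from this thread or from OpenLDAP; it reimplements the `{MD5}`, `{SHA}`, `{SMD5}` and `{SSHA}` encodings that slappasswd emits, and `effective_rootpw`, which picks the last uncommented `rootpw` line the way slapd.conf parsing does, is a hypothetical helper operating on a slapd.conf snippet constructed for the example.

```python
"""Check an OpenLDAP rootpw / userPassword value against a cleartext password.

Added example (not from the forum thread). Reimplements the hash encodings
that slappasswd(8) produces so a suspect rootpw can be verified offline.
"""
import base64
import hashlib
import hmac
import os
import re

# scheme -> (hashlib algorithm, digest length in bytes, salted?)
SCHEMES = {
    "MD5": ("md5", 16, False),
    "SHA": ("sha1", 20, False),
    "SMD5": ("md5", 16, True),
    "SSHA": ("sha1", 20, True),
}


def make_ldap_hash(password, scheme="SSHA", salt=None):
    """Produce a slappasswd-style value, e.g. {SSHA}base64(digest + salt)."""
    algo, _, salted = SCHEMES[scheme]
    pw = password.encode("utf-8")
    if salted:
        salt = os.urandom(4) if salt is None else salt  # slappasswd uses a 4-byte salt
    else:
        salt = b""
    digest = hashlib.new(algo, pw + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode("ascii"))


def verify_ldap_password(password, stored):
    """Return True if `password` matches the stored rootpw/userPassword value."""
    stored = stored.strip()
    m = re.fullmatch(r"\{([A-Za-z0-9]+)\}(.*)", stored, re.DOTALL)
    if m is None:
        # No {SCHEME} prefix: slapd compares the value as cleartext.
        return hmac.compare_digest(password.encode("utf-8"), stored.encode("utf-8"))
    scheme, payload = m.group(1).upper(), m.group(2)
    if scheme == "CLEARTEXT":
        return hmac.compare_digest(password.encode("utf-8"), payload.encode("utf-8"))
    if scheme not in SCHEMES:
        raise ValueError("unsupported password scheme: " + scheme)
    algo, dlen, salted = SCHEMES[scheme]
    try:
        raw = base64.b64decode(payload, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    digest, salt = raw[:dlen], raw[dlen:]
    if len(digest) != dlen or (salt and not salted):
        return False  # malformed value: wrong length or salt on an unsalted scheme
    expected = hashlib.new(algo, password.encode("utf-8") + salt).digest()
    # Constant-time comparison, as a password check should use.
    return hmac.compare_digest(expected, digest)


ROOTPW_RE = re.compile(r"^\s*rootpw\s+(\S.*?)\s*$", re.MULTILINE)


def effective_rootpw(slapd_conf_text):
    """Return the rootpw value slapd would use: commented lines are ignored and,
    if several uncommented ones exist, the last one wins (None if there is none)."""
    matches = ROOTPW_RE.findall(slapd_conf_text)
    return matches[-1].strip('"') if matches else None


# Constructed slapd.conf fragment modelled on the thread's database section.
SAMPLE_CONF = """
database        bdb
suffix          "dc=example,dc=local"
rootdn          "cn=Manager,dc=example,dc=local"
#rootpw         {SSHA}Sl/TUKDwwjABQ1xzOFBmCJDzHX8ayisH
rootpw {MD5}Xr4ilOzQ4PCOq3aQ0qbuaQ==
#rootpw secret
"""

if __name__ == "__main__":
    value = effective_rootpw(SAMPLE_CONF)
    print("effective rootpw:", value)
    print("matches 'secret':", verify_ldap_password("secret", value))
    print("fresh SSHA value:", make_ldap_hash("secret", "SSHA"))
```

Run against the `rootpw` line in the first post, `verify_ldap_password("secret", "{MD5}Xr4ilOzQ4PCOq3aQ0qbuaQ==")` returns True: the hash was a correct encoding of "secret" all along, which points the investigation away from the password and towards whether the server is reading that file at all.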

----------

## stdPikachu

Any takers on this?

As far as I can tell from the LDAP documentation (most specifically man slapd.conf), if a rootdn and a rootpw are supplied in slapd.conf I should be able to log into LDAP without any other form of authentication needed. As slapd produces absolutely no log output whatsoever I am completely in the dark here (and according to man slapd.conf there's no such config directive as logfile, which is entered into the Gentoo default slapd.conf). Is the Gentoo version of OpenLDAP broken in some non-obvious way?

Turning on any form of debug seems to generate nothing but a cryptic map of nonsense... surely LDAP setup can't be this impossible?!

----------

## stdPikachu

OK, some progress of sorts.

After reconfiguring syslog-ng.conf to properly log LDAP stuff:

```
destination ldap { file("/var/log/ldap/slapd.log"); };
filter f_ldap { program("slapd"); };
log { source(src); filter(f_ldap); destination(ldap); };
```

I was able to make more sense of the errors. What piqued my interest were these snippets:

```
Apr 26 14:20:40 prospero slapd[9303]: @(#) $OpenLDAP: slapd 2.3.30 (Apr 25 2007 18:50:27) $     root@prospero.snafu.local:/var/tmp/portage/net-nds/openldap-2.3.30-r2/work/openldap-2.3.30/servers/slapd
Apr 26 14:20:40 prospero slapd[9303]: auxpropfunc error invalid parameter supplied
Apr 26 14:20:40 prospero slapd[9303]: _sasl_plugin_load failed on sasl_auxprop_plug_init for plugin: ldapdb
Apr 26 14:20:40 prospero slapd[9303]: SQL engine 'mysql' not supported
Apr 26 14:20:40 prospero slapd[9303]: auxpropfunc error no mechanism available
Apr 26 14:20:40 prospero slapd[9303]: _sasl_plugin_load failed on sasl_auxprop_plug_init for plugin: sql
Apr 26 14:20:40 prospero slapd[9304]: ldbm: ==> unrecognized name-value pair: directory
Apr 26 14:20:40 prospero slapd[9304]: ldbm_initialize_env(): FATAL error in dbEnv->open() : Invalid argument (22)
Apr 26 14:20:40 prospero slapd[9304]: slapd starting
Apr 26 14:24:27 prospero slapd[9304]: daemon: shutdown requested and initiated.
Apr 26 14:24:27 prospero slapd[9304]: slapd shutdown: waiting for 0 threads to terminate
Apr 26 14:24:27 prospero slapd[9304]: slapd stopped.
```

It appeared that slapd was trying to use the deprecated LDBM as a DB rather than the BDB I'd configured in my slapd.conf. So I reasoned that slapd was sourcing the wrong config file at startup, leading me to specify the correct one:

```
prospero ~ # cat /etc/conf.d/slapd
#export KRB5_KTNAME=/etc/openldap/ldap.keytab
OPTS="-f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d -h 'ldap:// ldapi://%2fvar%2frun%2fopenldap%2fslapd.sock'"
```

Now when I try to start slapd, it definitely tries to use BDB:

```
Apr 26 14:27:12 prospero slapd[9639]: @(#) $OpenLDAP: slapd 2.3.30 (Apr 25 2007 18:50:27) $     root@prospero.snafu.local:/var/tmp/portage/net-nds/openldap-2.3.30-r2/work/openldap-2.3.30/servers/slapd
Apr 26 14:27:12 prospero slapd[9639]: auxpropfunc error invalid parameter supplied
Apr 26 14:27:12 prospero slapd[9639]: _sasl_plugin_load failed on sasl_auxprop_plug_init for plugin: ldapdb
Apr 26 14:27:12 prospero slapd[9639]: SQL engine 'mysql' not supported
Apr 26 14:27:12 prospero slapd[9639]: auxpropfunc error no mechanism available
Apr 26 14:27:12 prospero slapd[9639]: _sasl_plugin_load failed on sasl_auxprop_plug_init for plugin: sql
Apr 26 14:27:12 prospero slapd[9640]: bdb(dc=snafu,dc=local): unrecognized name-value pair: directory
Apr 26 14:27:12 prospero slapd[9640]: bdb_db_open: Database cannot be opened, err 22. Restore from backup!
Apr 26 14:27:12 prospero slapd[9640]: bdb(dc=snafu,dc=local): DB_ENV->lock_id_free interface requires an environment configured for the locking subsystem
Apr 26 14:27:12 prospero slapd[9640]: bdb(dc=snafu,dc=local): txn_checkpoint interface requires an environment configured for the transaction subsystem
Apr 26 14:27:12 prospero slapd[9640]: bdb_db_close: txn_checkpoint failed: Invalid argument (22)
Apr 26 14:27:12 prospero slapd[9640]: backend_startup_one: bi_db_open failed! (22)
Apr 26 14:27:12 prospero slapd[9640]: bdb_db_close: alock_close failed
Apr 26 14:27:12 prospero slapd[9640]: slapd stopped.
Apr 26 14:27:12 prospero slapd[9640]: connections_destroy: nothing to destroy.
```

Does anyone have a clue about these errors? Alternatively, does anyone know why the default Gentoo OpenLDAP setup seems to be b0rken?

Off to go and see what I can find about these BDB errors for now, victory is so close I can almost taste it!

----------

## stdPikachu

Success!

The database opening error was due to a typo (commenting out the wrong line) in /var/lib/openldap-data/DB_CONFIG.

LDAP was starting with the wrong options because the Gentoo default install sources /etc/openldap/slapd.d/ as the config, NOT /etc/openldap/slapd.conf. This needs to be changed a la my /etc/conf.d/slapd:

```
# conf.d file for openldap
#
# To enable both the standard unciphered server and the ssl encrypted
# one uncomment this line or set any other server starting options
# you may desire.
#
# OPTS="-h 'ldaps:// ldap:// ldapi://%2fvar%2frun%2fopenldap%2fslapd.sock'"

# Uncomment the below to use the new slapd configuration for openldap 2.3
#export KRB5_KTNAME=/etc/openldap/ldap.keytab
#OPTS="-f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d -h 'ldap:// ldapi://%2fvar%2frun%2fopenldap%2fslapd.sock'"
OPTS="-f /etc/openldap/slapd.conf -h 'ldap:// ldapi://%2fvar%2frun%2fopenldap%2fslapd.sock'"
```

Seems to me that the gentoo package and assorted docs could do with some updating...

Anyway, I can now successfully log into my LDAP server, time to start adding some data!

```
prospero ~ # ldapsearch -x -D "cn=root, dc=snafu, dc=local" -W
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 32 No such object

# numResponses: 1
```
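The root cause above is which configuration source slapd actually reads, and that is decided by the `-f` / `-F` flags in `OPTS`. Per slapd(8): with only `-f` the slapd.conf file is used; with only `-F` the cn=config directory is used; with both, slapd.conf is converted into the directory, and if that directory is already populated it takes precedence over the file; with neither, the default directory is tried before the default file. The script below is an added example, not code from the thread or from Gentoo's OpenLDAP package; `slapd_config_mode` and `slapd_d_populated` are hypothetical helpers, and the path it inspects defaults to `/etc/conf.d/slapd` only as an assumption about the layout shown above.

```sh
#!/bin/sh
# Added example (not from the forum thread): report which configuration
# source an OpenLDAP 2.3 slapd will use, based on the -f / -F flags in the
# OPTS= line of a Gentoo-style /etc/conf.d/slapd file.

# Print one of: slapd.conf | slapd.d | both | default
slapd_config_mode() {
    conf_d_file=$1
    # Last uncommented OPTS= assignment wins, as it would when the shell
    # sources the file; strip the surrounding double quotes.
    opts=$(sed -n 's/^[[:space:]]*OPTS=//p' "$conf_d_file" | tail -n 1 | tr -d '"')
    has_f=no
    has_F=no
    # Deliberately word-split the OPTS string into the daemon's arguments.
    set -- $opts
    for arg in "$@"; do
        case "$arg" in
            -f) has_f=yes ;;
            -F) has_F=yes ;;
        esac
    done
    if [ "$has_f" = yes ] && [ "$has_F" = yes ]; then
        echo both
    elif [ "$has_f" = yes ]; then
        echo slapd.conf
    elif [ "$has_F" = yes ]; then
        echo slapd.d
    else
        echo default
    fi
}

# Succeed if a cn=config directory already holds a converted configuration
# (slapd writes cn=config.ldif at its top level), which is the case in which
# slapd.conf gets ignored even though -f names it.
slapd_d_populated() {
    [ -f "$1/cn=config.ldif" ]
}

# Explain the consequence of the detected mode for a given slapd.d directory.
slapd_explain() {
    mode=$(slapd_config_mode "$1")
    case "$mode" in
        both)
            if slapd_d_populated "$2"; then
                echo "both flags set and $2 is populated: slapd.conf is ignored"
            else
                echo "both flags set: slapd.conf will be converted into $2"
            fi ;;
        slapd.conf) echo "only -f set: slapd.conf is the live configuration" ;;
        slapd.d)    echo "only -F set: $2 is the live configuration" ;;
        default)    echo "no flags: default slapd.d is tried before default slapd.conf" ;;
    esac
}

# Stand-alone usage (assumed paths; skipped when the file is absent).
conf_d=${SLAPD_CONF_D:-/etc/conf.d/slapd}
if [ -f "$conf_d" ]; then
    slapd_explain "$conf_d" "${SLAPD_D_DIR:-/etc/openldap/slapd.d}"
fi
```

On the thread's first `/etc/conf.d/slapd` the script reports `both`, and with a populated `slapd.d` it says slapd.conf is ignored, which is exactly the symptom described; on the final file it reports `slapd.conf`.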

----------

## bajaguy

Thank you for pointing this out. It fixed my error.

----------

## PeGa!

You've just saved me. Thanks a lot!

----------

