[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Invalid credentials



At 05:35 AM 12/21/2005, Alain Williams wrote:
>Old machine: openldap2-2.0.23   SUSE: Sles8
>New machine: openldap2-2.2.6    SUSE: Sles9

2.2.6 is quite old.  Since 2.2 will soon be declared historic,
you should consider upgrading to the latest 2.3 release.

You might check the FAQ for differences between 2.0&2.1,
2.1&2.2, and 2.2&2.3.

>I notice that /etc/openldap/schema/core.schema now (2.2) has commented out:
>        attributetype ( 2.5.4.35 NAME 'userPassword'
>but if I comment it back in openldap complains of duplicate attributeType.
>I think that that is a red herring.

Yes. userPassword, like a number of other schema elements used
by the server, are built into the server.

>If I try and authenticate with that user (this works on the old machine):
>        ldapsearch -LLL -b dc=example,dc=uk -D uid=testuser,dc=example,dc=uk -x -w password
>it fails on the new system with:
>        ldap_bind: Invalid credentials (49)
>
>If (on the new system) I set the password on my testuser to (using slapadd):
>        userPassword:: cGFzc3dvcmQ=
>(also for 'password') authentication works properly.
>I can't remember how I generated the above string, it is set for the cyrus user.
>
>/etc/ldap.conf is the same on both machines.

Note that OpenLDAP Software's ldap.conf(5) is normally located
in $PREFIX/etc/openldap/ldap.conf (where $PREFIX is the install
prefix, possibly "").

>/etc/slapd.conf contains (on both machines)
>        password-hash   {smd5}
>
>
>I set 'loglevel -1' and I get in syslog messages (date, etc removed):
>
>        >>> dnPrettyNormal: <uid=testuser,dc=example,dc=uk>
>        <<< dnPrettyNormal: <uid=testuser,dc=example,dc=uk>, <uid=testuser,dc=example,dc=uk>
>        do_bind: version=3 dn="uid=testuser,dc=example,dc=uk" method=128
>        conn=7 op=0 BIND dn="uid=testuser,dc=example,dc=uk" method=128
>        ==> ldbm_back_bind: dn: uid=testuser,dc=example,dc=uk
>        dn2entry_r: dn: "uid=testuser,dc=example,dc=uk"
>        => dn2id( "uid=testuser,dc=example,dc=uk" )
>        ====> cache_find_entry_ndn2id("uid=testuser,dc=example,dc=uk"): 19 (1 tries)
>        <= dn2id 19 (in cache)
>        => id2entry_r( 19 )
>        ====> cache_find_entry_id( 19 ) "uid=testuser,dc=example,dc=uk" (found) (1 tries)
>        <= id2entry_r( 19 ) 0x817a160 (cache)
>        => access_allowed: auth access to "uid=testuser,dc=example,dc=uk" "userPassword" requested
>        => acl_get: [1] check attr userPassword
>        <= acl_get: [1] acl uid=testuser,dc=example,dc=uk attr: userPassword
>        => acl_mask: access to entry "uid=testuser,dc=example,dc=uk", attr "userPassword" requested
>        => acl_mask: to all values by "", (=n)
>        <= check a_dn_pat: anonymous
>        <= acl_mask: [1] applying auth(=x) (stop)
>        <= acl_mask: [1] mask: auth(=x)
>        => access_allowed: auth access granted by auth(=x)
>***
>        send_ldap_result: conn=7 op=0 p=3
>        send_ldap_result: err=49 matched="" text=""
>        send_ldap_response: msgid=1 tag=97 err=49
>        conn=7 op=0 RESULT tag=97 err=49 text=
>        ====> cache_return_entry_r( 19 ): returned (0)
>        daemon: select: listen=6 active_threads=0 tvp=NULL
>        daemon: select: listen=7 active_threads=0 tvp=NULL
>        daemon: activity on 1 descriptors
>        daemon: activity on:
>        9r
>
>>From what I understand from the above (near '***') it decides that testuser is allowed to try to auth,
>but 2 lines later goes 49 (== invalid credentials), unfortunately it gives me no clue as to what it is about
>the credentials that is wrong.
>I find that puzzling since the credentals work on the old system.

Assuming the user data is the same on both systems, I would
guess that the new system might not be configured to support
{smd5} password hashes.

But, if so, the new systems should have complained when you
specified "password-hash {smd5}" in its slapd.conf(5) file.

So, I suspect either the user actually isn't providing the
correct password (which you can check by examining its
Bind request as presented in the logs) or that the
value of userPassword is incorrect (which you can
write a little program to check).


>I am at a loss .... has anyone got pointers please.
>
>TIA
>
>-- 
>Alain Williams
>Parliament Hill Computers Ltd.
>Linux Consultant - Mail systems, Web sites, Networking, Programmer, IT Lecturer.
>+44 (0) 787 668 0256  http://www.phcomp.co.uk/
>
>#include <std_disclaimer.h>