How to configure proper credentials in OpenLDAP

openldap

I don't understand how to configure users and passwords on the OpenLDAP server. What I describe in this question is based on a clean install of OpenLDAP 2.4 on Centos 7 (via yum).

After starting slapd I perform the command

[root@papp ~]# slapcat -n0 | grep olcRootDN
olcRootDN: cn=Manager,dc=my-domain,dc=com

This tells me that we already have a root user with the dn cn=Manager,dc=my-domain,dc=com. That user has no password set.

[root@papp ~]# slapcat -n0 | grep olcRootPW

Next I try to set the password manually:

[root@papp ~]# ldappasswd -H ldap://localhost -x -D "dn=Manager,dc=my-domain,dc=com" -W -A -S
Old password: (empty)
Re-enter old password: (empty)
New password: password
Re-enter new password: password
Enter LDAP Password: (what is that?? I use empty)
ldap_bind: Invalid DN syntax (34)
additional info: invalid DN

Which gives me an invalid DN. Why is that? I don't see an invalid DN. Does it mean that I cannot use the ldappasswd command on a clean install of OpenLDAP?

Next I try to upload a schema file

# /tmp/pass.ldif
dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: password

[root@papp ~]# ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/pass.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={0}config,cn=config"

The password has now been set, as I can confirm via

[root@papp ~]# slapcat -n0 | grep olcRootPW
olcRootPW:: cGFzc3dvcmQ=

However, a search still does not work:

ldapsearch -D "cn=Manager,dc=my-domain,dc=com" -v -x -b '' -s base  '(objectClass=*)' -w password
ldap_bind: Invalid credentials (49)

I also tried to use Apache Directory Studio to browse my LDAP tree, but I can only connect to LDAP using 'no authentication'. As soon as I use simple authentication with dn = cn=Manager,dc=my-domain,dc=com I get an authentication error (invalid credentials).

Best Answer

Well, first things first: Don't set a clear text password, even though the configuration is hashing it in some way. Use slappasswd first. Second, you can't use ldappasswd for the directory manager. Third, I'm not sure, but something tells me something else is misconfigured, and you haven't made it clear how you changed your olcRootDN.

I tried to repeat what you did, but could not reproduce the same errors or issues.

# yum install openldap-servers -y
# systemctl start slapd
# slappasswd
New password:
Re-enter new password: 
{SSHA}piJmuKxgnMh7DVBOQtCgz3/httcjc4kP

# /tmp/manager.ldif
dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=manager,dc=angelsofclockwork,dc=net
-
replace: olcRootPW
olcRootPW: {SSHA}piJmuKxgnMh7DVBOQtCgz3/httcjc4kP

# ldapmodify -QY EXTERNAL -H ldapi:/// -f /tmp/manager.ldif

# ldapsearch -D "cn=Manager,dc=bromosapien,dc=net" -v -x -b '' -s base  '(objectClass=*)' -W -h localhost
ldap_initialize( ldap://localhost )
Enter LDAP Password:
filter: (objectClass=*)
requesting: All userApplication attributes
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectClass=*)
# requesting: ALL
#

#
dn:
objectClass: top
objectClass: OpenLDAProotDSE

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

You may want to read a guide to help you walk through/understand the steps you need to take. http://www.angelsofclockwork.net/wiki/centos/openldap.html