I don't understand how to configure users and passwords on the OpenLDAP server. What I describe in this question is based on a clean install of OpenLDAP 2.4 on Centos 7 (via yum).
After starting slapd I perform the command
[root@papp ~]# slapcat -n0 | grep olcRootDN
olcRootDN: cn=Manager,dc=my-domain,dc=com
This tells me that we already have a root user with the dn cn=Manager,dc=my-domain,dc=com. That user has no password set.
[root@papp ~]# slapcat -n0 | grep olcRootPW
Next I try to set the password manually:
[root@papp ~]# ldappasswd -H ldap://localhost -x -D "dn=Manager,dc=my-domain,dc=com" -W -A -S
Old password: (empty)
Re-enter old password: (empty)
New password: password
Re-enter new password: password
Enter LDAP Password: (what is that?? I use empty)
ldap_bind: Invalid DN syntax (34)
additional info: invalid DN
Which gives me an invalid DN. Why is that? I don't see an invalid DN. Does it mean that I cannot use the ldappasswd command on a clean install of OpenLDAP?
Next I try to upload a schema file
# /tmp/pass.ldif
dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: password
[root@papp ~]# ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/pass.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={0}config,cn=config"
The password has now been set, as I can confirm via
[root@papp ~]# slapcat -n0 | grep olcRootPW
olcRootPW:: cGFzc3dvcmQ=
However, a search still does not work:
ldapsearch -D "cn=Manager,dc=my-domain,dc=com" -v -x -b '' -s base '(objectClass=*)' -w password
ldap_bind: Invalid credentials (49)
I also tried to use Apache Directory Studio to browse my LDAP tree, but I can only connect to LDAP using 'no authentication'. As soon as I use simple authentication with dn = cn=Manager,dc=my-domain,dc=com I get an authentication error (invalid credentials).
Best Answer
Well, first things first: don't set a clear text password, even though the configuration is hashing it in some way. Use slappasswd first. Second, you can't use ldappasswd for the directory manager. Third, I'm not sure, but something tells me something else is misconfigured, and you haven't made it clear how you changed your olcRootDN. I tried to repeat what you did, but could not reproduce the same errors or issues.
You may want to read a guide to help you walkthrough/understand the steps you need to take. http://www.angelsofclockwork.net/wiki/centos/openldap.html