Ldap – 389 directory server error “Operation requires a secure connection”

389-dsdirectoryldap

I have installed a directory server but I can't change the password of user. I have used this command:

[root@xxxx]# ldappasswd -x -D
"cn=directory manager" -W
"uid=xxxxx,ou=xxxx,dc=xxx,dc=xx" -S

New password:

Re-enter new password:

Enter LDAP Password:

Result: Confidentiality required (13)

Additional info: Operation requires a
secure connection.

Important: This command works on OpenLDAP, I've already tested!
Where is the error?

Thanks in advance!

Best Answer

Read the documentation on the product. It appears that by default is does require security. That is a difference between 389 and OpenLDAP. If they were supposed to be exactly the same, then no one would have bothered forking 389 off into a different project, right?

Edit -

Despite your protestation below, "Read the documentation" is a great answer, and it's clear that you didn't. The end of this page explicitly tells you that you must use TLS with ldappasswd

This operation supports Start TLS encryption (-ZZ[Z]), and you must use a secure connection for the password change operation.

Related Solutions

Ldap – 389 Directory Server Administrative Limit Exceeded error

From what I understood, you are not able to get all entries. Looks like your are hitting admin limit exceeded.

If you want to search from a non-cn=Directory manager user. you need to add some attributes to user like below.

/usr/lib64/mozldap/ldapmodify -D "cn=directory manager" -w secret -p 389 -h server.example.com

dn: uid=test2,ou=People,dc=example,dc=com
changetype: modify
add: nssizelimit
nssizelimit: -1
-
add: nslookthroughlimit
nslookthroughlimit: -1

Centos – How to add ACIs to OpenLDAP properly

Figured out that it's probably better to just do it the bdb.ldif way. What I did was like the above, but I made a few changes.

olcAccess: {0}to attrs=userPassword,shadowLastChange,loginShell by dn="cn=manager,dc=bromosapien,dc=net" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=manager,dc=bromosapien,dc=net" write by group.exact="cn=LDAPADMIN,ou=Group,dc=bromosapien,dc=net" write by * read

What I did instead was, I labeled each line with braces and a number. I also added the ability for a user to change their login shell (because I allow Bash, ksh, and zsh, we default to bash). I then created a groupOfNames container inside of the Group OU. Like this.

dn: cn=LDAPADMIN,ou=Group,dc=bromosapien,dc=net
objectClass: groupOfNames
objectClass: top
cn: LDAPADMIN
member: uid=zera,ou=People,dc=angelsofclockwork,dc=net
member: uid=sithlord,ou=People,dc=angelsofclockwork,dc=net

Of course, this requires the memberOf overlay.

The memberOf overlay I used is below:

% vi modules.ldif

dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: /usr/lib64/openldap
olcModuleLoad: memberof

% vi memberof.ldif

dn: olcOverlay=memberof,olcDatabase={2}bdb,cn=config
objectClass: olcMemberOf
objectClass: olcOverlayConfig
objectClass: olcConfig
objectClass: top
olcOverlay: memberof
olcMemberOfDangling: ignore
olcMemberOfRefInt: TRUE
olcMemberOfGroupOC: groupOfNames
olcMemberOfMemberAD: member
olcMemberOfMemberOfAD: memberOf

Best Answer

Related Solutions

Ldap – 389 Directory Server Administrative Limit Exceeded error

Centos – How to add ACIs to OpenLDAP properly

Related Topic