I'm trying to set up a local LDAP instance so I can debug some software that uses LDAP for authentication. I had this working correctly on Ubuntu 14.04 LTS, but trying to upgrade to Ubuntu 16.04 LTS nuked my box, and I reinstalled Ubuntu 16.04 LTS from scratch and cannot get LDAP working correctly after much frustration.
I installed slapd and used slapadd -l <file> to populate my database. I can see that my file has been loaded in with ldapsearch -x:
# extended LDIF
#
# LDAPv3
# base <dc=nodomain> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# nodomain
dn: dc=nodomain
objectClass: top
objectClass: dcObject
objectClass: organization
o: nodomain
dc: nodomain
# admin, nodomain
dn: cn=admin,dc=nodomain
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
# People, nodomain
dn: ou=People,dc=nodomain
objectClass: organizationalUnit
ou: People
# Groups, nodomain
dn: ou=Groups,dc=nodomain
objectClass: organizationalUnit
ou: Groups
# miners, Groups, nodomain
dn: cn=miners,ou=Groups,dc=nodomain
objectClass: posixGroup
cn: miners
gidNumber: 5000
# smm, People, nodomain
dn: uid=smm,ou=People,dc=nodomain
uid: smm
sn: McCants
givenName: Stephen
cn: Stephen McCants
displayName: Stephen McCants
uidNumber: 10000
gidNumber: 5000
gecos: Stephen McCants
loginShell: /bin/bash
homeDirectory: /home/smm
objectClass: top
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
objectClass: person
# search result
search: 2
result: 0 Success
# numResponses: 7
# numEntries: 6
However, my code cannot authenticate against the user 'smm' and I cannot set a password on the user with ldappasswd -D "uid=smm,ou=People,dc=nodomain" -A -S -W. It prompts me for the passwords and then fails with the same error:
Old password:
Re-enter old password:
New password:
Re-enter new password:
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
I also used dpkg-reconfigure slapd to set an LDAP root password. However, both before and after reconfiguring, I get the same error. Here is the original file that was used to populate the database:
dn: ou=People,dc=nodomain
objectClass: organizationalUnit
ou: People
structuralObjectClass: organizationalUnit
entryUUID: 03a28690-1834-1033-87f5-8b9136017cf0
creatorsName: cn=admin,dc=nodomain
createTimestamp: 20140123043856Z
entryCSN: 20140123043856.559226Z#000000#000#000000
modifiersName: cn=admin,dc=nodomain
modifyTimestamp: 20140123043856Z
dn: ou=Groups,dc=nodomain
objectClass: organizationalUnit
ou: Groups
structuralObjectClass: organizationalUnit
entryUUID: 03b017e2-1834-1033-87f6-8b9136017cf0
creatorsName: cn=admin,dc=nodomain
createTimestamp: 20140123043856Z
entryCSN: 20140123043856.648148Z#000000#000#000000
modifiersName: cn=admin,dc=nodomain
modifyTimestamp: 20140123043856Z
dn: cn=miners,ou=Groups,dc=nodomain
objectClass: posixGroup
cn: miners
gidNumber: 5000
structuralObjectClass: posixGroup
entryUUID: 03b537ae-1834-1033-87f7-8b9136017cf0
creatorsName: cn=admin,dc=nodomain
createTimestamp: 20140123043856Z
entryCSN: 20140123043856.681730Z#000000#000#000000
modifiersName: cn=admin,dc=nodomain
modifyTimestamp: 20140123043856Z
dn: uid=smm,ou=People,dc=nodomain
uid: smm
sn: <my name>
givenName: <my name>
cn: <my name>
displayName: <my name>
uidNumber: 10000
gidNumber: 5000
gecos: <my name>
loginShell: /bin/bash
homeDirectory: /home/smm
structuralObjectClass: inetOrgPerson
entryUUID: 983bd260-1835-1033-87fb-8b9136017cf0
creatorsName: cn=admin,dc=nodomain
createTimestamp: 20140123045015Z
objectClass: top
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
objectClass: person
userPassword: <redacted>
entryCSN: 20140123054441.631096Z#000000#000#000000
modifiersName: cn=admin,dc=nodomain
modifyTimestamp: 20140123054441Z
Of course, <my name> contains my real name and <redacted> contains the SSHA string generated by slappasswd.
At this point, I'm at a loss as to why it doesn't work and what the problem is.
Best Answer
So, it seems the problem was that the passwords were loaded in such a way that I didn't know them or they were missing. I was able to effectively reset first the LDAP admin password and then the user account password using the ldapmodify command. I'm listing what I did below in hopes that it helps someone else.
Reset LDAP Admin password
First, I generated the password hash with slappasswd.
Next, I needed to find where the admin password was set. I did that with:
Your dc may be different in the command, depending on how you've set things up. Wish I could give a better answer than that as to what your dc should be, but I don't completely understand LDAP. Basically, everything I've done has been under dc=nodomain. Your configuration is likely to be different.
Next, I used ldapmodify to reset the admin password to something I know. Please note that I typed in both the command and the lines starting with "dc:", "replace:" and "olcRootPw:". You need to put a blank line after the last line to make ldapmodify apply the previous commands.
The olcDatabase value is lifted from the ldapsearch command and yours may be different than mine. If there wasn't a previous olcRootPw in the search results, you may need to use add instead of replace in the modify command above. Ctrl-C ends our ldapmodify session.
Now I have an LDAP admin password I know and can proceed with resetting a user account.
Reset LDAP user password
I used slappasswd to generate a new password hash for the user's password. This command is the same for both password resets.
Next, I ran the ldapmodify command, but this time a little differently:
The -D option tells LDAP that I'm running as the admin (or whoever is in the quotes after -D). Your dc value may be different, of course. The -W option tells LDAP to prompt me for the admin password. After entering the LDAP admin password (that I reset above), I gave the command to set the user's password. Here is what I ran:
The first line is the dn to specify which user needs a reset password. The second line is either an add command if the userPassword isn't set or a replace command if the userPassword is already set. The third line is the new password hash that LDAP should use. Enter a blank line after the third line to tell ldapmodify that you are done entering the command and it should run it. Hopefully you get a result like:
Now I have a new password for my user as well.