Ldap on Ubuntu 16.04 – Invalid credentials (49)

Tags: ldap, slapd

I'm trying to set up a local LDAP instance so I can debug some software that uses LDAP for authentication. I had this working correctly on Ubuntu 14.04 LTS, but trying to upgrade to Ubuntu 16.04 LTS nuked my box, and I reinstalled Ubuntu 16.04 LTS from scratch and cannot get LDAP working correctly after much frustration.

I installed slapd and used slapadd -l <file> to populate my database. I can see that my file has been loaded in with ldapsearch -x:

# extended LDIF
#
# LDAPv3
# base <dc=nodomain> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# nodomain
dn: dc=nodomain
objectClass: top
objectClass: dcObject
objectClass: organization
o: nodomain
dc: nodomain

# admin, nodomain
dn: cn=admin,dc=nodomain
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator

# People, nodomain
dn: ou=People,dc=nodomain
objectClass: organizationalUnit
ou: People

# Groups, nodomain
dn: ou=Groups,dc=nodomain
objectClass: organizationalUnit
ou: Groups

# miners, Groups, nodomain
dn: cn=miners,ou=Groups,dc=nodomain
objectClass: posixGroup
cn: miners
gidNumber: 5000

# smm, People, nodomain
dn: uid=smm,ou=People,dc=nodomain
uid: smm
sn: McCants
givenName: Stephen
cn: Stephen McCants
displayName: Stephen McCants
uidNumber: 10000
gidNumber: 5000
gecos: Stephen McCants
loginShell: /bin/bash
homeDirectory: /home/smm
objectClass: top
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
objectClass: person

# search result
search: 2
result: 0 Success

# numResponses: 7
# numEntries: 6

However, my code cannot authenticate against the user 'smm' and I cannot set a password on the user with ldappasswd -D "uid=smm,ou=People,dc=nodomain" -A -S -W. It prompts me for the passwords and then fails with the same error:

Old password: 
Re-enter old password: 
New password: 
Re-enter new password: 
Enter LDAP Password: 
ldap_bind: Invalid credentials (49)

I also used dpkg-reconfigure slapd to set a LDAP root password. However, both before and after reconfiguring, I get the same error. Here is the original file that was used to populate the database:

dn: ou=People,dc=nodomain
objectClass: organizationalUnit
ou: People
structuralObjectClass: organizationalUnit
entryUUID: 03a28690-1834-1033-87f5-8b9136017cf0
creatorsName: cn=admin,dc=nodomain
createTimestamp: 20140123043856Z
entryCSN: 20140123043856.559226Z#000000#000#000000
modifiersName: cn=admin,dc=nodomain
modifyTimestamp: 20140123043856Z

dn: ou=Groups,dc=nodomain
objectClass: organizationalUnit
ou: Groups
structuralObjectClass: organizationalUnit
entryUUID: 03b017e2-1834-1033-87f6-8b9136017cf0
creatorsName: cn=admin,dc=nodomain
createTimestamp: 20140123043856Z
entryCSN: 20140123043856.648148Z#000000#000#000000
modifiersName: cn=admin,dc=nodomain
modifyTimestamp: 20140123043856Z

dn: cn=miners,ou=Groups,dc=nodomain
objectClass: posixGroup
cn: miners
gidNumber: 5000
structuralObjectClass: posixGroup
entryUUID: 03b537ae-1834-1033-87f7-8b9136017cf0
creatorsName: cn=admin,dc=nodomain
createTimestamp: 20140123043856Z
entryCSN: 20140123043856.681730Z#000000#000#000000
modifiersName: cn=admin,dc=nodomain
modifyTimestamp: 20140123043856Z

dn: uid=smm,ou=People,dc=nodomain
uid: smm
sn: <my name>
givenName: <my name>
cn: <my name>
displayName: <my name>
uidNumber: 10000
gidNumber: 5000
gecos: <my name>
loginShell: /bin/bash
homeDirectory: /home/smm
structuralObjectClass: inetOrgPerson
entryUUID: 983bd260-1835-1033-87fb-8b9136017cf0
creatorsName: cn=admin,dc=nodomain
createTimestamp: 20140123045015Z
objectClass: top
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
objectClass: person
userPassword: <redacted>
entryCSN: 20140123054441.631096Z#000000#000#000000
modifiersName: cn=admin,dc=nodomain
modifyTimestamp: 20140123054441Z

Of course, <my name> contains my real name and <redacted> contains the SSHA string generated by slappasswd.

At this point, I'm at a loss as to why it doesn't work and what the problem is.

Best Answer

So, it seems the problem was that the passwords were loaded in such a way that I didn't know them or they were missing. I was able to effectively reset, first the LDAP admin password and then the user account password using the ldapmodify command. I'm listing what I did below in hopes that it helps someone else.

Reset LDAP Admin password

First, I generated the password hash with slappasswd.

root@laptop:/etc/ldap/slapd.d# slappasswd 
New password: 
Re-enter new password: 
{SSHA}<hash redacted>

Next, I needed to find where the admin password was set. I did that with:

root@laptop:/etc/ldap/slapd.d# ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b  cn=config olcRootDN=cn=admin,dc=nodomain dn olcRootDN olcRootPW
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: olcDatabase={1}mdb,cn=config
olcRootDN: cn=admin,dc=nodomain
olcRootPW: {SSHA}<hash redacted>

Your dc may be different in the command, depending on how you've set things up. Wish I could give a better answer than that as to what your dc should be, but I don't completely understand LDAP. Basically, everything I've done has been under dc=nodomain. Your configuration is likely to be different.

Next, I used ldapmodify to reset the admin password to something I know. Please note that I typed in both the command and the lines starting with "dn:", "replace:" and "olcRootPW:". You need to put a blank line after the last line to make ldapmodify apply the previous commands.

root@laptop:/etc/ldap/slapd.d# ldapmodify -Y EXTERNAL -H ldapi:///
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0

dn: olcDatabase={1}mdb,cn=config
replace: olcRootPW
olcRootPW: {SSHA}<new hash from slappasswd>

The olcDatabase value is lifted from the ldapsearch command and yours may be different than mine. If there wasn't a previous olcRootPW in the search results, you may need to use add instead of replace in the modify command above.

Ctrl-C ends our ldapmodify session.

Now I have a LDAP admin password I know and can proceed with resetting a user account.

Reset LDAP user password

I used slappasswd to generate a new password hash for the user's password. This command is the same for both password resets.

root@laptop:/etc/ldap/slapd.d# slappasswd 
New password: 
Re-enter new password: 
{SSHA}<hash redacted>

Next, I ran the ldapmodify command, but this time a little differently:

ldapmodify -H ldapi:/// -D "cn=admin,dc=nodomain" -W

The -D option tells LDAP that I'm running as the admin (or whoever is in the quotes after -D). Your dc value may be different, of course. The -W option tells LDAP to prompt me for the admin password.

After entering the LDAP admin password (that I reset above), I gave the command to set the user's password. Here is what I ran:

dn: uid=smm,ou=People,dc=nodomain
add: userPassword
userPassword: {SSHA}<new password hash>

The first line is the dn to specify which user needs a reset password. The second line is either an add command if the userPassword isn't set or a replace command if the userPassword is already set. The third line is the new password hash that LDAP should use. Enter a blank line after the third line to tell ldapmodify that you are done entering the command and it should run it. Hopefully you get a result like:

modifying entry "uid=smm,ou=People,dc=nodomain"

Now I have a new password for my user as well.
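A way to check whether the {SSHA} value sitting in your LDIF actually corresponds to the password you believe you set (the root cause above), and to build the add/replace record the answer types into ldapmodify, as an added Python example that is not from the answer or from OpenLDAP. It assumes OpenLDAP's {SSHA} layout (base64 of SHA-1(password + salt) followed by the salt, 4 random salt bytes by default); the sample entries are constructed here.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# {SSHA} as emitted by slappasswd: "{SSHA}" + base64( SHA1(password || salt) || salt ).
# On verify the salt is recovered from the bytes after the 20-byte SHA-1 digest.

def ssha_hash(password: str, salt: bytes = b"") -> str:
    """Return an {SSHA} string in OpenLDAP's format; random 4-byte salt unless one is given."""
    salt = salt or os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def ssha_verify(password: str, stored: str) -> bool:
    """Check a cleartext password against a stored {SSHA} value (constant-time compare)."""
    if not stored.startswith("{SSHA}"):
        return False
    blob = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = blob[:20], blob[20:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)

def entry_user_password(entry_ldif: str) -> Optional[str]:
    """Pull userPassword from one LDIF entry; 'userPassword::' means base64 (slapcat style)."""
    for line in entry_ldif.splitlines():
        if line.startswith("userPassword:: "):
            return base64.b64decode(line[len("userPassword:: "):]).decode("utf-8")
        if line.startswith("userPassword: "):
            return line[len("userPassword: "):]
    return None

def entry_password_matches(entry_ldif: str, password: str) -> bool:
    """True only if the entry has a userPassword and it verifies against `password`."""
    stored = entry_user_password(entry_ldif)
    return stored is not None and ssha_verify(password, stored)

def password_modify_ldif(dn: str, new_hash: str, has_password: bool) -> str:
    """Build the ldapmodify record from the answer: add if no userPassword exists, else replace.
    changetype is written explicitly (ldapmodify assumes modify when omitted); the blank line ends it."""
    op = "replace" if has_password else "add"
    return f"dn: {dn}\nchangetype: modify\n{op}: userPassword\nuserPassword: {new_hash}\n\n"

# Constructed sample entries (not the asker's data); hashes made here with a fixed salt.
SAMPLE_DN = "uid=smm,ou=People,dc=nodomain"
SAMPLE_ENTRY = f"dn: {SAMPLE_DN}\nuid: smm\nobjectClass: inetOrgPerson\nuserPassword: {ssha_hash('correct horse', b'salt')}\n"
SAMPLE_ENTRY_B64 = f"dn: {SAMPLE_DN}\nuserPassword:: {base64.b64encode(ssha_hash('correct horse', b'salt').encode('ascii')).decode('ascii')}\n"
```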
