Linux – ldapsearch password file format

ldaplinux

How am I supposed to pass a password to ldapsearch using the -y <password file> option?
If I write the password in the password file in plain text, I get this error:

ldap_bind: Invalid credentials (49)
    additional info: 80090308: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 52e, v1772

The same happens if I use the -w <password> option.

EDIT:
The command I'm running is

ldapsearch -x -D <my dn> -y .pass.txt -h server.x.x -b "dc=x,dc=y" "cn=*"

Where the file .pass.txt contains my password, in plain text. Both the DN and the password are correct. If I run the command with the -W option and type the password on the prompt the command runs successfully, but I would like to store the password somehow to make a script.

Best Answer

Keep in mind that ldapsearch will use the entire contents of the file for the password--which means it WILL include a terminating newline character if one exists. To verify if this is in fact your problem, try creating a file without one:

echo -n ThisIsaBadPassword > .pass.txt

(UPDATE: Included '-n')

Related Solutions

Ssh – LdapErr: DSID-0C0903AA, data 52e: authenticating against AD ’08 with pam_ldap

Tail between my legs I'll have to answer this one because I have the embarrassing inside information.

I did not realize that you had to create a regular Unix user on the system to be able to login. As soon as I created a user matching ivasta I was able to login with that users AD password.

Only thing I can't do is change the password, even with pam_password ad but that doesn't matter because this is only for username logging purposes.

Windows – Setting up LDAP connection between CentOS and Windows server 2008

The error message is fairly straightforward:

text: 000004DC: LdapErr: DSID-0C0906DC, comment: In order to perform this 
operation a successful bind must be completed on the connection., data 0

That means you need to authenticate before you can query the directory. A typical command line will look something like this:

ldapsearch -x -H ldaps://dc.example.com/ -D lars@example.com -W cn=lars

This connect using simple authentication (-x) to dc.example.com using LDAP over SSL (ldaps://). I am authenticating as lars@example.com and the command will prompt me for a password (-W). I am searching for records matching cn=lars.

You can also authenticate against AD using Kerberos. Assuming everything is set up correctly, that looks like:

$ kinit lars@example.com
Password for lars@EXAMPLE>COM: 
$ ldapsearch -H ldap://dc.example.com cn=lars

In either case, you generally want to create accounts specifically to act as bind credentials, rather than using an administrative or a user account.

It is possible to configure Active Directory to allow anonymous binds. It is also possible to set up something else -- e.g., OpenLDAP -- as an anonymous bind proxy for AD.

Best Answer

Related Solutions

Ssh – LdapErr: DSID-0C0903AA, data 52e: authenticating against AD ’08 with pam_ldap

Windows – Setting up LDAP connection between CentOS and Windows server 2008

Related Topic