Hi Dieter, thanks for the reply. Yeah, the folks at #openldap were kind enough to help me debug this issue. It turned out that it was a simple detail (as mostly always :)) -- when I created the ldif, I put the password in clear text, however, I didn't do anything to tell OpenLDAP that it was actually cleartext, nor did I know I had to. The whole time I thought it had to do with ACLs (OpenLDAP denying read access to userPassword), but the problem was that OpenLDAP was trying to authenticate using SHA-1, and the password was stored as clear text.

The solution? Store the password as a SHA-1 hash. Nobody would want to store passwords as clear text anyway. So, issue solved!

Cheers,

Marcelo.

On Wed, Apr 7, 2010 at 2:04 AM, Dieter Kluenter <die...@dkluenter.de> wrote:
> On Tue, 6 Apr 2010 13:28:27 -0500,
> Marcelo de Moraes Serpa <celose...@gmail.com> wrote:
>
> > Hello list,
> >
> > I have a local OpenLDAP server with a couple of users. I'm using it
> > for development purposes, here's the ldif:
> >
> > #Top level - the organization
> > dn: dc=site, dc=com
> > dc: site
> > description: OneLogin LLC
> > objectClass: dcObject
> > objectClass: organization
> > o: OneLogin LLC
> >
> > #Top level - manager
> > dn: cn=Manager, dc=site, dc=com
> > objectClass: organizationalRole
> > cn: Manager
> >
> > #Second level - organizational units
> > dn: ou=people, dc=site, dc=com
> > ou: people
> > description: All people in the organization
> > objectClass: organizationalunit
> >
> > dn: ou=groups, dc=site, dc=com
> > ou: groups
> > description: All groups in the organization
> > objectClass: organizationalunit
> >
> > #Third level - people
> > dn: uid=celoserpa, ou=people, dc=site, dc=com
> > objectclass: pilotPerson
> > objectclass: uidObject
> > uid: celoserpa
> > cn: Marcelo de Moraes Serpa
> > sn: de Moraes Serpa
> > userPassword: secret_12345
> > mail: marc...@site.com
> >
> > So far, so good. I can bind with "cn=Manager,dc=site,dc=com" and the
> > 12345678 password (the local server password, set up in slapd.conf).
> >
> > However, I would like to bind with any user under the people OU.
> > In this case, I'd like to bind with:
> > dn: uid=celoserpa, ou=people, dc=site, dc=com
> > userPassword: secret_12345
> >
> > But I'm getting a (49) - Invalid Credentials error every time. I have
> > tried through CLI tools (such as ldapadd, ldapwhoami, etc) and also
> > ruby/ldap. The bind with these credentials fails with an invalid
> > credentials error.
> >
> > I was suspecting that maybe OpenLDAP doesn't compare against
> > userPassword? Or maybe some ACL configuration I am missing that is
> > somehow affecting the read access to userPassword for the specific DN.
> >
> > I'm really lost here, any suggestion appreciated!
>
> You may run slapd in debugging mode, that is slapd(8) -dacl
>
> -Dieter
>
> --
> Dieter Klünter | Systems Consulting
> sip: +49.40.20932173
> http://www.dpunkt.de/buecher/2104.html
> GPG Key ID:8EF7B6C6
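Since the fix in this thread is to store userPassword as a hash instead of cleartext, here is an added Python example (not from the thread, and not OpenLDAP's own code) that produces the {SHA} value the thread settled on and also the salted {SSHA} form slapd accepts, checks a candidate password against either the way a simple bind does, and rewrites the cleartext userPassword line of an LDIF like the one posted. SAMPLE_LDIF and the function names are constructed for this example.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample: the userPassword line from the post's LDIF, as written.
SAMPLE_LDIF = """dn: uid=celoserpa, ou=people, dc=site, dc=com
uid: celoserpa
userPassword: secret_12345
mail: marc...@site.com"""

def ldap_sha_hash(password: str) -> str:
    # Unsalted {SHA}: base64(sha1(password)), the form the thread settled on.
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")

def ldap_ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    # Salted {SSHA}: base64(sha1(password + salt) + salt); the salt rides along
    # so the directory can recompute the digest at bind time.
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def verify_userpassword(stored: str, candidate: str) -> bool:
    # Mimic a simple-bind check: pick the scheme from the prefix, recompute,
    # compare in constant time. A value with no prefix is compared as cleartext.
    if stored.startswith("{SHA}"):
        return hmac.compare_digest(stored, ldap_sha_hash(candidate))
    if stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[len("{SSHA}"):])
        digest, salt = raw[:20], raw[20:]  # SHA-1 digests are 20 bytes long
        expected = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
        return hmac.compare_digest(digest, expected)
    return hmac.compare_digest(stored.encode("utf-8"), candidate.encode("utf-8"))

def hash_ldif_passwords(ldif_text: str) -> str:
    # Rewrite every cleartext 'userPassword:' line to {SSHA} before ldapadd.
    # Lines already carrying a scheme prefix and base64 lines ('userPassword::')
    # are left untouched.
    out = []
    for line in ldif_text.splitlines():
        lower = line.lower()
        if lower.startswith("userpassword:") and not lower.startswith("userpassword::"):
            value = line.split(":", 1)[1].strip()
            if not value.startswith("{"):
                line = "userPassword: " + ldap_ssha_hash(value)
        out.append(line)
    return "\n".join(out)
```

The rewritten LDIF can be loaded with ldapadd as before; the cleartext value never reaches the directory.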