Hi,

I am trying to search an LDAP user using the following command, but it fails with an invalid credentials error:

  # ldapsearch -x -h ldap://ipm.example.net -p 389 -b "dc=example,dc=net" -D "uid=ldapbind,cn=users,cn=account,dc=example,dc=net" uid=ambariadmin1 -W
  Enter LDAP Password:
  ldap_bind: Invalid credentials (49)

I have double checked the password but the error still persists.

Before that, I added an LDAP bind user with the following procedure:

  [root@example ~]# cat ldapbind.ldif
  dn: uid=ldapbind,cn=users,cn=accounts,dc=example,dc=net
  changetype: add
  objectclass: account
  objectclass: simplesecurityobject
  uid: ambaribind
  userPassword: secret123
  passwordExpirationTime: 20380119031407Z
  nsIdleTimeout: 0

  [root@example ~]# ldapmodify -h example.net -p 389 -x -D "cn=Directory Manager" -w 'secret123' -f ldapbind.ldif
  adding new entry "uid=ldapbind,cn=users,cn=accounts,dc=example,dc=net"

  [root@example ~]# ipa user-show ambaribind --raw --all
  dn: uid=ldapbind,cn=users,cn=accounts,dc=example,dc=net
  uid: ldapbind
  nsaccountlock: FALSE
  has_password: TRUE
  has_keytab: FALSE
  objectClass: account
  objectClass: simplesecurityobject
  objectClass: top

Without the bind user, I can search the user:

  [root@example ~]# ldapsearch -x -h ipa.example.net -p 389 -b "cn=ambari,dc=example,dc=net" uid=ambariadmin1

Can anyone please guide me where the issue is?

Regards
Dwija D via FreeIPA-users wrote:
Hi, I am trying to search an LDAP user using the following command, but it fails with an invalid credentials error:

  # ldapsearch -x -h ldap://ipm.example.net -p 389 -b "dc=example,dc=net" -D "uid=ldapbind,cn=users,cn=account,dc=example,dc=net" uid=ambariadmin1 -W
  Enter LDAP Password:
  ldap_bind: Invalid credentials (49)

I have double checked the password but the error still persists. Before that, I added an LDAP bind user with the following procedure:

  [root@example ~]# cat ldapbind.ldif
  dn: uid=ldapbind,cn=users,cn=accounts,dc=example,dc=net
  changetype: add
  objectclass: account
  objectclass: simplesecurityobject
  uid: ambaribind
  userPassword: secret123
  passwordExpirationTime: 20380119031407Z
  nsIdleTimeout: 0
I would discourage you from adding bind-only users to cn=users. We recommend putting it into cn=sysaccounts. This isn't a posix user and the IPA tools shouldn't be used to manage it.
  [root@example ~]# ldapmodify -h example.net -p 389 -x -D "cn=Directory Manager" -w 'secret123' -f ldapbind.ldif
  adding new entry "uid=ldapbind,cn=users,cn=accounts,dc=example,dc=net"

  [root@example ~]# ipa user-show ambaribind --raw --all
  dn: uid=ldapbind,cn=users,cn=accounts,dc=example,dc=net
  uid: ldapbind
  nsaccountlock: FALSE
  has_password: TRUE
  has_keytab: FALSE
  objectClass: account
  objectClass: simplesecurityobject
  objectClass: top

Without the bind user, I can search the user:

  [root@example ~]# ldapsearch -x -h ipa.example.net -p 389 -b "cn=ambari,dc=example,dc=net" uid=ambariadmin1

Can anyone please guide me where the issue is?

Regards
There are some inconsistencies in the naming, I assume related to an attempt at obfuscation, which makes it difficult to spot real issues.
Otherwise the ldif looks fine. I don't see any reason why the bind would fail. I'm not aware of any ACI that prevents bind in cn=users for non-IPA users, but as I mentioned, we recommend using cn=sysaccounts per https://www.freeipa.org/page/HowTo/LDAP
rob
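As an added example, not part of the thread or of FreeIPA, this POSIX shell script runs offline checks on a bind-account LDIF for the two things Rob points at (a bind-only account created under cn=users rather than cn=sysaccounts,cn=etc, and the naming inconsistencies: the RDN uid differing from the uid attribute, and cn=account vs cn=accounts between the bind DN and the entry DN) and ends with the ldapwhoami bind test to run once the entry exists. The GOOD_LDIF text, the hostnames and the function names are constructed for this example; it assumes ldapwhoami from ldap-utils is installed for the live check only.

```shell
#!/bin/sh
# Added example, not from the thread: offline sanity checks for a FreeIPA
# bind-only account LDIF, plus the bind test to run once the entry exists.

# Constructed LDIF in the layout the FreeIPA HowTo/LDAP page recommends:
# container cn=sysaccounts,cn=etc, and the RDN uid equals the uid attribute.
GOOD_LDIF='dn: uid=ldapbind,cn=sysaccounts,cn=etc,dc=example,dc=net
changetype: add
objectclass: account
objectclass: simplesecurityobject
uid: ldapbind
userPassword: secret123
passwordExpirationTime: 20380119031407Z
nsIdleTimeout: 0'
# The LDIF as posted in the thread: under cn=users, and the uid attribute
# (ambaribind) disagrees with the RDN (ldapbind).
THREAD_LDIF='dn: uid=ldapbind,cn=users,cn=accounts,dc=example,dc=net
changetype: add
objectclass: account
objectclass: simplesecurityobject
uid: ambaribind
userPassword: secret123'

# ldif_attr NAME LDIF: first value of attribute NAME.
ldif_attr() { printf '%s\n' "$2" | sed -n "s/^$1: *//p" | head -n 1; }
# ldif_check LDIF: print one line per finding; return 0 only when clean.
ldif_check() {
  rc=0
  dn=$(ldif_attr dn "$1"); rdn=${dn%%,*}
  if [ "${rdn#uid=}" != "$(ldif_attr uid "$1")" ]; then
    echo "MISMATCH: RDN is $rdn but uid attribute is $(ldif_attr uid "$1")"; rc=1
  fi
  case $dn in
    *,cn=sysaccounts,cn=etc,*) ;;
    *) echo "WARN: bind-only account not under cn=sysaccounts,cn=etc: $dn"; rc=1 ;;
  esac
  printf '%s\n' "$1" | grep -q '^objectclass: simplesecurityobject$' \
    || { echo "MISSING: objectclass simplesecurityobject (holds userPassword)"; rc=1; }
  return $rc
}
# Compare the DN you bind with against the entry DN, ignoring case and spaces,
# so a real typo (cn=account vs cn=accounts) stands out: the server reports a
# nonexistent bind DN exactly like a wrong password, "Invalid credentials (49)".
dn_norm() { printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/ *, */,/g; s/ *= */=/g'; }
bind_dn_matches() { [ "$(dn_norm "$1")" = "$(dn_norm "$2")" ]; }
# Live check, run by hand once the entry exists (needs ldapwhoami from ldap-utils).
bind_test() { ldapwhoami -x -H "ldap://$1" -D "$2" -W; }
ldif_check "$GOOD_LDIF" && echo "GOOD_LDIF: ok"
ldif_check "$THREAD_LDIF" || echo "THREAD_LDIF: fix before ldapmodify"
```

A clean ldif_check followed by a successful bind_test that prints "dn: uid=ldapbind,..." separates a password problem from a DN or placement problem before any application is pointed at the account.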
Hi Rob, Thanks for all the observations and I will keep those things in mind. The issue was with the wrong password. Once I updated the password everything worked! Regards
On Mon, Jul 20, 2020 at 7:28 PM Rob Crittenden rcritten@redhat.com wrote:
freeipa-users@lists.fedorahosted.org