<div>Hi Rick,</div> <div> </div> <div>I have generated cert again and started slapd.</div> <div> </div> <div>Now I see following in logs:</div> <div>conn=0 fd=9 ACCEPT from IP=<a href="http://127.0.0.1:36272">127.0.0.1:36272</a> (IP=<a href="http://0.0.0.0:389">0.0.0.0:389</a>)<br>conn=0 op=0 BIND dn="cn=nilesh,ou=people,dc=test,dc=com" method=128<br></div> <div>It's same for below 2 commands: </div> <div>1. ldapsearch -x -b "ou=people,dc=test,dc=com" -D "cn=nilesh,ou=people,dc=test,dc=com" -w 'password' "uid=nilesh"</div> <div>2. ldapsearch -x -b "ou=people,dc=test,dc=com" -D "cn=nilesh,ou=people,dc=test,dc=com" -w password "uid=nilesh"</div> <div> </div> <div>I tried adding 'allow bind_v2 bind_anon_cred bind_anon_dn' and restarted openldap, the result is same.</div> <div> </div> <div>It looks like error 49 is gone.</div> <div> </div> <div>What else I need to do to fix this issue.</div> <div> </div> <div>Thanks and Regards,</div> <div>-Nilesh</div> <div> </div> <div class="gmail_quote">On Fri, Aug 14, 2009 at 10:04 AM, Rick Stevens <span dir="ltr"><<a href="mailto:ricks@nerd.com">ricks@nerd.com</a>></span> wrote:<br> <blockquote class="gmail_quote" style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid"> <div class="im">Nilesh Joshi wrote:<br> <blockquote class="gmail_quote" style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid">Thanks Rick.<br><br>I have checked using -w password. The exact command I tried was:<br><br>ldapsearch -x -b "ou=people,dc=test,dc=com" -D<br> "cn=nilesh,ou=people,dc=test,dc=com" -w password '(uid=nilesh)'<br></blockquote><br></div>Did you enclose the password in single quotes to mask its value? <div class="im"><br><br> <blockquote class="gmail_quote" style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid">Also added:<br> access to attrs=userPassword<br> by anonymous auth<br> by self write<br> by * none<br></blockquote><br></div>That may not be adequate. That simply allows a user to authenticate<br>against the LDAP database. It does NOT allow a regular user to search<br>the entire database. Let's get rid of the error 49 first, then we'll<br> worry about the rest. <div class="im"><br><br> <blockquote class="gmail_quote" style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid">However the result was same. I have confirmed that password is password for<br>now.<br></blockquote><br></div> If you're using SASL, remember that all the passwords must be stored in cleartext. If the password you're going to use is in the LDAP database,<br>it must be stored in cleartext--NOT some excrypted format such as<br> <br> {MD5} cypherstring<br> {SSHA} cypherstring<br><br>If the password is in the Cyrus SASL database, it too has to be in<br>cleartext. This is one of the weaknesses of SASL.<br><br>If you're going to use encrypted passwords in the database, you'll need<br> to use SSL or KRB5 as the transport mechanism. <div class="im"><br><br> <blockquote class="gmail_quote" style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid">I think, I am missing something in configuration. Can I use LDAP without<br>sasl and if yes, what I need to do?<br> </blockquote><br></div>You can, but it's not recommended. Try putting this line in slapd.conf:<br><br> allow bind_v2 bind_anon_cred bind_anon_dn<br><br>Oh, and by the way, we prefer bottom posting on the list.<br> <br> <blockquote class="gmail_quote" style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid"> <div> <div></div> <div class="h5">On Thu, Aug 13, 2009 at 6:16 PM, Rick Stevens <<a href="mailto:ricks@nerd.com" target="_blank">ricks@nerd.com</a>> wrote:<br><br> <blockquote class="gmail_quote" style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid"> Nilesh Joshi wrote:<br><br> <blockquote class="gmail_quote" style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid">Hi,<br><br>I have installed openldap-2.0.27-23 on my server.<br><br>I have configured certificate and path is mentioned in slapd.conf file.<br> <br>I am able to create root DN and also able to add user to it.<br><br>When I search using cn=manager,dc=test,dc=com, it gives me correct<br>answers.<br>Howere, whenever I search using user id, I see error 49.<br><br>ldapsearch -x -b "ou=people,dc=test,dc=com" -D<br> "cn=nilesh,ou=people,dc=test,dc=com" -W '(uid=nilesh)'<br><br>In logs, I see:<br>conn=11 fd=10 ACCEPT from IP=<a href="http://192.168.1.2:53115/" target="_blank">192.168.1.2:53115</a> (IP=<a href="http://0.0.0.0:389/" target="_blank">0.0.0.0:389</a>)<br> conn=11 op=0 BIND dn="cn=nilesh,ou=people,dc=test,dc=com" method=128<br>conn=11 op=0 RESULT tag=97 err=49 text=<br>conn=11 fd=10 closed (connection lost)<br><br>I would like to have openldap running without sasl.<br> <br>How should I configure the same? How can I fix this issue?<br><br></blockquote>Error 49 is "invalid credentials," meaning that you didn't hand the<br>ldapsearch the right password for the user you're trying to bind as.<br> Try it again, but rather than using the "-W" (interactive) flag, try:<br><br> -w 'your-password-here'<br><br>If the password has shell metacharacters in it, they may be being<br>interpreted by the shell before being handed to the ldapsearch command.<br> Using the -w and the password enclosed in single quotes prevents that.<br><br>You also have to make sure that the user you're trying to bind as has<br>access to the userPassword attribute in the slapd.conf file:<br><br> access to attrs=userPassword<br> by anonymous auth<br> by self write<br> by * none<br><br>----------------------------------------------------------------------<br>- Rick Stevens, Systems Engineer <a href="mailto:ricks@nerd.com" target="_blank">ricks@nerd.com</a> -<br> - AIM/Skype: therps2 ICQ: 22643734 Yahoo: origrps2 -<br>- -<br>- I never drink water because of the disgusting things that fish do -<br> - in it. -<br>- -- WC. Fields -<br>----------------------------------------------------------------------<br> <br>_______________________________________________<br>Redhat-install-list mailing list<br><a href="mailto:Redhat-install-list@redhat.com" target="_blank">Redhat-install-list@redhat.com</a><br><a href="https://www.redhat.com/mailman/listinfo/redhat-install-list" target="_blank">https://www.redhat.com/mailman/listinfo/redhat-install-list</a><br> To Unsubscribe Go To ABOVE URL or send a message to:<br><a href="mailto:redhat-install-list-request@redhat.com" target="_blank">redhat-install-list-request@redhat.com</a><br>Subject: unsubscribe<br><br></blockquote><br><br> </div></div>------------------------------------------------------------------------ <div class="im"><br><br>_______________________________________________<br>Redhat-install-list mailing list<br><a href="mailto:Redhat-install-list@redhat.com" target="_blank">Redhat-install-list@redhat.com</a><br><a href="https://www.redhat.com/mailman/listinfo/redhat-install-list" target="_blank">https://www.redhat.com/mailman/listinfo/redhat-install-list</a><br> To Unsubscribe Go To ABOVE URL or send a message to:<br><a href="mailto:redhat-install-list-request@redhat.com" target="_blank">redhat-install-list-request@redhat.com</a><br>Subject: unsubscribe<br></div></blockquote><br> <br>-- <br> <div class="im">----------------------------------------------------------------------<br>- Rick Stevens, Systems Engineer <a href="mailto:ricks@nerd.com" target="_blank">ricks@nerd.com</a> -<br>- AIM/Skype: therps2 ICQ: 22643734 Yahoo: origrps2 -<br> - -<br></div>- Never test for an error condition you don't know how to handle. - <div> <div></div> <div class="h5"><br>----------------------------------------------------------------------<br><br>_______________________________________________<br>Redhat-install-list mailing list<br><a href="mailto:Redhat-install-list@redhat.com" target="_blank">Redhat-install-list@redhat.com</a><br> <a href="https://www.redhat.com/mailman/listinfo/redhat-install-list" target="_blank">https://www.redhat.com/mailman/listinfo/redhat-install-list</a><br>To Unsubscribe Go To ABOVE URL or send a message to:<br><a href="mailto:redhat-install-list-request@redhat.com" target="_blank">redhat-install-list-request@redhat.com</a><br> Subject: unsubscribe<br></div></div></blockquote></div><br>