OpenLDAP credentials issue

Bug #333733 reported by GordonS-CIL
This bug affects 4 people

Affects: Ubuntu Documentation. Status: Invalid. Importance: Undecided. Assigned to: Adam Sommer.
Affects: ubuntu-docs (Ubuntu). Status: Fix Released. Importance: Undecided. Assigned to: Adam Sommer.

Bug Description

https://help.ubuntu.com/8.10/serverguide/C/openldap-server.html

At the "Populating LDAP" stage I was getting 'credentials (49)' errors.

All previous activities seemed to work just fine, but not that.

I eventually found that it worked if I first did:
        sudo su openldap

I'm not sure whether I just found a way around another problem, or whether this was an expected action before ldap administration.

It took me a while to find that because until then all seemed fine. It asked for passwords as expected, and seemed to do actions as expected.

G.

Tags: serverguide
Adam Sommer (asommer) wrote :

Thanks for reporting this bug and helping make Ubuntu better. Actually the ldapadd command should have a -b dc=example,dc=com (or the basedn of your directory). I must have set the BASE option in /etc/ldap/ldap.conf before using that command.

Using the -b should allow you to not have to sudo su openldap, can you give it a try to double check and comment?

Thanks again.

Changed in ubuntu-doc:
assignee: nobody → asommer
status: New → Incomplete
Adam Sommer (asommer) wrote :

Actually I'm totally wrong about the -b option. ldapadd does not have a -b option since it will get the basedn from the LDIF file.

Just to double check, were you using the password created during the slapd install process?

Thanks,
Adam

Matthew East (mdke) wrote :

Moving to ubuntu-docs package as per new bug policy.

Changed in ubuntu-docs:
assignee: nobody → asommer
status: New → Incomplete
Changed in ubuntu-doc:
status: Incomplete → Invalid
Greg Coram (greg-nghenvironmental) wrote :

I also got 'credentials (49)' errors while trying the ldapsearch commands suggested. The password I provided in install did not work.
After many hours I discovered that the Hardy version does not come configured for use with cn=config.
After following http://www.zytrax.com/books/ldap/ch6/slapd-config.html instructions to convert from ldap.conf to cn=config all was well. Also had to change a setting in /etc/default/slapd, SLAPD_CONF=/etc/ldap/slapd.d

So if you get this error, check that you have a /etc/ldap/slapd.d directory; if you don't, then you do not have support for cn=config and any ldap command using the base will fail with 'credentials (49)'.

I then repeated apt-get install slapd for four other hardy servers with the same outcome in all cases.

Jonathan Jesse (jjesse)
tags: added: serverguide
Jens (jens.timmerman) wrote :

I am still having this bad credentials issue when following the documentation for 10.04
(as found here): http://doc.ubuntu.com/ubuntu/serverguide/C/samba-ldap.html

When you get to the "setting up ACL" part you all of a sudden need to use a cn=admin,cn=config that doesn't exist.

Creating a config.ldif with

    dn: olcDatabase={0}config,cn=config
    changetype: modify
    add: olcRootDN
    olcRootDN: cn=admin,cn=config

    dn: olcDatabase={0}config,cn=config
    changetype: modify
    add: olcRootPW
    olcRootPW: secret

    dn: olcDatabase={0}config,cn=config
    changetype: modify
    delete: olcAccess

and adding it with

    ldapadd -Y EXTERNAL -H ldapi:/// -f config.ldif

makes this work.
But it seems 2 systems are being used in this documentation, one with the cn=config and one without...
since, as I can see in bug #416539, there used to be a problem that was the exact opposite of this one?

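The procedure in the comment above, as an added example that is not code from the bug thread or the Ubuntu server guide: POSIX shell helpers that generate the olcDatabase={0}config change with a hashed olcRootPW (from slappasswd) rather than the cleartext "secret", apply it over ldapi:/// with SASL EXTERNAL, and first run the check from the earlier comment that slapd actually uses cn=config (/etc/ldap/slapd.d present). The function names and the ldapwhoami verification step are this example's own choices.

```shell
# Added example, not code from the bug thread or the Ubuntu server guide.
# Helpers for the cn=config admin fix from comment #5, with two additions a
# defender wants: the check from the earlier comment that slapd really uses
# cn=config (/etc/ldap/slapd.d exists), and a hashed olcRootPW instead of the
# cleartext "secret". Uses replace instead of add so re-running is harmless.

# Returns 0 if slapd uses cn=config (slapd.d directory present), 1 otherwise.
# $1 overrides the directory so the check can be exercised without slapd.
has_cn_config() {
    [ -d "${1:-/etc/ldap/slapd.d}" ]
}

# Prints the modify LDIF for olcDatabase={0}config.
# $1: password hash as printed by `slappasswd -h '{SSHA}'`
# $2: admin DN, default cn=admin,cn=config (the DN the guide's ACL step expects)
# The olcAccess deletion from the original is left out: the rootdn bypasses
# ACLs, so it is not needed for cn=admin,cn=config to bind and write.
build_config_ldif() {
    pw_hash="$1"
    admin_dn="${2:-cn=admin,cn=config}"
    case "$pw_hash" in
        "{"*) ;;    # {SSHA}..., {CRYPT}..., any slappasswd scheme
        *) echo "refusing cleartext olcRootPW; use slappasswd -h '{SSHA}'" >&2
           return 1 ;;
    esac
    printf '%s\n' \
        'dn: olcDatabase={0}config,cn=config' \
        'changetype: modify' \
        'replace: olcRootDN' \
        "olcRootDN: $admin_dn" \
        '-' \
        'replace: olcRootPW' \
        "olcRootPW: $pw_hash"
}

# Applies the LDIF over the local socket as root (SASL EXTERNAL, as in the
# comment), then confirms the new admin DN can bind. Not run by the tests.
# Usage: apply_config_ldif "$(slappasswd -h '{SSHA}')"
apply_config_ldif() {
    has_cn_config || {
        echo "no /etc/ldap/slapd.d: slapd is not using cn=config" >&2
        return 1
    }
    build_config_ldif "$1" "${2:-}" | sudo ldapmodify -Y EXTERNAL -H ldapi:/// \
        || return 1
    # -W prompts for the password you gave slappasswd; success prints the DN.
    ldapwhoami -H ldapi:/// -D "${2:-cn=admin,cn=config}" -W
}
```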
Adam Sommer (asommer) wrote :

Thanks for catching that Jens. The ACL section needs to be updated to use the new:

   sudo ldapsearch -c -Y EXTERNAL -H ldapi:/// -b cn=config

format. I'll try to get that updated.

Changed in ubuntu-docs (Ubuntu):
milestone: none → lucid-updates
Adam Sommer (asommer) wrote :

Committed a fix to the Maverick branch revision 511. Will work on getting the changes committed to Lucid and Karmic branches.

Changed in ubuntu-docs (Ubuntu):
status: Incomplete → Fix Committed
milestone: lucid-updates → karmic-updates
milestone: karmic-updates → lucid-updates
Adam Sommer (asommer) wrote :

Committed fix to revision 509 to Lucid branch.

Zaphod (vilppu777) wrote :

It looks like this is still an issue on the 10.04 documentation. Following post #5 I am now able to search properly, but it is still unclear how to set the ACL so users can change their own LDAP password.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ubuntu-docs - 10.10.1

---------------
ubuntu-docs (10.10.1) maverick; urgency=low

  * First release for maverick
  * General:
    - Update copyright year, LP: #580396
    - Update version numbers for maverick, LP: #587119
    - Update pot files
  * Administrative:
    - Users and Groups app UI changed - adjusted directions,
      LP: #570429 (Connor Imes)
  * Basic-commands:
    - Removed incorrect comment about using ~ with sudo,
      LP: #570423 (Connor Imes)
  * Internet:
    - Add section on Ubuntu One, authored by Matt Griffin with
      some changes/review
    - Typos: Cicso -> Cisco. Alex Wardle, LP: #561084
  * Musicvideophotos:
    - Add material on using Ubuntu One Music Store and
      other Music Stores
      within Rhythmbox, content submitted by Matt Griffin
    - Update microphone troubleshooting, LP: #591164
  * Serverguide:
    - Removed erroneous text from vmbuilder command,
      LP: #559190
    - Typo in network-config section. Alex Wardle, LP: #550892
    - Fix typo in Kerberos section. David C. Curtis, LP: #561788
    - Replaced dkim-filter with opendkim, feedback from
      Scott Kitterman. LP: #561825
    - Changed ldapsearch command in ACL section for new authentication
      mechanism. LP: #333733
    - Adjusted certificate wording to be more concise about which
      lines to copy. LP: #575859
    - Changed samba restart command to use new upstart scripts.
      LP: #575540
    - New information about granting groups Admin rights for Samba.
      LP: #579851
    - Various typos and English fixes from Travis Nichol, Connor Imes,
      Vikram Dhillon, Dean Sas, Andrew Rowell. LP: #594913,
      LP: #572959, LP: #603947
    - New Amavisd-new and Spamassassin section which adds note about possible
      large amount of error messages sent to email. LP: #165184 (Adam Sommer)
    - Removed OpenNebula section (Adam Sommer)
    - Removed eBox section (Adam Sommer)
    - Reviewed and updated User Management and Console Security sections
      (Adam Sommer)
    - Fixed spelling typo of dyngroup.schema, fixed ldapscripts <ask> example
      explanation, and ldapscripts example template path. LP: #595001
      (Adam Sommer)
    - Updates to UEC sections (Adam Sommer)
    - New "First Boot" section covering cloud-init functionality (Adam Sommer)
    - Fix broken links to installation-guide, add distro-rev-short
      entity, LP: #575961
  * Windows:
    - Change wording of windows/C/preparing.xml, LP: #483153
 -- Matthew East <email address hidden> Sat, 14 Aug 2010 22:35:52 +0100

Changed in ubuntu-docs (Ubuntu):
status: Fix Committed → Fix Released
Thomas Tanghus (tanghus) wrote :

The guide at https://help.ubuntu.com/12.04/serverguide/openldap-server.html still leaves you with a non-functional ldap server when following it.

I applied the step in comment #5 but importing the example ldif gives "ldap_bind: Invalid credentials (49)"

Mauro (mauromol) wrote :

This issue still exists in Ubuntu 16.04 and I don't think it's just a documentation problem.

In order to add a new schema (dn: cn=myNewSchema,cn=schema,cn=config) through an ldif file, I had to follow this:
http://serverfault.com/questions/171965/ubuntu-10-04-lucid-openldap-invalid-credentials-issue

In fact, the LDAP admin user (Manager) is not allowed to add new schemas: the returned error is:

ldap_add: Insufficient access (50)

So, I think the Ubuntu configuration scripts are still missing some steps when configuring the OpenLDAP server package.

Should I open a new bug?

Gunnar Hjalmarsson (gunnarhj) wrote :

On 2017-04-03 18:14, Mauro wrote:
> Should I open a new bug?

Yes, please. You can file it against the server guide for now:

https://bugs.launchpad.net/serverguide/+filebug
