Category Archives: LDAP

ldappasswd and "ldap_sasl_interactive_bind_s: Invalid credentials (49)" error message

Some context might be useful. We have an openldap instance to manage users. We also have phpLDAPadmin, but that's not the point. The point is that I want to add/edit a user from the command line. Adding a user is not a problem.

[codesyntax lang="bash"]

ldapadduser john.doe users
Warning : using command-line passwords, ldapscripts may not be safe
Successfully added user john.doe to LDAP
Successfully set password for user john.doe

[/codesyntax]

However, changing the password was a little bit more problematic.

[codesyntax lang="bash"]

ldappasswd briana.bennett
SASL/DIGEST-MD5 authentication started
Please enter your password: 
ldap_sasl_interactive_bind_s: Invalid credentials (49)
	additional info: SASL(-13): user not found: no secret in database

[/codesyntax]

I also tried with:

[codesyntax lang="bash"]

ldappasswd -D "cn=admin,dc=domain,dc=net" -W -x john.doe
Enter LDAP Password:
Result: Invalid syntax (21)
Additional info: Invalid DN

[/codesyntax]

Hmm... have no fear, I solved the problem. For future reference if anyone happens across this post with the same issue: the user whose password you are trying to change must also be given as a full DN, not just the uid:

[codesyntax lang="bash"]

ldappasswd -D 'cn=admin,dc=domain,dc=net' -W -S -x 'uid=john.doe,ou=users,dc=domain,dc=net' -s KZ1URpsdEhP1HOJG

[/codesyntax]

Note: instead of -s (which specifies the new password on the command line, where it ends up in your shell history and is visible to other users via ps), use -S to instruct ldappasswd to prompt for the new password.
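The same password change as a small POSIX sh wrapper, added here as an example (it is not from the original post): it expands the uid to the full DN the server expects, rejects uids that could smuggle extra RDNs into the DN, and reads the new password from a prompt. The admin DN and users OU are assumed placeholders.

```shell
#!/bin/sh
# Added example: wrap ldappasswd so the uid is expanded to a full DN and the
# new password is prompted for (-S) rather than passed on the command line (-s).
# Assumed placeholders: adjust the admin DN and the users OU to your directory.

LDAP_ADMIN_DN='cn=admin,dc=domain,dc=net'
LDAP_USERS_BASE='ou=users,dc=domain,dc=net'

# Accept only letters, digits, dots, hyphens and underscores in a uid, so a
# value such as 'john,ou=admins' cannot change which entry the DN points at.
valid_uid() {
    case "$1" in
        '' | *[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print the full DN for a uid; returns non-zero (and prints nothing) if the
# uid fails validation.
uid_to_dn() {
    valid_uid "$1" || return 1
    printf 'uid=%s,%s\n' "$1" "$LDAP_USERS_BASE"
}

# Change a user's password: simple bind (-x) as the admin DN, prompt for the
# admin's bind password (-W) and for the user's new password (-S).
ldap_set_password() {
    dn=$(uid_to_dn "$1") || { echo "invalid uid: $1" >&2; return 1; }
    ldappasswd -x -D "$LDAP_ADMIN_DN" -W -S "$dn"
}
```

Run it as `ldap_set_password john.doe`; the two prompts are the admin bind password and the new user password.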

Enable LDAP authentication in Apache

Assuming you have an LDAP server somewhere and you don't want to authenticate users via an htpasswd file anymore... I mean, having all your users in one place is a good thing - it's debatable, but in general it is a good thing, right?

Now, the technical part...

My LDAP structure is like this:
- groups: cn=group,ou=groups,dc=example,dc=com
- users: uid=firstname.lastname,ou=users,dc=example,dc=com

Next... apache2...

[codesyntax lang="bash"]

a2enmod authnz_ldap

[/codesyntax]

Add this inside your virtualhost:

[codesyntax lang="apache"]

<Location />
        Order allow,deny
        Allow from all
        Deny from all
        AuthName "Boo..."
        AuthType Basic
        AuthBasicProvider ldap
        AuthzLDAPAuthoritative on

        # Search user
        AuthLDAPURL ldap://IP-DOMAIN-CONTROLLER:389/ou=users,dc=example,dc=com?uid

        # Use this user to bind to LDAP
        AuthLDAPBindDN "uid=ldapauthuser,ou=users,dc=example,dc=com"
        AuthLDAPBindPassword "password"
        Require valid-user
        Satisfy any

        # More restrictions!
        # specific user
        #   Require ldap-user john.doe john1.doe john2.doe
        # specific user by DN
        #   Require ldap-dn CN=John Doe,OU=Finance,OU=Germany,DC=example,DC=net
        # member of group
        #   Require ldap-group CN=Finance Department,OU=Finance,OU=Germany,DC=example,DC=net
</Location>

[/codesyntax]

Two things to keep in mind: AuthLDAPBindPassword sits in clear text in the config, so keep that file readable only by root, and a plain ldap:// URL sends both the bind password and every authenticating user's password to the directory unencrypted, so use ldaps:// when the directory supports it.

Restart the Apache server:

[codesyntax lang="bash"]

/etc/init.d/apache2 restart

[/codesyntax]

That's it!