Recently, while setting up a new OpenLDAP server, I came across an annoying problem:
ldap_bind: Invalid credentials (49)
Usually this is because of a typo when entering a password. After trying a couple of times, I knew my fingers were not failing me, so I performed some debugging steps:
- Configurations, OK
- Recreate the password and reload, OK
- Run ldapsearch, Invalid credentials (49)
Next I ran ldapsearch by itself, with no options, to see what would happen. When I was prompted for a password, I just hit enter. A listing from our central LDAP directory appeared. What?!
A bit of background. My servers use a central OpenLDAP directory for users and groups. Whenever a new server is provisioned, it is automatically configured to use the central directory.
So what was happening? Even though I was working on a local OpenLDAP installation, the commands I was running were, by default, talking to the central directory, not the local installation.
The solution turned out to be a simple one: specify the server URI, “ldap://localhost/”, explicitly. Now when I ran my ldap commands they ran against the local install and not the remote LDAP directory. A few lessons learned:
- Don’t use the same password everywhere. If I had, I would have ended up modifying the wrong LDAP database.
- When possible, test with a non-destructive command first. While ldapmodify would have given an error too, I know ldapsearch does not do any damage.
- Don’t assume commands are using localhost.
- If a host is configured to use a central LDAP directory, it becomes the default LDAP database unless you specify otherwise.
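The following shell script is an added example, not part of the original post. It shows how to find out which server the OpenLDAP client tools will contact before running anything, and it wraps the "don't assume localhost" lesson in a small guard that refuses to run unless the target URI was given explicitly with the tools' -H option. The resolution order is simplified from ldap.conf(5): the system ldap.conf sets the default URI, the LDAPURI environment variable overrides it, and with neither set the tools fall back to localhost. The config file contents, the central.example.com host and the example.com DNs are all constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post): check which LDAP server the
# OpenLDAP command-line tools will use by default, and refuse to run a
# command whose target was not stated explicitly with -H.
#
# Simplified resolution order (see ldap.conf(5) for the full list of files
# and variables): LDAPURI environment variable, then the URI line of the
# system ldap.conf, then ldap://localhost/.

# Print the first URI value from an ldap.conf-style file (keyword is
# case-insensitive; only the first URI on the line is taken).
ldap_conf_uri() {
    conf="$1"
    [ -r "$conf" ] || return 0
    awk 'toupper($1) == "URI" { print $2; exit }' "$conf"
}

# Effective default target for the client tools.
ldap_default_uri() {
    conf="$1"
    if [ -n "$LDAPURI" ]; then
        printf '%s\n' "$LDAPURI"
        return 0
    fi
    uri=$(ldap_conf_uri "$conf")
    if [ -n "$uri" ]; then
        printf '%s\n' "$uri"
    else
        printf '%s\n' "ldap://localhost/"
    fi
}

# Guard: first argument is the ldap.conf to consult, the rest are the
# arguments you intend to pass to ldapsearch/ldapmodify. Succeeds only if
# a -H <uri> is among them, so a forgotten option cannot silently send the
# command to the central directory.
ldap_require_explicit_target() {
    conf="$1"
    shift
    for arg in "$@"; do
        case "$arg" in
            -H|-H*) return 0 ;;
        esac
    done
    echo "refusing: no -H given; default target would be $(ldap_default_uri "$conf")" >&2
    return 1
}

# Demonstration with a constructed ldap.conf that points at a central directory,
# the situation described in the post.
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
# constructed ldap.conf for the example
BASE   dc=example,dc=com
URI    ldap://central.example.com/
EOF

echo "default target: $(ldap_default_uri "$demo_conf")"

# Without -H the guard refuses (exit status 1) and names the server that
# would have been contacted.
ldap_require_explicit_target "$demo_conf" -x -D "cn=admin,dc=example,dc=com" -W || true

# With -H the guard passes; this is the form of the bind test from the post:
#   ldapsearch -H ldap://localhost/ -x -D "cn=admin,dc=example,dc=com" -W -b "dc=example,dc=com"
if ldap_require_explicit_target "$demo_conf" -H ldap://localhost/ -x -W; then
    echo "target is explicit, safe to run against the local server"
fi

rm -f "$demo_conf"
```

Running the script prints the central directory as the default target, then the refusal message, then the confirmation line. The guard is deliberately dumb: it only checks that -H is present, so that it stays correct for ldapsearch, ldapmodify, ldapadd and ldapdelete alike, which all accept the same option.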