Recently, while setting up a new OpenLDAP server, I came across an annoying problem:

ldap_bind: Invalid credentials (49)

Usually this is because of a typo when entering a password. After trying a couple of times, I knew my fingers were not failing me, so I performed some debugging steps.

  • Configurations, OK
  • Recreate the password and reload, OK
  • Run ldapsearch, Invalid credentials (49)

Next I ran ldapsearch by itself, with no options, to see what would happen. When I was prompted for a password, I just hit enter. A listing from our central LDAP directory appeared. What?!

A bit of background. My servers use a central OpenLDAP directory for users and groups. Whenever a new server is provisioned, it is automatically configured to use the central directory.

So what was happening? Even though I was working on a local OpenLDAP installation, the commands I was running were by default looking at the central directory, not the local installation.

The solution turned out to be a simple one: specify “ldap://localhost/” as the server URI. Now when I ran my ldap commands they ran against the local install and not the remote LDAP directory.
So remember:

  • Don’t use the same password everywhere. If I had, I would have ended up modifying the wrong LDAP database.
  • When possible test with a non-destructive command first. While ldapmodify would have given an error too, I know ldapsearch does not do any damage.
  • Don’t assume commands are using localhost.
  • If a host is configured to use a central LDAP directory, it becomes the default LDAP database unless you specify otherwise.
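A small check for the last two points, added here as an example and not part of the original post: it works out which server the OpenLDAP client tools (ldapsearch, ldapmodify, ...) will use when no server URI is given, by reading the LDAPURI environment variable and then the URI directive of a client ldap.conf, and warns when that is not the local host. The sample config is constructed, and the real config path (/etc/ldap/ldap.conf on Debian/Ubuntu, /etc/openldap/ldap.conf on Red Hat) is an assumption for you to substitute.

```shell
#!/bin/sh
# Added example: find out where ldapsearch/ldapmodify will connect by default.
# Assumed resolution order, following ldap.conf(5): the LDAPURI environment
# variable overrides the URI directive in the client config file, and with
# neither set libldap falls back to ldap://localhost/. Per-user ~/.ldaprc files
# are deliberately not considered here.

# Print the effective default URI.
#   $1 = value of LDAPURI (may be empty)   $2 = path of the ldap.conf to read
effective_ldap_uri() {
    env_uri=$1
    conf=$2
    if [ -n "$env_uri" ]; then
        printf '%s\n' "$env_uri"
        return 0
    fi
    # Last uncommented URI directive wins; drop the keyword and any trailing comment.
    uri=$(sed -n 's/^[[:space:]]*[Uu][Rr][Ii][[:space:]]\{1,\}\([^#]*\).*/\1/p' "$conf" 2>/dev/null \
          | tail -n 1 | sed 's/[[:space:]]*$//')
    if [ -n "$uri" ]; then
        printf '%s\n' "$uri"
    else
        printf 'ldap://localhost/\n'   # libldap built-in default
    fi
}

# Return 0 only if every URI in the (space separated) list points at this host.
is_local_uri() {
    for u in $1; do
        host=${u#*://}          # strip the scheme
        host=${host%%[:/]*}     # strip port and path
        case "$host" in
            localhost|127.0.0.1|'') ;;   # '' is a local ldapi:// socket
            *) return 1 ;;
        esac
    done
    return 0
}

# Constructed sample config, like a host provisioned against a central directory.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
# constructed sample ldap.conf
BASE   dc=example,dc=com
URI    ldap://ldap.example.com/ ldap://ldap2.example.com/   # central directory
EOF

uri=$(effective_ldap_uri "${LDAPURI:-}" "$SAMPLE_CONF")
if is_local_uri "$uri"; then
    echo "default target is local: $uri"
else
    echo "WARNING: default target is remote ($uri); pass -H ldap://localhost/ to work on the local install"
fi
rm -f "$SAMPLE_CONF"
```

Run it on a freshly provisioned host (pointing at the real ldap.conf) before touching a local directory, so the warning tells you whether a bind or modify would go to the central server instead.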