ldap_bind: Invalid credentials (49) persistent even with correct credentials and -x #1062

frateralexander · 2024-12-13T19:30:10Z

frateralexander
Dec 13, 2024

Hi,

I am encountering a persistent "ldap_bind: Invalid credentials (49)" error when trying to add a user with ldapadd, even after following the documentation and various troubleshooting tips. I believe there might be a configuration issue or a bug.

Environment:

Operating System: Ubuntu 22.04 (Jammy)
lldap Version: 0.6.2-alpha (compiled from source)

Steps to Reproduce:

Cloned the repository: git clone https://github.com/lldap/lldap.git
Checked out the version: git checkout v0.6.2-alpha
Compiled lldap: cargo build --release
Created the configuration directory: sudo mkdir /etc/lldap
Copied the executable: sudo cp target/release/lldap /usr/local/bin/
Created the configuration file /etc/lldap/lldap.toml (content below).
Created the data directory: sudo mkdir -p /var/lib/lldap
Created the systemd service file /etc/systemd/system/lldap.service (content below).
Reloaded systemd: sudo systemctl daemon-reload
Started the lldap service: sudo systemctl enable lldap && sudo systemctl start lldap
Tried to add a user with the following command: ldapadd -H ldap://localhost -v -x -D "cn=admin,dc=example,dc=org" -w "adminPass" -f user.ldif (the user.ldif file contains basic user information, example below).

Expected Behavior:

The user should be added successfully.

Current Behavior:

I receive the error:

ldap_initialize( ldap://localhost:389/??base )
ldap_bind: Invalid credentials (49)

Configurations:

my /etc/lldap/lldap.toml:

    bind_address = "0.0.0.0:389"
    base_dn = "dc=example,dc=org"
    data_dir = "/var/lib/lldap"
    tls_enabled = false
    [admin]
    dn = "cn=admin,dc=example,dc=org"
    password = "adminPass" # EXACT PASSWORD USED IN LDAPADD COMMAND

my /etc/systemd/system/lldap.service:

    [Unit]
    Description=lldap Server
    After=network.target

    [Service]
    Type=simple
    User=root
    ExecStart=/usr/local/bin/lldap run -c /etc/lldap/lldap.toml
    Restart=on-failure

    [Install]
    WantedBy=multi-user.target

user.ldif (Example):

    dn: uid=testuser,ou=people,dc=example,dc=org
    objectClass: inetOrgPerson
    objectClass: posixAccount
    uid: testuser
    cn: Test User
    sn: User
    givenName: Test
    uidNumber: 1001
    gidNumber: 1001
    homeDirectory: /home/testuser
    loginShell: /bin/bash
    userPassword: {SSHA}encrypted_password

Additional Information:

I have already verified connectivity with telnet localhost 389, and the port is open.
I have restarted the lldap service several times after changes to lldap.toml.
I have used ss -tulnp | grep 389, and lldap is listening on port 389 (LISTEN state).
I have run journalctl -u lldap, and I do not find relevant errors other than the authentication failure itself.
I have tried with a minimal lldap.toml with a simple password ("test"), but the error persists.
I used the command nmap localhost -p 389 and the port is open showing ldap service.

Question:

I would like to know if there is any additional configuration I am missing, or if t

Thanks

nitnelave · 2024-12-13T20:56:26Z

nitnelave
Dec 13, 2024
Maintainer

I am very confused by your lldap.toml.
None of the keys in that file are understood by LLDAP (bind_address is ldap_host and ldap_port, base_dn is ldap_base_dn, data_dir probably matches database_url, tls_enabled would be the [ldaps_options] section, and there's just no [admin] section).

You can start LLDAP with --verbose and it'll print in the logs the actual, resolved configuration that it used, after parsing. With the information that you have in this discussion, I expect LLDAP to start on port 3890, not 389. The best guess I have is that you have another LDAP server running on port 389. But even if it is hitting LLDAP, it definitely didn't take the password into account (wrong config key).

For the configuration, my recommendation is to use the lldap_config.docker_template.toml from the root of the repository, copy it, and then modify the values you want.

Now, for the ldapadd. LLDAP is meant to work without much knowledge of LDAP itself, and especially ldif and the various LDAP tools. As such, it's usually not guaranteed to work well with most LDAP directory viewers, schema explorers, management tools and other "powerful" generic LDAP tools. In particular, the modification operations are by and large not supported through LDAP. (Basic user creation and setting passwords are supported). The recommended interface is the web UI that ships with it, the GraphQL interface for scripting, or the community CLI tool lldap-cli.

Finally, some more notes: some of the attributes you are trying to set for the user don't exist by default (uidNumber, homeDirectory, ...) You have to create them as custom attributes before you can give them values.
And passwords are not handled through salted hashes, but through a zero-knowledge proof; without going into details, it means that you cannot import into or export passwords from LLDAP. You have to use either the web UI, the provided binary lldap_set_password, or an LDAP extended query for setting passwords (not recommended for security).

I hope that helps! I feel like the project is not exactly what you expected; if you have experience with other LDAP servers, it's quite different (on purpose). Feel free to join the Discord channel if you want to chat about it!

2 replies

frateralexander Dec 27, 2024
Author

Sorry, I was really confused trying to set up lldap.
Part of the confusion comes from not being used to using standard LDAP, so I'm trying to learn both in parallel.
I think I managed to get part of the lldap configuration right, which now looks like this:

verbose = true
ldap_host = "127.0.0.1"
ldap_port = 3890
http_host = "0.0.0.0"
http_port = 17170
http_url = "http://xx.xxx.xx.xxx:17170"
ldap_base_dn = "dc=test,dc=local"
ldap_user_dn = "admin"
ldap_user_email = "admin@test.local"
ldap_user_pass = "admin1234"
database_url = "sqlite:////var/lib/lldap/users.db?mode=rwc"
key_seed = "teste123456"
[ldaps_options]
enabled = false

With this configuration, I was at least able to start the service and I can now begin testing.

Some questions remain after the explanation:

I will initially try to create my test users with lldap-cli, but is there any documentation that explains how to deal with PAM and nsswitch to authenticate on Linux?
Regarding the POSIX authentication standard, can I ensure the same username and group name?
Having a customer database with passwords defined with MD5 hash, can I import these passwords with lldap_set_password?

Thanks

nitnelave Dec 27, 2024
Maintainer

Hey! Glad to have you back :)

I would recommend creating your test users through the web UI, that's the most comfortable. Or you can define them in json and use bootstrap.sh to synchronize them.

As for PAM, we have a guide for it. I don't have the link right now, I'm on my phone, but it's in the readme, in the integrations section, about Linux.

As for importing password hashes, you can't. Just send a password reset email, that's the best you can do.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

ldap_bind: Invalid credentials (49) persistent even with correct credentials and -x #1062

Uh oh!

{{title}}

Uh oh!

Replies: 1 comment 2 replies

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Select a reply

Uh oh!

Uh oh!

ldap_bind: Invalid credentials (49) persistent even with correct credentials and -x #1062

Uh oh!

frateralexander Dec 13, 2024

Replies: 1 comment · 2 replies

Uh oh!

nitnelave Dec 13, 2024 Maintainer

Uh oh!

frateralexander Dec 27, 2024 Author

Uh oh!

Uh oh!

nitnelave Dec 27, 2024 Maintainer

frateralexander
Dec 13, 2024

Replies: 1 comment 2 replies

nitnelave
Dec 13, 2024
Maintainer

frateralexander Dec 27, 2024
Author

nitnelave Dec 27, 2024
Maintainer