We have an IPA environment that has an existing trust with Active Directory.
I'm trying to troubleshoot some things, and am trying to run a `ldapsearch` against our IPA environment. It keeps asking for an LDAP Bind password.
1. I know the Directory Admin password
2. I know the local 'admin' password to get into the UI as the "admin" user
3. I know my own Active Directory password.
None of these passwords are working.
[root@cha-cop-lab-mgt-ath-001 whitedm]# ldapsearch -ZZ -H ldap://ipa-hostname-001.lab.example.net -b 'cn=compat,dc=fiberlab,dc=example,dc=net' -D 'cn=whitedm' -W
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
I recall setting up the LDAP password on the initial install of the IPA software when these servers were first launched. How can I reset this LDAP password?
White, David via FreeIPA-users wrote:
We have an IPA environment that has an existing trust with Active Directory.
I'm trying to troubleshoot some things, and am trying to run a `ldapsearch` against our IPA environment. It keeps asking for an LDAP Bind password.
- I know the Directory Admin password
- I know the local 'admin' password to get into the UI as the "admin" user
- I know my own Active Directory password.
None of these passwords are working.
[root@cha-cop-lab-mgt-ath-001 whitedm]# ldapsearch -ZZ -H ldap://ipa-hostname-001.lab.example.net -b 'cn=compat,dc=fiberlab,dc=example,dc=net' -D 'cn=whitedm' -W
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
I recall setting up the LDAP password on the initial install of the IPA software when these servers were first launched. How can I reset this LDAP password?
The format of the bind DN is incorrect. It is neither DM, admin nor Administrator, for one.
I assume you are trying to bind as yourself? It would be something like -D 'uid=whitedm,cn=users,cn=accounts,dc=example,dc=net'
For admin replace whitedm with admin.
For DM use -D 'cn=Directory Manager'
I'm not sure about binding as the AD Administrator, whether that would be useful at all.
rob
On Tue, 04 Aug 2020, White, David via FreeIPA-users wrote:
We have an IPA environment that has an existing trust with Active Directory.
I'm trying to troubleshoot some things, and am trying to run a `ldapsearch` against our IPA environment. It keeps asking for an LDAP Bind password.
- I know the Directory Admin password
- I know the local 'admin' password to get into the UI as the "admin" user
- I know my own Active Directory password.
None of these passwords are working.
[root@cha-cop-lab-mgt-ath-001 whitedm]# ldapsearch -ZZ -H ldap://ipa-hostname-001.lab.example.net -b 'cn=compat,dc=fiberlab,dc=example,dc=net' -D 'cn=whitedm' -W
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
I recall setting up the LDAP password on the initial install of the IPA software when these servers were first launched. How can I reset this LDAP password?
What are you trying to achieve here? You are using the compat tree, which is a read-only dynamic view on some content provided elsewhere.
You are using your own account RDN but ldapsearch wants your DN for bind, not RDN. Your DN depends on what you want to authenticate with --
if this is your AD user, then you need to use a compat tree DN for uid=whitedm@ad.domain,cn=users,cn=compat,dc=....
if this is your IPA user, then you need to use your IPA user DN, e.g. uid=admin,cn=users,cn=accounts,dc=...
if this is Directory Manager, then DN is 'cn=Directory Manager'. It looks like an RDN but that's a virtual object which doesn't exist anywhere and is treated by 389-ds in a special way.
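As an added example (not code from either reply, nor from FreeIPA itself), a small POSIX shell helper that derives the full bind DN for the three cases Rob and Alexander describe and wraps ldapsearch with it; the host, domain and user names are placeholders, and the caller supplies the search base (e.g. the compat tree) as extra arguments.

```shell
#!/bin/sh
# Added example: build the correct bind DN for ldapsearch against FreeIPA.
# All hostnames, domains and user names here are constructed placeholders.

# Convert a DNS domain (example.net) into an LDAP suffix (dc=example,dc=net).
domain_to_suffix() {
    printf '%s' "$1" | awk -F. '{
        for (i = 1; i <= NF; i++) {
            printf "%sdc=%s", (i > 1 ? "," : ""), $i
        }
    }'
}

# ipa_bind_dn KIND NAME SUFFIX
#   KIND=dm   -> cn=Directory Manager (virtual entry, no container)
#   KIND=ipa  -> uid=NAME,cn=users,cn=accounts,SUFFIX   (IPA-native user)
#   KIND=ad   -> uid=NAME,cn=users,cn=compat,SUFFIX     (NAME is user@AD.DOMAIN)
ipa_bind_dn() {
    kind=$1; name=$2; suffix=$3
    case "$kind" in
        dm)  printf 'cn=Directory Manager' ;;
        ipa) printf 'uid=%s,cn=users,cn=accounts,%s' "$name" "$suffix" ;;
        ad)
            # Trusted AD users only appear in the compat tree, keyed by user@AD.DOMAIN.
            case "$name" in
                *@*) printf 'uid=%s,cn=users,cn=compat,%s' "$name" "$suffix" ;;
                *)   echo "ad user must be given as user@AD.DOMAIN" >&2; return 1 ;;
            esac ;;
        *)   echo "unknown kind: $kind" >&2; return 1 ;;
    esac
}

# ipa_ldapsearch KIND NAME DOMAIN HOST [ldapsearch args...]
# Runs ldapsearch with STARTTLS (-ZZ) and a full bind DN, prompting for the
# password (-W); the caller passes -b and a filter after the four positionals.
ipa_ldapsearch() {
    kind=$1; name=$2; domain=$3; host=$4; shift 4
    suffix=$(domain_to_suffix "$domain") || return 1
    dn=$(ipa_bind_dn "$kind" "$name" "$suffix") || return 1
    ldapsearch -ZZ -H "ldap://$host" -D "$dn" -W "$@"
}

# Example invocation (placeholders): read the compat tree as the IPA user whitedm.
# ipa_ldapsearch ipa whitedm example.net ipa-hostname-001.lab.example.net \
#     -b 'cn=compat,dc=example,dc=net' '(uid=whitedm*)'
```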
Thank you. Without getting too much into the weeds, I've had an ongoing conversation for quite some time with some support folks who are trying to help me troubleshoot why we've been unable to get authentication working - as of yet - on RHEL 6 clients, when RHEL 7 works perfectly fine.
The support team asked me to run that query and provide stdout, but as of yet, I've been unable to get it to work, due to the failed credentials. Your explanation makes a lot of sense.
Due to the limitations of sssd in RHEL 6 and how sssd integrates with an IPA installation that has a trust back to AD, I'm aware that there's some differences in how the client gets configured. I think some of the limitations we're running into are also related to our firewall flows and that we're using KdcProxy features on the IdM servers to proxy all Kerberos requests to AD through the IPA servers.
I've sent this email thread over to our (new) technical account manager, and we'll continue to work together towards a resolution.
On 8/4/20, 10:42 AM, "Alexander Bokovoy" abokovoy@redhat.com wrote:
On Tue, 04 Aug 2020, White, David via FreeIPA-users wrote:
> We have an IPA environment that has an existing trust with Active Directory.
>
> I'm trying to troubleshoot some things, and am trying to run a `ldapsearch` against our IPA environment.
> It keeps asking for an LDAP Bind password.
>
> 1. I know the Directory Admin password
> 2. I know the local 'admin' password to get into the UI as the "admin" user
> 3. I know my own Active Directory password.
>
> None of these passwords are working.
>
> [root@cha-cop-lab-mgt-ath-001 whitedm]# ldapsearch -ZZ -H ldap://ipa-hostname-001.lab.example.net -b 'cn=compat,dc=fiberlab,dc=example,dc=net' -D 'cn=whitedm' -W
> Enter LDAP Password:
> ldap_bind: Invalid credentials (49)
>
> I recall setting up the LDAP password on the initial install of the IPA software when these servers were first launched.
> How can I reset this LDAP password?
What are you trying to achieve here? You are using the compat tree, which is a read-only dynamic view on some content provided elsewhere.
You are using your own account RDN but ldapsearch wants your DN for bind, not RDN. Your DN depends on what you want to authenticate with --
if this is your AD user, then you need to use a compat tree DN for uid=whitedm@ad.domain,cn=users,cn=compat,dc=....
if this is your IPA user, then you need to use your IPA user DN, e.g. uid=admin,cn=users,cn=accounts,dc=...
if this is Directory Manager, then DN is 'cn=Directory Manager'. It looks like an RDN but that's a virtual object which doesn't exist anywhere and is treated by 389-ds in a special way.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
freeipa-users@lists.fedorahosted.org