ubuntuldap

LDAP: `ldapadd` Works but `ldapdelete` Does Not


I am learning LDAP using Ubuntu 24.04 and am stumped by the following:

  1. LDAP password has been set during sudo dpkg-reconfigure slapd
  2. Created base.ldif:
dn: ou=people,dc=vmvm,dc=com
objectClass: organizationalUnit
ou: people

dn: ou=groups,dc=vmvm,dc=com
objectClass: organizationalUnit
ou: groups
  1. Added successfully, i.e. LDAP password is correct
$ ldapadd -x -D cn=admin,dc=vmvm,dc=com -W -f base.ldif
Enter LDAP Password:
adding new entry "ou=people,dc=vmvm,dc=com"

adding new entry "ou=groups,dc=vmvm,dc=com"
  1. Verified using ldapsearch:
$ ldapsearch -xLLL -H ldap:// -b "dc=vmvm,dc=com"
dn: dc=vmvm,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: vm
dc: vmvm

dn: ou=people,dc=vmvm,dc=com
objectClass: organizationalUnit
ou: people

dn: ou=groups,dc=vmvm,dc=com
objectClass: organizationalUnit
ou: groups

$ ldapsearch -xLLL -b "ou=groups,dc=vmvm,dc=com"
dn: ou=groups,dc=vmvm,dc=com
objectClass: organizationalUnit
ou: groups
  1. Now when I try to delete ou=groups,dc=vmvm,dc=com, it fails because suddenly my LDAP password is wrong!
$ ldapdelete -D ou=groups,dc=vmvm,dc=com -W
Enter LDAP Password:
ldap_bind: Invalid credentials (49)

$ ldapdelete "ou=groups,dc=vmvm,dc=com" -W
Enter LDAP Password:
SASL/SCRAM-SHA-512 authentication started
ldap_sasl_interactive_bind: Invalid credentials (49)
    additional info: SASL(-13): user not found: no secret in database

Any advice on what am I doing wrong here?

NB: when I set LDAP password during installation, there was no mention of admin account name -- it only asks me for password. Is this password tied to a default root/admin LDAP entity?


Solution

  • Is this password tied to a default root/admin LDAP entity?

    Yes, the "LDAP password" that you have is specifically for the cn=admin,dc=vmvm,dc=com entity, so that's what you need to specify for the -D (bind DN) parameter.

    $ ldapdelete -x -D cn=admin,dc=vmvm,dc=com -W ou=groups,dc=vmvm,dc=com
                 └┤ └─┬──────────────────────┘ ├┘ └──┬───────────────────┘
                  │   └─ bind DN (username)    │     └─ what to delete
                  │                            │
                  │          ask for password ─┘
                  │
                  └─ use "simple bind" (log in as LDAP entity)
    

    As you can see, in the first ldapdelete command, you were actually specifying the "to be deleted" entry DN as your username (the 'bind' DN).

    In the second ldapdelete command, you're not specifying any username (bind DN) at all, so it attempts SASL authentication and you probably don't have it set up. (Most SASL mechanisms involve some setup outside of the slapd service.)


    Any entry can have a userPassword attribute and can be logged-in to; there is no separate user account database. Only the initial "root" account is virtual, because it has to exist before you initialize the database (and this is an OpenLDAP-specific thing); its name and password are usually defined via service configuration (the olcRootDN and olcRootPW parameters). Your Debian package's "debconf" scripts automatically decided on the rootDN (cn=admin + your base DN) when it generated the initial slapd config.