I am learning LDAP using Ubuntu 24.04 and am stumped by the following:
sudo dpkg-reconfigure slapd
base.ldif
:dn: ou=people,dc=vmvm,dc=com
objectClass: organizationalUnit
ou: people
dn: ou=groups,dc=vmvm,dc=com
objectClass: organizationalUnit
ou: groups
$ ldapadd -x -D cn=admin,dc=vmvm,dc=com -W -f base.ldif
Enter LDAP Password:
adding new entry "ou=people,dc=vmvm,dc=com"
adding new entry "ou=groups,dc=vmvm,dc=com"
ldapsearch
:$ ldapsearch -xLLL -H ldap:// -b "dc=vmvm,dc=com"
dn: dc=vmvm,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: vm
dc: vmvm
dn: ou=people,dc=vmvm,dc=com
objectClass: organizationalUnit
ou: people
dn: ou=groups,dc=vmvm,dc=com
objectClass: organizationalUnit
ou: groups
$ ldapsearch -xLLL -b "ou=groups,dc=vmvm,dc=com"
dn: ou=groups,dc=vmvm,dc=com
objectClass: organizationalUnit
ou: groups
ou=groups,dc=vmvm,dc=com
, it fails because suddenly my LDAP password is wrong!$ ldapdelete -D ou=groups,dc=vmvm,dc=com -W
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
$ ldapdelete "ou=groups,dc=vmvm,dc=com" -W
Enter LDAP Password:
SASL/SCRAM-SHA-512 authentication started
ldap_sasl_interactive_bind: Invalid credentials (49)
additional info: SASL(-13): user not found: no secret in database
Any advice on what am I doing wrong here?
NB: when I set LDAP password during installation, there was no mention of admin account name -- it only asks me for password. Is this password tied to a default root
/admin
LDAP entity?
Is this password tied to a default root/admin LDAP entity?
Yes, the "LDAP password" that you have is specifically for the cn=admin,dc=vmvm,dc=com
entity, so that's what you need to specify for the -D
(bind DN) parameter.
$ ldapdelete -x -D cn=admin,dc=vmvm,dc=com -W ou=groups,dc=vmvm,dc=com └┤ └─┬──────────────────────┘ ├┘ └──┬───────────────────┘ │ └─ bind DN (username) │ └─ what to delete │ │ │ ask for password ─┘ │ └─ use "simple bind" (log in as LDAP entity)
As you can see, in the first ldapdelete command, you were actually specifying the "to be deleted" entry DN as your username (the 'bind' DN).
In the second ldapdelete command, you're not specifying any username (bind DN) at all, so it attempts SASL authentication and you probably don't have it set up. (Most SASL mechanisms involve some setup outside of the slapd service.)
Any entry can have a userPassword attribute and can be logged-in to; there is no separate user account database. Only the initial "root" account is virtual, because it has to exist before you initialize the database (and this is an OpenLDAP-specific thing); its name and password are usually defined via service configuration (the olcRootDN and olcRootPW parameters). Your Debian package's "debconf" scripts automatically decided on the rootDN (cn=admin
+ your base DN) when it generated the initial slapd config.