Bug 1353916 - ldapsearch using '-y passwdfile' responds with Invalid credentials although the password in passwdfile is correct
Status: CLOSED NOTABUG
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: openldap
Version: 7.2
Hardware: x86_64 Linux
Priority: low
Severity: low
Target Milestone: rc
Assigned To: Matus Honek
QA Contact: BaseOS QE Security Team
Reported: 2016-07-08 08:06 EDT by Joerg K
Modified: 2016-12-02 05:39 EST
Last Closed: 2016-12-02 05:39:29 EST
Type: Bug
Description Joerg K 2016-07-08 08:06:22 EDT
Description of problem:
After Configuring LDAP User Stores from the Command Line (https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System-Level_Authentication_Guide/authconfig-ldap.html#authconfig-ldap-cmd) I would like to test the connection with ldapsearch.

When using ldapsearch with the parameter '-W' I was asked for the password, entered it on the command line and got the expected result of my search. Now I put the password into a passwdfile and restricted the file permissions, so only root has read access. When I run the search with 'ldapsearch -v -h hostname -y passwdfile [...]' and the same parameters as in my first search, I get the following error:
ldap_initialize( ldap://ldapbackend )
ldap_bind: Invalid credentials (49)

Version-Release number of selected component (if applicable):
openldap-clients-2.4.40-9.el7_2.x86_64

How reproducible:
It happens all the time.

Steps to Reproduce:
1. Run `ldapsearch -v -h hostname -y /root/passwdfile -D "cn=stringA,ou=stringB,o=stringC,o=stringD,o=stringE" -b "o=stringC,o=stringD,o=stringE" "(uid=john)"`

Actual results:
ldap_initialize( ldap://hostname )
ldap_bind: Invalid credentials (49)

Expected results:
filter: (uid=john)
requesting: All userApplication attributes
# extended LDIF
#
# LDAPv3
# base <o=stringC,o=stringD,o=stringE> with scope subtree
# filter: (uid=john)
# requesting: ALL
#

# john, people, stringC, stringD, stringE
dn: uid=john,ou=people,o=StringC,o=stringD,o=stringE
uidNumber: 123456
loginShell: /usr/bin/bash
homeDirectory: /home/john
gecos:: IErDtnJnIEthc3RuaW5nLFVIUlosLDA=
gidNumber: 101
cn: john
sn: john
uid: john
objectClass: posixAccount
objectClass: top
objectClass: inetOrgPerson
objectClass: shadowAccount
objectClass: organizationalPerson
objectClass: person

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

Additional info:
When I run the following query instead, I get the expected result:
ldapsearch -v -h hostname -W -D "cn=stringA,ou=stringB,o=stringC,o=stringD,o=stringE" -b "o=stringC,o=stringD,o=stringE" "(uid=john)"

ldap_initialize( ldap://hostname )
Enter LDAP Password: <secret password>

I could reproduce this issue on a second system with the same OS and LDAP support libraries installed.
Comment 2 Joerg K 2016-07-09 04:52:52 EDT
Hello,

I just got a helpful hint in another [discussion](https://access.redhat.com/discussions/2433341).

James advised me to make sure that there is no newline character of any kind at the end of the passwdfile.

To check whether there is a newline character or not, you can run the following command:
>od -c proxytest 
0000000   S   e   c   r   e   t   P   a   s   s   w   o   r   d   1  \n
0000020

I was surprised to see the newline character there. The reason is explained by James in his post. VIM and VI auto-append a newline character when creating a single-word file.

James advised me to create the passwd file with "echo -n (string) > file". I did so and got a correct passwdfile:
root@rhel-t1>echo -n SecretPassword1 > proxytest
root@rhel-t1>od -c proxytest 
0000000   S   e   c   r   e   t   P   a   s   s   w   o   r   d   1
0000017

ldapsearch worked just fine using this passwdfile. It is safe to say that this is not a bug. I just did not know that there must not be any newline character in the passwd file. I did not find anything about that in the manpage for ldapsearch. Maybe it would be an enhancement if some information on how to create the passwdfile were added to the manpage.

Kind regards,
Joerg
Comment 4 Matus Honek 2016-12-02 05:39:29 EST
Thank you for posting the solution, too.

For `-y passwdfile` ldapsearch(1) manpage states:
"Use complete contents of passwdfile as the password for simple authentication."

The word "complete" is sufficient here. This issue has been discussed several times on upstream mailing lists, always with an explanation in the sense of "entire contents, that is, including whitespace characters".

Feel free to propose a manpage fix to upstream. However, I am closing this as NOTABUG.
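The two points above (the "echo -n" recipe from Comment 2 and the "complete contents" semantics from Comment 4) as an added shell example that is not part of this bug report: it writes a password file for `ldapsearch -y` without a trailing newline and owner-only permissions, and checks an existing file for trailing bytes that would silently become part of the bind password. It assumes a POSIX sh with printf, od, wc, ls and tr; the file names and the sample password are constructed.

```shell
#!/bin/sh
# Added example, not from the bug report: create and check a password file
# for ldapsearch -y. Assumes POSIX sh with printf, od, wc, ls, tr.

# Write PASSWORD to FILE, readable by the owner only, with no trailing newline.
# printf '%s' is used rather than echo -n because echo -n is not portable.
write_passwdfile() {
    _file=$1; _password=$2
    ( umask 077 && printf '%s' "$_password" > "$_file" )
}

# Hex of the last byte of FILE (e.g. "0a" for newline); empty for an empty file.
last_byte_hex() {
    _hex=$(od -An -v -tx1 "$1" | tr -d ' \n')
    printf '%s' "${_hex#"${_hex%??}"}"
}

# Return 0 if FILE ends in newline, carriage return, space or tab: ldapsearch
# sends the complete file contents, so that byte would be part of the password.
has_trailing_whitespace() {
    case "$(last_byte_hex "$1")" in
        0a|0d|20|09) return 0 ;;
        *) return 1 ;;
    esac
}

# Byte count of FILE, i.e. the exact password length ldapsearch will send.
passwd_length() {
    wc -c < "$1" | tr -d ' '
}

# Human-readable check; exit status 0 when the file looks right, 1 otherwise.
check_passwdfile() {
    _file=$1
    if [ ! -s "$_file" ]; then
        echo "$_file: empty or missing"; return 1
    fi
    if has_trailing_whitespace "$_file"; then
        echo "$_file: ends in byte 0x$(last_byte_hex "$_file"); recreate it with printf '%s' or echo -n"
        return 1
    fi
    echo "$_file: $(passwd_length "$_file") bytes, no trailing whitespace"
    return 0
}
```

Running `check_passwdfile /root/passwdfile` before an ldapsearch bind tells you whether an "Invalid credentials (49)" could be caused by the file rather than by the password itself.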
