I have kept my LDAP password in $HOME/.ldap_pw on my Mac. The file has permissions set to 600:

-rw-------  1 myself  mygroup  18 Mar 27 17:20 .ldap_pw

When I invoke ldapsearch with the -y option like this, to list the members of the group mygroup:

ldapsearch -y "$HOME/.ldap_pw" -H ldaps://ldap.mycompany.com -D myself@mycompany.com -W -b DC=mycompany,DC=com -x '(&(objectcategory=Group)(cn=mygroup))'

I get this error:

ldap_bind: Invalid credentials (49)
    additional info: 80090308: LdapErr: DSID-0C090442, comment: AcceptSecurityContext error, data 52e, v3839

The password stored in the file is correct. Also, the above command works fine when run without the -y option, with the password entered when prompted.

What is going wrong here?

I get the same error on my Linux box running RedHat 7.6.

codeforester

2 Answers

Given the error, that means that the username is valid but the password is invalid (see ldapwiki.com), and the fact that -y uses the complete contents of the file (see the ldapsearch documentation), I suspect wrong content in your password file. Maybe an "End of line" character at the end of your file.

SmartTom

I think SmartTom's guess about an extra character in the file is a good one. Try running hd ~/.ldap_pw (hex dump) to see the exact contents of the file; if there's a trailing 0a (newline) character or other unexpected characters, that would confirm the issue.

Editors like vim implicitly add a trailing newline to text files, which you can disable when opening the file, or you can remove trailing whitespace directly.

dimo414
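The checks both answers describe (hex-dump the file, look for a trailing 0a, strip it) as an added POSIX sh example; it is not code from the question or the answers, and the file name, contents and helper names are constructed for the demonstration.

```sh
#!/bin/sh
# Added example: sanity-check a password file meant for "ldapsearch -y".
# -y sends the whole file as the bind password, so a trailing newline or
# carriage return makes the server see a different password (error 49, data 52e).

# Hex-dump the file; od is POSIX, so this works on macOS and Linux alike
# (hd / hexdump -C show the same bytes).
dump_pw_file() {
    od -An -tx1 "$1"
}

# Return 0 if the last byte of the file is LF (0a) or CR (0d).
has_trailing_newline() {
    last=$(tail -c 1 "$1" | od -An -tx1 | tr -d ' \n')
    [ "$last" = "0a" ] || [ "$last" = "0d" ]
}

# Return 0 if the mode is exactly 0600; try GNU stat first, then BSD/macOS stat.
is_mode_600() {
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")
    [ "$mode" = "600" ]
}

# Rewrite the file with every CR and LF byte removed (a simple-bind password
# should not contain them anyway), keeping the 0600 mode on the new file.
strip_trailing_newline() {
    tmp=$(mktemp "$(dirname "$1")/.pwtmp.XXXXXX")
    chmod 600 "$tmp"
    tr -d '\r\n' < "$1" > "$tmp"
    mv "$tmp" "$1"
}

# Demonstration on a constructed file, not a real password file.
demo_dir=$(mktemp -d)
demo_file="$demo_dir/.ldap_pw"
printf 'hunter2-example\n' > "$demo_file"   # constructed: ends in 0a, like vim output
chmod 600 "$demo_file"
dump_pw_file "$demo_file"
has_trailing_newline "$demo_file" && echo "trailing newline found, stripping it"
strip_trailing_newline "$demo_file"
has_trailing_newline "$demo_file" || echo "file is clean: $(dump_pw_file "$demo_file")"
rm -rf "$demo_dir"
```

Run the helpers against the real file before the ldapsearch call; the hex dump is what tells you whether the stored bytes match the password you typed at the -W prompt.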