Hi all!

We have this in place:
olcAccess: {1}to attrs=userpassword  by anonymous auth  by * none break

Using the RootDN to set a user password:

# ldappasswd -H ldaps://my.ldapserver1.com -D "cn=admin,o=ldap,c=com" -W
 -S "uid=testuser,ou=Users,o=ldap,c=com" -v
  New password: <newpassword>
  Re-enter new password: <newpassword>
  Enter LDAP Password: <very_secret_and_difficult>
  ldap_initialize( ldaps://my.ldapserver1.com:636/??base )
  Enter LDAP Password:
  Result: Success (0)

We observe the password change replicate (master-master) to our other
server.

Then to test access:

# ldapsearch -H ldaps://my.ldapserver1.com -s base -b o=ldap,c=com -D
"uid=testuser,ou=Users,o=ldap,c=com" -w <newpassword> -v
  ldap_initialize( ldaps://my.ldapserver1.com:636/??base )
  ldap_bind: Invalid credentials (49)

More background: this is a fresh master-master setup, replication works
with the root DN, and all other user authentications fail with the same
Invalid credentials (49).

The server ldaps://my.ldapserver1.com is an actual single (master) server,
no load balancers, no firewalling. Configured with an actual (and valid)
certificate, ldapsearch uses the correct CA, and ldapsearch with the root
DN works fine. This is the latest Symas OpenLDAP 2.5 on RHEL9.

Anyone with an idea why we can only authenticate as the RootDN, and all
other authentications give Invalid credentials (49)?

We have double checked whatever we can think of, and are *really* unsure
what is going on....

Hoping for some clues from the experts here :-)
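To make the olcAccess ordering concrete, here is a small Python model of how slapd evaluates access rules (an added example for this thread, not the poster's configuration or OpenLDAP's own code). It assumes the rules are passed in their {n} order and models only the anonymous / users / * forms of <who> and the stop / break controls; it also goes beyond the single quoted rule by showing, with a constructed earlier "to *" rule, how a preceding rule decides userPassword access before the {1} rule is reached.

```python
import re

# Toy model of OpenLDAP olcAccess evaluation (added example, not slapd's code).
# slapd walks rules in {n} order; the first rule whose "to" covers the attribute
# is used, within it the first matching "by" clause decides, and only "break"
# moves on to the next rule. "continue" and dn=/self/group <who> forms are omitted.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

def parse_rule(value):
    """Parse one olcAccess value such as the thread's '{1}to attrs=userpassword ...'."""
    what, *clauses = re.split(r"\s+by\s+", re.sub(r"^\{\d+\}", "", value.strip()))
    if not what.startswith("to "):
        raise ValueError("rule must start with 'to'")
    m = re.fullmatch(r"attrs=(\S+)", what[3:].strip())
    if what[3:].strip() != "*" and not m:
        raise ValueError("toy parser handles only 'to *' and 'to attrs=...'")
    attrs = {a.lower() for a in m.group(1).split(",")} if m else None  # None = any
    bys = []
    for clause in clauses:
        toks = clause.split()
        control = toks[2] if len(toks) > 2 else "stop"    # slapd's default control
        if len(toks) < 2 or toks[1] not in LEVELS or control not in ("stop", "break"):
            raise ValueError("unsupported by clause: " + clause)
        bys.append((toks[0], toks[1], control))
    return {"attrs": attrs, "by": bys}

def who_matches(who, requester):
    """requester is 'anonymous' or the bind DN of an authenticated user."""
    return {"*": True, "anonymous": requester == "anonymous",
            "users": requester != "anonymous"}.get(who, False)  # dn=, self: no

def evaluate(rules, attr, requester):
    """Return (granted level, index of the deciding rule, or None if no rule matched)."""
    attr = attr.lower()
    for i, rule in enumerate(rules):
        if rule["attrs"] is not None and attr not in rule["attrs"]:
            continue
        for who, level, control in rule["by"]:
            if who_matches(who, requester):
                if control == "break":
                    break                  # defer the decision to later rules
                return level, i
        else:
            return "none", i               # "to" matched but no "by" did: deny
    return "none", None                    # nothing matched: deny

def allows(rules, attr, requester, needed):
    """True if the granted level covers 'needed' (levels are cumulative)."""
    level, _ = evaluate(rules, attr, requester)
    return LEVELS.index(level) >= LEVELS.index(needed)
```

A simple bind is performed by the anonymous requester, so the check that matters for a bind is whether the rule set grants at least "auth" on userPassword to "anonymous".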
