I created a local LDAP server with Apache Directory Studio. A user entry is created with the uid "djiao1" and password "123456" (SHA hashed password).

I was able to search the user with the following ldapsearch command:

ldapsearch -H ldap://localhost:10389 -x uid=djiao1
# extended LDIF
# LDAPv3
# base <> (default) with scope subtree
# filter: uid=djiao1
# requesting: ALL
# djiao, Users, example.com
dn: cn=djiao,ou=Users,dc=example,dc=com
sn: jiao
cn: djiao
objectClass: top
objectClass: inetOrgPerson
objectClass: person
objectClass: organizationalPerson
userPassword:: e3NoYX1mRXFOQ2NvM1lxOWg1WlVnbEQzQ1pKVDRsQnM9
uid: djiao1
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1

However, if I run with -W to prompt for the password and type in "123456", I get an "invalid credentials" error:

ldapsearch -H ldap://localhost:10389 -W -x uid=djiao1
Enter LDAP Password: 
ldap_bind: Invalid credentials (49)
additional info: INVALID_CREDENTIALS: Bind failed: Invalid authentication

I tried the very long string shown as the userPassword e3NoYX1mRXFOQ2NvM1lxOWg1WlVnbEQzQ1pKVDRsQnM9 and still got the same error.

The screenshot below shows the verification is successful with password 123456 for the user. Why doesn't the password work?

The long string is the hash of your password. It makes no sense to input it as the password, because LDAP compares hash_func(input_password) == hash_in_database, and there is a very low probability that hash_func(hash_in_database) == hash_in_database. It looks like the password is not 123456. If you know the admin password, it is possible to change it; if you don't know the admin password, it is impossible to change without a reinstall, or the root password if it is Unix. – fghj Apr 19, 2016 at 19:33

@user1034749 I uploaded a screenshot for password verification within AD Studio and it shows clearly 123456 is the password. – Nasreddin Apr 19, 2016 at 19:46

Try something like this:

ldapsearch -x -LLL -H ldap://localhost:10389/  -b dc=example,dc=com  -D "cn=djiao,ou=Users,dc=example,dc=com" -w 123456 uid=djiao1

The key point here is the full DN of the user whose password you use:

cn=djiao,ou=Users,dc=example,dc=com

This works, and I can get away without -b dc=example,dc=com. Why is the -D option necessary when uid is provided? – Nasreddin Apr 19, 2016 at 20:13

@Nasreddin You do not actually provide the uid; ldapsearch performs a search, so 'uid=XXX' is interpreted as a search filter, not a login. – fghj Apr 19, 2016 at 20:23
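The stored value from the question can be checked offline, shown here as an added example that is not part of the original thread: it decodes the base64 after `userPassword::` into its `{scheme}digest` form and verifies candidate passwords against it. It goes slightly beyond the thread by also handling the salted `{SSHA}` family (digest followed by salt); the function names are hypothetical, and the server's own verification code may differ.

```python
import base64
import hashlib
import hmac

# Digest schemes handled here: name -> (hashlib algorithm, digest length in bytes).
# Salted variants (SSHA...) store digest || salt after the scheme tag.
SCHEMES = {
    "SHA": ("sha1", 20), "SSHA": ("sha1", 20),
    "SHA256": ("sha256", 32), "SSHA256": ("sha256", 32),
    "SHA512": ("sha512", 64), "SSHA512": ("sha512", 64),
}

def decode_ldif_value(b64_value: str) -> str:
    """Decode the base64 text that follows 'userPassword::' in LDIF output."""
    return base64.b64decode(b64_value).decode("ascii")

def parse_stored(stored: str):
    """Split '{scheme}base64' into (SCHEME, digest, salt)."""
    if not stored.startswith("{") or "}" not in stored:
        raise ValueError("no {scheme} prefix: value is cleartext or unknown")
    scheme, _, payload = stored[1:].partition("}")
    scheme = scheme.upper()
    if scheme not in SCHEMES:
        raise ValueError(f"unsupported scheme: {scheme}")
    raw = base64.b64decode(payload)
    size = SCHEMES[scheme][1]
    salted = scheme.startswith("SS")
    if len(raw) < size or (not salted and len(raw) != size):
        raise ValueError("digest length does not match scheme")
    return scheme, raw[:size], raw[size:]

def verify(password: str, stored: str) -> bool:
    """Recompute hash(password + salt) and compare in constant time."""
    scheme, digest, salt = parse_stored(stored)
    algo = SCHEMES[scheme][0]
    candidate = hashlib.new(algo, password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)

# Value copied from the ldapsearch output in the question.
LDIF_VALUE = "e3NoYX1mRXFOQ2NvM1lxOWg1WlVnbEQzQ1pKVDRsQnM9"

if __name__ == "__main__":
    stored = decode_ldif_value(LDIF_VALUE)
    print(stored)                      # scheme tag followed by the base64 digest
    print(verify("123456", stored))    # the password from the question
    print(verify(LDIF_VALUE, stored))  # the base64 string typed as a password
```

The check confirms that "123456" matches the stored digest, so the failing command was rejected because it supplied no bind DN (`-D`), not because the password was wrong.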
