[Samba] Re: Need help with IDMAP storage in LDAP using Winbind

paul kölle paul at subsignal.org
Tue Sep 27 13:02:38 GMT 2005


Kristof Bruyninckx wrote:
> # Use the OpenLDAP password change
> # extended operation to update the password.
> pam_password md5
If you want it to do what the comment suggests this should read:
pam_password exop


> dn: cn=Manager,dc=thales,dc=be
> objectClass: organizationalRole
> cn: Manager
> description: Directory Manager
I think that may be your problem. The DN is the same as your rootdn in
slapd.conf but does not have a userPassword attribute. It might "shadow"
your rootdn making binds with that DN fail (see below). You don't have
to add the "rootdn" from slapd.conf to your directory but it is
generally discouraged to use it in daily operations as ACLs do not apply
to "rootdn".


> Sep 27 13:31:47 linux14 slapd: => access_allowed: auth access to
> "cn=Manager,dc=thales,dc=be" "userPassword" requested
> Sep 27 13:31:47 linux14 slapd: => access_allowed: backend default auth
> access granted to "(anonymous)"
> Sep 27 13:31:47 linux14 slapd: send_ldap_result: err=49 matched=""
err=49 means "invalid credentials" most likely due to the missing
"userPassword" attribute of cn=manager,dc=thales,dc=be.


Try removing cn=Manager,dc=thales,dc=be from your ldif and see if you
can bind with rootdn and rootpw from your slapd.conf. If that works
create another entry in your DIT with a userPassword attribute, give it
appropriate permissions in slapd.conf and use that for your "ldap admin
dn" in smb.conf.

hth
 Paul
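
The condition the reply points at (an LDIF entry whose DN equals the rootdn in slapd.conf and has no userPassword attribute) can be checked before the LDIF is loaded. The Python below is an added example, not part of the original post: the function names and the sample slapd.conf are constructed, and DN comparison is simplified (no escaped commas, no base64 values).

```python
import re
# Constructed sample inputs; the Manager entry mirrors the LDIF quoted in the thread.
SLAPD_CONF = '''rootdn  "cn=Manager,dc=thales,dc=be"
rootpw  {SSHA}placeholder
'''
LDIF = '''dn: dc=thales,dc=be
objectClass: domain
dc: thales

dn: cn=Manager,dc=thales,dc=be
objectClass: organizationalRole
cn: Manager
description: Directory Manager
'''

def normalize_dn(dn):
    """Lower-case and trim each RDN so DNs compare case-insensitively."""
    rdns = (rdn.split("=", 1) for rdn in dn.split(","))
    return ",".join("=".join(p.strip().lower() for p in rdn) for rdn in rdns)

def rootdn_from_conf(conf_text):
    """Return the rootdn value from slapd.conf text, or None if absent."""
    m = re.search(r'^[ \t]*rootdn[ \t]+"?([^"\n]+?)"?[ \t]*$', conf_text, re.M)
    return m.group(1) if m else None

def parse_ldif(ldif_text):
    """Yield (dn, set of lower-cased attribute names) for each LDIF entry."""
    unfolded = re.sub(r"\r?\n ", "", ldif_text)  # join folded continuation lines
    for block in re.split(r"\r?\n[ \t]*\r?\n", unfolded.strip()):
        dn, attrs = None, set()
        for line in block.splitlines():
            name, sep, value = line.partition(":")
            if not sep or line.startswith("#"):
                continue  # skip comments and lines without an attribute
            if name.lower() == "dn":
                dn = value.strip()
            else:
                attrs.add(name.lower())
        if dn:
            yield dn, attrs

def entries_matching_rootdn(conf_text, ldif_text):
    """Return [(dn, has_userPassword)] for LDIF entries whose DN equals rootdn."""
    rootdn = rootdn_from_conf(conf_text)
    target = normalize_dn(rootdn) if rootdn else None
    return [(dn, "userpassword" in attrs)
            for dn, attrs in parse_ldif(ldif_text) if normalize_dn(dn) == target]

if __name__ == "__main__":
    print(entries_matching_rootdn(SLAPD_CONF, LDIF))
```

An entry reported with `False` is one that duplicates the rootdn without a userPassword, the case described above.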


