[KLUG Members] Users stored in OpenLDAP accessing and changing their data

Adam Tauno Williams adam at morrison-ind.com
Wed Jul 27 08:45:47 EDT 2005


> # The userPassword by default can be changed
> # by the entry owning it if they are authenticated.
> # Others should not be able to see it, except the
> # admin entry below
> # These access lines apply to database #1 only
> access to attrs=userPassword
>         by dn="cn=admin,dc=comat,dc=com" write
>         by anonymous auth
>         by self write
>         by * none

Self is not the same as "owner", but the above looks correct anyway.

> # The admin dn has full write access, everyone else
> # can read everything.
> access to *
>         by dn="cn=admin,dc=foo,dc=com" write
>         by * read
> When I run ldapsearch as cn=admin,dc=foo,dc=com, the entries are
> printed just fine.
> jupiter:~# ldapsearch -x -D "cn=admin,dc=foo,dc=com" -W -h localhost
> "(objectclass=inetOrgPerson)" *|more
> Enter LDAP Password:
> ...
> # numResponses: 203
> # numEntries: 202

Ok.

> However, when I run this binding as some user in LDAP I get an
> "Invalid credentials" error message.
> jupiter:~# ldapsearch -x -D
> "cn=sudhakar.chandra,ou=people,dc=foo,dc=com" -W -h localhost
> "(objectclass=inetOrgPerson)" *
> Enter LDAP Password:
> ldap_bind: Invalid credentials (49)
> Any help appreciated.

49 pretty much means the bind dn is wrong or the password is incorrect.
How did you set the password?  Using ldappassword? Or manually?  If
manually, did you include the cryptographic prefix?
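As an added illustration of the "cryptographic prefix" point (not code from the original thread): slapd compares a userPassword value that has no scheme prefix as cleartext, so a hash pasted in without its `{SSHA}` prefix can never match and every simple bind fails with error 49. The helper below builds and checks values in OpenLDAP's `{SSHA}` layout (base64 of SHA-1(password || salt) followed by the salt); the sample salt and passwords are constructed.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

SCHEME = "{SSHA}"
SHA1_LEN = 20  # SHA-1 digest length; the salt follows the digest


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Return a userPassword value in OpenLDAP's {SSHA} format."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SCHEME + base64.b64encode(digest + salt).decode("ascii")


def has_scheme_prefix(stored: str) -> bool:
    """True if the stored value starts with a {SCHEME} prefix."""
    return stored.startswith("{") and "}" in stored


def check_password(stored: str, candidate: str) -> bool:
    """Mirror slapd's simple-bind comparison for cleartext and {SSHA}.

    A value without a scheme prefix is compared as cleartext, which is
    why a hash stored without its prefix never verifies.
    """
    if not has_scheme_prefix(stored):
        return hmac.compare_digest(stored.encode("utf-8"),
                                   candidate.encode("utf-8"))
    scheme, _, payload = stored.partition("}")
    if scheme.upper() != "{SSHA":
        raise ValueError("unsupported scheme: " + scheme + "}")
    raw = base64.b64decode(payload)
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    computed = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(computed, digest)


if __name__ == "__main__":
    value = make_ssha("s3cret")                 # constructed sample
    print(value, check_password(value, "s3cret"))
    bare = value[len(SCHEME):]                  # the prefix left off
    print(bare, check_password(bare, "s3cret"))  # False: cleartext compare
```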
