LDAP Authentication woes

Posted by Marcelo de Moraes Serpa on Server Fault
Published on 2010-04-06T20:17:02Z
Hello list,

I have a local OpenLDAP server with a couple of users. I'm using it for development purposes, here's the ldif:

#Top level - the organization
dn: dc=site, dc=com
dc: site
description: My Organization
objectClass: dcObject
objectClass: organization
o: Organization

#Top level - manager
dn: cn=Manager, dc=site, dc=com
objectClass: organizationalRole
cn: Manager

#Second level - organizational units
dn: ou=people, dc=site, dc=com
ou: people
description: All people in the organization
objectClass: organizationalunit

dn: ou=groups, dc=site, dc=com
ou: groups
description: All groups in the organization
objectClass: organizationalunit

#Third level - people
dn: uid=celoserpa, ou=people, dc=site, dc=com
objectclass: pilotPerson
objectclass: uidObject
uid: celoserpa
cn: Marcelo de Moraes Serpa
sn: de Moraes Serpa
userPassword: secret_12345
mail: [email protected]

So far, so good. I can bind with "cn=Manager,dc=site,dc=com" and the 12345678 password (the local server password, set up in slapd.conf).

However, I would like to bind as any user under the people OU. In this case, I'd like to bind with:

dn: uid=celoserpa, ou=people, dc=site, dc=com
userPassword: secret_12345

But I'm getting a "(49) - Invalid Credentials" error every time. I have tried through CLI tools (such as ldapadd, ldapwhoami, etc.) and also ruby/ldap. The bind with these credentials fails with an invalid credentials error.

I thought that it could be an ACL issue, however, the ACLs on slapd.conf seem to be right:

access to attrs=userPassword
    by self write
    by dn.sub="ou=people,dc=site,dc=com" read
    by anonymous auth

access to * by * read

I was suspecting that maybe OpenLDAP doesn't compare against userPassword? Or maybe there is some ACL configuration I am missing that is somehow affecting read access to userPassword for that specific DN.

I'm really lost here, any suggestion appreciated!

Cheers,

Marcelo.
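Added example (not the poster's script): a POSIX shell checklist that exercises the two binds described above with ldapwhoami, maps the client's exit status (OpenLDAP tools exit with the LDAP result code) to a label, and then reads the user entry as the rootdn to confirm it actually carries a userPassword attribute. It assumes slapd listens on ldap://localhost:389 and uses the DNs and passwords quoted in the post.

```shell
#!/bin/sh
# Bind diagnostics for the OpenLDAP setup in the post (added example, not the poster's code).
# Assumed: slapd on ldap://localhost:389, DNs and passwords as quoted in the post.
LDAP_URI="${LDAP_URI:-ldap://localhost:389}"
MANAGER_DN="cn=Manager,dc=site,dc=com"
MANAGER_PW="12345678"                               # rootpw from slapd.conf, per the post
USER_DN="uid=celoserpa,ou=people,dc=site,dc=com"    # same DN as the LDIF, without the spaces
USER_PW="secret_12345"

# bind_as DN PASSWORD: simple bind via ldapwhoami; prints a label for the result code.
# -w exposes the password in the process list; use -W (prompt) or -y FILE outside a dev box.
bind_as() {
    if ldapwhoami -x -H "$LDAP_URI" -D "$1" -w "$2" >/dev/null 2>&1; then
        echo "OK"
    else
        rc=$?
        case $rc in
            49) echo "INVALID_CREDENTIALS" ;;   # wrong password, or anonymous lacks auth on userPassword
            32) echo "NO_SUCH_OBJECT" ;;        # the bind DN does not exist in the DIT
            *)  echo "ERROR $rc" ;;             # e.g. 255 = cannot contact server, 127 = tool missing
        esac
    fi
}

# password_stored DN: read the entry as the rootdn (ACLs do not apply to it) and report
# whether slapd has a userPassword value to compare against. ldapsearch prints the
# attribute base64-encoded as "userPassword::", which the grep below also matches.
password_stored() {
    if ldapsearch -x -LLL -H "$LDAP_URI" -D "$MANAGER_DN" -w "$MANAGER_PW" \
            -b "$1" -s base userPassword 2>/dev/null | grep -q '^userPassword:'; then
        echo "PRESENT"
    else
        echo "MISSING"      # attribute absent, entry absent, or the rootdn bind itself failed
    fi
}

run_checks() {
    echo "manager bind:  $(bind_as "$MANAGER_DN" "$MANAGER_PW")"
    echo "user bind:     $(bind_as "$USER_DN" "$USER_PW")"
    echo "userPassword:  $(password_stored "$USER_DN")"
}

run_checks
```

If the manager bind is OK, the user bind reports INVALID_CREDENTIALS and the attribute is PRESENT, the stored value and the ACL's "by anonymous auth" line are the next things to compare; NO_SUCH_OBJECT instead points at the DN itself.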
