Bug 1353916 - ldapsearch using '-y passwdfile' responds with Invalid credentials although the password in passwdfile is correct
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: openldap
Version: 7.2
Hardware: x86_64
OS: Linux
Priority: low
Severity: low
Target Milestone: rc
Target Release: ---
Assignee: Matus Honek
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2016-07-08 12:06 UTC by Joerg K
Modified: 2016-12-02 10:39 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-12-02 10:39:29 UTC
Target Upstream Version:
Description Joerg K 2016-07-08 12:06:22 UTC
Description of problem:
After following Configuring LDAP User Stores from the Command Line (https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System-Level_Authentication_Guide/authconfig-ldap.html#authconfig-ldap-cmd) I would like to test the connection with ldapsearch.

When using ldapsearch with the parameter '-W' I was asked for the password, entered it on the command line and got the expected result of my search. Now I put the password into a passwdfile and restricted the file permissions, so only root has read access. When I run the search with 'ldapsearch -v -h hostname -y passwdfile [...]' and the same parameters from my first search I get the following error:
ldap_initialize( ldap://ldapbackend )
ldap_bind: Invalid credentials (49)

Version-Release number of selected component (if applicable):
openldap-clients-2.4.40-9.el7_2.x86_64

How reproducible:
It happens all the time.

Steps to Reproduce:
1. Run `ldapsearch -v -h hostname -y /root/passwdfile -D "cn=stringA,ou=stringB,o=stringC,o=stringD,o=stringE" -b "o=stringC,o=stringD,o=stringE" "(uid=john)"`

Actual results:
ldap_initialize( ldap://hostname )
ldap_bind: Invalid credentials (49)

Expected results:
filter: (uid=john)
requesting: All userApplication attributes
# extended LDIF
#
# LDAPv3
# base <o=stringC,o=stringD,o=stringE> with scope subtree
# filter: (uid=john)
# requesting: ALL
#

# john, people, stringC, stringD, stringE
dn: uid=john,ou=people,o=StringC,o=stringD,o=stringE
uidNumber: 123456
loginShell: /usr/bin/bash
homeDirectory: /home/john
gecos:: IErDtnJnIEthc3RuaW5nLFVIUlosLDA=
gidNumber: 101
cn: john
sn: john
uid: john
objectClass: posixAccount
objectClass: top
objectClass: inetOrgPerson
objectClass: shadowAccount
objectClass: organizationalPerson
objectClass: person

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

Additional info:
When I run the following query instead I get the expected result:
ldapsearch -v -h hostname -W -D "cn=stringA,ou=stringB,o=stringC,o=stringD,o=stringE" -b "o=stringC,o=stringD,o=stringE" "(uid=john)"

ldap_initialize( ldap://hostname )
Enter LDAP Password: <secret password>

I could reproduce this issue on a second system with the same OS and LDAP support libraries installed.

Comment 2 Joerg K 2016-07-09 08:52:52 UTC
Hello,

I just got a helpful hint in another [discussion](https://access.redhat.com/discussions/2433341).

James advised me to be sure that there must not be any kind of newline character at the end of the passwdfile.

To be sure whether there is a newline character or not you could run the following command:
>od -c proxytest 
0000000   S   e   c   r   e   t   P   a   s   s   w   o   r   d   1  \n
0000020

I was surprised to see the newline character there. The reason is explained by James in his post. VIM and VI auto-append a newline character when creating a single-word file.

James advised me to create the passwd file with "echo -n (string) > file". I did so and got a correct passwdfile:
root@rhel-t1>echo -n SecretPassword1 > proxytest
root@rhel-t1>od -c proxytest 
0000000   S   e   c   r   e   t   P   a   s   s   w   o   r   d   1
0000017

ldapsearch worked just fine using this passwdfile. It is safe to say that this is not a bug. I just did not know that there must not be any newline character in the passwd file. I did not find anything about that in the manpage to ldapsearch. Maybe it would be an enhancement if some information on how to create the passwdfile would be added to the manpage.

Kind regards,
Joerg

Comment 4 Matus Honek 2016-12-02 10:39:29 UTC
Thank you for posting the solution, too.

For `-y passwdfile` ldapsearch(1) manpage states:
"Use complete contents of passwdfile as the password for simple authentication."

The word "complete" is sufficient here. This issue has been discussed several times on upstream mailing lists, always with an explanation in the sense of "entire contents, that is including whitespace characters".

Feel free to propose a manpage fix to the upstream. However, I am closing this as NOTABUG.
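A check for the trailing-newline pitfall described in the two comments above, added here as an example and not part of the bug report or of openldap: it detects trailing whitespace in a `-y` password file, reports how many bytes ldapsearch would actually send as the bind password, and writes a file without a newline. File names are constructed, and `printf '%s'` is used instead of `echo -n` because `echo -n` is not portable across shells.

```shell
# Added example (not from the bug report): ldapsearch -y sends the COMPLETE
# file contents as the bind password, so a trailing "\n" written by vi/vim
# becomes part of the password and the bind fails with "Invalid credentials (49)".

# Return 0 if the last byte of the file is LF, CR, space or tab; 1 otherwise.
# An empty file yields no byte and is treated as "no trailing whitespace".
has_trailing_ws() {
    last=$(tail -c 1 "$1" | od -An -tx1 | tr -d ' \n')
    case "$last" in
        0a|0d|20|09) return 0 ;;
        *)           return 1 ;;
    esac
}

# Number of bytes ldapsearch -y would use as the password (the whole file).
passwd_len() {
    wc -c < "$1" | tr -d ' '
}

# Write a password file with no trailing newline and mode 0600.
# The umask change is confined to a subshell so the caller's umask is untouched.
# Note: passing the secret as an argument shows it in the process list, as
# "echo -n secret > file" does; for real use, read it with "read -r" first.
write_passwdfile() {
    file=$1
    secret=$2
    ( umask 077; printf '%s' "$secret" > "$file" )
}

# Convenience wrapper: prints a verdict and returns 1 if the file is unsafe.
check_passwdfile() {
    if has_trailing_ws "$1"; then
        printf '%s: trailing whitespace; %s bytes would be sent as the password\n' \
            "$1" "$(passwd_len "$1")"
        return 1
    fi
    printf '%s: ok (%s bytes)\n' "$1" "$(passwd_len "$1")"
    return 0
}
```

Usage: `check_passwdfile /root/passwdfile` before running `ldapsearch -y /root/passwdfile ...`; to rewrite the file, `write_passwdfile /root/passwdfile "$secret"`.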
