Problem: After update or server-password-change Invalid credentials

Problem:

After update or server-password-change

ldap.INVALID_CREDENTIALS: {'desc': 'Invalid credentials'}

univention-check-join-status
Error: ldapsearch -x failed

Investigation:

Check whether a configured password-policy lockout has triggered for the computer account.
You may find a record like this in the `directory-logger` output:

ID 253692: DN: cn=replica,cn=dc,cn=computers,dc=schein,dc=ig
ID 253692: ID: 253692
ID 253692: Modifier: cn=admin,dc=schein,dc=ig
ID 253692: Timestamp: 17.10.2021 16:40:51
ID 253692: Action: modify
ID 253692: 
ID 253692: Old values:
ID 253692: entryCSN: 20211014230749.833806Z#000000#000#000000
ID 253692: modifyTimestamp: 20211014230749Z
ID 253692: 
ID 253692: New values:
ID 253692: pwdFailureTime: 20211017164042.230897Z
ID 253692: pwdFailureTime: 20211017164045.018879Z
ID 253692: pwdFailureTime: 20211017164047.415223Z
ID 253692: pwdFailureTime: 20211017164049.614037Z
ID 253692: pwdFailureTime: 20211017164051.338081Z
ID 253692: entryCSN: 20211017164051.389362Z#000000#000#000000
ID 253692: modifyTimestamp: 20211017164051Z
ID 253692: pwdAccountLockedTime: 20211017164051Z
ID 253692: END

or in listener.log:

17.10.21 18:40:59.572  LISTENER    ( PROCESS ) : updating 'cn=replica,cn=dc,cn=computers,dc=schein,dc=ig' command m
17.10.21 18:40:59.600  LISTENER    ( PROCESS ) : updating 'cn=replica,cn=dc,cn=computers,dc=schein,dc=ig' command m
17.10.21 18:40:59.619  LISTENER    ( PROCESS ) : updating 'cn=replica,cn=dc,cn=computers,dc=schein,dc=ig' command m
17.10.21 18:40:59.650  LISTENER    ( PROCESS ) : updating 'cn=replica,cn=dc,cn=computers,dc=schein,dc=ig' command m
17.10.21 18:40:59.659  LISTENER    ( PROCESS ) : updating 'cn=replica,cn=dc,cn=computers,dc=schein,dc=ig' command m

Solution:

Delete the pwdAccountLockedTime and pwdFailureTime attributes from the locked entry. Both are operational attributes, so ldapmodify needs the relax control (`-e relax`) to remove them:

:~# cat remove-lock.ldif 
dn: cn=replica,cn=dc,cn=computers,dc=schein,dc=ig
changetype: modify
delete: pwdFailureTime
pwdFailureTime: 20211017164042.230897Z
pwdFailureTime: 20211017164045.018879Z
pwdFailureTime: 20211017164047.415223Z
pwdFailureTime: 20211017164049.614037Z
pwdFailureTime: 20211017164051.338081Z

:~# ldapmodify -x -D "cn=admin,$(ucr get ldap/base)" -y /etc/ldap.secret -f remove-lock.ldif -e relax
modifying entry "cn=replica,cn=dc,cn=computers,dc=schein,dc=ig"

:~# ldapmodify -x -D "cn=admin,$(ucr get ldap/base)" -y /etc/ldap.secret -e relax <<EOR
dn: cn=replica,cn=dc,cn=computers,dc=schein,dc=ig
delete: pwdAccountLockedTime
EOR
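The investigation and the fix above can be tied together in a small script. The following is an added example (not code from the page or from Univention): it parses records in the `directory-logger` layout shown above, picks out modifications that set `pwdAccountLockedTime`, and builds the same remove-lock LDIF as a single modify record; the sample log is constructed from the record on the page.

```python
import re
from collections import defaultdict

# Constructed sample in the directory-logger layout shown above
# (record ID and DN taken from the page, trimmed to what the parser needs).
SAMPLE_LOG = """\
ID 253692: DN: cn=replica,cn=dc,cn=computers,dc=schein,dc=ig
ID 253692: Action: modify
ID 253692: 
ID 253692: Old values:
ID 253692: modifyTimestamp: 20211014230749Z
ID 253692: New values:
ID 253692: pwdFailureTime: 20211017164042.230897Z
ID 253692: pwdFailureTime: 20211017164045.018879Z
ID 253692: pwdAccountLockedTime: 20211017164051Z
ID 253692: END
"""
LINE_RE = re.compile(r"^ID (\d+): ?(.*)$")

def parse_records(text):
    """Group 'ID <n>: ...' lines into records with header, old and new sections."""
    records = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a directory-logger line
        rid, body = m.groups()
        rec = records.setdefault(rid, {"id": rid, "section": "header", "header": {},
                                       "old": defaultdict(list), "new": defaultdict(list)})
        if body in ("Old values:", "New values:"):
            rec["section"] = body.split()[0].lower()  # 'old' or 'new'
        elif body == "END":
            rec["section"] = "done"
        elif ": " in body and rec["section"] != "done":
            key, value = body.split(": ", 1)
            if rec["section"] == "header":
                rec["header"][key] = value
            else:
                rec[rec["section"]][key].append(value)  # attributes are multi-valued
    return list(records.values())

def find_lockouts(records):
    """Modify records that set pwdAccountLockedTime, i.e. a ppolicy lockout."""
    return [r for r in records
            if r["header"].get("Action") == "modify" and r["new"].get("pwdAccountLockedTime")]

def remove_lock_ldif(rec):
    """One LDIF modify record deleting the failure timestamps and the lock."""
    lines = [f"dn: {rec['header']['DN']}", "changetype: modify", "delete: pwdFailureTime"]
    lines += [f"pwdFailureTime: {v}" for v in rec["new"].get("pwdFailureTime", [])]
    lines += ["-", "delete: pwdAccountLockedTime", "-"]
    return "\n".join(lines) + "\n"
```

Write the returned LDIF to a file and apply it with the same `ldapmodify ... -e relax -f` call as in the solution.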