Problem:
You run univention-ldapsearch and get the following message:
ldap_bind: Invalid credentials (49)
In most cases this article will help:
Change password machine.secret
In our case, however, a udm command such as udm users/user list also fails with the same message:
ldap_bind: Invalid credentials (49)
The cause is that the password in ldap.secret is wrong or missing. The cn=admin account needs this password for LDAP to be usable.
Bug 47455
Solution:
Log into a terminal on your DC-Master as root and use the following steps:
# Setup temporary password
. /usr/share/univention-lib/base.sh
tmp="$(mktemp)"
create_machine_password >"$tmp"
# Configure temporary password
printf 'dn: olcDatabase={1}mdb,cn=config\nchangetype: modify\nadd: olcRootPW\nolcRootPW: %s\n\n' "$(slappasswd -T "$tmp")" | ldapmodify -QY EXTERNAL -H ldapi:///
# Create and change to new password
create_machine_password >/etc/ldap.secret
ldappasswd -H ldapi:/// -D "cn=admin,$(ucr get ldap/base)" -y "$tmp" -T /etc/ldap.secret
# Undo temporary password
printf 'dn: olcDatabase={1}mdb,cn=config\nchangetype: modify\ndelete: olcRootPW\n\n' | ldapmodify -QY EXTERNAL -H ldapi:///
# Remove the temporary password
rm -f "$tmp"
# Optionally, display the hashed password with
slapcat -a '(cn=admin)' -o ldif-wrap=no | sed -ne 's/^userPassword:: //p;T;q' | base64 -d
# Test if it works now
udm users/user list | grep Administrator
and
univention-ldapsearch uid=Administrator
If the udm command works, the ldap.secret password was created correctly.
If only univention-ldapsearch still fails, you may have to use this article next
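A post-check for the steps above, as an added example that is not part of the original article: it confirms that the temporary olcRootPW is gone from cn=config, that the secret file is non-empty and not accessible to other users, and that cn=admin can bind with it. The function names and the constructed sample LDIF are assumptions made for illustration, and the bind test assumes a simple bind (-x) is accepted on ldapi:///.

```shell
#!/bin/sh
# Added example (not from the original article). All function names are hypothetical.

# Constructed sample: what cn=config looks like while the temporary password is set.
sample_ldif='dn: olcDatabase={1}mdb,cn=config
olcRootPW: {SSHA}constructed-sample-value
'

# Read LDIF on stdin; return 0 if an olcRootPW value is present, 1 otherwise.
# Matches plain ("olcRootPW:") and base64 ("olcRootPW::") values in any letter
# case and skips LDIF comment lines.
ldif_has_rootpw() {
    awk 'BEGIN { rc = 1 }
         /^#/ { next }
         tolower($0) ~ /^olcrootpw::?[ \t]*[^ \t]/ { rc = 0 }
         END { exit rc }'
}

# Return 0 if the secret is a non-empty regular file with no permissions
# for "other" users (characters 8-10 of the ls mode string are "---").
secret_file_ok() {
    f=$1
    [ -f "$f" ] && [ -s "$f" ] || return 1
    perm=$(ls -ld "$f" | cut -c8-10)
    [ "$perm" = "---" ]
}

# Run all checks on the DC master as root; returns non-zero on the first failure.
post_check() {
    secret=${1:-/etc/ldap.secret}
    base=$(ucr get ldap/base)
    if ldapsearch -LLL -QY EXTERNAL -H ldapi:/// -s base \
        -b 'olcDatabase={1}mdb,cn=config' olcRootPW | ldif_has_rootpw; then
        echo "olcRootPW is still set: repeat the 'Undo temporary password' step" >&2
        return 1
    fi
    if ! secret_file_ok "$secret"; then
        echo "$secret is missing, empty, or accessible to other users" >&2
        return 1
    fi
    # Simple bind as cn=admin with the new secret; only the base DN is requested.
    ldapsearch -LLL -x -H ldapi:/// -D "cn=admin,$base" -y "$secret" \
        -s base -b "$base" dn >/dev/null
}
```

Source the file in the root shell and call post_check; a zero exit status means all three checks passed.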