Problem OX-Connector - ldap.INVALID_CREDENTIALS

Problem:

If your ox-connector fails and you find a traceback similar to the one below in the following log file:

/var/log/univention/listener_modules/ox-connector.log

2024-01-14 00:00:32 INFO    Started up with ox-connector=2.2.7
2024-01-14 00:00:32 INFO    Using App account connection
2024-01-14 00:00:32 ERROR   Fatal error:
Traceback (most recent call last):
  File "/usr/share/univention-appcenter-listener-converter", line 211, in main
    find_and_convert_files(app)
  File "/usr/share/univention-appcenter-listener-converter", line 160, in find_and_convert_files
    lo, pos = get_app_connection(app)
  File "/usr/share/univention-appcenter-listener-converter", line 72, in get_app_connection
    return get_read_connection(machine_account, machine_password)
  File "/usr/lib/python3/dist-packages/univention/appcenter/udm.py", line 165, in get_read_connection
    lo = base_access(host=host, port=port, base=base, binddn=userdn, bindpw=password)
  File "/usr/lib/python3/dist-packages/univention/uldap.py", line 292, in __init__
    self.__open(ca_certfile)
  File "/usr/lib/python3/dist-packages/univention/uldap.py", line 371, in __open
    self.bind(self.binddn, self.bindpw)
  File "/usr/lib/python3/dist-packages/univention/uldap.py", line 212, in _decorated
    return func(self, *args, **kwargs)
  File "/usr/lib/python3/dist-packages/univention/uldap.py", line 306, in bind
    self.lo.simple_bind_s(self.binddn, self.bindpw)
  File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 1215, in simple_bind_s
    res = self._apply_method_s(SimpleLDAPObject.simple_bind_s,*args,**kwargs)
  File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 1197, in _apply_method_s
    return func(self,*args,**kwargs)
  File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 444, in simple_bind_s
    resp_type, resp_data, resp_msgid, resp_ctrls = self.result3(msgid,all=1,timeout=self.timeout)
  File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 749, in result3
    resp_ctrl_classes=resp_ctrl_classes
  File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 756, in result4
    ldap_result = self._ldap_call(self._l.result4,msgid,all,timeout,add_ctrls,add_intermediates,add_extop)
  File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 329, in _ldap_call
    reraise(exc_type, exc_value, exc_traceback)
  File "/usr/lib/python3/dist-packages/ldap/compat.py", line 44, in reraise
    raise exc_value
  File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 313, in _ldap_call
    result = func(*args,**kwargs)
ldap.INVALID_CREDENTIALS: {'desc': 'Invalid credentials'}

Hint:

The univention-appcenter-listener-converter connects to LDAP using the credentials of the App's memberserver account. The bind DN (username) is stored in UCR:
ucr get appcenter/apps/ox-connector/hostdn

Output looks like:

cn=ox-co-85276525,cn=memberserver,cn=computers,dc=univention,dc=intranet

The password for the memberserver account is stored in:

less /var/lib/univention-appcenter/apps/ox-connector/machine.secret
c9a49715f35b44f0dfa6199f1b6f47b1fad7d3a534996677de30d5975521dfeb

In our case it seems the account password had been changed, which shouldn't happen: UCS does not do this on its own!

or

The memberserver account was missing or had been deleted.

Investigation:

Test the credentials by running a univention-ldapsearch that binds as the memberserver account:

univention-ldapsearch -D cn=ox-co-85276525,cn=memberserver,cn=computers,dc=univention,dc=intranet -W -s base

Enter LDAP Password: c9a49715f35b44f0dfa6199f1b6f47b1fad7d3a534996677de30d5975521dfeb

ldap_bind: Invalid credentials (49)

Solution:

Check whether the memberserver account for the app exists with:

udm computers/memberserver list | grep DN

If the memberserver is not listed, recreate it:

udm computers/memberserver create --position cn=memberserver,cn=computers,dc=univention,dc=intranet --set name=ox-co-85276525 --set password=c9a49715f35b44f0dfa6199f1b6f47b1fad7d3a534996677de30d5975521dfeb

The object now exists and is listed by:

udm computers/memberserver list | grep DN
DN: cn=ox-co-85276525,cn=memberserver,cn=computers,dc=univention,dc=intranet
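The checks above (read the hostdn from UCR, verify the memberserver object exists, verify machine.secret still binds) can be run as one script. This is an added example, not part of the original post or of UCS; it assumes a UCS host providing ucr, udm and univention-ldapsearch (with ldapsearch's -y option passed through), and that the App name and secret path are the ones shown above.

```shell
#!/bin/sh
# Added example (not from the original post): automate the ox-connector
# App account checks. Assumes ucr, udm and univention-ldapsearch exist on the
# host; APP defaults to ox-connector, the secret path is the one from the post.
APP="${APP:-ox-connector}"
SECRET_FILE="/var/lib/univention-appcenter/apps/${APP}/machine.secret"

# "cn=ox-co-85276525,cn=memberserver,..." -> "ox-co-85276525" (the udm name)
dn_name() { local n="${1%%,*}"; printf '%s\n' "${n#cn=}"; }

# "cn=ox-co-85276525,cn=memberserver,..." -> "cn=memberserver,..." (the udm position)
dn_position() { printf '%s\n' "${1#*,}"; }

# Extract the LDAP result code from a bind error such as
# "ldap_bind: Invalid credentials (49)"; prints nothing for other text.
bind_result_code() { printf '%s\n' "$1" | sed -n 's/.*ldap_bind:.*(\([0-9][0-9]*\)).*/\1/p'; }

check_app_account() {
  local hostdn name position err
  hostdn="$(ucr get "appcenter/apps/${APP}/hostdn")"
  if [ -z "$hostdn" ]; then
    echo "UCR key appcenter/apps/${APP}/hostdn is unset" >&2; return 2
  fi
  name="$(dn_name "$hostdn")"; position="$(dn_position "$hostdn")"

  # Step 1: does the memberserver object still exist? (udm list | grep DN)
  if ! udm computers/memberserver list --filter "name=${name}" | grep -qx "DN: ${hostdn}"; then
    echo "memberserver object ${hostdn} is missing; recreate it with:"
    echo "  udm computers/memberserver create --position '${position}' --set name='${name}' \\"
    echo "      --set password=\"\$(cat ${SECRET_FILE})\""
    return 1
  fi

  # Step 2: does the stored machine.secret still bind? -y reads the password
  # from the file, so it never appears on the command line or in shell history.
  err="$(univention-ldapsearch -D "$hostdn" -y "$SECRET_FILE" -s base dn 2>&1 >/dev/null)"
  if [ -n "$err" ]; then
    echo "bind as ${hostdn} failed (LDAP result $(bind_result_code "$err")):" \
         "${SECRET_FILE} no longer matches the account password in LDAP" >&2
    return 1
  fi
  echo "bind as ${hostdn} OK"
}

# Only run the check when explicitly asked, so the file can also be sourced.
case "${1:-}" in --run) check_app_account ;; esac
```

Run it as `sh check-ox-account.sh --run`; a non-zero exit with the printed udm command means the object is gone, a non-zero exit with result 49 means the secret file and the LDAP password have diverged.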