
I have kept my LDAP password in $HOME/.ldap_pw on my Mac. The file has permissions set to 600:

-rw-------  1 myself  mygroup  18 Mar 27 17:20 .ldap_pw

When I invoke ldapsearch with the -y option like this, to list the members of the group mygroup,

ldapsearch -y "$HOME/.ldap_pw" -H ldaps://ldap.mycompany.com -D myself@mycompany.com -W -b DC=mycompany,DC=com -x '(&(objectcategory=Group)(cn=mygroup))'

I get this error:

ldap_bind: Invalid credentials (49)
    additional info: 80090308: LdapErr: DSID-0C090442, comment: AcceptSecurityContext error, data 52e, v3839

The password stored in the file is correct. Also, the above command works fine when run without the -y option, with the password entered when prompted.

What is going wrong here?

I get the same error on my Linux box running RedHat 7.6.

codeforester

2 Answers


Given the error, which means that the username is valid but the password is invalid (see ldapwiki.com), and the fact that -y uses the complete contents of the file (see the ldapsearch documentation), I suspect wrong content in your password file. Maybe an end-of-line character at the end of your file.

SmartTom

I think SmartTom's guess about an extra character in the file is a good one. Try running hd ~/.ldap_pw (hex dump) to see the exact contents of the file; if there's a trailing 0a (newline) character or other unexpected characters, that would confirm the issue.

Editors like vim implicitly add a trailing newline to text files, which you can disable when opening the file, or you can remove trailing whitespace directly.

dimo414
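The check and the fix described in the two answers, as an added shell example that is not part of the original question or answers. It constructs its own throwaway password file (the password text and the temp directory are made up for the demo), reports whether the last byte is 0x0a, and rewrites the file without the trailing newline while keeping the 600 permissions via umask. It uses od rather than hd because hd is not installed by default on every Linux box.

```bash
#!/bin/sh
# Added example (not from the original post): detect and remove a trailing
# newline from a password file used with `ldapsearch -y`. ldapsearch -y sends
# the whole file as the password, so "secret\n" is a different (wrong)
# password from "secret". The file name and password below are constructed.

set -eu
umask 077   # files created by this script get mode 600, as in the question

# Print 1 if the last byte of FILE is a newline (0x0a), otherwise 0.
pw_file_has_trailing_newline() {
    [ -s "$1" ] || { echo 0; return; }
    if [ "$(tail -c 1 "$1" | od -An -tx1 | tr -d ' \n')" = "0a" ]; then
        echo 1
    else
        echo 0
    fi
}

# Rewrite FILE without any trailing newlines. Command substitution strips
# every trailing newline and keeps everything else byte for byte (a password
# containing NUL bytes would not survive, but ldapsearch could not use one
# either). The temp file is created under umask 077, so it is mode 600.
strip_trailing_newlines() {
    tmp="$1.tmp"
    printf '%s' "$(cat "$1")" > "$tmp"
    mv -f "$tmp" "$1"
}

# Print the size of FILE in bytes (wc pads with spaces on macOS; strip them).
pw_file_size() {
    wc -c < "$1" | tr -d ' '
}

# Demo: simulate what an editor such as vim writes (password plus "\n").
demo_dir=$(mktemp -d)
pw="$demo_dir/.ldap_pw"
printf 'correct horse batt\n' > "$pw"     # 18 characters + newline = 19 bytes

echo "before: $(pw_file_size "$pw") bytes, trailing newline: $(pw_file_has_trailing_newline "$pw")"
od -An -c "$pw"                            # shows the stray \n at the end

strip_trailing_newlines "$pw"

echo "after:  $(pw_file_size "$pw") bytes, trailing newline: $(pw_file_has_trailing_newline "$pw")"
od -An -c "$pw"
ls -l "$pw"                                # still -rw------- (600)

rm -rf "$demo_dir"
```

Once the file reports 0 for the trailing newline, pass it to ldapsearch with -y "$HOME/.ldap_pw" as in the question; the bind then uses exactly the bytes that the interactive prompt accepted. If you edit the file again with vim, the newline comes back unless you turn off end-of-line handling for that file, so it is worth re-running the check after every edit.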