Service Desk Practitioners Forum

ldap_simple_bind: Invalid DN syntax

James Michael L
New Member.

Hi,

I am attempting to configure LDAP-UX using the "Hewlett-Packard Company LDAP-UX Client Services Setup Program" on an Itanium server running HP-UX 11.23. The LDAP server is already set up and working with clients of other O/Ss, for example, Linux. The LDAP server is running the Sun version of LDAP.

I took some of the information from the ldap.conf file on the Linux client and tried to use it to set up this HP-UX client. Even though the syntax in my information is exactly the same as in the example given by the setup program, I still get the error message:

"ldap_simple_bind: Invalid DN syntax"

Is this really a syntactical error or is it simply that I am not using the correct information? See the screen output for details:

Hewlett-Packard Company
LDAP-UX Client Services Setup Program
--------------------------------------------------------------------------------


Enter the distinguished name (DN) of an existing LDAP-UX profile entry
you want to use or the DN where you want to store a new LDAP-UX profile
entry. For a new entry, all parent entries of the DN must already exist in
the directory or this step will fail,
(for example: cn=ldapuxprofile, ou=ldapuxprofile, dc=hp, dc=com)


Profile Entry DN: [cn=xxxadmin, ou=Groups, dc=xxhq, dc=xx, dc=org]:

2 REPLIES
Ryan Gro
Contributor.

Re: ldap_simple_bind: Invalid DN syntax

I got that error as well any time I tried to include an "organizational unit" in the DN (i.e. ou=Groups in your case).
The problem was solved when I just saved the profile somewhere else (I did cn=ldapuxprofile,cn=users,dc=my,dc=domain,dc=com).
James Michael L
New Member.

Re: ldap_simple_bind: Invalid DN syntax

Hi,

I discovered that I was incorrectly using the username (e.g. bob) instead of the 'User DN'. DN stands for distinguished name, and an example of the syntax to use in response to the 'User DN []: ' prompt in the setup is:

uid=bob,ou=users,ou=apps,dc=mydom,dc=net

Sorry about that. I should have read the prompt. Thanks for the suggestions, although I did not use the idea of dropping the group yet, since the setup continued once I used the above syntax to respond to the 'User DN []: ' prompt.

I do, however, have another question. I continued on with the setup by entering the password. Then I got an error message. The install completed despite this error, finishing with me affirming that I would like to restart the LDAP-UX daemon.

Following the install, /etc/pam.conf was replaced with /etc/pam.ldap and /etc/nsswitch.conf was configured. Since the sample pam.ldap file comes from HP, and this is their O/S and their LDAP client, I assume that it is OK to just copy it to ldap.conf without having to make any changes. I checked, and if $ISA is resolved correctly for an Itanium server as hpux64, then the PATH in the pam.conf (/usr/lib/security/ and $ISA) maps correctly to the LDAP library modules that are described in the new pam.conf.

The problem is that the LDAP-UX client still does not see the directory server! See below the error during setup and also the test of the command that setup suggested I try. Furthermore, see the response from an nsquery which shows that the name service is reported as 'currently unavailable' by HP-UX.

------------------------------------------------------------------------------------------------------------------------------------------

PFMERR 5: Downloading profile entry failed!

PFMERR 41: Can't download Profile Entry from Directory Server!
retcode: 0
Try to run /opt/ldapux/config/get_profile_entry -s nss

------------------------------------------------------------------------------------------------------------------------------------------

root@sybdev1:/etc# /opt/ldapux/config/get_profile_entry -s nss

PFMERR 5: Downloading profile entry failed!

------------------------------------------------------------------------------------------------------------------------------------------

root@sybdev1:/root# nsquery passwd test.user

Using "files [NOTFOUND=continue UNAVAIL=continue] ldap " for the passwd policy.

Searching /etc/passwd for test.user
test.user was NOTFOUND

Switch configuration: Allows fallback

Searching ldap for test.user
This Name Service is currently unavailable

Switch configuration: Allows fallback

All name services have been searched
root@sybdev1:/root#

------------------------------------------------------------------------------------------------------------------------------------------

The response to the nsquery above demonstrates that the nsswitch.conf file is correctly configured. Despite this, LDAP-UX does not see the directory server.

I am sure that the directory server is up because I can access it from my PC, using the same parameters that I used for the LDAP-UX install, but with the public domain software called 'ldap browser\editor v2.8.2'. Obviously I have substituted 'x' for any personally/organizationally identifiable information in the screen dump, or at least I should have. :)

Questions: Why doesn't it just work, like Windows? OK, just kidding :) , but seriously why is this not working; any ideas anyone?
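As an added example (not code from the thread or from HP's LDAP-UX tools), here is a small RFC 4514 DN parser in Python that makes the first problem in this thread concrete: a bare username such as `bob` has no `attribute=value` pairs and is rejected as invalid DN syntax, while `uid=bob,ou=users,ou=apps,dc=mydom,dc=net` and the space-after-comma form shown by the setup prompt both parse cleanly. It is a simplified parser (backslash escapes and multi-valued RDNs are handled; hex-encoded `#` values are not) and does not attempt to reproduce the exact checks of any particular LDAP library.

```python
import re

# RFC 4514 attribute type: a descriptor (letter, then letters/digits/hyphens) or a dotted OID
_ATTR_TYPE = re.compile(r'^(?:[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)*)$')

def split_unescaped(text, sep):
    """Split text on `sep` characters that are not escaped with a backslash."""
    parts, current, escaped = [], [], False
    for ch in text:
        if escaped or ch == '\\':      # consume an escape pair as-is
            current.append(ch)
            escaped = not escaped
        elif ch == sep:
            parts.append(''.join(current))
            current = []
        else:
            current.append(ch)
    if escaped:
        raise ValueError("Invalid DN syntax: dangling escape at end of string")
    parts.append(''.join(current))
    return parts

def parse_dn(dn):
    """Parse a DN into a list of RDNs, each a list of (type, value) pairs; ValueError if malformed."""
    if dn.strip() == '':
        return []  # the empty DN (root DSE) is valid per RFC 4514
    rdns = []
    for rdn_text in split_unescaped(dn, ','):
        avas = []
        for ava_text in split_unescaped(rdn_text, '+'):
            if '=' not in ava_text:  # a bare username such as 'bob' fails here
                raise ValueError(f"Invalid DN syntax: '{ava_text.strip()}' has no '='")
            attr_type, value = ava_text.split('=', 1)
            attr_type = attr_type.strip()  # whitespace around ',' '+' and '=' is permitted
            value = re.sub(r'(?<!\\)\s+$', '', value.lstrip())  # keep an escaped trailing space
            if not _ATTR_TYPE.match(attr_type):
                raise ValueError(f"Invalid DN syntax: bad attribute type '{attr_type}'")
            if value == '':
                raise ValueError(f"Invalid DN syntax: empty value for '{attr_type}'")
            avas.append((attr_type, value))
        rdns.append(avas)
    return rdns

def is_valid_dn(dn):
    try:
        parse_dn(dn)
        return True
    except ValueError:
        return False
```

Running `is_valid_dn` over the value you are about to type at the 'User DN []: ' or 'Profile Entry DN' prompt is a quick way to separate a genuine syntax error from a DN that is well-formed but simply does not exist in the directory.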