
ldap_bind: Invalid credentials (49) with sqlite plugin #377

Open
jay-va opened this issue Dec 20, 2023 · 3 comments

Comments

@jay-va

jay-va commented Dec 20, 2023

I've been pounding my head in the wall trying to run the latest version of glauth (2.3) with a sqlite3 backend using the latest glauth-sqlite plugin "sqlite-darwin-arm64.so". Not sure what I'm doing wrong. I am having a problem trying to run the sample ldapsearch:

ldapsearch -LLL -H ldap://localhost:3893 -D cn=serviceuser,ou=svcaccts,dc=glauth,dc=com -w mysecret -x -bdc=glauth,dc=com cn=hackers

This returns the error: ldap_bind: Invalid credentials (49)

The log in the glauth server window returns the following:

INF  Bind request basedn=dc=glauth,dc=com binddn=cn=serviceuser,ou=svcaccts,dc=glauth,dc=com src=[::1]:49764
INF  User not found username=serviceuser

I am running on a MacBook Pro (Ventura 13.6.3) with the following setup:

config.cfg file:

        debug = true
        [ldap]
          enabled = true
          listen = "0.0.0.0:3893"
        [ldaps]
          enabled = false
          listen = "0.0.0.0:3894"
          cert = "/app/config/certs/cert"
          key = "/app/config/certs/cert.key"
        [backend]
          datastore = "plugin"
          plugin = "sqlite-darwin-arm64.so"
          pluginhandler = "NewSQLiteHandler"
          database = "./SQLITEldap.db"
          baseDN = "dc=glauth,dc=com"
          nameformat = "cn"
          groupformat = "ou"
        [behaviors]
          IgnoreCapabilities = false
          LimitFailedBinds = true
          NumberOfFailedBinds = 3
          PeriodOfFailedBinds = 10
          BlockFailedBindsFor = 60
          PruneSourceTableEvery = 600
          PruneSourcesOlderThan = 600
        [api]
          enabled = false

My sqlite DB has been populated with the example entries from glauth as follows:

INSERT INTO groups(name, gidnumber) VALUES
  ('superheros', 5501),
  ('svcaccts', 5502),
  ('civilians', 5503),
  ('caped', 5504),
  ('lovesailing', 5505),
  ('smoker', 5506);

INSERT INTO includegroups(parentgroupid, includegroupid) VALUES
  (5503, 5501),
  (5504, 5502),
  (5504, 5501);

INSERT INTO users(name, uidnumber, primarygroup, passsha256) VALUES
  ('hackers', 5001, 5501,'6478579e37aff45f013e14eeb30b3cc56c72ccdc310123bcdf53e0333e3f416a'),
  ('johndoe', 5002, 5502,'6478579e37aff45f013e14eeb30b3cc56c72ccdc310123bcdf53e0333e3f416a'),
  ('serviceuser', 5003, 5502, '652c7dc687d98c9889304ed2e408c74b611e86a40caa51c4b43f1dd5913c5cd0');

INSERT INTO users(name, uidnumber, primarygroup, passsha256, othergroups) VALUES
  ('user4', 5004, 5504,'652c7dc687d98c9889304ed2e408c74b611e86a40caa51c4b43f1dd5913c5cd0','5505,5506');

INSERT INTO capabilities(userid, action, object) VALUES
  (5001, 'search', 'ou=superheros,dc=glauth,dc=com'),
  (5003, 'search', '*');

Just for giggles, I changed one line in my config to use the file instead of the DB as such (WITHOUT the arrow obviously):
FROM:

        [backend]
          datastore = "plugin"      <-------
          plugin = "sqlite-darwin-arm64.so"
          pluginhandler = "NewSQLiteHandler"
          database = "./SQLITEldap.db"
          baseDN = "dc=glauth,dc=com"
          nameformat = "cn"
          groupformat = "ou"

TO:

        [backend]
          datastore = "config"     <-------
          plugin = "sqlite-darwin-arm64.so"
          pluginhandler = "NewSQLiteHandler"
          database = "./SQLITEldap.db"
          baseDN = "dc=glauth,dc=com"
          nameformat = "cn"

As expected, I received all the correct user info from the ldap query and the following log entries in the glauth server window:

INF  Bind request basedn=dc=glauth,dc=com binddn=cn=serviceuser,ou=svcaccts,dc=glauth,dc=com src=[::1]:50647
INF  Bind success binddn=cn=serviceuser,ou=svcaccts,dc=glauth,dc=com src=[::1]:50647
INF  Search request basedn=dc=glauth,dc=com binddn=cn=serviceuser,ou=svcaccts,dc=glauth,dc=com filter=(cn=hackers) scope=2 searchbasedn=dc=glauth,dc=com src=[::1]:50647
INF  Search request special case="top-level browse"
INF  AP: Top-Level Browse OK filter=(cn=hackers)

I then commented out the serviceuser users entry in the config file like so:

#[[users]]
#  name = "serviceuser"
#  mail = "serviceuser@example.com"
#  uidnumber = 5003
#  primarygroup = 5502
#  passsha256 = "652c7dc687d98c9889304ed2e408c74b611e86a40caa51c4b43f1dd5913c5cd0" # mysecret
#   [[users.capabilities]]
#    action = "search"
#    object = "*"

and received the identical response I posted at the top of this issue, ldap_bind: Invalid credentials (49). While I'm not sure what's going on, it is behaving as if the serviceuser entry is not even in the database when I do the search with the sqlite plugin module. I'm not sure what I may be missing or have possibly mis-configured.

Any help would be appreciated. Thank you in advance!

@Fusion
Collaborator

Fusion commented Dec 21, 2023

I'm looking into this...

@Fusion
Collaborator

Fusion commented Dec 25, 2023

OK, "works for me", but with enormous caveats:
I believe that you may have been misled (most likely by ourselves!) and that's why you were getting in trouble.

For instance, recently we made a change renaming 'groups' to 'ldapgroups' -- I included a table name migration in there but did not have the time to update the documentation accordingly so it's likely that your insert statements partially failed.

Here is what the latest (trunk) version works with:

INSERT INTO ldapgroups(name, gidnumber)
  VALUES('superheros', 5501);
INSERT INTO ldapgroups(name, gidnumber)
  VALUES('svcaccts', 5502);
INSERT INTO ldapgroups(name, gidnumber)
  VALUES('civilians', 5503);
INSERT INTO ldapgroups(name, gidnumber)
  VALUES('caped', 5504);
INSERT INTO ldapgroups(name, gidnumber)
  VALUES('lovesailing', 5505);
INSERT INTO ldapgroups(name, gidnumber)
  VALUES('smoker', 5506);
INSERT INTO includegroups(parentgroupid, includegroupid)
  VALUES(5503, 5501);
INSERT INTO includegroups(parentgroupid, includegroupid)
  VALUES(5504, 5502);
INSERT INTO includegroups(parentgroupid, includegroupid)
  VALUES(5504, 5501);
INSERT INTO users(name, uidnumber, primarygroup, passsha256)
  VALUES('hackers', 5001, 5501,
    '6478579e37aff45f013e14eeb30b3cc56c72ccdc310123bcdf53e0333e3f416a');
INSERT INTO users(name, uidnumber, primarygroup, passsha256)
  VALUES('johndoe', 5002, 5502,
    '6478579e37aff45f013e14eeb30b3cc56c72ccdc310123bcdf53e0333e3f416a');
INSERT INTO users(name, mail, uidnumber, primarygroup, passsha256)
  VALUES('serviceuser', 'serviceuser@example.com', 5003, 5502,
    '652c7dc687d98c9889304ed2e408c74b611e86a40caa51c4b43f1dd5913c5cd0');
INSERT INTO users(name, uidnumber, primarygroup, passsha256, othergroups)
  VALUES('user4', 5004, 5504,
    '652c7dc687d98c9889304ed2e408c74b611e86a40caa51c4b43f1dd5913c5cd0',
    '5505,5506');
INSERT INTO capabilities(userid, action, object)
  VALUES(5001, 'search', 'ou=superheros,dc=glauth,dc=com');
INSERT INTO capabilities(userid, action, object)
  VALUES(5003, 'search', '*');

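The following is an added example, not code from glauth or its sqlite plugin, that turns the two failure points in this thread into an offline check: whether the seed script targets a table that does not exist (the `groups` to `ldapgroups` rename above), and whether a bind for a given DN fails because the user row is absent ("User not found", as in the reporter's log) or because the password does not hash to the stored passsha256. The CREATE TABLE statements are an assumption derived only from the column lists in the INSERTs; the real plugin schema may have more columns. The bind model is simplified (cn= taken from the first RDN, name looked up, SHA-256 hex compared) and is not the plugin's actual lookup code. The password "mysecret" is paired with the hash as in the reporter's own config comment.

```python
"""Added example (not glauth's or the sqlite plugin's code): seed an in-memory SQLite
database from the rows in the comment above and model the bind checks offline."""
import hashlib
import hmac
import sqlite3

# Assumed minimal schema, derived only from the column names used in the INSERTs.
SCHEMA = """
CREATE TABLE ldapgroups(name TEXT, gidnumber INTEGER);
CREATE TABLE includegroups(parentgroupid INTEGER, includegroupid INTEGER);
CREATE TABLE users(name TEXT, mail TEXT, uidnumber INTEGER, primarygroup INTEGER,
                   passsha256 TEXT, othergroups TEXT);
CREATE TABLE capabilities(userid INTEGER, action TEXT, object TEXT);
"""

# Sample rows copied from the comment above (a subset, single-quoted literals).
SEED = """
INSERT INTO ldapgroups(name, gidnumber) VALUES('superheros', 5501);
INSERT INTO ldapgroups(name, gidnumber) VALUES('svcaccts', 5502);
INSERT INTO includegroups(parentgroupid, includegroupid) VALUES(5504, 5502);
INSERT INTO users(name, mail, uidnumber, primarygroup, passsha256)
  VALUES('serviceuser', 'serviceuser@example.com', 5003, 5502,
         '652c7dc687d98c9889304ed2e408c74b611e86a40caa51c4b43f1dd5913c5cd0');
INSERT INTO capabilities(userid, action, object) VALUES(5003, 'search', '*');
"""


def open_sample_db():
    """Create a throwaway database with the assumed schema and the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA + SEED)
    return conn


def missing_tables(conn, wanted=("ldapgroups", "includegroups", "users", "capabilities")):
    """Return the names in `wanted` that do not exist in the database.

    Running this with the table names a seed script uses (e.g. the old 'groups')
    shows before execution which INSERTs would fail against this database."""
    existing = {row[0] for row in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table'")}
    return [name for name in wanted if name not in existing]


def check_bind(conn, bind_dn, password):
    """Simplified model of the bind, not the plugin's real logic.

    Takes the cn= value from the first RDN, looks the user up by name, then
    compares the SHA-256 hex of the password with the stored passsha256.
    Returns 'user not found', 'invalid credentials', 'bind success' or 'invalid dn'."""
    rdn = bind_dn.split(",", 1)[0].strip()
    if not rdn.lower().startswith("cn="):
        return "invalid dn"
    name = rdn[3:]
    row = conn.execute(
        "SELECT passsha256 FROM users WHERE name = ?", (name,)).fetchone()
    if row is None:
        return "user not found"          # matches the 'User not found' log line
    digest = hashlib.sha256(password.encode("utf-8")).hexdigest()
    # Constant-time comparison of the two hex strings.
    if not hmac.compare_digest(digest, row[0]):
        return "invalid credentials"     # the client sees ldap_bind result 49
    return "bind success"


if __name__ == "__main__":
    db = open_sample_db()
    print("missing tables (old name):", missing_tables(db, ("groups",)))
    print(check_bind(db, "cn=serviceuser,ou=svcaccts,dc=glauth,dc=com", "mysecret"))
    print(check_bind(db, "cn=nosuchuser,ou=svcaccts,dc=glauth,dc=com", "mysecret"))
```

Pointing `sqlite3.connect` at the real `SQLITEldap.db` instead of `:memory:` (and skipping the `executescript`) gives the same two answers for the database the server is actually reading: if `missing_tables` reports nothing but `check_bind` still says "user not found", the row really is absent from that file, which is the state the reporter's log describes.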
@jay-va
Author

jay-va commented Dec 27, 2023

I had already discovered this before I submitted my post. I grep'd for insert statements in the golang executable release and found that the "groups" table gets renamed to "ldapgroups". So I had the correct database tables and columns in my SQL DB. Just to make sure, I blew everything away and re-created the database, and used the insert statements you listed above. Unfortunately, I still get the "user not found username=serviceuser" error along with "ldap_bind: Invalid credentials (49)". It must be something else on my end, since you were able to get it to work with the same database setup.
