Problem Description
A server node configured with an external LDAP server logs the following errors:
WARNING (security): (ldap_ee.c:650) error binding to ldap for user CN=aerospike,OU=People: 49 (Invalid credentials)
WARNING (security): (ldap_ee.c:605) couldn't authenticate trusted aerospike user
Explanation
If the configuration in aerospike.conf for the privileged user with permission to query LDAP is incorrect, you will see errors like the ones described above in the Aerospike logs.
Solution
1) Confirm the correct values for the parameters noted below with your LDAP admin and then test the authentication with ldapsearch. The necessary parameters from the Aerospike config file can be mapped to an ldapsearch query as follows:
query-base-dn: -b (ex: dc=field,dc=aerospike,dc=com)
query-user-dn: -D (ex: cn=admin,dc=field,dc=aerospike,dc=com)
query-user-password-file: -y (ex: /etc/aerospike/passwordldap.txt)
server: -H (ex: ldap://127.0.0.1:389)
ldapsearch query
ldapsearch -y /etc/aerospike/passwordldap.txt -D "cn=admin,dc=field,dc=aerospike,dc=com" -b "dc=field,dc=aerospike,dc=com" -H ldap://127.0.0.1:389
Notes
Note that the values for query-user-dn and query-base-dn should be put inside quotes in the ldapsearch query (the -D and -b parameters, respectively) but not in aerospike.conf.
Also note that ldapsearch will allow spaces inside these values, but spaces must be escaped in aerospike.conf, for example:
query-user-dn uid=aerospike,ou=Trusted/20User,dc=field,dc=aerospike,dc=com
Once you have verified the correct values with ldapsearch and confirmed they are formatted correctly for the corresponding parameters in your Aerospike config file, retest with aql.
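The parameter-to-flag mapping above as a shell function, added here as an example (it is not Aerospike tooling): it reads the four parameters from the ldap stanza of a config file, prints the matching ldapsearch command, and rejects a value that contains an unescaped space. The function names and the sample config, built from the example values on this page, are constructed for illustration.

```shell
#!/bin/sh
# Build the ldapsearch test command from the LDAP parameters in an
# Aerospike config file. Helper names are hypothetical, not Aerospike's.

# Print the value of parameter $2 found inside the ldap { ... } stanza of file $1.
conf_value() {
    awk -v p="$2" '
        /^[ \t]*ldap[ \t]*[{]/ { inside = 1; next }
        inside && /[}]/        { inside = 0 }
        inside && $1 == p      { $1 = ""; sub(/^ +/, ""); print; exit }
    ' "$1"
}

# Print the ldapsearch command for config file $1.
# Returns 1 if a parameter is missing, 2 if a value has an unescaped space.
ldapsearch_from_conf() {
    for p in query-base-dn query-user-dn query-user-password-file server; do
        v=$(conf_value "$1" "$p")
        [ -n "$v" ] || { echo "missing $p in ldap stanza" >&2; return 1; }
        case $v in
            *" "*) echo "$p has an unescaped space: $v" >&2; return 2 ;;
        esac
        case $p in
            query-base-dn)            base=$v ;;
            query-user-dn)            user=$v ;;
            query-user-password-file) pwfile=$v ;;
            server)                   server=$v ;;
        esac
    done
    # -D and -b are quoted for ldapsearch, as the notes above require.
    printf 'ldapsearch -y %s -D "%s" -b "%s" -H %s\n' "$pwfile" "$user" "$base" "$server"
}

# Constructed sample config using the example values from this page.
write_sample_conf() {
    cat > "$1" <<'EOF'
security {
    ldap {
        query-base-dn dc=field,dc=aerospike,dc=com
        query-user-dn cn=admin,dc=field,dc=aerospike,dc=com
        query-user-password-file /etc/aerospike/passwordldap.txt
        server ldap://127.0.0.1:389
    }
}
EOF
}

sample=$(mktemp) && write_sample_conf "$sample" && ldapsearch_from_conf "$sample"
rm -f "$sample"
```

Escaped values are passed through unchanged, so a DN that uses the escape shown in the notes still has to be converted back to a literal space before it is given to ldapsearch.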