OpenLDAP on osx – can’t authenticate with username/password

I set up a local OpenLDAP server on my osx machine using the instructions here – http://eells.consulting/2014/06/20/mac-os-x-10-9-openldap-install-search-and-authentication/

The following is my slapd.conf

#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include     /private/etc/openldap/schema/core.schema
include     /private/etc/openldap/schema/cosine.schema
include     /private/etc/openldap/schema/nis.schema
include     /private/etc/openldap/schema/inetorgperson.schema

# Define global ACLs to disable default read access.

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral   ldap://root.openldap.org

pidfile     /private/var/db/openldap/run/slapd.pid
argsfile    /private/var/db/openldap/run/slapd.args

# Load dynamic backend modules:
modulepath  /usr/libexec/openldap
moduleload  back_bdb.la
# moduleload    back_hdb.la
# moduleload    back_ldap.la

# Sample security restrictions
#   Require integrity protection (prevent hijacking)
#   Require 112-bit (3DES or better) encryption for updates
#   Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64

# Sample access control policy:
#   Root DSE: allow anyone to read it
#   Subschema (sub)entry DSE: allow anyone to read it
#   Other DSEs:
#       Allow self write access
#       Allow authenticated users read access
#       Allow anonymous users to authenticate
#   Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
#   by self write
#   by users read
#   by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn.  (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!

#######################################################################
# BDB database definitions
#######################################################################

database    ldif
suffix      "dc=my-domain,dc=com"
rootdn      "cn=manager,dc=my-domain,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoid.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw      {SSHA}aZbwXocmOa45L6piscGmb6nKG+VeQbpA
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory   /private/var/db/openldap/openldap-data
# Indices to maintain
index   objectClass eq

I am then running the server with sudo /usr/libexec/slapd -d3 and everything seems to be working fine.

I have followed the instructions here (https://www.thegeekstuff.com/2015/02/openldap-add-users-groups/), and am able to create users, which I have confirmed here in Ldap Admin Tool:

ldap admin screenshot

I have also confirmed the user exists by running ldapsearch

$ ldapsearch -H ldap://localhost:389 -x -D cn=Manager,dc=my-domain,dc=com -w yourpassword -b dc=my-domain,dc=com "(uid=shoma)"

returns

# extended LDIF
#
# LDAPv3
# base <dc=my-domain,dc=com> with scope subtree
# filter: (uid=shoma)
# requesting: ALL
#

# shoma, my-domain.com
dn: uid=shoma,dc=my-domain,dc=com
uid: shoma
cn: shoma
sn: shoma
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
userPassword:: ZGFsdG9u

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

Though everything seems to be working fine up to that point, I am completely unable to actually authenticate with a username and password, which I am attempting to do with the npm package passport-ldapauth.

I’m attempting to test the credentials with this command:

ldapwhoami -vvv -h localhost -p 389 -D uid=shoma,dc=my-domain,dc=com -x -W

but am simply met with the following error:

ldap_bind: Invalid credentials (49) 

I am 100% sure I am entering the right password. Any advice is appreciated!
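The ldapsearch output above prints userPassword in the LDIF "attr:: value" form, which is plain base64 (ldapsearch always base64-encodes userPassword), not encryption: the stored value decodes to the literal secret that slapd compares a simple bind against. The script below is an added example, not part of the question or of OpenLDAP; it pulls attributes out of that LDIF (decoding the base64 form), shows the exact bytes and length of the stored userPassword so a stray space or newline cannot hide, and wraps the same ldapwhoami bind check in a scriptable form using -H and -w instead of the deprecated -h/-p and the interactive -W prompt. The sample LDIF is constructed by copying the entry from the question; bind_check and hash_password only run when RUN_BIND=1 is set and the OpenLDAP client tools are installed.

```shell
#!/bin/sh
# Added example (not from the original post or from OpenLDAP): inspect what
# slapd holds in userPassword for uid=shoma and run the bind check without a
# prompt. Assumes POSIX sh plus base64(1), od(1), wc(1) and, for the optional
# parts, the OpenLDAP client tools ldapwhoami(1) and slappasswd(8).
set -eu

# Constructed sample: the entry copied verbatim from the question's ldapsearch.
SAMPLE_LDIF='dn: uid=shoma,dc=my-domain,dc=com
uid: shoma
cn: shoma
sn: shoma
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
userPassword:: ZGFsdG9u'

# ldif_get ATTR  -- print the first value of ATTR from LDIF on stdin.
# An "attr:: b64" line is base64-decoded to its raw bytes; an "attr: text"
# line is printed verbatim (no trailing newline, so byte counts stay exact).
ldif_get() {
    attr=$1
    line=$(grep "^$attr::\{0,1\} " | head -n 1)
    case $line in
        "$attr:: "*) printf '%s\n' "${line#*:: }" | base64 --decode ;;
        "$attr: "*)  printf '%s' "${line#*: }" ;;
        *)           return 1 ;;
    esac
}

# stored_len ATTR -- byte length of the stored value from SAMPLE_LDIF.
# A length of 7 for a 6-character password means a trailing space/newline
# went in with the original ldapadd, which a -W prompt will never reproduce.
stored_len() {
    printf '%s\n' "$SAMPLE_LDIF" | ldif_get "$1" | wc -c | tr -d ' '
}

# show_bytes ATTR -- character dump of the stored value, to make any
# invisible byte visible.
show_bytes() {
    printf '%s\n' "$SAMPLE_LDIF" | ldif_get "$1" | od -An -c
}

# bind_check DN PASSWORD [URI] -- same test as the question's ldapwhoami but
# scriptable: -H takes a URI (the -h/-p form is deprecated) and -w supplies
# the secret directly. -w exposes the password in the process list; in real
# scripts prefer "-y passwordfile" with a mode-600 file.
bind_check() {
    dn=$1; pw=$2; uri=${3:-ldap://localhost:389}
    ldapwhoami -x -H "$uri" -D "$dn" -w "$pw"
}

# hash_password PASSWORD -- the {SSHA} form slapd.conf(5) recommends, so the
# cleartext value can be replaced with ldapmodify instead of being stored
# and served in the clear.
hash_password() {
    slappasswd -h '{SSHA}' -s "$1"
}

# Offline part: what slapd compares a simple bind for uid=shoma against.
printf 'stored userPassword for %s is %s byte(s):\n' \
    "$(printf '%s\n' "$SAMPLE_LDIF" | ldif_get uid)" "$(stored_len userPassword)"
show_bytes userPassword

# Online part, only when asked for: bind as the user with the stored value.
if [ "${RUN_BIND:-0}" = 1 ]; then
    bind_check "$(printf '%s\n' "$SAMPLE_LDIF" | ldif_get dn)" \
               "$(printf '%s\n' "$SAMPLE_LDIF" | ldif_get userPassword)"
    hash_password "$(printf '%s\n' "$SAMPLE_LDIF" | ldif_get userPassword)"
fi
```

Two things the config on the page makes worth checking while doing this. First, every `access` directive in the posted slapd.conf is commented out, and the file's own comment says that with no access controls the default policy is "access to * by * read", so the decoded value above is readable by an anonymous bind, not just by the rootdn used in the ldapsearch. Second, the posted ldapwhoami uses -W, so the password is typed at a prompt; running bind_check with the value ldif_get decodes removes typing from the list of suspects. Storing userPassword as the {SSHA} string hash_password produces and restoring an ACL of the shape `access to attrs=userPassword by self write by anonymous auth by * none` ahead of the sample rules closes the cleartext exposure without affecting simple binds, because `auth` access is all a bind needs.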