Hi Rob, Thanks for all the observations and i will keep those things in mind. The issue was with the wrong password. Once I updated the password everything worked !
Regards

On Mon, Jul 20, 2020 at 7:28 PM Rob Crittenden <rcritten@redhat.com> wrote:
Dwija D via FreeIPA-users wrote:
> Hi I am trying to search ldap user using the following command but with
> invalid credentials error: # ldapsearch -x -h ldap://ipm.example.net
> <http://ldaps//idm.example.net>-p 389 -b "*dc=example,dc=net*" -D
> "*uid=ldapbind,cn=users,cn=account,dc=example,dc=net*" uid=ambariadmin1
> -W Enter LDAP Password: *ldap_bind: Invalid credentials (49)* I have
> double checked the password but the error still persists. Before that, i
> have added a ldap bind user with the following procedure *[root@example
> ~]# cat ldapbind.ldif* dn:
> uid=ldapbind,cn=users,cn=accounts,dc=example,dc=net changetype: add
> objectclass: account objectclass: simplesecurityobject uid: ambaribind
> userPassword: secret123 passwordExpirationTime: 20380119031407Z
> nsIdleTimeout: 0

I would discourage you from adding bind-only users to cn=users. We
recommend putting into cn=sysaccounts. This isn't a posix user and the
IPA tools shouldn't be used to manage it.

*[root@example ~]# ldapmodify -h **example.net*
> <http://example.net/>*-p 389 -x -D "cn=Directory Manager" -w 'secret123'
> -f ldapbind.ldif* adding new entry
> "uid=ldapbind,cn=users,cn=accounts,dc=example,dc=net" *[root@example ~]#
> ipa user-show ambaribind --raw --all* dn:
> uid=ldapbind,cn=users,cn=accounts,dc=example,dc=net uid: ldapbind
> nsaccountlock: FALSE has_password: TRUE has_keytab: FALSE objectClass:
> account objectClass: simplesecurityobject objectClass: top Without bind
> user, i can search the user *[root@example ~]# ldapsearch -x -h
> **ipa.example.net* <http://idm.infodetics.net/>*-p 389 -b
> "cn=ambari,dc=example,dc=net" uid=ambariadmin1* Can any one plz guide me
> where is the issue ? Regards  

There are some inconsistencies in the naming, I assume related to an
attempt at obfuscation, which makes it difficult to spot real issues.

Otherwise the ldif looks fine. I don't see any reason why the bind would
fail. I'm not aware of any ACI that prevents bind in cn=users for
non-IPA users but as I mentioned, we recommend using cn=sysaccounts per
https://www.freeipa.org/page/HowTo/LDAP

rob