Setting / resetting the database password

From Nix-Pro
  • Assumptions:
  1. We have root access to the LDAP server.
  2. We need to set a password for the dc=example,dc=com database (DIT).
  • List all DITs and find your database (its database index):
root@ldap:~# sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config "(olcDatabase=*)" dn olcSuffix
dn: olcDatabase={-1}frontend,cn=config
 
dn: olcDatabase={0}config,cn=config
 
dn: olcDatabase={1}hdb,cn=config
olcSuffix: dc=nodomain
 
dn: olcDatabase={2}hdb,cn=config
olcSuffix: dc=example,dc=com
 
root@ldap:~#

In this example there are two DITs besides the system ones:

  1. dc=nodomain
  2. dc=example,dc=com
  • Check whether a root DN and password are set for dc=example,dc=com:
root@ldap:~# sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config "(olcSuffix=dc=example,dc=com)" 
dn: olcDatabase={2}hdb,cn=config
objectClass: olcHdbConfig
olcDatabase: {2}hdb
olcDbDirectory: /var/lib/ldap/example.com
olcSuffix: dc=example,dc=com

The output above contains no olcRootDN or olcRootPW attribute, so no root account or password is set for dc=example,dc=com.

  • Generate the password hash with the following syntax ({SHA} is an unsalted SHA-1 hash; slappasswd also offers the salted {SSHA} scheme):
slappasswd -h <hashing scheme, for example {SHA}>

Usage example:

root@ldap:~# slappasswd -h {SHA}
New password: 
Re-enter new password: 
{SHA}qUqP5cyxm6YcTAhz05Hph5gvu9M=
root@ldap:~#

Create root account

  • Create the root account (in this example it is cn=admin,dc=example,dc=com):
root@ldap:~# ldapmodify -Y EXTERNAL -H ldapi:///
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
# First, we enter the entry we want to modify:
dn: olcDatabase={2}hdb,cn=config
# Second, we type in the parameter we want to add
add: olcRootDN
olcRootDN: cn=admin,dc=example,dc=com

Press Enter on an empty line to commit the modification; the following line will appear:

modifying entry "olcDatabase={2}hdb,cn=config"
  • Add the password for the root account:
root@ldap:~# ldapmodify -Y EXTERNAL -H ldapi:///
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: olcDatabase={2}hdb,cn=config
add: olcRootPW
olcRootPW: {SHA}qUqP5cyxm6YcTAhz05Hph5gvu9M=
  • Verify the added attributes:
root@ldap:~# sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config "(olcSuffix=dc=example,dc=com)"
dn: olcDatabase={2}hdb,cn=config
objectClass: olcHdbConfig
olcDatabase: {2}hdb
olcDbDirectory: /var/lib/ldap/example.com
olcSuffix: dc=example,dc=com
olcRootDN: cn=admin,dc=example,dc=com
olcRootPW: {SHA}qUqP5cyxm6YcTAhz05Hph5gvu9M=
 
root@ldap:~#
  • Try to bind using the created root account:

Interactive mode (-W prompts for the password):

root@ldap:~# ldapsearch -LLL -D "cn=admin,dc=example,dc=com" -W -b dc=example,dc=com
Enter LDAP Password: 
dn: dc=example,dc=com
dc: example
description: My company
objectClass: dcObject
objectClass: organization
o: Example Inc.
 
dn: ou=people,dc=example,dc=com
ou: people
description: All people in organisation
objectClass: organizationalUnit
 
dn: cn=Robert Smith,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
cn: Robert Smith
cn: Robert J Smith
cn: bob  smith
sn: smith
uid: rjsmith
userPassword:: ckpzbWl0SA==
carLicense: HISCAR 123
homePhone: 555-111-2222
mail: r.smith@example.com
mail: rsmith@example.com
mail: bob.smith@example.com
description: swell guy
ou: Human Resources

Non-interactive mode (-w takes the password on the command line, where it is visible in the shell history and process list; outside of tests prefer -W or -y passwordfile):

root@ldap:~# ldapsearch -LLL -D "cn=admin,dc=example,dc=com" -w test -b dc=example,dc=com
dn: dc=example,dc=com
dc: example
description: My company
objectClass: dcObject
objectClass: organization
o: Example Inc.
 
dn: ou=people,dc=example,dc=com
ou: people
description: All people in organisation
objectClass: organizationalUnit
 
dn: cn=Robert Smith,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
cn: Robert Smith
cn: Robert J Smith
cn: bob  smith
sn: smith
uid: rjsmith
userPassword:: ckpzbWl0SA==
carLicense: HISCAR 123
homePhone: 555-111-2222
mail: r.smith@example.com
mail: rsmith@example.com
mail: bob.smith@example.com
description: swell guy
ou: Human Resources

Modify root account

  • Change the database root password:
root@ldap:~# ldapmodify -Y EXTERNAL -H ldapi:///
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
# First, we enter the entry we want to modify:
dn: olcDatabase={2}hdb,cn=config
# Second, we type in the parameter we want to modify:
replace: olcRootPW
olcRootPW: {SHA}8sV4cDCNyH9DLlkS1N5vjjInIbo=

Press Enter on an empty line to commit the modification; the following line will appear:

modifying entry "olcDatabase={2}hdb,cn=config"
  • Try to bind using the new password:
root@ldap:~# ldapsearch -LLL -D "cn=admin,dc=example,dc=com" -w newpassword -b dc=example,dc=com
dn: dc=example,dc=com
dc: example
description: My company
objectClass: dcObject
objectClass: organization
o: Example Inc.
 
dn: ou=people,dc=example,dc=com
ou: people
description: All people in organisation
objectClass: organizationalUnit
 
dn: cn=Robert Smith,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
cn: Robert Smith
cn: Robert J Smith
cn: bob  smith
sn: smith
uid: rjsmith
userPassword:: ckpzbWl0SA==
carLicense: HISCAR 123
homePhone: 555-111-2222
mail: r.smith@example.com
mail: rsmith@example.com
mail: bob.smith@example.com
description: swell guy
ou: Human Resources
 
root@ldap:~#
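The "Create root account" and "Modify root account" steps above, as an added POSIX shell example that is not part of the original page: it looks up the database index for a suffix from the cn=config search output, decides between add (no olcRootPW yet) and replace (password already set), and feeds the resulting LDIF to ldapmodify. The set_root_password wrapper, the sample search output and the {SSHA}EXAMPLEHASH placeholder are constructed; the hash itself is expected to come from slappasswd.

```shell
#!/bin/sh
# Added example, not from the original page: find the cn=config entry of the
# database serving a suffix and build the LDIF that sets olcRootDN/olcRootPW,
# using "add" when no olcRootPW exists yet and "replace" otherwise.

# Constructed sample of the page's ldapsearch -b cn=config "(olcDatabase=*)" output.
SAMPLE_SEARCH='dn: olcDatabase={-1}frontend,cn=config

dn: olcDatabase={0}config,cn=config

dn: olcDatabase={1}hdb,cn=config
olcSuffix: dc=nodomain

dn: olcDatabase={2}hdb,cn=config
olcSuffix: dc=example,dc=com
'

# find_db_dn SUFFIX: read -LLL output (blank-line separated entries, each "dn:"
# followed by its "olcSuffix:") on stdin and print the DN whose suffix matches.
find_db_dn() {
    awk -v want="$1" 'BEGIN { RS = ""; FS = "\n" }
        $2 == ("olcSuffix: " want) { sub(/^dn: /, "", $1); print $1; exit }'
}

# build_rootpw_ldif DB_DN ROOT_DN HASH CURRENT_PW: CURRENT_PW is empty when the
# database has no olcRootPW yet (attributes are added), otherwise they are replaced.
build_rootpw_ldif() {
    op=add; [ -n "$4" ] && op=replace
    printf 'dn: %s\nchangetype: modify\n%s: olcRootDN\nolcRootDN: %s\n-\n%s: olcRootPW\nolcRootPW: %s\n' \
        "$1" "$op" "$2" "$op" "$3"
}

# set_root_password SUFFIX ROOT_DN HASH: hypothetical wrapper that runs the real
# commands as root on the server; HASH comes from slappasswd (prefer {SSHA}).
set_root_password() {
    db_dn=$(ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config \
                "(olcDatabase=*)" dn olcSuffix | find_db_dn "$1")
    [ -n "$db_dn" ] || { echo "no database serves suffix $1" >&2; return 1; }
    current=$(ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b "$db_dn" -s base olcRootPW |
              awk '/^olcRootPW:/ { print "set" }')
    build_rootpw_ldif "$db_dn" "$2" "$3" "$current" | ldapmodify -Q -Y EXTERNAL -H ldapi:///
}

# Offline demonstration on the constructed sample (no server needed):
build_rootpw_ldif "$(printf '%s' "$SAMPLE_SEARCH" | find_db_dn dc=example,dc=com)" \
    cn=admin,dc=example,dc=com '{SSHA}EXAMPLEHASH' ""
```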

Documentation used

http://techiezone.rottigni.net/2011/12/change-root-dn-password-on-openldap/
http://www.tldp.org/HOWTO/LDAP-HOWTO/utilities.html