---------- Forwarded message ----------
From: Naufal Sheikh naufalzamir@gmail.com
Date: Oct 30, 2007 1:16 PM
Subject: Re: setting up admin password on openldap
To: Michael Ströder michael@stroeder.com

Please find the embedded answers.
On 10/30/07, Michael Ströder michael@stroeder.com wrote:
Naufal Sheikh wrote:
I compiled and installed openldap version 2.2.20
Why the hell are you using such an ancient version?
If you're already building yourself, why didn't you use a recent stable version 2.3.3x?
I have already had a discussion on this. My boss does not allow me to change versions, and I cannot help it!
The only catch being that I was never asked to supply any password during the installation,
It does not work like that.
Ok, I thought so as well.
which some of the posts in the mailing list suggested.
I doubt that anyone here claimed that 'make install' asks for a password.
I have a running version of 2.2.20 on Solaris 8.0.
So watch out for rootdn and rootpw in the file slapd.conf.
rootpw line is hashed on the production system and I am using the same rootDN on my linux server as it is on my production.
I first copied all of the slapd.conf from the Solaris server file to my Red Hat server, but slapd gave errors and was not able to start initially.
If you don't provide the exact error message no one will be able to help.
As I said, I have been able to resolve that already and that is no longer a problem.
I then used slapcat on my production system to generate an LDIF which I imported on the Red Hat server using slapadd. I had a few errors about the syntax of the "clientOrg" attribute being incorrect, but those entries contained the extended character set in their values and I deleted them from the LDIF file until I was able to import all of the LDIF from the production system to the Red Hat server.
Do you really know what you're doing? I bet "clientOrg" is a custom schema. Who defined that? Isn't the data therein important for you?
There was a custom schema on the production system, and I did include it in my new installation as well. Umm, yeah, I am not really sure till now how OpenLDAP works and I am more trying to replicate what I have on my old server.
Now, as Piotr suggested, after creating a password I can hash the rootpw line again, so that the authentication can be done using only the passwords in the database. So using slappasswd I generated a hash value of the password and copied it into slapd.conf. While slapd starts fine, it still cannot connect to LDAP using the supplied credentials, saying invalid credentials.
Does your LDIF contain an entry with attribute "userPassword" for the "rootdn" in slapd.conf? Maybe try changing rootdn in slapd.conf to something else and try with that one.
The LDIF I have generated using slapcat on my new server in order to keep it as a backup has the hashed entry of the password in the entry of the administrator. The LDAP browser has the plain text password in the uid of the administrator.
Here is my slapd.conf from my new server :
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /main/soft/openldap/TRAC/tracweb//etc/openldap/schema/core.schema
include /main/soft/openldap/TRAC/tracweb//etc/openldap/schema/cosine.schema
include /main/soft/openldap/TRAC/tracweb//etc/openldap/schema/inetorgperson.schema
include /main/soft/openldap/TRAC/tracweb/etc/openldap/schema/trac.schema

# Define global ACLs to disable default read access.

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org

pidfile /main/soft/openldap/TRAC/tracweb//var/run/slapd.pid
argsfile /main/soft/openldap/TRAC/tracweb//var/run/slapd.args

# Load dynamic backend modules:
# modulepath /main/soft/openldap/TRAC/tracweb//libexec/openldap
# moduleload back_bdb.la
# moduleload back_ldap.la
# moduleload back_ldbm.la
# moduleload back_passwd.la
# moduleload back_shell.la

# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64

# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
# by self write
# by users read
# by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#

#access to * \
# by peername.regex="IP=128.230.156." read stop
# by * none stop

# rootdn can always read and write EVERYTHING!

#######################################################################
# BDB database definitions
#######################################################################

allow bind_v2
backend bdb
database monitor
database bdb
suffix "o=trac"
rootdn "cn=nsadmin,o=trac"

# Cleartext passwords, especially for the rootdn, should
# be avoid. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw test

# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /main/soft/openldap/TRAC/tracweb//var/openldap-data

# Performance
cachesize 1000
#dbnosync
#threads 1
#dbnosync
#threads 16
#timelimit 3600
#sizelimit 9999
sizelimit unlimited
mode 600

#dbcachesize 10000000

# Indices to maintain
index uid eq
index cn pres,eq,sub
index sn pres,eq,sub
index mail eq
index default sub
index objectClass eq
#index uniqueMember eq
#index affiliation eq
#index mailPreferenceOption eq
#index keyWords eq
index telephoneNumber pres,eq,sub
#index cn,sn,mail pres,eq,approx,sub

database bdb
suffix ""
rootdn "cn=nsadmin"
directory /main/soft/openldap/TRAC/tracweb//var/openldap-data2
index uid eq
index cn pres,eq,sub
index sn pres,eq,sub
index mail eq
index default sub
index objectClass eq
The only custom schema I have, which I copied from my old server and included, is trac.schema, as follows:
# TRAC's Extended Schema
objectIdentifier TracOID 1.3.6.1.4.1.25088
objectIdentifier TracSNMP TracOID:1
objectIdentifier TracLDAP TracOID:2
objectIdentifier TracAttributeType TracLDAP:1
objectIdentifier TracObjectClass TracLDAP:2
attributetype ( TracAttributeType:1 NAME 'contactinfo' DESC 'Information about the contact' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} )
attributetype ( TracAttributeType:2 NAME 'regsite' DESC 'Registered site' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} )
attributetype ( TracAttributeType:3 NAME 'tracfedquota' DESC 'Quota tracfed' SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{32768} )
attributetype ( TracAttributeType:4 NAME 'clientorg' DESC 'Client organization' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} )
attributetype ( TracAttributeType:5 NAME 'clearpassword' DESC 'Clear text password' SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{32768} )
attributetype ( TracAttributeType:6 NAME 'regdate' DESC 'Date of registration' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{32768} )
attributetype ( TracAttributeType:7 NAME 'keyWords' DESC 'keywords' SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{32768} )
attributetype ( TracAttributeType:8 NAME 'affiliation' DESC 'Affiliation' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} )
attributetype ( TracAttributeType:9 NAME 'billpostaladdress' DESC 'Bill postal address' SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{32768} )
attributetype ( TracAttributeType:10 NAME 'billpostalcode' DESC 'Billing postal code' SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{32768} )
attributetype ( TracAttributeType:11 NAME 'middlename' DESC 'Middle name' SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{32768} )
attributetype ( TracAttributeType:12 NAME 'regip' DESC 'IP address during registration' SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{32768} )
attributetype ( TracAttributeType:13 NAME 'siteip' DESC 'IP address of the site' SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{32768} )
attributetype ( TracAttributeType:14 NAME 'sitemaxlocker' DESC 'Maximum number of locker data per site' SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{32768} )
attributetype ( TracAttributeType:15 NAME 'sitemaxusers' DESC 'Maximum number of users at the site' SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{32768} )
attributetype ( TracAttributeType:16 NAME 'siteuid' DESC 'Site User ID' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} )
attributetype ( TracAttributeType:17 NAME 'maxqueries' DESC 'Maximum number of queries' SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{32768} )
attributetype ( TracAttributeType:18 NAME 'userflags' DESC 'Maximum number of queries' SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{32768} )
attributetype ( TracAttributeType:19 NAME 'termsagree' DESC 'Maximum number of queries' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{32768} )
attributetype ( TracAttributeType:20 NAME 'morequeries' DESC 'Maximum number of queries' SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{32768} )
attributetype ( TracAttributeType:21 NAME 'overusemethod' DESC 'Overuse handling method' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{32768} )
attributetype ( TracAttributeType:22 NAME 'queryfee' DESC 'Query fee' SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{32768} )
attributetype ( TracAttributeType:23 NAME 'licenddate' DESC 'Date of license end' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{32768} )
attributetype ( TracAttributeType:24 NAME 'licstartdate' DESC 'Date of start of license' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{32768} )
attributetype ( TracAttributeType:25 NAME 'subscribedate' DESC 'Date of subscription' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{32768} )
#attributetype ( TracAttributeType:9 NAME 'mailpreferenceoption'
#    DESC 'Mail preference option'
#    SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{32768}
#    )
attributetype ( TracAttributeType:26 NAME 'lastModifiedBy' DESC 'The user who last modified the entry' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{32768} )
attributetype ( TracAttributeType:27 NAME 'lastModifiedTime' DESC 'The time the entry was last modified' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{32768} )
objectclass ( TracObjectClass:1 NAME 'tracperson'
    DESC 'RFC2256: a person'
    SUP inetOrgPerson STRUCTURAL
    MUST ( sn $ cn )
    MAY ( contactinfo $ regsite $ tracfedquota $ clientorg $ clearpassword $
          regdate $ keyWords $ affiliation $ mailPreferenceOption $
          billpostaladdress $ billpostalcode $ middlename $ regip $ siteip $
          sitemaxlocker $ sitemaxusers $ siteuid $ maxqueries $ userflags $
          termsagree $ morequeries $ overusemethod $ queryfee $ licenddate $
          licstartdate $ subscribedate $ lastModifiedBy $ lastModifiedTime ) )
LDIF entry for cn=nsadmin is as follows:
dn: uid=nsadmin,o=trac
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
cn: SuiteSpot Administrator
sn: Administrator
givenName: SuiteSpot
uid: nsadmin
creatorsName: cn=nsadmin
createTimestamp: 19980218204619Z
userPassword:: e1NIQX12bm4rOFpBNFNzdzJJMnlQOVZ2clBJVFlGRzg9
modifiersName: uid=nsadmin,o=trac
modifyTimestamp: 19980722182149Z
structuralObjectClass: inetOrgPerson
entryUUID: 8179b9a2-74d7-102a-9988-90f8caf384a9
entryCSN: 20060511011623Z#000003#00#000000
I am not sure where the problem is; everything seems to be in order but I cannot connect using the credentials. I will try your suggestion about changing the rootdn and will let you know.
Ciao, Michael.
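The files posted above contain the three things a simple bind as the administrator can actually be checked against: the rootdn and rootpw of each database in slapd.conf, and the userPassword of the entry with the bind DN (note that the posted rootdn is cn=nsadmin,o=trac while the LDIF entry is uid=nsadmin,o=trac, and that the posted rootpw is the cleartext "test"). The script below is an added example, not code from this thread or from OpenLDAP: it parses the relevant slapd.conf directives and the LDIF entry, decodes the base64 userPassword value to show its {SCHEME}, verifies a candidate password the way slapd does for cleartext, {SHA} (unsalted SHA-1) and {SSHA} (SHA-1 over password+salt, salt appended to the digest), and reports which credential path a given bind DN could take. SLAPD_CONF and LDIF are constructed from the posted values (only the directives needed); the function names, the simplified normalize_dn, and the candidate passwords are this example's own assumptions.

```python
import base64
import hashlib
import hmac
import re

# Constructed from the slapd.conf and LDIF entry posted in the thread (only the
# directives this check needs).
SLAPD_CONF = """\
database bdb
suffix "o=trac"
rootdn "cn=nsadmin,o=trac"
rootpw test
"""
LDIF = """\
dn: uid=nsadmin,o=trac
objectClass: inetOrgPerson
uid: nsadmin
userPassword:: e1NIQX12bm4rOFpBNFNzdzJJMnlQOVZ2clBJVFlGRzg9
"""
LDIF_LINE = re.compile(r"^([^:]+)(::?) ?(.*)$")

def parse_databases(conf):
    """One dict per 'database' section with its suffix/rootdn/rootpw."""
    dbs = []
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        value = parts[1].strip().strip('"') if len(parts) > 1 else ""
        if parts[0] == "database":
            dbs.append({"backend": value})
        elif dbs and parts[0] in ("suffix", "rootdn", "rootpw"):
            dbs[-1][parts[0]] = value
    return dbs

def parse_ldif_entries(text):
    """Minimal LDIF reader: unfolds continuation lines, decodes '::' values."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]      # folded continuation line
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:         # trailing "" flushes the last entry
        if not line:
            if current:
                entries.append(current)
            current = {}
            continue
        m = LDIF_LINE.match(line)
        if m:
            attr, sep, value = m.groups()
            if sep == "::":           # base64, as slapcat writes userPassword
                value = base64.b64decode(value).decode("utf-8", "replace")
            current.setdefault(attr, []).append(value)
    return entries

def normalize_dn(dn):
    """Comparison key for simple DNs: case and spacing around commas ignored."""
    return ",".join(p.strip().lower() for p in dn.split(","))

def password_scheme(stored):
    """The {SCHEME} prefix of a userPassword/rootpw value, or 'cleartext'."""
    m = re.match(r"^\{([^}]+)\}", stored)
    return m.group(1).upper() if m else "cleartext"

def check_password(candidate, stored):
    """Verify as slapd does for cleartext, {SHA} (unsalted SHA-1) and {SSHA}
    (SHA-1(password + salt) followed by the salt); None for other schemes."""
    scheme, pw = password_scheme(stored), candidate.encode("utf-8")
    if scheme == "cleartext":
        return hmac.compare_digest(pw, stored.encode("utf-8"))
    blob = base64.b64decode(stored[len(scheme) + 2:])
    if scheme == "SHA":
        return hmac.compare_digest(hashlib.sha1(pw).digest(), blob)
    if scheme == "SSHA":
        digest, salt = blob[:20], blob[20:]
        return hmac.compare_digest(hashlib.sha1(pw + salt).digest(), digest)
    return None

def make_ssha(password, salt):
    """{SSHA} value as slappasswd -h {SSHA} prints it (salt supplied by caller)."""
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def diagnose_bind(bind_dn, candidate, conf=SLAPD_CONF, ldif=LDIF):
    """Credentials slapd could check for a simple bind as bind_dn: the rootpw of a
    database whose rootdn equals it, and the userPassword of an entry with that DN."""
    key = normalize_dn(bind_dn)
    root = [db for db in parse_databases(conf) if normalize_dn(db.get("rootdn", "")) == key]
    ents = [e for e in parse_ldif_entries(ldif) if normalize_dn(e.get("dn", [""])[0]) == key]
    rootpw = root[0].get("rootpw") if root else None
    stored = ents[0].get("userPassword", [None])[0] if ents else None
    return {"is_rootdn": bool(root),
            "rootpw_scheme": password_scheme(rootpw) if rootpw else None,
            "rootpw_match": check_password(candidate, rootpw) if rootpw else None,
            "entry_exists": bool(ents),
            "entry_scheme": password_scheme(stored) if stored else None,
            "entry_match": check_password(candidate, stored) if stored else None}
```

Running diagnose_bind("cn=nsadmin,o=trac", "test") against the posted files reports is_rootdn True with a cleartext rootpw and entry_exists False, while diagnose_bind("uid=nsadmin,o=trac", ...) reports is_rootdn False and an entry whose userPassword uses the {SHA} scheme: the two DNs are different identities with different credentials, and the bind DN typed into the client has to match one of them exactly. A rootpw_scheme of "cleartext" is itself a finding; slappasswd -h {SSHA} produces a value that can be pasted in its place, and the hash can be checked with check_password before slapd is restarted.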
For all the entries?.... Because the file is loading fine, and I can browse all the entries. Tell me one thing, isn't my scenario simply that I have forgotten the LDAP admin password and somehow or other I need to reset it? I cannot use ldappasswd because it asks for the old password. So is there any way to do it? I have already, as you suggested, tried generating the password using slappasswd and then pasting it in slapd.conf....... that still gives invalid credentials on bind.
On 10/30/07, Piotr Wadas pwadas@jewish.org.pl wrote:
The LDIF I have generated using slapcat on my new server in order to keep it as a backup has the hashed entry of the password in the entry of the administrator. The LDAP browser has the plain text password in the uid of the administrator.
If you use a slapcat-based LDIF, you should probably remove the lines of various system attributes from the LDIF file, especially ones like these:
structuralObjectClass: .....
creatorsName: cn=nsadmin
createTimestamp: 19980218204619Z
modifiersName: uid=nsadmin,o=trac
modifyTimestamp: 19980722182149Z
entryUUID: 8179b9a2-74d7-102a-9988-90f8caf384a9
entryCSN: 20060511011623Z#000003#00#000000
These attributes are read-only and automatically added by the server. They can appear in a slapcat result file to be loaded with the slapadd command, together with the whole object tree, but you cannot add an object with ldapadd from an LDIF containing these attributes (I don't remember whether ldapadd simply ignores them or returns an LDAP error). Regards, Piotr
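Piotr's distinction is between slapadd, which writes a slapcat dump straight into the database including the server-maintained attributes, and ldapadd, which goes through the protocol and is not allowed to set them. The filter below is an added example, not code from this thread or from OpenLDAP: it removes exactly the attributes he lists from a slapcat dump so the result can be fed to ldapadd, dropping each attribute together with any LDIF continuation lines (lines beginning with a space) that belong to it, and comparing names case-insensitively as LDAP does. The sample LDIF is constructed: the admin entry as posted above, plus a made-up second entry with a folded modifiersName value; OPERATIONAL, strip_operational and ATTR_RE are this example's own names. Other server-maintained attributes that appear in a dump (contextCSN on the suffix entry, for instance) can be added to the set.

```python
import re
import sys

# The server-maintained attributes Piotr lists; slapadd accepts them in a
# slapcat dump, ldapadd does not.
OPERATIONAL = {"structuralObjectClass", "creatorsName", "createTimestamp",
               "modifiersName", "modifyTimestamp", "entryUUID", "entryCSN"}

# Constructed sample: the admin entry as posted in the thread, plus a made-up
# second entry whose modifiersName is folded onto a continuation line.
SLAPCAT_LDIF = """\
dn: uid=nsadmin,o=trac
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
cn: SuiteSpot Administrator
sn: Administrator
givenName: SuiteSpot
uid: nsadmin
creatorsName: cn=nsadmin
createTimestamp: 19980218204619Z
userPassword:: e1NIQX12bm4rOFpBNFNzdzJJMnlQOVZ2clBJVFlGRzg9
modifiersName: uid=nsadmin,o=trac
modifyTimestamp: 19980722182149Z
structuralObjectClass: inetOrgPerson
entryUUID: 8179b9a2-74d7-102a-9988-90f8caf384a9
entryCSN: 20060511011623Z#000003#00#000000

dn: uid=example,o=trac
objectClass: inetOrgPerson
cn: Example User
sn: User
uid: example
modifiersName: uid=nsadmin,
 o=trac
entryUUID: 00000000-0000-0000-0000-000000000000
"""

# Attribute description at the start of an LDIF line: name, optional ;options,
# then ':' (plain value) or '::' (base64 value).
ATTR_RE = re.compile(r"^([A-Za-z][A-Za-z0-9.-]*)(?:;[^:]*)?::?")

def strip_operational(ldif_text, operational=OPERATIONAL):
    """Return (cleaned_ldif, removed_count). Every operational attribute line is
    dropped together with its folded continuation lines (lines starting with a
    space); attribute names are compared case-insensitively, as LDAP does."""
    lowered = {a.lower() for a in operational}
    out, removed, skipping = [], 0, False
    for line in ldif_text.splitlines():
        if line.startswith(" "):          # continuation of the previous line
            if not skipping:
                out.append(line)
            continue
        skipping = False
        m = ATTR_RE.match(line)
        if m and m.group(1).lower() in lowered:
            skipping, removed = True, removed + 1
            continue
        out.append(line)
    return "\n".join(out) + "\n", removed

if __name__ == "__main__":
    # python3 strip_ops.py dump.ldif > clean.ldif   (no argument: the sample above)
    src = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SLAPCAT_LDIF
    cleaned, n = strip_operational(src)
    sys.stdout.write(cleaned)
    print(f"removed {n} operational attribute line(s)", file=sys.stderr)
```

The userPassword line is left untouched, so a cleaned dump still carries the hashed credentials; treat the output file with the same care as the original dump (slapcat output is only as private as the file permissions on it).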
openldap-software@openldap.org