----- Original Message -----
From: "Wiebe Cazemier" wiebe@halfgaar.net
To: "Dan White" dwhite@olp.net
Cc: "Maarten Vanraes" maarten.vanraes@gmail.com, openldap-technical@openldap.org
Sent: Friday, 28 December, 2012 4:53:52 PM
Subject: Re: Admin user has two passwords
----- Original Message -----
From: "Dan White" dwhite@olp.net
To: "Wiebe Cazemier" wiebe@halfgaar.net
Cc: "Maarten Vanraes" maarten.vanraes@gmail.com, openldap-technical@openldap.org
Sent: Friday, 28 December, 2012 3:47:58 PM
Subject: Re: Admin user has two passwords
There is no admin user per se. There is an authentication identity that you can specify in your configuration with rootdn/olcRootDN, along with its password, rootpw/olcRootPW.
Creating the same DN within your DIT may confuse things, and it is not necessary that it actually exist (unless you do not specify a rootpw).
See:
http://www.openldap.org/doc/admin24/access-control.html#Controlling%20rootdn...
and the slapd.conf/slapd-config man pages.
-- Dan White
Does that mean that the Ubuntu docs [1] give the wrong instructions? Because in its backend.example.ldif, it makes:
olcRootDN: cn=admin,dc=example,dc=com
olcRootPW: secret
and then it loads an admin user with frontend.example.ldif:
# Admin user.
dn: cn=admin,dc=example,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword: secret
So what I should do is remove the admin user, and set olcRootPW (but then to a value generated with slappasswd to avoid plain text)?
[1] https://help.ubuntu.com/10.04/serverguide/openldap-server.html
It does appear that the Ubuntu docs are wrong. I deleted the admin user:
# fed to ldapmodify
dn: cn=admin,dc=domain,dc=tld
changetype: delete
And I updated olcRootPW:
# fed to ldapmodify
dn: olcDatabase={1}hdb,cn=config
replace: olcRootPW
olcRootPW: {SSHA}hashcode
Now it only has one admin password, and it's the new one.