Thanks
It was also configured:

dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=domain,dc=com
-
replace: olcRootDN
olcRootDN: cn=admin,dc=domain,dc=com
-
replace: olcRootPW
olcRootPW: 123
-
replace: olcSyncRepl
olcSyncRepl: rid=001 provider=ldaps://ldap1.domain.com searchbase="dc=domain,dc=com" bindmethod=simple credentials=123 binddn="cn=admin,dc=domain,dc=com" tls_reqcert=allow type=refreshAndPersist retry="30 +" timeout=1
olcSyncRepl: rid=002 provider=ldaps://ldap2.domain.com searchbase="dc=domain,dc=com" bindmethod=simple credentials=123 binddn="cn=admin,dc=domain,dc=com" tls_reqcert=allow type=refreshAndPersist retry="30 +" timeout=1
-
add: olcMirrorMode
olcMirrorMode: TRUE
Plan for changing the replication administrator password when
1) On the same server, for example ldap1.domain.com:

slappasswd -h {SSHA}

Enter a new password, such as newpass; the output is:

{SSHA}fx6qbwq5h4mzDAzD+ft5kA+b0uVA+29t
Create a newpasswd.ldif file (cat newpasswd.ldif):

dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=admin,dc=domain,dc=com
-
replace: olcRootPW
olcRootPW: {SSHA}fx6qbwq5h4mzDAzD+ft5kA+b0uVA+29t

Apply it with: ldapmodify -H ldapi:// -Y EXTERNAL -f newpasswd.ldif
Create a root.ldif file:

dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: newpass

Run: ldapmodify -H ldapi:// -Y EXTERNAL -f root.ldif
Create a repl.ldif file:

dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcSyncRepl
olcSyncRepl: rid=001 provider=ldaps://ldap1.domain.com searchbase="cn=config" bindmethod=simple credentials=newpass binddn="cn=admin,cn=config" tls_reqcert=never type=refreshAndPersist retry="30 +" timeout=1
olcSyncRepl: rid=002 provider=ldaps://ldap2.domain.com searchbase="cn=config" bindmethod=simple credentials=newpass binddn="cn=admin,cn=config" tls_reqcert=never type=refreshAndPersist retry="30 +" timeout=1
-
replace: olcMirrorMode
olcMirrorMode: TRUE

Run: ldapmodify -Y EXTERNAL -H ldapi:/// -f repl.ldif
Create a dbrepl.ldif file:

dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=domain,dc=com
-
replace: olcRootDN
olcRootDN: cn=admin,dc=domain,dc=com
-
replace: olcRootPW
olcRootPW: newpass
-
replace: olcSyncRepl
olcSyncRepl: rid=001 provider=ldaps://ldap1.domain.com searchbase="dc=domain,dc=com" bindmethod=simple credentials=newpass binddn="cn=admin,dc=domain,dc=com" tls_reqcert=allow type=refreshAndPersist retry="30 +" timeout=1
olcSyncRepl: rid=002 provider=ldaps://ldap2.domain.com searchbase="dc=domain,dc=com" bindmethod=simple credentials=newpass binddn="cn=admin,dc=domain,dc=com" tls_reqcert=allow type=refreshAndPersist retry="30 +" timeout=1
-
add: olcMirrorMode
olcMirrorMode: TRUE

service slapd restart

2) On the second server: service slapd restart
Right? Sorry for being so detailed...

On 20 Nov 2020, at 02:37, Quanah Gibson-Mount <quanah@symas.com> wrote:

--On Thursday, November 19, 2020 11:41 AM +0000 Клеусов Владимир Сергеевич <Kleusov.Vladimir@wildberries.ru> wrote:
Hi.
How do I change the admin password correctly and not break replication? =)
Here is where the password was mentioned when replication was set up:
It appears you've set up cn=config replication. I would warn that replicating cn=config in OpenLDAP 2.4 has known issues and is not advised. Replicating an underlying binary db (such as a back-mdb database) is fine. In the latter case, best practice is to use a replication specific identity for doing the replication and not the rootdn.
As far as your overall question goes, you would want to:
a) update the olcRootPW value in cn=config
b) update the olcSyncrepl attribute values with the new password
Something like:
ldapmodify <options>

dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: mynewpassword
-

dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcSyncRepl
olcSyncRepl: ....
olcSyncRepl: ....
I would note that these updates should not affect/break *existing* replication connections. I.e., there would be no effect until slapd is restarted.
Regards, Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
http://www.symas.com
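Quanah's remark that the modifications only take effect on restart is the reason a pre-flight check is useful: a consumer whose olcSyncRepl still carries the old cleartext credentials keeps replicating until slapd restarts, then fails to bind. The script below is an added example, not code from the thread or from OpenLDAP. It reads an LDIF dump of cn=config (such as the output of slapcat -n 0 or of ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config), finds every olcSyncRepl whose binddn is a database's olcRootDN, and verifies the credentials= value against that database's olcRootPW {SSHA} hash using the same base64(sha1(password + salt) + salt) layout slappasswd -h {SSHA} emits. It also flags cleartext olcRootPW values and tls_reqcert=never/allow, both of which appear in the thread's configuration. All function names and the sample cn=config excerpt are constructed here; a binddn that is not a rootdn (the replication-specific identity Quanah recommends) is skipped because its password lives in the data database, not in cn=config.

```python
"""Pre-flight check before restarting slapd after an OpenLDAP rootdn password change.
Added example; not code from the mailing-list thread or from OpenLDAP itself."""
import base64
import hashlib
import os
import re
import shlex
from typing import Optional


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Same format as slappasswd -h {SSHA}: base64(sha1(password + salt) + salt)."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def password_matches(password: str, stored: str) -> bool:
    """Check a cleartext password against an olcRootPW value ({SSHA} or cleartext)."""
    if stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[len("{SSHA}"):])
        digest, salt = raw[:20], raw[20:]            # SHA-1 digest is 20 bytes, salt follows
        return hashlib.sha1(password.encode() + salt).digest() == digest
    if stored.startswith("{"):
        raise ValueError("unsupported password scheme: " + stored.split("}")[0] + "}")
    return password == stored                        # olcRootPW kept in cleartext


def parse_ldif(text: str) -> list:
    """Minimal LDIF reader: unfolds RFC 2849 continuation lines, splits records on blank
    lines, decodes 'attr:: base64' values and keeps every value of multi-valued attributes.
    Comments and change-record separators ('-') are skipped."""
    records, current = [], {}
    for line in re.sub(r"\n ", "", text).splitlines():
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        if line.startswith("#") or line == "-":
            continue
        attr, _, value = line.partition(":")
        value = value.strip()
        if value.startswith(":"):                    # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode()
        current.setdefault(attr.strip().lower(), []).append(value)
    if current:
        records.append(current)
    return records


def syncrepl_params(value: str) -> dict:
    """Split 'rid=001 provider=ldaps://... searchbase="dc=domain,dc=com"' into a dict.
    shlex strips the quotes; partition splits on the first '=' only."""
    params = {}
    for token in shlex.split(value):
        key, _, val = token.partition("=")
        params[key.lower()] = val
    return params


def check_credentials(config_ldif: str) -> list:
    """Return the problems found; an empty list means every consumer that binds as a
    rootdn carries the password the corresponding olcRootPW now hashes to."""
    problems, rootpw_by_dn = [], {}
    records = parse_ldif(config_ldif)
    for rec in records:
        for dn, pw in zip(rec.get("olcrootdn", []), rec.get("olcrootpw", [])):
            rootpw_by_dn[dn.lower()] = pw
            if not pw.startswith("{"):
                problems.append(f"{dn}: olcRootPW stored in cleartext, use slappasswd -h {{SSHA}}")
    for rec in records:
        for value in rec.get("olcsyncrepl", []):
            p = syncrepl_params(value)
            rid = p.get("rid", "?")
            if p.get("tls_reqcert", "demand") in ("never", "allow"):
                problems.append(f"rid={rid}: tls_reqcert={p['tls_reqcert']} skips provider certificate verification")
            binddn = p.get("binddn", "").lower()
            if binddn not in rootpw_by_dn:
                continue   # replication-specific identity: its password is in the data DB, not here
            if not password_matches(p.get("credentials", ""), rootpw_by_dn[binddn]):
                problems.append(f"rid={rid}: credentials for {binddn} do not match olcRootPW")
    return problems


# Constructed cn=config excerpt shaped like the thread's setup (two mirror-mode consumers,
# rid 001/002).  The hash uses a fixed salt so runs are deterministic; NEW_HASH stands in
# for what slappasswd -h {SSHA} would print for "newpass".
NEW_HASH = ssha_hash("newpass", salt=b"\x00\x01\x02\x03\x04\x05\x06\x07")


def sample_config(rid2_credentials: str, tls_reqcert: str) -> str:
    return f"""dn: olcDatabase={{1}}mdb,cn=config
objectClass: olcMdbConfig
olcSuffix: dc=domain,dc=com
olcRootDN: cn=admin,dc=domain,dc=com
olcRootPW: {NEW_HASH}
olcSyncRepl: rid=001 provider=ldaps://ldap1.domain.com searchbase="dc=domain,dc=com"
  bindmethod=simple binddn="cn=admin,dc=domain,dc=com" credentials=newpass
  tls_reqcert={tls_reqcert} type=refreshAndPersist retry="30 +" timeout=1
olcSyncRepl: rid=002 provider=ldaps://ldap2.domain.com searchbase="dc=domain,dc=com"
  bindmethod=simple binddn="cn=admin,dc=domain,dc=com" credentials={rid2_credentials}
  tls_reqcert={tls_reqcert} type=refreshAndPersist retry="30 +" timeout=1
olcMirrorMode: TRUE
"""


CONSISTENT = sample_config("newpass", "demand")
STALE = sample_config("123", "allow")            # rid=002 still carries the old password

if __name__ == "__main__":
    for name, dump in (("consistent", CONSISTENT), ("stale", STALE)):
        print(name, check_credentials(dump) or "OK, safe to restart slapd")
```

Run it against a real dump with check_credentials(open("config.ldif").read()) on each server before the service slapd restart step; an empty list on both servers means the new olcRootPW and every credentials= value agree.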