Thanks

It was also configured as follows:
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=domain,dc=com
-
replace: olcRootDN
olcRootDN: cn=admin,dc=domain,dc=com
-
replace: olcRootPW
olcRootPW: 123
-
replace: olcSyncRepl
olcSyncRepl: rid=001
  provider=ldaps://ldap1.domain.com
  searchbase="dc=domain,dc=com"
  bindmethod=simple
  credentials=123
  binddn="cn=admin,dc=domain,dc=com"
  tls_reqcert=allow
  type=refreshAndPersist
  retry="30 +"
  timeout=1
olcSyncRepl: rid=002
  provider=ldaps://ldap2.domain.com
  searchbase="dc=domain,dc=com"
  bindmethod=simple
  credentials=123
  binddn="cn=admin,dc=domain,dc=com"
  tls_reqcert=allow
  type=refreshAndPersist
  retry="30 +"
  timeout=1
-
add: olcMirrorMode
olcMirrorMode: TRUE

Plan for changing the replication administrator password when

1) On the same server. For example, ldap1.domain.com

slappasswd -h {SSHA}

Enter a new password, such as newpass
{SSHA}fx6qbwq5h4mzDAzD+ft5kA+b0uVA+29t

Create a newpasswd.ldif file:
cat newpasswd.ldif
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=admin,dc=domain,dc=com
-
replace: olcRootPW
olcRootPW: {SSHA}fx6qbwq5h4mzDAzD+ft5kA+b0uVA+29t

Run:
ldapmodify -H ldapi:// -Y EXTERNAL -f newpasswd.ldif

Create a root.ldif file:

dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: newpass

Run:
ldapmodify -H ldapi:// -Y EXTERNAL -f root.ldif

Create a repl.ldif file:

dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcSyncRepl
olcSyncRepl: rid=001
  provider=ldaps://ldap1.domain.com
  searchbase="cn=config"
  bindmethod=simple
  credentials=newpass
  binddn="cn=admin,cn=config"
  tls_reqcert=never
  type=refreshAndPersist
  retry="30 +"
  timeout=1
olcSyncRepl: rid=002
  provider=ldaps://ldap2.domain.com
  searchbase="cn=config"
  bindmethod=simple
  credentials=newpass
  binddn="cn=admin,cn=config"
  tls_reqcert=never
  type=refreshAndPersist
  retry="30 +"
  timeout=1
-
replace: olcMirrorMode
olcMirrorMode: TRUE
ldapmodify -Y EXTERNAL -H ldapi:/// -f repl.ldif


Create a dbrepl.ldif file:
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=domain,dc=com
-
replace: olcRootDN
olcRootDN: cn=admin,dc=domain,dc=com
-
replace: olcRootPW
olcRootPW: newpass
-
replace: olcSyncRepl
olcSyncRepl: rid=001
  provider=ldaps://ldap1.domain.com
  searchbase="dc=domain,dc=com"
  bindmethod=simple
  credentials=newpass
  binddn="cn=admin,dc=domain,dc=com"
  tls_reqcert=allow
  type=refreshAndPersist
  retry="30 +"
  timeout=1
olcSyncRepl: rid=002
  provider=ldaps://ldap2.domain.com
  searchbase="dc=domain,dc=com"
  bindmethod=simple
  credentials=newpass
  binddn="cn=admin,dc=domain,dc=com"
  tls_reqcert=allow
  type=refreshAndPersist
  retry="30 +"
  timeout=1
-
add: olcMirrorMode
olcMirrorMode: TRUE

service slapd restart

2) On the second server:
service slapd restart



Right?
Sorry for being so detailed...

On Nov 20, 2020, at 02:37, Quanah Gibson-Mount <quanah@symas.com> wrote:

--On Thursday, November 19, 2020 11:41 AM +0000 Клеусов Владимир Сергеевич <Kleusov.Vladimir@wildberries.ru> wrote:

Hi.

How do I change the admin password correctly and not break replication ?
=)

here when setting up replication the password was mentioned

It appears you've set up cn=config replication.  I would warn that replicating cn=config in OpenLDAP 2.4 has known issues and is not advised. Replicating an underlying binary db (such as a back-mdb database) is fine. In the latter case, best practice is to use a replication specific identity for doing the replication and not the rootdn.

As far as your overall question goes, you would want to:

a) update the olcRootPW value in cn=config

b) update the olcSyncrepl attribute values with the new password

Something like:

ldapmodify <options>

dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: mynewpassword
-
dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcSyncRepl
olcSyncRepl: ....
olcSyncRepl: ....

I would note that these updates should not affect/break *existing* replication connections.  I.e., there would be no effect until slapd is restarted.

Regards,
Quanah

--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
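Putting Quanah's steps a) and b) together for the mdb database from this thread, as an added Python example that is not from the thread or from OpenLDAP: it derives the {SSHA} value the way slappasswd -h {SSHA} does, swaps only the credentials= parameter of each olcSyncRepl value, and emits the single ldapmodify record. Assumptions: the new password contains no whitespace or quotes (so credentials= needs no quoting), the olcSyncRepl values are supplied already unfolded (LDIF continuation lines joined), and all function names and the sample values are constructed here.

```python
import base64, hashlib, re, secrets
from typing import List, Optional

def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """{SSHA} value as slappasswd -h {SSHA} builds it: base64(sha1(pw||salt)||salt), 4-byte salt."""
    salt = secrets.token_bytes(4) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def ssha_verify(password: str, stored: str) -> bool:
    """Check a cleartext password against a {SSHA} value; the salt is whatever follows the 20 digest bytes."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    candidate = hashlib.sha1(password.encode("utf-8") + raw[20:]).digest()
    return secrets.compare_digest(raw[:20], candidate)

# Matches the credentials= parameter of a syncrepl value, quoted or bare.
_CRED_RE = re.compile(r'credentials=(?:"[^"]*"|\S+)')

def rotate_syncrepl_credentials(value: str, new_password: str) -> str:
    """Swap only credentials= in one unfolded olcSyncRepl value; rid, provider, binddn,
    retry="30 +" etc. are kept as-is. syncrepl binds with the cleartext password, so no hash here.
    Assumption (constructed example): new_password has no whitespace or quotes."""
    rotated, count = _CRED_RE.subn(lambda _m: f"credentials={new_password}", value, count=1)
    if count != 1:
        raise ValueError("olcSyncRepl value has no credentials= parameter")
    return rotated

def build_rotation_ldif(db_dn: str, syncrepl_values: List[str], new_password: str,
                        salt: Optional[bytes] = None) -> str:
    """One ldapmodify record covering both steps from the thread for a database entry:
    a) replace olcRootPW (stored hashed, not as cleartext), b) replace every olcSyncRepl value."""
    lines = [f"dn: {db_dn}", "changetype: modify",
             "replace: olcRootPW", f"olcRootPW: {ssha_hash(new_password, salt)}", "-",
             "replace: olcSyncRepl"]
    lines += ["olcSyncRepl: " + rotate_syncrepl_credentials(v, new_password) for v in syncrepl_values]
    return "\n".join(lines) + "\n"

# Constructed sample input: the thread's two consumers for the mdb database, as unfolded LDIF values.
SAMPLE_SYNCREPL = [
    'rid=001 provider=ldaps://ldap1.domain.com searchbase="dc=domain,dc=com" bindmethod=simple '
    'credentials=123 binddn="cn=admin,dc=domain,dc=com" tls_reqcert=allow type=refreshAndPersist '
    'retry="30 +" timeout=1',
    'rid=002 provider=ldaps://ldap2.domain.com searchbase="dc=domain,dc=com" bindmethod=simple '
    'credentials=123 binddn="cn=admin,dc=domain,dc=com" tls_reqcert=allow type=refreshAndPersist '
    'retry="30 +" timeout=1',
]
```

Feed the output to ldapmodify -Y EXTERNAL -H ldapi:/// as the thread does; as Quanah notes, existing replication connections are unaffected until slapd is restarted.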