My admin openLDAP 2.2 password became corrupt in the last week and I cannot log in as admin. I was hoping there was an easy recovery such as lunix has shutting down slapd, removing the hashed password, bringing it back up and resetting the blank password using slappasswd. I can't take a chance unless I know for sure.
I have searched Google and read the admin manual. I inherited a system using open ldap server on an old redhat, and the slapd password was corrupted (or locked out by another admin????).
this is openldap 2.2 on an old redhat box.
I cannot risk having a group of users locked out for more than an hour because LDAP is down.
What I need to do today is recover (reset) the slapd password so I can log into the database. I found some instructions which seem simple risky and no backout strategy. Simply running
http://techiezone.rottigni.net/2011/12/change-root-dn-password-on-openldap/
After recovery of root. I was planning on 1. shutting down server, making a P2V copy for a hypervisor, then creating another ldap master and slave servers on redhat6 with openldap2.4 once I have this password issue resolved. Having the LDAP on two separate hyper visors (with local disks) to avoid the storage/authentication chicken/egg Is there a better upgrade plan
I have the log files, is there a way to backout to last week without the admin password (which became corrupt last week).
On Fri, 22 Jul 2016, Dan Hyatt wrote:
My admin openLDAP 2.2 password became corrupt in the last week and I cannot
[...]
I found some instructions which seem simple risky and no backout strategy. Simply running http://techiezone.rottigni.net/2011/12/change-root-dn-password-on-openldap/
That link (apparently from 2011) doesn't apply to your software from 2003. There's no back-config in OpenLDAP 2.2. So don't try that...
[...]
Having the LDAP on two separate hyper visors (with local disks) to avoid the storage/authentication chicken/egg Is there a better upgrade plan
Are you saying that your one and only LDAP server uses itself for its own A&A?
[...]
I have the log files, is there a way to backout to last week without the admin password (which became corrupt last week).
I'm not sure what you're referring to by "log files." The general-case OpenLDAP backup tool is slapcat(8). Hopefully you have been running it routinely. The resulting LDIF can be easily inspected; if you have enough backups, you might even be able to find one without corruption.
So, a more simple question...
Can I install a current version of OpenLDAP on a current RedHat/Centos server (specially built for this purpose. Then use slapcat to export the information from the old server, import it to the new server, where the admin password is not corrupt.
Can I import the schemas or are there likely substantial changes to the schemas across versions?
My goals are to create a new LDAP server running Centos/Redhat, transfer 20 users and allow them to keep their existing passwords, allow them to access my servers, and allow them authentication to samba. and create an LDAP slave (or cluster) not sure if syncrepl is the current way to go.
I have root to the server, but I do not have the admin password to the Openldap 2.2 as it became corrupted somehow.
On 07/24/2016 09:15 PM, Aaron Richton wrote:
On Fri, 22 Jul 2016, Dan Hyatt wrote:
My admin openLDAP 2.2 password became corrupt in the last week and I cannot
[...]
I found some instructions which seem simple risky and no backout strategy. Simply running http://techiezone.rottigni.net/2011/12/change-root-dn-password-on-openldap/
That link (apparently from 2011) doesn't apply to your software from 2003. There's no back-config in OpenLDAP 2.2. So don't try that...
@(#) $OpenLDAP: slapd 2.2.13 (Nov 26 2010 07:45:22) $ mockbuild@x86-003.build.bos.redhat.com:/builddir/build/BUILD/openldap-2.2.13/openldap-2.2.13/build-servers/servers/slapd
[...]
Having the LDAP on two separate hyper visors (with local disks) to avoid the storage/authentication chicken/egg Is there a better upgrade plan
Are you saying that your one and only LDAP server uses itself for its own A&A?
Authentication and Authorization? The server provides authentication and authorization for my group. The server only does LDAP and home dirs. I want to upgrade it to Centos 6.8 or Centos 7 (that is equal to redhat 6.8 or redhat 7) on a hypervisor with a slave running the current favored release.
[...]
I have the log files, is there a way to backout to last week without the admin password (which became corrupt last week).
I'm not sure what you're referring to by "log files." The general-case OpenLDAP backup tool is slapcat(8). Hopefully you have been running it routinely. The resulting LDIF can be easily inspected; if you have enough backups, you might even be able to find one without corruption.
We took over responsibility the LDAP in December, there was not a happy handoff... no documenation..just the password and had to move it to the new VLAN.
On Tue, 26 Jul 2016, Dan Hyatt wrote:
So, a more simple question...
Can I install a current version of OpenLDAP on a current RedHat/Centos server (specially built for this purpose. Then use slapcat to export the information from the old server, import it to the new server, where the admin password is not corrupt.
The fundamental upgrade procedure is unchanged:
http://www.openldap.org/doc/admin24/maintenance.html#Migration
To that procedure you'd add an additional step, let's call that step 2a, which would be "fix any corrupted data in the slapcat output."
Can I import the schemas or are there likely substantial changes to the schemas across versions?
Standard schema ship with OpenLDAP itself and can be updated along with the rest of the package. Custom schema might need an update, but that's usually not the hard part.
My goals are to create a new LDAP server running Centos/Redhat, transfer 20 users and allow them to keep their existing passwords, allow them to access my servers, and allow them authentication to samba. and create an LDAP slave (or cluster) not sure if syncrepl is the current way to go.
I have root to the server, but I do not have the admin password to the Openldap 2.2 as it became corrupted somehow.
You can always use a rootpw (in your slapd configuration) to override ACLs if needed. And slapadd operates offline; all you need is filesystem write access. There's also nothing stopping you from interpreting "fix any corrupted data" as "fix any corrupted data and change a couple of userPassword values while you're at it in the slapcat output" as your "step 2a."
Am Fri, 22 Jul 2016 11:27:05 -0500 schrieb Dan Hyatt dhyatt@dsgmail.wustl.edu:
My admin openLDAP 2.2 password became corrupt in the last week and I cannot log in as admin. I was hoping there was an easy recovery such as lunix has shutting down slapd, removing the hashed password, bringing it back up and resetting the blank password using slappasswd. I can't take a chance unless I know for sure.
[...] Are you referring to rootDN, which is defined in slapd.conf, or are you referring to an admin object within the directory? To modify rootpw see slappasswd(8) To modify an entry run ldappasswd(1) as rootdn.
-Dieter
openldap-technical@openldap.org
-
Aaron Richton -
Dan Hyatt -
Dieter Klünter