9:27 a.m.
My admin openLDAP 2.2 password became corrupt in the last week and I
cannot log in as admin.
I was hoping there was an easy recovery such as lunix has shutting down
slapd, removing the hashed password, bringing it back up and resetting
the blank password using slappasswd. I can't take a chance unless I know
for sure.
I have searched Google and read the admin manual. I inherited a system
using open ldap server on an old redhat, and the slapd password was
corrupted (or locked out by another admin????).
this is openldap 2.2 on an old redhat box.
I cannot risk having a group of users locked out for more than an hour
because LDAP is down.
What I need to do today is recover (reset) the slapd password so I can
log into the database.
I found some instructions which seem simple risky and no backout
strategy. Simply running
http://techiezone.rottigni.net/2011/12/change-root-dn-password-on-openldap/
After recovery of root. I was planning on
1. shutting down server, making a P2V copy for a hypervisor, then
creating another ldap master and slave servers on redhat6 with
openldap2.4 once I have this password issue resolved.
Having the LDAP on two separate hyper visors (with local disks) to avoid
the storage/authentication chicken/egg
Is there a better upgrade plan
I have the log files, is there a way to backout to last week without the
admin password (which became corrupt last week).
7:15 p.m.
On Fri, 22 Jul 2016, Dan Hyatt wrote:
My admin openLDAP 2.2 password became corrupt in the last week and I
cannot
[...]
I found some instructions which seem simple risky and no backout
strategy.
Simply running
http://techiezone.rottigni.net/2011/12/change-root-dn-password-on-openldap/
That link (apparently from 2011) doesn't apply to your software from 2003.
There's no back-config in OpenLDAP 2.2. So don't try that...
[...]
Having the LDAP on two separate hyper visors (with local disks) to
avoid the
storage/authentication chicken/egg
Is there a better upgrade plan
Are you saying that your one and only LDAP server uses itself for its own
A&A?
[...]
I have the log files, is there a way to backout to last week without
the
admin password (which became corrupt last week).
I'm not sure what you're referring to by "log files." The general-case
OpenLDAP backup tool is slapcat(8). Hopefully you have been running it
routinely. The resulting LDIF can be easily inspected; if you have enough
backups, you might even be able to find one without corruption.
10:15 a.m.
So, a more simple question...
Can I install a current version of OpenLDAP on a current RedHat/Centos
server (specially built for this purpose.
Then use slapcat to export the information from the old server, import
it to the new server, where the admin password is not corrupt.
Can I import the schemas or are there likely substantial changes to the
schemas across versions?
My goals are to create a new LDAP server running Centos/Redhat, transfer
20 users and allow them to keep their existing passwords, allow them to
access my servers, and allow them authentication to samba.
and create an LDAP slave (or cluster)
not sure if syncrepl is the current way to go.
I have root to the server, but I do not have the admin password to the
Openldap 2.2 as it became corrupted somehow.
On 07/24/2016 09:15 PM, Aaron Richton wrote:
On Fri, 22 Jul 2016, Dan Hyatt wrote:
> My admin openLDAP 2.2 password became corrupt in the last week and I
> cannot
[...]
> I found some instructions which seem simple risky and no backout
> strategy. Simply running
> http://techiezone.rottigni.net/2011/12/change-root-dn-password-on-openldap/
>
That link (apparently from 2011) doesn't apply to your software from
2003. There's no back-config in OpenLDAP 2.2. So don't try that...
@(#) $OpenLDAP: slapd 2.2.13 (Nov 26 2010 07:45:22) $
mockbuild@x86-003.build.bos.redhat.com:/builddir/build/BUILD/openldap-2.2.13/openldap-2.2.13/build-servers/servers/slapd
[...]
> Having the LDAP on two separate hyper visors (with local disks) to
> avoid the storage/authentication chicken/egg
> Is there a better upgrade plan
Are you saying that your one and only LDAP server uses itself for its
own A&A?
Authentication and Authorization?
The server provides authentication and authorization for my group. The
server only does LDAP and home dirs.
I want to upgrade it to Centos 6.8 or Centos 7 (that is equal to redhat
6.8 or redhat 7) on a hypervisor with a slave running the current
favored release.
[...]
> I have the log files, is there a way to backout to last week without
> the admin password (which became corrupt last week).
I'm not sure what you're referring to by "log files." The general-case
OpenLDAP backup tool is slapcat(8). Hopefully you have been running it
routinely. The resulting LDIF can be easily inspected; if you have
enough backups, you might even be able to find one without corruption.
We took over responsibility the LDAP in December, there was not a happy
handoff... no documenation..just the password and had to move it to the
new VLAN.
12:10 p.m.
On Tue, 26 Jul 2016, Dan Hyatt wrote:
So, a more simple question...
Can I install a current version of OpenLDAP on a current RedHat/Centos
server (specially built for this purpose. Then use slapcat to export the
information from the old server, import it to the new server, where the
admin password is not corrupt.
The fundamental upgrade procedure is unchanged:
http://www.openldap.org/doc/admin24/maintenance.html#Migration
To that procedure you'd add an additional step, let's call that step 2a,
which would be "fix any corrupted data in the slapcat output."
Can I import the schemas or are there likely substantial changes to
the
schemas across versions?
Standard schema ship with OpenLDAP itself and can be updated along with
the rest of the package. Custom schema might need an update, but that's
usually not the hard part.
My goals are to create a new LDAP server running Centos/Redhat,
transfer 20
users and allow them to keep their existing passwords, allow them to access
my servers, and allow them authentication to samba.
and create an LDAP slave (or cluster)
not sure if syncrepl is the current way to go.
I have root to the server, but I do not have the admin password to the
Openldap 2.2 as it became corrupted somehow.
You can always use a rootpw (in your slapd configuration) to override ACLs
if needed. And slapadd operates offline; all you need is filesystem write
access. There's also nothing stopping you from interpreting "fix any
corrupted data" as "fix any corrupted data and change a couple of
userPassword values while you're at it in the slapcat output" as your
"step 2a."
1:33 a.m.
Am Fri, 22 Jul 2016 11:27:05 -0500
schrieb Dan Hyatt <dhyatt(a)dsgmail.wustl.edu>:
My admin openLDAP 2.2 password became corrupt in the last week and I
cannot log in as admin.
I was hoping there was an easy recovery such as lunix has shutting
down slapd, removing the hashed password, bringing it back up and
resetting the blank password using slappasswd. I can't take a chance
unless I know for sure.
[...]
Are you referring to rootDN, which is defined in
slapd.conf, or are you referring to an admin object within the
directory?
To modify rootpw see slappasswd(8)
To modify an entry run ldappasswd(1) as rootdn.
-Dieter
--
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E
2505
days inactive
2509
days old
openldap-technical@openldap.org
4 comments
3 participants
participants (3)
-
Aaron Richton -
Dan Hyatt -
Dieter Klünter