Hello,
I recently set about changing the rootdn password of my OpenLDAP 2.4 server.
I constructed an LDIF file looking something like this:
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: {SSHA}new_passwd_hash
and fed that into ldapmodify. The server then started accepting the new password and I figured I was done.
What I noticed a few minutes later, however, was that the server was *also* still accepting the *old* password.
After some peeking around, my guess is that this is due to the fact that while my config database ended up containing, as expected:
dn: olcDatabase={1}mdb,cn=config
# etc...
olcSuffix: dc=mydomain,dc=tld
olcRootDN: cn=admin,dc=mydomain,dc=tld
olcRootPW:: [base64 of {SSHA}new_passwd_hash]
the "main" database entry for cn=admin,dc=mydomain,dc=tld still had a userPassword attribute of [base64 of {SSHA}old_passwd_hash]. Prior to the password change the same base64 hash had been present in both, but my change of course only updated the config database.
So I'm left with a few questions:
Is it "normal" to have both olcRootPW and the rootdn's userPassword stored redundantly like this? If not, is the fact that I do a sign that I did something inappropriate when initially configuring the server? (Unfortunately I no longer remember exactly what I did at the time.)
If so, I assume the recommended password update procedure would be to update both in tandem, though I have to wonder what the point of the redundancy (and resulting potential for inconsistency) is. And should section 5.2.5.5 of the admin guide perhaps make some mention of this?
Thanks, Zev Weiss
On 2/12/19 12:30 PM, Zev Weiss wrote:
> Is it "normal" to have both olcRootPW and the rootdn's userPassword stored redundantly like this?
Yes, both are accepted. Remove the one not needed.
Or better remove password for rootdn completely because no access control and no constraints are applied to rootdn.
Thus you should never bind as rootdn, especially not for external access.
Ciao, Michael.
openldap-technical@openldap.org