I would like to know how to reset the rootpw in OpenLDAP 2.4?
Do I need to recreate the entire configuration database and the database itself, or is there a trick?
Daniel Savard wrote:
I would like to know how to reset the rootpw in OpenLDAP 2.4?
You edit it. You can generate a value with slappasswd.
Depending on the configuration method you edit the text file slapd.conf or use ldapmodify to alter the value of attribute 'olcRootPW' in the accompanying database entry in cn=config.
Ciao, Michael.
On Saturday 04 February 2012 at 12:21 +0100, Michael Ströder wrote:
There is no slapd.conf file at this point. So, I did try to use ldapmodify; however, authentication is required to make this work, and this is the problem I am having: I don't have the rootpw.
Can I go back to slapd.conf and put a new password there and restart the daemon? Will it modify the config database?
TIA
Daniel
Only if you move the slapd.d dir will the slapd.conf file be used.
Read the admin guide, it's worth it.
- chris
----- Original Message ----- From: openldap-technical-bounces@OpenLDAP.org To: openldap-technical@openldap.org Sent: Sat Feb 04 15:00:19 2012 Subject: Re: How do I reset rootdn password?
On Saturday 04 February 2012 at 15:02 -0700, Chris Jacobs wrote:
I did, however I am a little bit lost and need some extra guidance. So, bottom line, the slapd.conf is useless in my case and ldapmodify cannot be run because I don't know the former password. That's what I understand from this discussion so far. My only choice is to scrap everything and start over with a fresh database, using slapd.conf to create the new config database. That was my conclusion, and I was checking whether there was an alternative solution before proceeding.
Thanks,
On 04.02.2012 23:00, Daniel Savard wrote:
There is no slapd.conf file at this point. So, I did try to use ldapmodify, however authentication is required to make this running and this is the problem I am having, I don't have the rootpw.
Can I go back to slapd.conf and put a new password there and restart the daemon? Will it modify the config database?
I'm not really sure, but this should work:
copy this into an LDIF file:
-----------------------
dn: olcDatabase={1}hdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: {CRYPT}yxxxxxxxCEyEA
-

dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: {CRYPT}ye1xxxxxEyEA
---------------------------
by the way:
slappasswd -h {SSHA}
New password:
Re-enter new password:
and copy the encrypted value into the olcRootPW
and import this with the following command:
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /root/db_change_password.ldif
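The same reset carried through end to end, as an added example of my own (not code from the thread or from the OpenLDAP project): it generates the hash with slappasswd, builds the modify LDIF, applies it over the local ldapi:/// socket with SASL EXTERNAL, and then proves the new credential with ldapwhoami. It assumes slapd listens on ldapi:///, that the olcAccess on cn=config grants the root peercred identity (gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth) manage rights, as the Debian/Ubuntu packages do, and that the data database entry is olcDatabase={1}hdb,cn=config; the function names are mine.

```shell
#!/bin/sh
# Added example, not from the thread or the OpenLDAP project: reset the rootpw
# of a cn=config-based OpenLDAP 2.4 server when the old password is unknown,
# by binding as the local root user over ldapi:/// with SASL EXTERNAL.
#
# Assumptions (adjust to your server):
#   - slapd listens on ldapi:/// and cn=config's olcAccess grants
#     dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
#     manage rights (the Debian/Ubuntu default); without that, the EXTERNAL
#     bind succeeds but the modify is refused with insufficient access.
#   - the data database entry is olcDatabase={1}hdb,cn=config; confirm with
#     "slapcat -n 0 | grep '^dn: olcDatabase'" before running.
set -eu

# Build the modify LDIF for one database entry. Pure text, so it can be
# reviewed before anything is sent to the server.
make_rootpw_ldif() {
    # $1 = config entry DN, $2 = hash as printed by slappasswd
    printf 'dn: %s\nchangetype: modify\nreplace: olcRootPW\nolcRootPW: %s\n' "$1" "$2"
}

# slappasswd output always begins with a scheme tag such as {SSHA} or
# {CRYPT}. Refuse anything else so a bare string is never stored as a
# cleartext rootpw by accident.
looks_like_hash() {
    case "$1" in
        "{"[A-Z0-9]*"}"?*) return 0 ;;
        *)                  return 1 ;;
    esac
}

# Read olcRootDN of the entry so the verification bind uses the right DN.
config_rootdn() {
    ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b "$1" -s base olcRootDN \
        | sed -n 's/^olcRootDN: //p'
}

reset_rootpw() {
    dn=$1
    # Interactive prompt: the new password never appears in argv or shell
    # history (avoid "slappasswd -s password" on a shared host for that reason).
    pwhash=$(slappasswd -h '{SSHA}')
    looks_like_hash "$pwhash" || { echo "unexpected slappasswd output" >&2; return 1; }
    make_rootpw_ldif "$dn" "$pwhash" | ldapmodify -Q -Y EXTERNAL -H ldapi:///
    # Prove the new credential works before walking away.
    rootdn=$(config_rootdn "$dn")
    [ -n "$rootdn" ] || { echo "no olcRootDN on $dn" >&2; return 1; }
    ldapwhoami -x -H ldapi:/// -D "$rootdn" -W
}

# Usage, as root:
#   reset_rootpw 'olcDatabase={1}hdb,cn=config'
#   reset_rootpw 'olcDatabase={0}config,cn=config'
```

Run it once per database whose olcRootPW you want to replace; the {0}config entry is the one that matters for administering cn=config itself. If the ldapmodify step fails with "insufficient access", the peercred ACL assumption above does not hold on your build and you are back to the slapcat/slapd.d route discussed further down.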
Hi,
On Sat, Feb 4, 2012 at 1:56 AM, Daniel Savard dsavard@cids.ca wrote:
I would like to know how to reset the rootpw in OpenLDAP 2.4?
Do I need to recreate over the entire configuration database and the database itself or there is a trick?
Risking being burned by the community, you could directly edit the slapd.d files (this is NOT recommended, but you could risk doing it in your case), this one in particular (shut down slapd before doing this):
/etc/ldap/slapd.d/cn=config/olcDatabase={0}config.ldif
And change that line:
olcRootPW:: e1NTSEF9b085TTcyaUNnK2lKUVp1d2s3SENvZHpEOHFBS2c5VCs=
Note this is base64 encoded, so you will need to generate it with slappasswd and then encode it to base64; there are some online encoders you could use.
Also, I believe there are olcRootPW per-database (I don't remember seeing that on slapd.conf kind of configs, but I just saw it on the slapd.d right now):
On file: olcDatabase={1}hdb.ldif
olcRootPW: {SSHA}/VPQC7Z0ptwQyV5N24eX/IqyiZpvcrB5
And this one is NOT base64 encoded... seeing this, I'd say you could actually use the value from slappasswd (by removing the extra ":") in the other file.
I hope this helps,
Ildefonso Camargo
Jose Ildefonso Camargo Tolosa wrote:
Risking being burned by the community, you could directly edit the slapd.d files (this is NOT recommended, but you could risk doing it in your case), this one in particular (shut down slapd before doing this):
If you don't know what you're doing, keep your grubby hands out of there. If you know what you're doing, you don't need us to tell you what to do.
You don't know what you're doing, neither does the OP.
/etc/ldap/slapd.d/cn=config/olcDatabase={0}config.ldif
And change that line:
olcRootPW:: e1NTSEF9b085TTcyaUNnK2lKUVp1d2s3SENvZHpEOHFBS2c5VCs=
Note this is base64 encoded, so you will need to generate it with slappasswd and then encode it to base64; there are some online encoders you could use.
The first thing I would have done would be slapcat -n0 to see what all of the existing rootpw's were. They would all be base64 encoded; decode them to see if any of them are plaintext. If so, then the problem is already solved - you have the password.
Also, I believe there are olcRootPW per-database (I don't remember seeing that on slapd.conf kind of configs, but I just saw it on the slapd.d right now):
Don't guess. RTFM. It's all stated there clearly.
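Howard's slapcat -n0 check, as an added example of my own (not code from the thread or the OpenLDAP project): it reads a dump of the config database from stdin, unfolds LDIF continuation lines, decodes the base64 ("::") values locally and reports, per entry, whether olcRootPW is a tagged hash or a bare cleartext string. It assumes a base64(1) that accepts -d (GNU coreutils or BusyBox); the sample dump used in the test is constructed from the two values quoted in this thread plus an invented cleartext entry.

```shell
#!/bin/sh
# Added example, not from the thread or the OpenLDAP project: inspect the
# olcRootPW values in a "slapcat -n 0" dump before deciding how to recover.
# For every entry that carries olcRootPW, print "<dn>: <scheme>" where
# <scheme> is the hash tag ({SSHA}, {CRYPT}, ...) or PLAINTEXT.
# Decoding happens locally with base64(1); a hash is still a secret, so do
# not paste it into a web encoder/decoder.
#
# Usage, as root (slapd may be running or stopped):
#   slapcat -n 0 | rootpw_report
set -eu

# slapcat folds long values onto continuation lines that begin with one
# space; join them back so a base64 value is decoded whole.
unfold_ldif() {
    awk '
        /^ /  { buf = buf substr($0, 2); next }
              { if (buf != "") print buf; buf = $0 }
        END   { if (buf != "") print buf }
    '
}

# Classify a decoded olcRootPW value. A "{SCHEME}" prefix means slapd will
# treat it as hashed ({CLEARTEXT} is the one scheme that is not); anything
# without a tag is stored and compared as a bare plaintext password.
rootpw_kind() {
    case "$1" in
        "{"*"}"*)
            scheme=${1#\{}
            scheme=${scheme%%\}*}
            printf '{%s}\n' "$scheme" ;;
        *)
            printf 'PLAINTEXT\n' ;;
    esac
}

rootpw_report() {
    dn=''
    unfold_ldif | while IFS= read -r line; do
        case "$line" in
            # "attr:: value" is LDIF for a base64-encoded value
            "dn:: "*)        dn=$(printf '%s' "${line#dn:: }" | base64 -d) ;;
            "dn: "*)         dn=${line#dn: } ;;
            "olcRootPW:: "*) val=$(printf '%s' "${line#olcRootPW:: }" | base64 -d)
                             printf '%s: %s\n' "$dn" "$(rootpw_kind "$val")" ;;
            "olcRootPW: "*)  printf '%s: %s\n' "$dn" "$(rootpw_kind "${line#olcRootPW: }")" ;;
        esac
    done
}
```

If a PLAINTEXT line comes out, you already have the password and the problem is solved, as Howard says. If every value is tagged, the hash will not give you the password back; the way forward is then a replace of olcRootPW over ldapi:/// with SASL EXTERNAL, or, with slapd stopped and a backup taken, the direct edit of the slapd.d file. The "::" handling above is exactly why a value written into olcDatabase={0}config.ldif by hand has to be base64-wrapped when the existing line uses "::" and left bare when it uses a single ":".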
Howard Chu wrote:
The first thing I would have done would be slapcat -n0 to see what all of the existing rootpw's were. They would all be base64 encoded; decode them to see if any of them are plaintext. If so, then the problem is already solved - you have the password.
And what to do if the password is hashed?
Ciao, Michael.
Hi Howard! I had the feeling you would reply to my post :)
On Sat, Feb 4, 2012 at 9:41 PM, Howard Chu hyc@symas.com wrote:
If you don't know what you're doing, keep your grubby hands out of there. If you know what you're doing, you don't need us to tell you what to do.
You don't know what you're doing, neither does the OP.
Yes, I do know, and I have done that *several* times (without any problem, so far). I know it is a risky area, because you have warned us several times, but I have not hit any issue yet...
You know, it would be really good if you gave us a way of seriously breaking the config by directly editing it (while keeping its format: maximum line length, no comments, ...). Last time you just used your "author right" to ask us to keep away from it, but never actually gave a reason for it... and experience has shown me that nothing wrong has happened (so far); however, after your warning, I'm always careful while doing so, including shutting down the service and backing up the directory before touching its files.
The first thing I would have done would be slapcat -n0 to see what all of the existing rootpw's were. They would all be base64 encoded; decode them to see if any of them are plaintext. If so, then the problem is already solved - you have the password.
Passwords are hashed by default on most distros, unfortunately :( .
Also, I believe there are olcRootPW per-database (I don't remember seeing that on slapd.conf kind of configs, but I just saw it on the slapd.d right now):
Don't guess. RTFM. It's all stated there clearly.
yeah, I should read the manual to find out and be sure, but this was a reply quickly written, so, I had to state somehow that I'm not sure.
Thanks!
Ildefonso Camargo
On 2/5/12 6:58 PM, Jose Ildefonso Camargo Tolosa wrote:
Yes, I do know, and I have done that *several* times (without any problem, this far). I know it is a risky area, because you have warned us several times, but I have not hit any issue yet...
you know, it would be really good if you give us a way of seriously breaking the config by directly editing it (while keeping its format: maximum line length, no comments, ...) Last time you just used your "author right" to ask us to keep away of it, but never actually gave a reason for it... and experience have shown me that nothing wrong has happen (this far) however, after your warning, I'm always careful while doing so, including: shutdown the service and backing up the directory before touching its files.
One very simple rationale behind this choice is that, when running an LDAP server in a 24x7 production environment (i.e. no service shutdown is allowed), with replication between servers, simply modifying a file on disk does not do the job.
But I think Howard already explained that once, or maybe more than once...
On Sun, Feb 5, 2012 at 1:47 PM, Emmanuel Lecharny elecharny@gmail.com wrote:
One very simple rationale behind this choice is that, when running an LDAP server in a 24x7 production environment (i.e. no service shutdown is allowed), with replication between servers, simply modifying a file on disk does not do the job.
But I think Howard already explained that once, or maybe more than once...
Yeah, you are right, but if you *can* afford the downtime, I can't see a real problem (I actually love the feature that you don't have to restart/shut down the server to edit and apply the config, and I very seldom edit directly, only when doing small changes in a not-yet-in-production environment). However, I have never seen a single case where it has failed when you directly edit it (if you have one, please share! I'm really curious about it). I know there is the case of replicated configurations (where directly editing the configs becomes more complex)... also, you are right: it has been discussed before A LOT of times... still, no use case where it fails (maybe I missed something)... all that I know is that it *could* eventually fail (and thus I think it is just one of those things to be careful with).