Hi,
I tried changing the password for the admin user in my OpenLDAP tree, but now I can log in with both. When I do this:
ldapsearch -vxZZH ldap://ldap.domain.tld/ -D "cn=admin,dc=domain,dc=tld" -W
Entering a wrong password makes it fail, but entering the old or new password both work.
I thought maybe it used the root account, so in an attempt to fix this, I tried setting the rootpw with this:
# cat change-rootpw.ldif
dn: olcDatabase={0}config,cn=config
replace: olcRootPW
olcRootPW: {SSHA}some hash

ldapmodify -v -Y EXTERNAL -H ldapi:/// -f change-rootpw.ldif
But that didn't fix it.
I'm quite confused. Any help is appreciated.
Regards,
Wiebe
you could just have multiple userPassword values...
On Monday 24 December 2012 14:15:59, Wiebe Cazemier wrote:
----- Original Message -----
From: "Maarten Vanraes" maarten.vanraes@gmail.com
To: openldap-technical@openldap.org
Cc: "Wiebe Cazemier" wiebe@halfgaar.net
Sent: Tuesday, 25 December, 2012 1:08:46 AM
Subject: Re: Admin user has two passwords
you could just have multiple userPassword values...
That doesn't seem to be it. When I do:
ldapsearch -D "cn=admin,dc=domain,dc=tld" -W -xLLL -H ldap://ldap.domain.tld/ uid userPassword
It shows that admin has only one password:
dn: cn=admin,dc=ytec,dc=nl
userPassword:: [hash]=
But about the root user. How does that relate to an admin user?
On 12/28/12 09:30 +0100, Wiebe Cazemier wrote:
There is no admin user per se. There is an authentication identity that you can specify in your configuration with rootdn/olcRootDN, along with its password, rootpw/olcRootPW.
Creating the same DN within your DIT may confuse things, and it is not necessary that it actually exist (unless you do not specify a rootpw).
See:
http://www.openldap.org/doc/admin24/access-control.html#Controlling%20rootdn...
and the slapd.conf/slapd-config man pages.
----- Original Message -----
From: "Dan White" dwhite@olp.net
To: "Wiebe Cazemier" wiebe@halfgaar.net
Cc: "Maarten Vanraes" maarten.vanraes@gmail.com, openldap-technical@openldap.org
Sent: Friday, 28 December, 2012 3:47:58 PM
Subject: Re: Admin user has two passwords
Does that mean that the Ubuntu docs [1] give the wrong instructions? Because in its backend.example.ldif, it makes:
olcRootDN: cn=admin,dc=example,dc=com
olcRootPW: secret
and then it loads an admin user with frontend.example.ldif:
# Admin user.
dn: cn=admin,dc=example,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword: secret
So what I should do is remove the admin user, and set olcRootPW (but then to a value generated with slappasswd to avoid plain text)?
[1] https://help.ubuntu.com/10.04/serverguide/openldap-server.html
----- Original Message -----
From: "Wiebe Cazemier" wiebe@halfgaar.net
To: "Dan White" dwhite@olp.net
Cc: "Maarten Vanraes" maarten.vanraes@gmail.com, openldap-technical@openldap.org
Sent: Friday, 28 December, 2012 4:53:52 PM
Subject: Re: Admin user has two passwords
It does appear that the Ubuntu docs are wrong. I deleted the admin user:
# fed to ldapmodify
dn: cn=admin,dc=domain,dc=tld
changetype: delete
And I updated olcRootPW:
# fed to ldapmodify
dn: olcDatabase={1}hdb,cn=config
replace: olcRootPW
olcRootPW: {SSHA}hashcode
Now it only has one admin password, and it's the new one.
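As an added example (not from this thread or the OpenLDAP project) covering both Dan's point that the rootdn is a configured identity rather than a DIT entry and the fix applied above: a Python audit that parses slapcat-style LDIF of cn=config and of the data database, flags any database whose olcRootDN also exists as an entry with its own userPassword (the "two passwords" condition) or whose olcRootPW is stored in plaintext as in the Ubuntu example, generates a {SSHA} value in the form slappasswd emits, and prints the delete-entry plus replace-olcRootPW changes as ldapmodify input. The two LDIF inputs are constructed samples and all function names are my own.

```python
"""Audit an OpenLDAP config export for a rootdn shadowed by a real DIT entry and
emit the remediation LDIF.  Example code written for this thread, not part of
OpenLDAP; inputs are constructed samples in slapcat -n 0 / slapcat -n 1 form."""
import base64
import hashlib
import hmac
import os
import re

# Constructed sample of cn=config, trimmed to the relevant attributes.
CONFIG_LDIF = """\
dn: olcDatabase={0}config,cn=config
olcRootDN: cn=config

dn: olcDatabase={1}hdb,cn=config
olcSuffix: dc=example,dc=com
olcRootDN: cn=admin,dc=example,dc=com
olcRootPW: secret
"""

# Constructed sample of the DIT: the admin entry from the Ubuntu frontend LDIF,
# with a folded line and a base64 value ("userPassword::") as slapcat writes them.
DIT_LDIF = """\
dn: cn=admin,dc=example,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP adm
 inistrator
userPassword:: c2VjcmV0
"""

def parse_ldif(text):
    """List of (dn, {attribute: [values]}); unfolds continuations, decodes base64."""
    entries = []
    for block in re.sub(r"\n ", "", text).split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            name, _, value = line.partition(":")
            if value.startswith(":"):  # "attr:: base64value"
                value = base64.b64decode(value[1:].strip()).decode()
            attrs.setdefault(name, []).append(value.strip())
        if "dn" in attrs:
            entries.append((attrs["dn"][0], attrs))
    return entries

def normalize_dn(dn):
    """Crude DN normalisation (case, whitespace around commas) for matching."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def find_shadowed_rootdns(config_ldif, dit_ldif):
    """One finding per database whose olcRootDN also exists as a DIT entry (so a
    bind as the rootdn can succeed with either secret) or whose olcRootPW is plaintext."""
    dit = {normalize_dn(dn): attrs for dn, attrs in parse_ldif(dit_ldif)}
    findings = []
    for db_dn, attrs in parse_ldif(config_ldif):
        if "olcRootDN" not in attrs:
            continue
        rootdn = attrs["olcRootDN"][0]
        rootpw = attrs.get("olcRootPW", [None])[0]
        entry = dit.get(normalize_dn(rootdn))
        finding = {
            "database": db_dn,
            "rootdn": rootdn,
            "entry_exists": entry is not None,
            "entry_has_password": bool(entry and entry.get("userPassword")),
            "rootpw_plaintext": rootpw is not None and not rootpw.startswith("{"),
        }
        if finding["entry_exists"] or finding["rootpw_plaintext"]:
            findings.append(finding)
    return findings

def ssha_hash(password, salt=None):
    """{SSHA} value in the form slappasswd emits: base64(sha1(pw + salt) + salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def ssha_verify(password, stored):
    """Check a password against a {SSHA} value with a constant-time compare."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(hashlib.sha1(password.encode() + salt).digest(), digest)

def remediation_ldif(finding, new_rootpw):
    """The two changes applied in the thread as ldapmodify input: delete the
    shadow entry, then replace olcRootPW on the data database (not {0}config)."""
    changes = []
    if finding["entry_exists"]:
        changes.append(f"dn: {finding['rootdn']}\nchangetype: delete\n")
    changes.append(f"dn: {finding['database']}\nchangetype: modify\n"
                   f"replace: olcRootPW\nolcRootPW: {new_rootpw}\n")
    return "\n".join(changes)

if __name__ == "__main__":
    for f in find_shadowed_rootdns(CONFIG_LDIF, DIT_LDIF):
        print(f"{f['database']}: rootdn {f['rootdn']} is also a DIT entry: "
              f"{f['entry_exists']}, plaintext olcRootPW: {f['rootpw_plaintext']}")
        print(remediation_ldif(f, ssha_hash("new-admin-password")))
```

On a live server the same check is run against `slapcat -n 0` and `slapcat -n 1` output; the audit only reads the exports, and the printed LDIF is what you would feed to `ldapmodify -Y EXTERNAL -H ldapi:///` after reviewing it. Note that the finding is keyed on the data database ({1}hdb here), which is why setting olcRootPW on {0}config alone, as tried at the start of the thread, changes nothing for cn=admin.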
----- Original Message -----
From: "Wiebe Cazemier" wiebe@halfgaar.net
To: "Dan White" dwhite@olp.net
Cc: "Maarten Vanraes" maarten.vanraes@gmail.com, openldap-technical@openldap.org
Sent: Monday, 31 December, 2012 10:39:05 AM
Subject: Re: Admin user has two passwords
And I reported the bug:
https://bugs.launchpad.net/ubuntu/+source/ubuntu-docs/+bug/1094842