5:15 a.m.
Hi,
I tried changing the password for the admin user in my OpenLDAP tree, but now I can log in
with both. When I do this:
ldapsearch -vxZZH ldap://ldap.domain.tld/ -D "cn=admin,dc=domain,dc=tld" -W
Entering a wrong password makes it fail, but entering the old or new password both work.
I thought maybe it used the root account, so in an attempt to fix this, I tried setting
the rootpw with this:
# cat change-rootpw.ldif
dn: olcDatabase={0}config,cn=config
replace: olcRootPW
olcRootPW: {SSHA}some hash
ldapmodify -v -Y EXTERNAL -H ldapi:/// -f change-rootpw.ldif
But that didn't fix it.
I'm quite confused. Any help is appreciated.
Regards,
Wiebe
4:08 p.m.
you could just have multiple userPassword values...
Op maandag 24 december 2012 14:15:59 schreef Wiebe Cazemier:
Hi,
I tried changing the password for the admin user in my OpenLDAP tree, but
now I can log in with both. When I do this:
ldapsearch -vxZZH ldap://ldap.domain.tld/ -D "cn=admin,dc=domain,dc=tld" -W
Entering a wrong password makes it fail, but entering the old or new
password both work.
I thought maybe it used the root account, so in an attempt to fix this, I
tried setting the rootpw with this:
# cat change-rootpw.ldif
dn: olcDatabase={0}config,cn=config
replace: olcRootPW
olcRootPW: {SSHA}some hash
ldapmodify -v -Y EXTERNAL -H ldapi:/// -f change-rootpw.ldif
But that didn't fix it.
I'm quite confused. Any help is appreciated.
Regards,
Wiebe
12:30 a.m.
----- Original Message -----
From: "Maarten Vanraes" <maarten.vanraes(a)gmail.com>
To: openldap-technical(a)openldap.org
Cc: "Wiebe Cazemier" <wiebe(a)halfgaar.net>
Sent: Tuesday, 25 December, 2012 1:08:46 AM
Subject: Re: Admin user has two passwords
you could just have multiple userPassword values...
That doesn't seem to be it. When I do:
ldapsearch -D "cn=admin,dc=domain,dc=tld" -W -xLLL -H ldap://ldap.domain.tld/
uid userPassword
It shows that admin has only one password:
dn: cn=admin,dc=ytec,dc=nl
userPassword:: [hash]=
But about the root user. How does that relate to an admin user?
6:47 a.m.
On 12/28/12 09:30 +0100, Wiebe Cazemier wrote:
----- Original Message -----
> From: "Maarten Vanraes" <maarten.vanraes(a)gmail.com>
> To: openldap-technical(a)openldap.org
> Cc: "Wiebe Cazemier" <wiebe(a)halfgaar.net>
> Sent: Tuesday, 25 December, 2012 1:08:46 AM
> Subject: Re: Admin user has two passwords
>
> you could just have multiple userPassword values...
That doesn't seem to be it. When I do:
ldapsearch -D "cn=admin,dc=domain,dc=tld" -W -xLLL -H ldap://ldap.domain.tld/
uid userPassword
It shows that admin has only one password:
dn: cn=admin,dc=ytec,dc=nl
userPassword:: [hash]=
But about the root user. How does that relate to an admin user?
There is no admin user per se. There is an authentication identity that
you can specify in your configuration with rootdn/olcRootDN, along with
it's password, rootpw/OlcRootPW.
Creating the same DN within your DIT may confuse things, and it is not
necessary that it actually exist (unless you do not specify a rootpw).
See:
http://www.openldap.org/doc/admin24/access-control.html#Controlling%20roo...
and the slapd.conf/slapd-config man pages.
--
Dan White
7:53 a.m.
----- Original Message -----
From: "Dan White" <dwhite(a)olp.net>
To: "Wiebe Cazemier" <wiebe(a)halfgaar.net>
Cc: "Maarten Vanraes" <maarten.vanraes(a)gmail.com>,
openldap-technical(a)openldap.org
Sent: Friday, 28 December, 2012 3:47:58 PM
Subject: Re: Admin user has two passwords
There is no admin user per se. There is an authentication identity
that
you can specify in your configuration with rootdn/olcRootDN, along
with
it's password, rootpw/OlcRootPW.
Creating the same DN within your DIT may confuse things, and it is
not
necessary that it actually exist (unless you do not specify a
rootpw).
See:
http://www.openldap.org/doc/admin24/access-control.html#Controlling%20roo...
and the slapd.conf/slapd-config man pages.
--
Dan White
Does that mean that the Ubuntu docs [1] give the wrong instructions? Because in its
backend.example.ldif, it makes:
olcRootDN: cn=admin,dc=example,dc=com
olcRootPW: secret
and then it loads an admin user with frontend.example.ldif:
# Admin user.
dn: cn=admin,dc=example,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword: secret
So what I should do is remove the admin user, and set olcRootPW (but then to a value
generated with slappasswd to avoid plain text)?
[1] https://help.ubuntu.com/10.04/serverguide/openldap-server.html
1:39 a.m.
----- Original Message -----
From: "Wiebe Cazemier" <wiebe(a)halfgaar.net>
To: "Dan White" <dwhite(a)olp.net>
Cc: "Maarten Vanraes" <maarten.vanraes(a)gmail.com>,
openldap-technical(a)openldap.org
Sent: Friday, 28 December, 2012 4:53:52 PM
Subject: Re: Admin user has two passwords
----- Original Message -----
> From: "Dan White" <dwhite(a)olp.net>
> To: "Wiebe Cazemier" <wiebe(a)halfgaar.net>
> Cc: "Maarten Vanraes" <maarten.vanraes(a)gmail.com>,
> openldap-technical(a)openldap.org
> Sent: Friday, 28 December, 2012 3:47:58 PM
> Subject: Re: Admin user has two passwords
>
>
> There is no admin user per se. There is an authentication identity
> that
> you can specify in your configuration with rootdn/olcRootDN, along
> with
> it's password, rootpw/OlcRootPW.
>
> Creating the same DN within your DIT may confuse things, and it is
> not
> necessary that it actually exist (unless you do not specify a
> rootpw).
>
> See:
>
>
http://www.openldap.org/doc/admin24/access-control.html#Controlling%20roo...
>
> and the slapd.conf/slapd-config man pages.
>
> --
> Dan White
>
Does that mean that the Ubuntu docs [1] give the wrong instructions?
Because in its backend.example.ldif, it makes:
olcRootDN: cn=admin,dc=example,dc=com
olcRootPW: secret
and then it loads an admin user with frontend.example.ldif:
# Admin user.
dn: cn=admin,dc=example,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword: secret
So what I should do is remove the admin user, and set olcRootPW (but
then to a value generated with slappasswd to avoid plain text)?
[1] https://help.ubuntu.com/10.04/serverguide/openldap-server.html
It does appear that the Ubuntu docs are wrong. I deleted the admin user:
# fed to ldapmodify
dn: cn=admin,dc=domain,dc=tld
changetype: delete
And I updated olcRootPW:
# fed to ldapmodify
dn: olcDatabase={1}hdb,cn=config
replace: olcRootPW
olcRootPW: {SSHA}hashcode
Now it only has one admin password, and it's the new one.
1:53 a.m.
----- Original Message -----
From: "Wiebe Cazemier" <wiebe(a)halfgaar.net>
To: "Dan White" <dwhite(a)olp.net>
Cc: "Maarten Vanraes" <maarten.vanraes(a)gmail.com>,
openldap-technical(a)openldap.org
Sent: Monday, 31 December, 2012 10:39:05 AM
Subject: Re: Admin user has two passwords
It does appear that the Ubuntu docs are wrong. I deleted the admin
user:
# fed to ldapmodify
dn: cn=admin,dc=domain,dc=tld
changetype: delete
And I updated olcRootPW:
# fed to ldapmodify
dn: olcDatabase={1}hdb,cn=config
replace: olcRootPW
olcRootPW: {SSHA}hashcode
Now it only has one admin password, and it's the new one.
And I reported the bug:
https://bugs.launchpad.net/ubuntu/+source/ubuntu-docs/+bug/1094842
3311
days inactive
3318
days old
openldap-technical@openldap.org
6 comments
3 participants
participants (3)
-
Dan White -
Maarten Vanraes -
Wiebe Cazemier