Unknown LDAP cn=config admin password

When I installed OpenLDAP I was asked to create a password for an admin user, but now I realize there's another admin user for cn=config whose password I don't know. Does anyone know how I should proceed to change or get that admin password? I'm on a fresh Ubuntu 13.10 install.

I need that password because I'm trying to set up sudo-ldap.


I don't know how the current Ubuntu packages do the initial OpenLDAP setup, but both in 10.04 and 12.04 that process didn't account very well for cn=config. If set, you should find the password in the attribute olcRootPW in /etc/ldap/slapd.d/cn=config/olcDatabase={0}config.ldif (it's probably base64 encoded).

To change the password use ldapmodify as root. Save this as an LDIF file rootpw_cnconfig.ldif:

dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: foobar123

Note: In order to change the root password on CentOS7 use dn: olcDatabase={2}hdb,cn=config instead of dn: olcDatabase={0}config,cn=config.

Obviously set your password to something other than foobar123. Then run ldapmodify:

$ sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f rootpw_cnconfig.ldif

This presumes that the LDAP server and the cn=config database can be accessed using the ldapi protocol (-H ldapi:///) and that external SASL authentication (-Y EXTERNAL) is enabled and working, which it should by default on new OpenLDAP setups in Debian and Ubuntu. If you look at /etc/ldap/slapd.d/cn=config/olcDatabase={0}config.ldif it should contain an attribute olcAccess:

olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external
  ,cn=auth manage by * break
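An added example (not code from the answer above) covering both of its steps: pull olcRootPW out of olcDatabase={0}config.ldif (handling the base64 "::" form and RFC 2849 line folding), and build the replacement LDIF with an {SSHA} hash of the kind slappasswd produces, so the new olcRootPW is not stored in plaintext like foobar123. The sample LDIF, the fixed salt and the function names are constructed for this example.

```python
import base64
import hashlib
import hmac
import os

def ssha_hash(password, salt=None):
    # {SSHA} as slappasswd emits it: base64(sha1(password + salt) + salt), 4-byte salt
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def ssha_check(password, stored):
    # Verify against a {SSHA} value; the bytes after the 20-byte digest are the salt
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(hashlib.sha1(password.encode() + salt).digest(), digest)

def read_ldif_attr(ldif_text, attr):
    # One attribute from slapd.d LDIF: "attr::" is base64, and a line starting
    # with a space continues the previous line (RFC 2849 folding).
    lines = []
    for line in ldif_text.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]
        else:
            lines.append(line)
    for line in lines:
        if line.startswith(attr + ":: "):
            return base64.b64decode(line.split(":: ", 1)[1]).decode()
        if line.startswith(attr + ": "):
            return line.split(": ", 1)[1]
    return None

def modify_ldif(new_password, db_dn="olcDatabase={0}config,cn=config"):
    # LDIF for "ldapmodify -Y EXTERNAL -H ldapi:///" with a hashed, not plaintext, olcRootPW
    return "dn: %s\nchangetype: modify\nreplace: olcRootPW\nolcRootPW: %s\n" % (
        db_dn, ssha_hash(new_password))

# Constructed sample of olcDatabase={0}config.ldif with a fixed salt (reproducible);
# slapd stores olcRootPW base64-encoded, hence the "::" separator.
SAMPLE_HASH = ssha_hash("foobar123", salt=b"\x01\x02\x03\x04")
SAMPLE_LDIF = (
    "dn: olcDatabase={0}config\n"
    "olcRootPW:: " + base64.b64encode(SAMPLE_HASH.encode()).decode() + "\n"
    "olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external\n"
    " ,cn=auth manage by * break\n"
)
```

Write the output of modify_ldif() to rootpw_cnconfig.ldif and apply it with the ldapmodify command from the answer.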

If you don't know how to change access rights for cn=config, which has access to * by * none by default (in some OpenLDAP distributions), here is a workaround:

  1. create an appropriate slapd.conf which contains:
database config
rootdn "cn=admin,cn=config"
rootpw password
access to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
  2. convert it into LDIF:
slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/
  3. run slapd
  4. add/modify LDAP databases using SASL authorization, for example:
sudo ldapadd -Y EXTERNAL -Q -H ldapi:/// <<EOF
dn: cn=config
objectClass: olcGlobal
cn: config
olcIdleTimeout: 30
olcLogLevel: stats config sync
olcArgsFile: /run/openldap/slapd.args
olcPidFile: /run/openldap/slapd.pid

dn: cn=schema,cn=config
objectClass: olcSchemaConfig
cn: schema

include: file:///etc/openldap/schema/core.ldif

dn: olcDatabase=frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: frontend

dn: olcDatabase=mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: mdb
olcSuffix: dc=my-domain,dc=com
olcRootDN: cn=Manager,dc=my-domain,dc=com
olcRootPW: secret
olcDbDirectory: /var/lib/openldap/openldap-data
olcDbIndex: objectClass eq
EOF