
When I installed OpenLDAP I was asked to create a password for an admin user, but now I realize there's another admin user for cn=config whose password I don't know. Does anyone know how I should proceed to change or get that admin password? I'm on a fresh Ubuntu 13.10 install.

I need that password because I'm trying to set up sudo-ldap.

peris

2 Answers


I don't know how the current Ubuntu packages do the initial OpenLDAP setup, but in both 10.04 and 12.04 that process didn't account very well for cn=config. If set, you should find the password in the attribute olcRootPW in /etc/ldap/slapd.d/cn=config/olcDatabase={0}config.ldif (it's probably base64 encoded).

To change the password use ldapmodify as root. Save this as an LDIF file rootpw_cnconfig.ldif:

dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: foobar123

Note: In order to change the root password on CentOS7 use dn: olcDatabase={2}hdb,cn=config instead of dn: olcDatabase={0}config,cn=config.

Obviously set your password to something other than foobar123. Then run ldapmodify:

$ sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f rootpw_cnconfig.ldif

This presumes that the LDAP server and the cn=config database can be accessed using the ldapi protocol (-H ldapi:///) and that external SASL authentication (-Y EXTERNAL) is enabled and working, which it should by default on new OpenLDAP setups in Debian and Ubuntu. If you look at /etc/ldap/slapd.d/cn=config/olcDatabase={0}config.ldif it should contain an attribute olcAccess:

olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external
  ,cn=auth manage by * break
daff
  • Running on CentOS I get an `ldap_modify: Object class violation (65)` with `additional info: attribute 'olcTLSCertificateFile' not allowed`. Do you have any idea how to resolve that issue? – Woltan Sep 28 '16 at 07:47
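The answer above glosses over two things a practitioner will want to check before running ldapmodify: what slapd.d currently stores in olcRootPW (it may be written base64-encoded with a double colon, and folded across lines), and whether the value you are about to write is a hash or a cleartext password (olcRootPW: foobar123 stores the password in cleartext inside /etc/ldap/slapd.d). The script below is an added example, not code from the answerer; the sample file and the {SSHA} value it uses are constructed, and the function names are mine.

```shell
#!/bin/sh
# Added example, not code from the answer above. Reads the cn=config root
# password out of an slapd.d LDIF (handling the base64 "::" form and LDIF
# line folding), tells a stored hash apart from a cleartext value, and builds
# the modify LDIF from a hash instead of a cleartext password.
# The demo paths and sample values are constructed.

unfold_ldif() {
  # LDIF folds long values onto continuation lines that start with one space;
  # join them back so each attribute sits on a single line.
  awk 'NR > 1 && !/^ / { print "" }
       /^ / { printf "%s", substr($0, 2); next }
       { printf "%s", $0 }
       END { print "" }' "$1"
}

# Print the olcRootPW value stored in an slapd.d database LDIF.
# slapd.d writes values it cannot store verbatim as "olcRootPW:: <base64>";
# decode those and pass a plain "olcRootPW: value" through. Returns 1 if absent.
get_config_rootpw() {
  line=$(unfold_ldif "$1" | sed -n '/^olcRootPW:/p' | head -n 1)
  [ -n "$line" ] || return 1
  case $line in
    olcRootPW::*) printf '%s' "${line#olcRootPW::}" | sed 's/^ *//' | base64 -d ;;
    *)            printf '%s' "${line#olcRootPW:}"  | sed 's/^ *//' ;;
  esac
}

# "hashed" when the value carries a {SCHEME} prefix as slappasswd produces
# (for example {SSHA}); "cleartext" otherwise, which is what
# "olcRootPW: foobar123" would store.
classify_rootpw() {
  case $1 in
    '{'*'}'*) echo hashed ;;
    *)        echo cleartext ;;
  esac
}

# Emit the ldapmodify input that replaces olcRootPW on the given database DN.
make_rootpw_ldif() {
  printf 'dn: %s\nchangetype: modify\nreplace: olcRootPW\nolcRootPW: %s\n' "$1" "$2"
}

demo() {
  tmp=$(mktemp -d)
  # Constructed stand-in for /etc/ldap/slapd.d/cn=config/olcDatabase={0}config.ldif
  # with a base64-encoded, folded olcRootPW, the way slapd.d writes it.
  value='{SSHA}constructedExampleHashValueNotReal=='
  enc=$(printf '%s' "$value" | base64)
  printf 'dn: olcDatabase={0}config\nobjectClass: olcDatabaseConfig\nolcDatabase: {0}config\nolcRootPW:: %s\n %s\n' \
    "${enc%??}" "${enc#"${enc%??}"}" > "$tmp/olcDatabase={0}config.ldif"

  current=$(get_config_rootpw "$tmp/olcDatabase={0}config.ldif")
  echo "stored olcRootPW: $current ($(classify_rootpw "$current"))"

  # Build the replacement LDIF. For a real change, produce the hash with
  # slappasswd (e.g. slappasswd -h '{SSHA}') instead of writing cleartext.
  make_rootpw_ldif 'olcDatabase={0}config,cn=config' "$value" > "$tmp/rootpw_cnconfig.ldif"
  cat "$tmp/rootpw_cnconfig.ldif"
  rm -rf "$tmp"
}

demo
```

The generated rootpw_cnconfig.ldif is applied exactly as the answer shows, with sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f rootpw_cnconfig.ldif; the only difference is that the value written is a slappasswd hash rather than the password itself, so a later read of olcDatabase={0}config.ldif reports "hashed" instead of "cleartext".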

If you don't know how to change access rights for cn=config, which has "access to * by * none" by default (in some OpenLDAP distributions), here is a workaround:

  1. create an appropriate slapd.conf which contains:
database config
rootdn "cn=admin,cn=config"
rootpw password
access to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
  2. convert it into LDIF:
slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/
  3. run slapd
  4. add/modify LDAP databases using SASL authorization, for example:
sudo ldapadd -Y EXTERNAL -Q -H ldapi:/// <<EOF
dn: cn=config
objectClass: olcGlobal
cn: config
olcIdleTimeout: 30
olcLogLevel: stats config sync
olcArgsFile: /run/openldap/slapd.args
olcPidFile: /run/openldap/slapd.pid

dn: cn=schema,cn=config
objectClass: olcSchemaConfig
cn: schema

include: file:///etc/openldap/schema/core.ldif

dn: olcDatabase=frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: frontend

dn: olcDatabase=mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: mdb
olcSuffix: dc=my-domain,dc=com
olcRootDN: cn=Manager,dc=my-domain,dc=com
olcRootPW: secret
olcDbDirectory: /var/lib/openldap/openldap-data
olcDbIndex: objectClass eq
EOF
oukooveu
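Before going through the slapd.conf → slaptest rebuild above, it is worth confirming that you are actually locked out, i.e. that the olcAccess on the config database no longer grants "manage" to the root peercred identity that ldapmodify -Y EXTERNAL -H ldapi:/// binds as. The script below is an added example, not code from this answer: it reads the olcAccess values from an olcDatabase={0}config.ldif (unfolding continuation lines, as in the default Ubuntu ACL quoted in the first answer) and reports whether that grant is present. The two sample files and the function names are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the answer above. Checks whether the
# cn=config database ACL stored in slapd.d still grants the local root
# peercred identity "manage" rights, which is what lets
# "ldapmodify -Y EXTERNAL -H ldapi:///" reach cn=config at all.
# The demo files are constructed; only the identity string and the
# default ACL text come from the answers on this page.

# Identity slapd assigns to a root process binding over ldapi:/// with SASL EXTERNAL.
ROOT_PEERCRED='gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth'

unfold_ldif() {
  # LDIF folds long values onto continuation lines that start with one space;
  # join them back so each attribute sits on a single line.
  awk 'NR > 1 && !/^ / { print "" }
       /^ / { printf "%s", substr($0, 2); next }
       { printf "%s", $0 }
       END { print "" }' "$1"
}

# Print each olcAccess value in evaluation order, without its {n} prefix.
list_olc_access() {
  unfold_ldif "$1" | sed -n 's/^olcAccess: *//p' | sed 's/^{[0-9]*}//'
}

# 0 if some clause reads "to * ... by dn.exact=<root peercred> manage", else 1.
# This is a textual check of the stored config, not a live bind test.
root_peercred_has_manage() {
  list_olc_access "$1" | grep -q "^to \* .*by dn\.exact=$ROOT_PEERCRED manage"
}

# Human-readable verdict for a given olcDatabase={0}config.ldif.
check_config_access() {
  if root_peercred_has_manage "$1"; then
    echo "ok: root over ldapi:/// can manage cn=config ($1)"
  else
    echo "locked out: no olcAccess clause grants root peercred manage on cn=config ($1)"
    return 1
  fi
}

demo() {
  tmp=$(mktemp -d)
  # Constructed copy of the Debian/Ubuntu default, folded the way slapd.d writes it.
  cat > "$tmp/default.ldif" <<'EOF'
dn: olcDatabase={0}config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external
 ,cn=auth manage by * break
EOF
  # Constructed example of the locked-down variant this answer works around.
  cat > "$tmp/locked.ldif" <<'EOF'
dn: olcDatabase={0}config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcAccess: {0}to * by * none
EOF
  check_config_access "$tmp/default.ldif" || true
  check_config_access "$tmp/locked.ldif" || true
  rm -rf "$tmp"
}

demo
```

Point it at the real file (on Ubuntu, /etc/ldap/slapd.d/cn=config/olcDatabase={0}config.ldif; on CentOS the paths under /etc/openldap/slapd.d used in this answer). If it reports "ok" but ldapmodify still fails, the problem is elsewhere (slapd not listening on ldapi:///, or SASL EXTERNAL not mapping root to that DN), which a running server will show directly with ldapwhoami -Y EXTERNAL -H ldapi:///. If it reports "locked out", the slapd.conf rebuild above is the way back in.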