Sunday 15 June 2014

Change Root DN Password on OpenLDAP

First, we need to find which database under cn=config defines the administrator (root DN) account and how its password is currently stored.

This can be done with ldapsearch, binding over the local ldapi:/// socket as root (SASL EXTERNAL), which is what grants write access to cn=config:
ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b cn=config '(olcRootDN=cn=admin,dc=example,dc=com)' dn olcRootDN olcRootPW
(replace the olcRootDN value in the filter with the root DN of your configuration)

This command will return something like:
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: olcDatabase={1}hdb,cn=config
olcRootDN: cn=admin,dc=example,dc=com
olcRootPW: {SHA}ks1xBVfgRXavGCpkPefc9hRHL4X=
Two pieces of information are now known:

the entry to modify is "dn: olcDatabase={1}hdb,cn=config"
the current password is hashed with the {SHA} scheme (unsalted SHA-1).
If the search returns the entry without an olcRootPW attribute, the password is not held in cn=config at all: slapd then authenticates the root DN against the userPassword of that entry in the database itself, and that is what you have to change instead.
To generate the new hash we use the slappasswd command with the syntax:
slappasswd -h <the hashing scheme to use, for example {SHA}>
Keeping the same scheme as the old value is not required; slapd accepts any scheme it supports. {SHA} is unsalted, so two accounts with the same password get the same hash and the value is trivial to look up; prefer the salted {SSHA} unless you have a reason to stay with the old scheme.
The system will then prompt you for the new password to use, twice, and will finally display the hashed value we’re interested in:
root@testbox:~# slappasswd -h {SHA}
New password:
Re-enter new password:
{SHA}W6ph5Mm7Ps6GglULbPgzG37mj0g=
Then we’ll proceed to modify the entry we’ve identified above using the command:
root@testbox:~# ldapmodify -Y EXTERNAL -H ldapi:///
ldapmodify authenticates and then reads the change record from standard input:
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
First, we enter the entry we want to modify:
dn: olcDatabase={1}hdb,cn=config
Second, we name the attribute to replace (a record without an explicit changetype is treated as a modify by ldapmodify; adding the line "changetype: modify" before it is harmless and makes the intent explicit):
replace: olcRootPW
Third, we type in the new hash generated above (copy and paste is MUCH less error prone than manual typing at this point ;) )
olcRootPW: {SHA}W6ph5Mm7Ps6GglULbPgzG37mj0g=
Hit Enter once more: the blank line terminates the record and commits the modification, and the following line will appear:
modifying entry "olcDatabase={1}hdb,cn=config"
After this, exit ldapmodify with CTRL+D (or CTRL+C). Changes to cn=config take effect immediately, so restarting slapd is not required; if you still prefer to restart:
service slapd stop
service slapd start
Finally, verify that the new password works by binding as the root DN:
ldapwhoami -x -H ldapi:/// -D cn=admin,dc=example,dc=com -W
A successful bind prints "dn:cn=admin,dc=example,dc=com"; an "Invalid credentials" error means the change was not applied to the database you meant.
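The whole procedure above, scripted so it can be run non-interactively and checked before anything is written. This is an added example, not code from the original post. It assumes the same database entry and root DN as the post (olcDatabase={1}hdb,cn=config and cn=admin,dc=example,dc=com, both overridable through DB_DN and ROOT_DN), and that slappasswd, ldapmodify and ldapwhoami are in PATH. The LDIF record is built by a function so it can be inspected without a running slapd, the hash scheme is classified so an unsalted {SHA} value at least produces a warning, and the final ldapwhoami bind proves the new password actually works:

```shell
#!/bin/sh
# Rotate the OpenLDAP rootdn password stored in cn=config (added example).
# Assumed defaults, not taken from the post's environment: override via env vars.
DB_DN="${DB_DN:-olcDatabase={1}hdb,cn=config}"
ROOT_DN="${ROOT_DN:-cn=admin,dc=example,dc=com}"
SCHEME="${SCHEME:-{SSHA}}"   # salted SHA-1; {SHA} would reproduce the post exactly

# Build the LDIF change record for ldapmodify.
# $1 = database DN under cn=config, $2 = hash as printed by slappasswd.
build_rootpw_ldif() {
    printf 'dn: %s\nchangetype: modify\nreplace: olcRootPW\nolcRootPW: %s\n' "$1" "$2"
}

# Classify a slappasswd-style hash by its scheme prefix.
# Prints "salted", "unsalted" (with a warning on stderr) or "unknown".
hash_scheme_class() {
    case "$1" in
        '{SSHA}'*|'{CRYPT}'*)
            echo salted ;;
        '{SHA}'*|'{MD5}'*|'{SMD5}'*|'{CLEARTEXT}'*)
            echo "warning: weak or unsalted scheme in $1" >&2
            echo unsalted ;;
        *)
            echo unknown ;;
    esac
}

# Generate the hash, write it to cn=config, then verify with a real bind.
rotate_rootpw() {
    hash=$(slappasswd -h "$SCHEME") || return 1
    if [ "$(hash_scheme_class "$hash")" = unknown ]; then
        echo "error: refusing to store unrecognised value: $hash" >&2
        return 1
    fi
    # -Q suppresses the SASL chatter; EXTERNAL over ldapi:/// is the root access path.
    build_rootpw_ldif "$DB_DN" "$hash" | ldapmodify -Q -Y EXTERNAL -H ldapi:/// || return 1
    # No restart needed: cn=config changes apply live. The bind fails if they did not.
    ldapwhoami -x -H ldapi:/// -D "$ROOT_DN" -W
}

# Only touch the server when explicitly asked, so the functions can be sourced safely.
if [ "${ROTATE_ROOTPW:-0}" = 1 ]; then
    rotate_rootpw
fi
```

Run it as `ROTATE_ROOTPW=1 sh rotate-rootpw.sh`; it prompts twice for the new password (slappasswd) and once more for the verification bind (ldapwhoami). To reproduce the post's choice of scheme set `SCHEME='{SHA}'`, at the cost of the warning.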
