Hi all, I am new to LDAP and am now having a problem changing the admin password.
I saw a few sites that suggested using slappasswd to change the admin password. I did that and changed the rootpw value in slapd.conf on my LDAP server. After restarting the slapd service, the client machine that used to connect to the LDAP server has a problem connecting to the LDAP service, and it causes the LDAP user to be unable to log in to the system. I found a file named ldap.secret on the client machine with clear-text words residing in it.
Now my questions are:
1. What is the function of the ldap.secret file on the client machine? Is it associated with the LDAP server rootpw?
2. If I change rootpw on the LDAP server, do I need to change any other values in my client ldap.conf?
Your rootpw value should NEVER EVER be used outside of the server. That account is for management of the underlying server, not an account to ever be used to use the LDAP service it provides. Create system accounts for user binds etc., and never ever use that password for anything like that.
The ldap.secret file is generally a credentials file that can be used in lieu of putting passwords into scripts or configuration files which are world-readable. So a script might be able to be read by anyone, but the password file can only be read by root or similar, so the password is much more secure.
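The point about ldap.secret in the reply above (the password lives in a file only root can read, never in a world-readable config) is easy to get subtly wrong: redirecting into a file that already exists keeps its old mode, and a default umask creates new files 0644. The following is an added example, not from this thread or from the OpenLDAP/nss_ldap projects: two POSIX sh functions that write a credentials file with mode 0600 from the moment it exists and then verify that no group/other bits are set. The path and password are illustrative; whether the client strips a trailing newline depends on the client library, so the file is written without one.

```shell
#!/bin/sh
# Added example (not from the thread): create and check a root-only
# credentials file such as /etc/ldap.secret. Assumes POSIX sh, ls(1)
# and cut(1). Path and password below are illustrative only.

# install_ldap_secret PATH PASSWORD
# Creates PATH with mode 0600 from the start (umask 077 while the
# redirection creates it), then chmods it in case the file already
# existed with a looser mode, since '>' keeps an existing file's mode.
# No trailing newline is written.
install_ldap_secret() {
    path=$1
    pw=$2
    old_umask=$(umask)
    umask 077
    if ! printf '%s' "$pw" > "$path"; then
        umask "$old_umask"
        return 1
    fi
    umask "$old_umask"
    chmod 0600 "$path"
}

# check_ldap_secret PATH
# Returns 0 only if PATH is a regular file whose group and other
# permission bits are all clear (e.g. rw------- or r--------).
check_ldap_secret() {
    path=$1
    if [ ! -f "$path" ]; then
        echo "missing: $path" >&2
        return 1
    fi
    # Columns 2-10 of 'ls -ld' are the nine permission characters.
    mode=$(ls -ld "$path" | cut -c2-10)
    case "$mode" in
        ???------) return 0 ;;
        *) echo "too permissive: $path is $mode" >&2; return 1 ;;
    esac
}

# Usage (as root):
#   install_ldap_secret /etc/ldap.secret 'the-bind-password'
#   check_ldap_secret /etc/ldap.secret && echo ok
```

Ownership is not checked here: the file must also be owned by root (chown root:root), but a mode check is the part that is portable to a scratch directory and catches the common mistake of a 0644 file.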
Thanks. Anyway, my client machine fails to connect to the LDAP server after I changed the rootpw value and restarted the slapd service. The LDAP user could not log in either. What would be the possible reason causing this?
No idea what your client and server configs are, so I can't really comment. Clearly, if you are binding with that admin account and the password has changed, that's pretty obvious.
Below is my slapd.conf from my server and ldap.conf from my client.
slapd.conf
include /opt/etc/openldap/schema/core.schema
include /opt/etc/openldap/schema/cosine.schema
include /opt/etc/openldap/schema/inetorgperson.schema
include /opt/etc/openldap/schema/nis.schema
include /opt/etc/openldap/schema/ppolicy.schema
include /opt/etc/openldap/schema/samba.schema
include /opt/etc/openldap/schema/apple_auxillary.schema
include /opt/etc/openldap/schema/apple.schema
What am I supposed to say? I must be missing something... you're binding with the admin account. You changed the password to the admin account...???
Please understand how dangerous / dumb it is to be using THAT account over ANY other account to do this bind. It's just mental. You'd be more secure by allowing anonymous read-only binds to the relevant OUs and filtering the available attributes to the POSIX-essential ones only. As well as being more secure (at all secure), your original issue disappears into thin air instantly.
Hi Chris, I have changed my ACL on the server side to the following.
access to attrs=userPassword
by dn="cn=ldap,dc=local" write
by self write
by * auth
access to attrs=loginShell,homeDirectory,cn,givenName,sn,mail,gecos
by dn="cn=ldap,dc=local" write
by self write
by anonymous read
by * auth
I have created another account called ldap and do the binding from the client using the binddn and bindpw directives, and commented out the rootbinddn directive.
binddn cn=ldap,dc=local
bindpw xxxxxx
After I did that, my LDAP user can't log in to the system anymore. I know it might be a dumb question, but please help, since I am so new to LDAP and the previous setup was done by someone who has left the company. Thanks.
I don't see an obvious problem with your slapd configuration / ACLs in post #7. What I would suggest (for a service account) would look similar to that.
Please turn on logging so that we can make sense out of what's happening.
"err=49" is invalid credentials. wrong password 99% of the time.
Are you getting accounts back from a "getent passwd"?
No. I can't see the user accounts. But I tested the account with the password and the password is correct. Is there any other possible field for wrong credentials?
There are a couple of subtle issues that can cause it, but for things like locked-out accounts you'd get an err=19 instead, which is "Constraint Violation". I think I've seen it when there is NO password attribute on the account; not sure what else. Can you ldapsearch the data instead? Post the command that works with a search, and there might be something you're not mapping across into the config files.
Last edited by acid_kewpie; 04-18-2012 at 02:01 AM.
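The advice in this thread boils down to "turn on logging and look at the result code of the BIND". With slapd logging at the stats level (loglevel 256), each bind appears as a BIND line carrying the DN followed by a RESULT line with tag=97 (the bind response) and an err= code, but the two are on separate lines and are only tied together by their conn= and op= numbers. The following is an added example, not part of the thread and not from the OpenLDAP project: a sh/awk filter that pairs each BIND with its RESULT and names the LDAP result code, so you can see at a glance which DN failed with err=49 (invalidCredentials) versus err=19 (constraintViolation) or err=50 (insufficientAccessRights). The lines emitted by sample_slapd_log are constructed in the format slapd writes; the host name, PID, IPs and DNs in them are made up, not taken from the poster's server.

```shell
#!/bin/sh
# Added example (not from the thread): summarise BIND outcomes from an
# OpenLDAP slapd log written at loglevel 256 ("stats"). Assumes POSIX
# sh and awk; the sample log lines below are constructed.

# bind_summary: read slapd log lines on stdin and print one line per
# bind operation:  conn=N op=M dn=<DN> err=<code> <meaning>
bind_summary() {
    awk '
    BEGIN {
        # Standard LDAP result codes most often seen on a bind.
        m[0]  = "success"
        m[19] = "constraintViolation"
        m[32] = "noSuchObject"
        m[49] = "invalidCredentials"
        m[50] = "insufficientAccessRights"
        m[53] = "unwillingToPerform"
    }
    # BIND line: remember which DN this conn/op is binding as.
    /conn=[0-9]+ op=[0-9]+ BIND dn=/ {
        match($0, /conn=[0-9]+ op=[0-9]+/)
        key = substr($0, RSTART, RLENGTH)
        match($0, /dn="[^"]*"/)
        d = substr($0, RSTART + 4, RLENGTH - 5)
        if (d == "") d = "(anonymous)"
        dn[key] = d
    }
    # RESULT tag=97 is the bind response; pair it with the saved DN.
    /conn=[0-9]+ op=[0-9]+ RESULT tag=97 err=/ {
        match($0, /conn=[0-9]+ op=[0-9]+/)
        key = substr($0, RSTART, RLENGTH)
        match($0, /err=[0-9]+/)
        code = substr($0, RSTART + 4, RLENGTH - 4) + 0
        if (code in m) meaning = m[code]; else meaning = "unknown"
        printf "%s dn=%s err=%d %s\n", key, dn[key], code, meaning
        delete dn[key]
    }'
}

# failed_binds: same as bind_summary but only the binds that did not succeed.
failed_binds() {
    bind_summary | grep -v ' err=0 '
}

# sample_slapd_log: constructed lines in the shape slapd logs at loglevel 256.
# conn=1001 is a failed simple bind, conn=1002 a successful bind followed by
# a search, conn=1003 an anonymous bind.
sample_slapd_log() {
    cat <<'EOF'
Apr 18 01:55:12 ldap slapd[1234]: conn=1001 fd=12 ACCEPT from IP=192.0.2.10:45678 (IP=0.0.0.0:389)
Apr 18 01:55:12 ldap slapd[1234]: conn=1001 op=0 BIND dn="cn=ldap,dc=local" method=128
Apr 18 01:55:12 ldap slapd[1234]: conn=1001 op=0 RESULT tag=97 err=49 text=
Apr 18 01:55:12 ldap slapd[1234]: conn=1001 fd=12 closed
Apr 18 01:56:03 ldap slapd[1234]: conn=1002 op=0 BIND dn="cn=ldap,dc=local" method=128
Apr 18 01:56:03 ldap slapd[1234]: conn=1002 op=0 BIND dn="cn=ldap,dc=local" mech=SIMPLE ssf=0
Apr 18 01:56:03 ldap slapd[1234]: conn=1002 op=0 RESULT tag=97 err=0 text=
Apr 18 01:56:03 ldap slapd[1234]: conn=1002 op=1 SRCH base="dc=local" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=alice))"
Apr 18 01:56:03 ldap slapd[1234]: conn=1002 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Apr 18 01:56:03 ldap slapd[1234]: conn=1003 op=0 BIND dn="" method=128
Apr 18 01:56:03 ldap slapd[1234]: conn=1003 op=0 RESULT tag=97 err=0 text=
EOF
}

# Usage on a real server:  grep slapd /var/log/syslog | failed_binds
```

Keep in mind when reading the output that a simple bind to a DN that does not exist, or to an entry with no userPassword attribute, also comes back as err=49: slapd does not distinguish "no such user" from "wrong password" on bind. So when the password is known to be correct, the next things to check are that the binddn in ldap.conf matches the entry's DN exactly and that the entry actually carries a userPassword.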