LinuxQuestions.org
LDAP password reset

#1  BFCsaus  07-21-2010, 08:05 AM

Hi,

I'm having a few problems changing a user password on LDAP; it should be easy enough, but nothing ever is...

I've googled and also found similar threads on LinuxQuestions but am unable to resolve the issue. Basically, when I do the following (please note I've masked a couple of fields):

# ldappasswd -x -W -D "cn=Manager,dc=TBC,dc=TBC" "uid=TBC,ou=people,dc=TBC,dc=TBC"
Enter LDAP Password: 'I now add the password from slapd.conf'
ldap_bind: Invalid credentials (49)

I then used slappasswd and copied the output to slapd.conf and retried with the new password, but unfortunately had the same error message.

One thing I didn't do was restart LDAP, which I may have to do. If so, are there any gotchas with users logged on? (I'm not an LDAP expert, as you can tell, but it's interesting learning nevertheless.)

Here's an excerpt from slapd.conf, with masked entries again.

#######################################################################
# ldbm and/or bdb database definitions
#######################################################################

database bdb
suffix "dc=TBC,dc=TBC"
rootdn "cn=Manager,dc=TBC,dc=TBC"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# rootpw secret
# rootpw {crypt}ijFYNcSNctBYg
rootpw {SSHA}zA9zaAzdQxLdGaZKlAqkeD9wcKeM31Tr

[root@servname openldap]# slapd -VV
@(#) $OpenLDAP: slapd 2.3.27 (Jul 9 2008 13:10:56) $
mockbuild@builder16.centos.org:/builddir/build/BUILD/openldap-2.3.27/openldap-2.3.27/build-servers/servers/slapd

Any input would be gratefully received...
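A local check worth running before blaming slapd, added here as an example that is not part of the original post: OpenLDAP's {SSHA} scheme is base64(SHA-1(password || salt) || salt), so the password typed at the ldappasswd prompt can be verified offline against the rootpw value copied from slapd.conf. If this check passes and the bind still fails with result 49, the running slapd is not using that rootpw (stale configuration, a different configuration source, or a different rootdn); if the check fails, the hash or the typed password is the problem. The salt, password and slapd.conf fragment below are constructed for the example; real hashes come from slappasswd with a random salt.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return a slappasswd-style {SSHA} value: base64(SHA1(password + salt) + salt).

    slappasswd uses a random 4-byte salt; a fixed salt may be passed here only
    so that the example is reproducible.
    """
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_password(password: str, stored: str) -> bool:
    """Check a candidate password against a rootpw / userPassword value.

    Supports the {SSHA} and {SHA} schemes and cleartext (no scheme prefix).
    Comparisons are constant-time so the helper is also safe where an
    attacker controls the candidate.
    """
    candidate = password.encode("utf-8")
    if stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[len("{SSHA}"):])
        digest, salt = raw[:20], raw[20:]          # SHA-1 digest is 20 bytes; the salt follows it
        return hmac.compare_digest(hashlib.sha1(candidate + salt).digest(), digest)
    if stored.startswith("{SHA}"):
        raw = base64.b64decode(stored[len("{SHA}"):])
        return hmac.compare_digest(hashlib.sha1(candidate).digest(), raw)
    if stored.startswith("{"):
        scheme = stored.split("}", 1)[0] + "}"
        raise ValueError(f"unsupported password scheme {scheme}")
    # No scheme prefix: slapd treats the value as cleartext (the commented-out
    # "rootpw secret" line in slapd.conf is this form).
    return hmac.compare_digest(candidate, stored.encode("utf-8"))


def check_rootpw(slapd_conf_text: str, typed_password: str) -> bool:
    """Find the active (uncommented) rootpw directive in slapd.conf text and
    verify the typed password against it. Raises if no rootpw is configured."""
    for line in slapd_conf_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        parts = stripped.split(None, 1)
        if parts[0].lower() == "rootpw" and len(parts) == 2:
            return verify_password(typed_password, parts[1].strip().strip('"'))
    raise ValueError("no active rootpw directive found")


# Constructed sample: the rootpw hash is generated here with a fixed salt so the
# check is reproducible; in real life it is the slappasswd output pasted into slapd.conf.
EXAMPLE_SALT = b"\x01\x02\x03\x04"
EXAMPLE_ROOTPW = ssha_hash("Manager-Pass-2010", EXAMPLE_SALT)
SAMPLE_SLAPD_CONF = f"""\
database bdb
suffix "dc=TBC,dc=TBC"
rootdn "cn=Manager,dc=TBC,dc=TBC"
# rootpw secret
rootpw {EXAMPLE_ROOTPW}
"""

if __name__ == "__main__":
    print("correct password verifies:", check_rootpw(SAMPLE_SLAPD_CONF, "Manager-Pass-2010"))
    print("wrong password verifies:  ", check_rootpw(SAMPLE_SLAPD_CONF, "secret"))
```

To use it against a real server, paste the rootpw line from slapd.conf into `check_rootpw` and type the same password you give to `ldappasswd -W`. The helper deliberately refuses unknown schemes such as {CRYPT} rather than guessing, so a scheme it does not know is reported instead of silently failing.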
 
#2  bathory  07-21-2010, 09:12 AM
Since you've changed the admin password, you should restart slapd to read the new one.

Regards
 
1 members found this post helpful.
Old 07-27-2010, 05:30 AM   #3
BFCsaus
Member
 
Registered: Jan 2007
Posts: 36

Original Poster
Rep: Reputation: 15
Restarted LDAP and tried the command again:

# ldappasswd -x -W -D "cn=Manager,dc=TBC,dc=TBC" "uid=TBC,ou=people,dc=TBC,dc=TBC"
Enter LDAP Password: <I enter the new rootpw from slapd.conf>
ldap_bind: Invalid credentials (49)

I will carry on investigating, but if anyone has any ideas, please...
 
#4  bathory  07-27-2010, 07:29 AM
Hi,

Are you sure that your openldap server uses slapd.conf and not the new cn=config configuration? To verify, start slapd from command line using:
Code:
slapd -d 1
and watch for lines containing "cn=config"

In this case the rootpw is defined as olcRootPW, and you need to run ldapmodify to change it. But you need to know the old admin password to run ldapmodify, so just test whether you use cn=config and we'll see what we can do.

Regards
 
#5  BFCsaus  07-28-2010, 06:24 AM
Thanks again Bathory,

The version of LDAP is 2.3, and from what I read cn=config is only valid in v2.4 (correct me if I'm wrong, please). I've looked in slapd.conf and can see the line 'database bdb', so I presume the server uses slapd.conf, although I will try your method of 'slapd -d 1' and see what happens.

On another note, I've downloaded and installed JXplorer. I can see all the LDAP users, but when I try to change the user password I receive a message:

Unable to perform Modify Operation.

Which I presume is due to the issue with the Administrator password.

And I thought NIS+ was long winded!!!
 
#6  BFCsaus  07-28-2010, 07:26 AM
Sorry, I just read that the cn=config feature was introduced in version 2.3...
 
#7  bathory  07-28-2010, 09:50 AM
So, have you found out what kind of configuration your LDAP server is using?
 
#8  BFCsaus  07-28-2010, 12:26 PM
Hi Bathory,

Here's a sample from starting LDAP from command line (slapd -d 1)

Thanks again for the assistance

[root@craws11505 samples]# slapd -d 1
@(#) $OpenLDAP: slapd 2.3.27 (Jul 9 2008 13:10:56) $
mockbuild@builder16.centos.org:/builddir/build/BUILD/openldap-2.3.27/openldap-2.3.27/build-servers/servers/slapd
daemon_init: listen on ldap:///
daemon_init: 1 listeners to open...
ldap_url_parse_ext(ldap:///)
daemon: listener initialized ldap:///
daemon_init: 2 listeners opened
slapd init: initiated server.
slap_sasl_init: initialized!
bdb_back_initialize: initialize BDB backend
bdb_back_initialize: Sleepycat Software: Berkeley DB 4.4.20: (January 10, 2006)
hdb_back_initialize: initialize HDB backend
hdb_back_initialize: Sleepycat Software: Berkeley DB 4.4.20: (January 10, 2006)
bdb_db_init: Initializing BDB database
>>> dnPrettyNormal: <dc=TBC,dc=TBC>
<<< dnPrettyNormal: <dc=TBC,dc=TBC>, <dc=TBC,dc=TBC>
>>> dnPrettyNormal: <cn=Manager,dc=TBC,dc=TBC>
<<< dnPrettyNormal: <cn=Manager,dc=TBC,dc=TBC>, <cn=manager,dc=TBC,dc=TBC>
>>> dnNormalize: <cn=Subschema>
<<< dnNormalize: <cn=subschema>
matching_rule_use_init
1.2.840.113556.1.4.804 (integerBitOrMatch):

etc etc
etc etc

slapd startup: initiated.
backend_startup_one: starting "cn=config"
config_back_db_open
config_build_entry: "cn=config"
config_build_entry: "cn=include{0}"
config_build_entry: "cn=include{1}"
config_build_entry: "cn=include{2}"
config_build_entry: "cn=include{3}"
config_build_entry: "cn=include{4}"
config_build_entry: "cn=schema"
config_build_entry: "cn={0}core"
config_build_entry: "cn={1}cosine"
config_build_entry: "cn={2}inetorgperson"
config_build_entry: "cn={3}nis"
config_build_entry: "cn={4}autofs"
config_build_entry: "olcDatabase={-1}frontend"
config_build_entry: "olcDatabase={0}config"
config_build_entry: "olcDatabase={1}bdb"
backend_startup_one: starting "dc=TBC,dc=TBC"
bdb_db_open: dbenv_open(/var/lib/ldap)
slapd starting
daemon: shutdown requested and initiated.
slapd shutdown: waiting for 0 threads to terminate
slapd shutdown: initiated
====> bdb_cache_release_all
slapd destroy: freeing system resources.
slapd stopped.
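To make bathory's check mechanical, here is an added example (not part of the thread) that parses `slapd -d 1` startup lines for the two facts a password reset depends on: whether the cn=config backend starts, and which olcDatabase={N} entries exist, which tells you the name of the file the rootpw would live in. The sample log is a trimmed copy of the output posted above. One caveat that this very thread demonstrates: slapd 2.3 and later always builds the cn=config tree in memory, even when started from slapd.conf, so seeing "cn=config" in the debug output does not by itself mean the configuration is persisted in slapd.d. The helper therefore also checks whether the expected LDIF file exists before pointing you at it rather than at slapd.conf. The slapd.d location is an assumption (the CentOS default).

```python
import os
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: a trimmed copy of the "slapd -d 1" startup lines posted in the thread.
SAMPLE_DEBUG_LOG = """\
slapd startup: initiated.
backend_startup_one: starting "cn=config"
config_back_db_open
config_build_entry: "cn=config"
config_build_entry: "cn=schema"
config_build_entry: "cn={0}core"
config_build_entry: "olcDatabase={-1}frontend"
config_build_entry: "olcDatabase={0}config"
config_build_entry: "olcDatabase={1}bdb"
backend_startup_one: starting "dc=TBC,dc=TBC"
bdb_db_open: dbenv_open(/var/lib/ldap)
slapd starting
"""

START_RE = re.compile(r'backend_startup_one: starting "([^"]+)"')
DB_RE = re.compile(r'config_build_entry: "(olcDatabase=\{(-?\d+)\}([A-Za-z0-9]+))"')


@dataclass
class ConfigDatabase:
    entry: str    # e.g. olcDatabase={1}bdb
    index: int    # -1 = frontend, 0 = the config DB itself, 1.. = user databases
    backend: str  # frontend, config, bdb, hdb, ...


@dataclass
class SlapdConfigReport:
    cn_config_started: bool
    suffixes: List[str]
    databases: List[ConfigDatabase]


def analyse_slapd_debug(log: str) -> SlapdConfigReport:
    """Extract the configuration facts a rootpw change depends on from slapd -d 1 output."""
    cn_config_started = False
    suffixes: List[str] = []
    databases: List[ConfigDatabase] = []
    for line in log.splitlines():
        m = START_RE.search(line)
        if m:
            if m.group(1) == "cn=config":
                cn_config_started = True
            else:
                suffixes.append(m.group(1))
            continue
        m = DB_RE.search(line)
        if m:
            databases.append(ConfigDatabase(m.group(1), int(m.group(2)), m.group(3)))
    return SlapdConfigReport(cn_config_started, suffixes, databases)


def ldif_path_for(db: ConfigDatabase, slapd_d: str = "/etc/openldap/slapd.d") -> str:
    """On-disk LDIF for a database when cn=config is persisted: slapd.d/cn=config/<entry>.ldif."""
    return os.path.join(slapd_d, "cn=config", f"{db.entry}.ldif")


def config_source(report: SlapdConfigReport, slapd_d: str = "/etc/openldap/slapd.d") -> str:
    """Decide which file actually holds the rootpw to edit.

    The cn=config backend starting is necessary but not sufficient: slapd builds it in
    memory from slapd.conf too. Only if the LDIF for the first user database exists on
    disk is slapd.d the authoritative configuration; otherwise edit slapd.conf.
    """
    user_dbs = [d for d in report.databases if d.index >= 1]
    if not report.cn_config_started or not user_dbs:
        return "slapd.conf"
    path = ldif_path_for(user_dbs[0], slapd_d)
    return path if os.path.isfile(path) else "slapd.conf"


if __name__ == "__main__":
    report = analyse_slapd_debug(SAMPLE_DEBUG_LOG)
    print("cn=config started:", report.cn_config_started)
    print("suffixes:", report.suffixes)
    print("edit:", config_source(report))
```

On a live box, feed it the real output with `slapd -d 1 2>&1 | head -200` (stop the service first, since the debug run binds the same port) instead of the constructed sample.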
 
#9  bathory  07-28-2010, 01:45 PM
Quote:
config_build_entry: "olcDatabase={1}bdb"
Find the file olcDatabase={1}bdb.ldif, make a backup of it and then change the olcRootPW to the value of the rootpw in slapd.conf:
Code:
olcRootPW: {SSHA}zA9zaAzdQxLdGaZKlAqkeD9wcKeM31Tr
Just make sure you have only one colon ":" after the keyword olcRootPW. I had a problem with this, because I had converted from slapd.conf and there were two colons "::" (I guess the SSHA password was converted to base64), and slapd could not start.
Restart slapd and you'll be OK.

PS: You can do the same for olcDatabase={0}config.ldif. This is for the admin of the cn=config DIT and you'll need it if you want to make changes in the configuration.
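A worked example of the edit bathory describes, added here and not part of his post: in LDIF a single colon introduces a literal value and a double colon introduces a base64-encoded one, which is why a `{SSHA}...` string pasted after `::` stops slapd from starting (it is not valid base64). slapd writes olcRootPW base64-encoded, which is where the `::` he saw came from. The sample below is constructed to look like olcDatabase={1}bdb.ldif, including a folded base64 line; the functions unfold it, decode the current value, and rewrite the attribute as exactly one correctly encoded line. Stop slapd and keep a backup before writing the result back, and preserve the file's owner and mode, since it holds the directory's admin credential.

```python
import base64
import binascii
from typing import List, Tuple


def unfold_ldif(text: str) -> List[str]:
    """Join LDIF continuation lines (one leading space) back onto their attribute line."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def ldif_attr_line(attr: str, value: str) -> str:
    """Emit "attr: value", or "attr:: base64" when RFC 2849 requires it
    (value starts with space, ':' or '<', ends with a space, or is not plain ASCII)."""
    needs_b64 = (value[:1] in (" ", ":", "<") or value.endswith(" ")
                 or any(ord(c) > 127 or c in "\r\n\0" for c in value))
    if needs_b64:
        return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"
    return f"{attr}: {value}"


def parse_ldif_attr_line(line: str) -> Tuple[str, str]:
    """Split one unfolded LDIF line into (attribute, decoded value).
    "attr:" is a literal value; "attr::" must be followed by valid base64."""
    attr, sep, rest = line.partition(":")
    if not sep:
        raise ValueError(f"not an attribute line: {line!r}")
    if rest.startswith(":"):
        try:
            return attr, base64.b64decode(rest[1:].strip(), validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError) as exc:
            # This is the "two colons" failure: slapd refuses to start on such a line.
            raise ValueError(f"{attr}:: is marked base64 but the value is not: {exc}") from None
    if rest.startswith("<"):
        raise ValueError("URL-valued attributes are not handled here")
    return attr, rest.strip()


def root_pw_from_ldif(ldif_text: str) -> str:
    """Return the decoded olcRootPW value, whatever encoding the file used."""
    for line in unfold_ldif(ldif_text):
        if line.lower().startswith("olcrootpw:"):
            return parse_ldif_attr_line(line)[1]
    raise ValueError("no olcRootPW in this LDIF")


def set_olc_root_pw(ldif_text: str, new_hash: str) -> str:
    """Rewrite the LDIF with exactly one, correctly encoded olcRootPW line.
    If the file had none, the attribute is inserted after olcRootDN."""
    out: List[str] = []
    replaced = False
    for line in unfold_ldif(ldif_text):
        if line.lower().startswith("olcrootpw:"):
            if not replaced:                      # drop any duplicate olcRootPW lines
                out.append(ldif_attr_line("olcRootPW", new_hash))
                replaced = True
            continue
        out.append(line)
    if not replaced:
        for i, line in enumerate(out):
            if line.lower().startswith("olcrootdn:"):
                out.insert(i + 1, ldif_attr_line("olcRootPW", new_hash))
                replaced = True
                break
    if not replaced:
        raise ValueError("no olcRootDN in this LDIF; is this the right database file?")
    return "\n".join(out) + "\n"


# Constructed sample modelled on olcDatabase={1}bdb.ldif: olcRootPW base64-encoded
# and folded onto a continuation line, as slapd writes long values.
OLD_HASH = "{SSHA}zA9zaAzdQxLdGaZKlAqkeD9wcKeM31Tr"   # the value posted from slapd.conf
_old_b64 = base64.b64encode(OLD_HASH.encode("ascii")).decode("ascii")
SAMPLE_LDIF = (
    "dn: olcDatabase={1}bdb\n"
    + "objectClass: olcDatabaseConfig\n"
    + "objectClass: olcBdbConfig\n"
    + "olcDatabase: {1}bdb\n"
    + "olcSuffix: dc=TBC,dc=TBC\n"
    + "olcRootDN: cn=Manager,dc=TBC,dc=TBC\n"
    + "olcRootPW:: " + _old_b64[:30] + "\n"
    + " " + _old_b64[30:] + "\n"
    + "olcDbDirectory: /var/lib/ldap\n"
)

if __name__ == "__main__":
    print("current rootpw:", root_pw_from_ldif(SAMPLE_LDIF))
    print(set_olc_root_pw(SAMPLE_LDIF, "{SSHA}" + "A" * 32))
```

The same functions apply to olcDatabase={0}config.ldif, where the olcRootPW protects the cn=config DIT itself, as the PS above notes.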
 
#10  BFCsaus  07-30-2010, 11:52 AM
Hi Bathory,

Unable to find any file named 'olcDatabase={1}bdb.ldif'. The only ldif files are in /root/12082008/openldap/samples which contain some files which I presume were initially added to complement the LDAP user database.

Would it be easier to remove the user and re-add them, which I have sometimes done on NIS+ when the credentials have been invalid?

Thanks again...
 
#11  bathory  07-30-2010, 05:14 PM
You can stop slapd, rename the directory slapd.d (it should be in /etc/openldap/slapd.d or /etc/ldap/slapd.d) to something else and restart slapd. This way it will use slapd.conf with the already known rootpw.
Then, if you like, you can convert slapd.conf to slapd.d again.
 
#12  jedblack  05-05-2012, 11:45 AM
Quote:
Originally Posted by bathory
You can stop slapd, rename the directory slapd.d (it should be in /etc/openldap/slapd.d or /etc/ldap/slapd.d) to something else and restart slapd. This way it will use slapd.conf with the already known rootpw.
Then, if you like, you can convert slapd.conf to slapd.d again.
Thanks so much!!! I had already spent a few hours trying to figure out why my newly salted password was not working. I have been working to take our non-redundant single LDAP server and get the LDIF data into load-balanced backend server(s) running CentOS 6.2.

FYI: it seems the latest version of EPEL openldap 2.4.x does not include the slapd.conf file (even though it's listed in the RPM manifest).

Also, before you import anything from a slapcat LDIF backup, remove or rename that damn /etc/openldap/slapd.d; then it should read the slapd.conf file correctly, BUT ALSO allow you to slapadd the backup LDIF properly....


Thanks again!
 
#13  itz4vj  05-21-2012, 06:19 PM
I have the exact same problem... my setup doesn't have the directory /etc/openldap/slapd.d.

I updated rootpw in /etc/openldap/slapd.conf, but I still can't get in..
 
#14  bathory  05-22-2012, 01:17 AM
Quote:
Originally Posted by itz4vj
I have the exact same problem... my setup doesn't have the directory /etc/openldap/slapd.d.

I updated rootpw in /etc/openldap/slapd.conf, but I still can't get in..
Please start your own thread, giving more details (like slapd.conf, the error you get, etc.).
 
#15  itz4vj  05-25-2012, 10:28 AM
Hi Bathory,

I started a new thread and no one is helping me. Could you please help me with this issue? I can post the slapd.conf and the error here.
 
  

