Hi,

Im having a few problems changing a user password on LDAP, should be easy enough but nothing ever is...

Ive googled and also found similar threads on linuxquestions but am unable to resolve the issue. Basically when I do the following (please note ive masked a couple of fields):

# ldappasswd -x -W -D "cn=Manager,dc=TBC,dc=TBC" "uid=TBC,ou=people,dc=TBC,dc=TBC"
Enter LDAP Password: 'I now add the password from slapd.conf'
ldap_bind: Invalid credentials (49)

I then used slappasswd and copied the output to slapd.conf and retried with the new password but unfortunately had the same error message.

One thing I didn't do was restart ldap which I may have to do.. if so are there any gotta's with users logged on..??.. (im not an ldap expert as you can tell but interesting learning never the less)

Heres a except from sldapd.conf with masked entries again.

#######################################################################
# ldbm and/or bdb database definitions
#######################################################################

database bdb
suffix "dc=TBC,dc=TBC"
rootdn "cn=Manager,dc=TBC,dc=TBC"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# rootpw secret
# rootpw {crypt}ijFYNcSNctBYg
rootpw {SSHA}zA9zaAzdQxLdGaZKlAqkeD9wcKeM31Tr

[root@servname openldap]# slapd -VV
@(#) $OpenLDAP: slapd 2.3.27 (Jul 9 2008 13:10:56) $
mockbuild@builder16.centos.org:/builddir/build/BUILD/openldap-2.3.27/openldap-2.3.27/build-servers/servers/slapd

Any input would be gratefully received...

Since you've changed the admin password, you should restart slapd to read the new one

Regards

1 members found this post helpful.

Restarted LDAP and tried the command again:

# ldappasswd -x -W -D "cn=Manager,dc=TBC,dc=TBC" "uid=TBC,ou=people,dc=TBC,dc=TBC"
Enter LDAP Password: <I enter the new rootpw from sldpa.conf>
ldap_bind: Invalid credentials (49)

Will carry on investigating but if anyone has any ideas please...

Hi,

Are you sure that your openldap server uses slapd.conf and not the new cn=config configuration? To verify, start slapd from command line using:
and watch for lines containing "cn=config"

In this case the rootpw is defined as olcRootPW and you need to run ldapmodify to change it. But, you need to know the old admin password to run ldapmodify, so just test if you use cn=config and we'll see what we can do

Regards

1 members found this post helpful.

Thanks again Bathory,

The version of LDAP is 2.3 and from what I read cn=config is only valid at V2.4 (correct me if im wrong please). Ive looked in slapd.conf and can see the line 'database bdb' so presume the server uses slapd.conf, although I will try your method of 'slapd -d 1' and see what happens.

On another note, ive downloaded and installed jxexplorer, I can see all the LDAP users but when I try to change the user password I receive a message:

Unable to perform Modify Operation.

Which I presume is due to the issue with the Administrator password.

And I thought NIS+ was long winded!!!

Sorry, just read the cn=config feature was introduced in Version 2.3...

So, have you find out what kind of configuration your ldap server is using?

Hi Bathory,

Here's a sample from starting LDAP from command line (slapd -d 1)

Thanks again for the assistance

[root@craws11505 samples]# slapd -d 1
@(#) $OpenLDAP: slapd 2.3.27 (Jul 9 2008 13:10:56) $
mockbuild@builder16.centos.org:/builddir/build/BUILD/openldap-2.3.27/openldap-2.3.27/build-servers/servers/slapd
daemon_init: listen on ldap:///
daemon_init: 1 listeners to open...
ldap_url_parse_ext(ldap:///)
daemon: listener initialized ldap:///
daemon_init: 2 listeners opened
slapd init: initiated server.
slap_sasl_init: initialized!
bdb_back_initialize: initialize BDB backend
bdb_back_initialize: Sleepycat Software: Berkeley DB 4.4.20: (January 10, 2006)
hdb_back_initialize: initialize HDB backend
hdb_back_initialize: Sleepycat Software: Berkeley DB 4.4.20: (January 10, 2006)
bdb_db_init: Initializing BDB database
>>> dnPrettyNormal: <dc=TBC,dc=TBC>
<<< dnPrettyNormal: <dc=TBC,dc=TBC>, <dc=TBC,dc=TBC>
>>> dnPrettyNormal: <cn=Manager,dc=TBC,dc=TBC>
<<< dnPrettyNormal: <cn=Manager,dc=TBC,dc=TBC>, <cn=manager,dc=TBC,dc=TBC>
>>> dnNormalize: <cn=Subschema>
<<< dnNormalize: <cn=subschema>
matching_rule_use_init
1.2.840.113556.1.4.804 (integerBitOrMatch):

etc etc
etc etc

slapd startup: initiated.
backend_startup_one: starting "cn=config"
config_back_db_open
config_build_entry: "cn=config"
config_build_entry: "cn=include{0}"
config_build_entry: "cn=include{1}"
config_build_entry: "cn=include{2}"
config_build_entry: "cn=include{3}"
config_build_entry: "cn=include{4}"
config_build_entry: "cn=schema"
config_build_entry: "cn={0}core"
config_build_entry: "cn={1}cosine"
config_build_entry: "cn={2}inetorgperson"
config_build_entry: "cn={3}nis"
config_build_entry: "cn={4}autofs"
config_build_entry: "olcDatabase={-1}frontend"
config_build_entry: "olcDatabase={0}config"
config_build_entry: "olcDatabase={1}bdb"
backend_startup_one: starting "dc=TBC,dc=TBC"
bdb_db_open: dbenv_open(/var/lib/ldap)
slapd starting
daemon: shutdown requested and initiated.
slapd shutdown: waiting for 0 threads to terminate
slapd shutdown: initiated
====> bdb_cache_release_all
slapd destroy: freeing system resources.
slapd stopped.

Find the file olcDatabase={1}bdb.ldif, make a backup of it and then change the olcRootPW to the value of the rootpw in slapd.conf
Just make sure you have just one colon ":" after the keyword olcRootPW. In had a problem with this, because I had convert from slapd.conf and there were 2 "::" (I guess the SSHA password was converted in base64) and slapd could not start.
Restart slapd and you'll be ok.

PS: You can do the same for olcDatabase={0}config.ldif. This is for the admin of the cn=config DIT and you'll need it if you want to make changes in the configuration.

1 members found this post helpful.

Hi Bathory,

Unable to find any file named 'olcDatabase={1}bdb.ldif'. The only ldif files are in /root/12082008/openldap/samples which contain some files which I presume were initially added to complement the LDAP user database.

Would it be easier to remove the user and re-add which I have sometimes done on NIS+ when the credentials have been invalid..??..



Thanks again...

You can stop slapd, rename the directory slapd.d (it should be in /etc/openldap/slapd.d or /etc/ldap/slapd.d) to something else and restart slapd. This way it will use slapd.conf with the already known rootpw.
Then if you like you can convert again slapd.conf to slapd.d

1 members found this post helpful.

Thanks so much!!! -- was spending a few hours already trying to figure out why my newly salted passed was not working. I have been working to take our non-redundant single ldap server and get the ldif data into a load-balanced backed server(s) running Centos6.2

FYI: It seems the latest version of EPEL opensky2.4.x does not include the slapd.conf file (even thought its listed in the RPM manifest)

Also, before you import anything from a slapcat ldif backup, remove or rename that damn /etc/openldap/slapd.d -- then it should read the slapd.conf file correct, BUT ALSO allow you to slapadd the backup ldif properly....


Thanks again!

I have the same exact problem...my setup doesn't have the directory - /etc/openldap/slapd.d


I update rootpw in the /etc/openldap/slapd.conf , but still I can't get in..

Please start your own thread giving more details (like slapd.conf, the error you get, etc)

Hi Bathory,

I started a new thread and no one is helping me.. could you please help me on this issues? I can post the slapd.conf and the error here.