01-26-2011, 12:07 PM | #1
Member | Registered: Sep 2003 | Location: Laurel MD | Posts: 296
Ubuntu - ldap admin password recover, how?
Hello,
I'm new to LDAP (used NIS in the past) and have inherited a set of Ubuntu boxes that authenticate to an LDAP server. The old SA left and gave me the wrong password; at least, it doesn't seem to work. How do I reset the LDAP admin password without knowing it?
My research says to run slappasswd and put that into /etc/ldap/ldap.conf. First, my ldap.conf file contains only the following.
Quote:
BASE dc=devnet,dc=ais,dc=com
URI ldaps://ldap.devnet.ais.com
TLS_REQCERT allow
TLS_CACERT /etc/ldap/ssl/cacert.crt
There is a file at /etc/ldap/slapd.d/cn=config/olcDatabase={0}config.ldif that has the following, and I've tried without success to put the output of slappasswd into the olcRootPW line and then restart slapd.
Quote:
dn: olcDatabase={0}config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcRootDN: cn=admin,cn=config
olcRootPW:: aoUmWECRh5GYmZhd3cmBTy9D09OivZjK
structuralObjectClass: olcDatabaseConfig
entryUUID: 601bc724-b1b8-102e-8e0a-6da0eb75deeb
creatorsName: cn=config
createTimestamp: 20100219153704Z
entryCSN: 20100219153704.822212Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20100219153704Z
Thank you, any help will be greatly appreciated.
01-26-2011, 12:50 PM | #2
LQ Guru | Registered: Jun 2004 | Location: Piraeus | Distribution: Slackware | Posts: 13,209
Hi,
Replace
Quote:
olcRootPW:: aoUmWECRh5GYmZhd3cmBTy9D09OivZjK
|
with
Code:
olcRootPW:{SSHA}blahblahblah
Where {SSHA}blahblahblah is the slappasswd output. Note that you need one colon ":" instead of the two in the original file between olcRootPW and the hashed password. Also make sure not to leave a blank space.
And don't forget to make backups of the files you edit.
Regards
Last edited by bathory; 01-26-2011 at 12:52 PM.
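Added example (not code from the thread or from OpenLDAP itself), to show what the replacement line above actually carries. In LDIF (RFC 2849) a double colon means the value is base64 encoded, which is how slapd writes olcRootPW into slapd.d; a single colon means the literal value follows. Both forms can hold the same {SSHA} string. The Python below builds an {SSHA} value the way slappasswd -h {SSHA} does (SHA-1 over password plus a random salt, then salt appended, base64 encoded), decodes both LDIF forms, builds the single-colon replacement line while refusing stray whitespace, and checks a candidate password against a stored hash, which is the comparison slapd makes on a simple bind (ldapsearch -x; without -x the tools attempt a SASL bind, a different mechanism). The password, salt and attribute lines are constructed for the demonstration.

```python
import base64
import hashlib
import os
from typing import Optional, Tuple

# Constructed sample password and salt for the demonstration (not from the thread).
# slappasswd picks a random salt, so its output differs on every run.
SAMPLE_PASSWORD = "correct horse battery"
SAMPLE_SALT = b"\x01\x02\x03\x04"


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Build the kind of value 'slappasswd -h {SSHA}' prints:
    '{SSHA}' + base64(sha1(password || salt) || salt)."""
    if salt is None:
        salt = os.urandom(4)  # short random salt, like slappasswd
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Check a candidate password against a stored {SSHA} value; this is the
    comparison slapd makes when olcRootPW holds {SSHA} and a simple bind is made."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("only {SSHA} values are handled here")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes, the rest is salt
    return hashlib.sha1(password.encode("utf-8") + salt).digest() == digest


def ldif_b64_line(name: str, value: str) -> str:
    """Write an attribute the way slapd writes olcRootPW in slapd.d: 'name:: base64'."""
    return f"{name}:: " + base64.b64encode(value.encode("utf-8")).decode("ascii")


def ldif_value(line: str) -> Tuple[str, str]:
    """Split one LDIF attribute line into (name, value).
    'name: value' -> literal; 'name:: b64' -> base64 encoded (RFC 2849).
    Trailing whitespace in a literal value is kept on purpose: slapd would treat
    it as part of the password, which is the blank-space trap from the thread."""
    name, sep, rest = line.partition(":")
    if not sep or not name:
        raise ValueError(f"not an LDIF attribute line: {line!r}")
    if rest.startswith(":"):
        return name, base64.b64decode(rest[1:].strip()).decode("utf-8")
    if rest.startswith("<"):
        raise ValueError("URL-valued attribute lines are not handled here")
    return name, rest.lstrip(" ")


def root_pw_line(hashed: str) -> str:
    """The replacement line for slapd.d: one colon, one space, no trailing blank."""
    if hashed != hashed.strip() or not hashed.startswith("{"):
        raise ValueError("expected a clean hashed value such as {SSHA}...")
    return f"olcRootPW: {hashed}"


if __name__ == "__main__":
    h = ssha_hash(SAMPLE_PASSWORD, SAMPLE_SALT)
    print(root_pw_line(h))                    # line to paste into the .ldif
    print(ldif_b64_line("olcRootPW", h))      # how slapd itself would write it
    print("decoded matches:", ldif_value(ldif_b64_line("olcRootPW", h))[1] == h)
    print("right password:", ssha_verify(SAMPLE_PASSWORD, h))
    print("wrong password:", ssha_verify("guess", h))
```

Because the salt is random, slappasswd will print a different {SSHA} string for the same password on every run; every one of them verifies, so there is no point comparing hashes, only passwords against hashes. If you want to know whether the password you were handed is the one in the file, decode the olcRootPW:: value with ldif_value and run ssha_verify on it before editing anything.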
01-26-2011, 02:47 PM | #3
Member (Original Poster) | Registered: Sep 2003 | Location: Laurel MD | Posts: 296
Tried that, still doesn't work. The error it's giving me is
Quote:
ldap_sasl_interactive_bind_s: Invalid credentials (49)
Could the real problem be that the password the old admin gave me is correct, and I just don't have certs set up for me?
01-26-2011, 02:57 PM | #4
Member (Original Poster) | Registered: Sep 2003 | Location: Laurel MD | Posts: 296
Also note, when it asks for a password, this is the prompt:
Quote:
SASL/DIGEST-MD5 authentication started
Please enter your password:
01-26-2011, 04:44 PM | #5
LQ Guru | Registered: Jun 2004 | Location: Piraeus | Distribution: Slackware | Posts: 13,209
What exactly is the way you do your tests?
Try:
Code:
ldapsearch -x -b 'cn=config' -D 'cn=admin,cn=config' -W -H ldaps://ldap.devnet.ais.com
01-27-2011, 09:23 AM | #6
Member (Original Poster) | Registered: Sep 2003 | Location: Laurel MD | Posts: 296
I tried your suggestion and got the following error:
Quote:
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
If I try the following:
Quote:
ldapsearch -x -b 'cn=config' -D 'cn=admin,cn=config' -W
I get:
Quote:
ldap_bind: Invalid credentials (49)
I was simply trying to change an LDAP password using the passwd command, or the following:
Quote:
tom.gossard@guide:~$ ldapsearch cn=admin
SASL/DIGEST-MD5 authentication started
Please enter your password:
ldap_sasl_interactive_bind_s: Invalid credentials (49)
tom.gossard@guide:~$
I have tried my password, which I know, and the LDAP admin password.
01-27-2011, 12:18 PM | #7
LQ Guru | Registered: Jun 2004 | Location: Piraeus | Distribution: Slackware | Posts: 13,209
Quote:
I tried your suggestion and got the following error
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
I've used the LDAP URI from your 1st post. Better rename ldap.conf, so the various ldap utils do not use it.
Regarding the "invalid credentials" error, I cannot tell what's wrong with your configuration.
Try to do the same for olcRootPW in olcDatabase\=\{1\}bdb.ldif (don't forget backups and restart slapd) and see if you can do a simple search, like:
Code:
ldapsearch -x -b 'dc=devnet,dc=ais,dc=com' -D 'cn=admin,dc=devnet,dc=ais,dc=com' -W
Make sure that the search base (dc=devnet,dc=ais,dc=com) and the admin DN (cn=admin,dc=devnet,dc=ais,dc=com) are the correct ones for your setup.
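Added example (not code from the thread or from OpenLDAP), for the hand edit suggested above on olcDatabase={1}bdb.ldif and, equally, on olcDatabase={0}config.ldif. Two things bite when you do this with sed or an editor: slapd writes the old olcRootPW as base64 with two colons, and when the value is long it folds it onto a continuation line starting with a single space, so replacing only the first line leaves a stray fragment behind. The script below unfolds the entry, replaces the olcRootPW line with the single-colon form regardless of which form was there, refuses cleartext or whitespace-padded values, adds the attribute after olcRootDN if the database had none, and copies the original into a backup directory before writing. The sample LDIF is constructed, and the {SSHA} hash you pass is assumed to come from slappasswd. Run it with slapd stopped, then start slapd and test with the ldapsearch -x command above.

```python
import shutil
import sys
from pathlib import Path
from typing import List

# Constructed sample in the shape of /etc/ldap/slapd.d/cn=config/olcDatabase={1}bdb.ldif
# (not copied from the thread). The old olcRootPW is base64 ('::') and folded onto a
# continuation line, which is how slapd writes long values.
SAMPLE_LDIF = """\
dn: olcDatabase={1}bdb
objectClass: olcDatabaseConfig
objectClass: olcBdbConfig
olcDatabase: {1}bdb
olcSuffix: dc=devnet,dc=ais,dc=com
olcRootDN: cn=admin,dc=devnet,dc=ais,dc=com
olcRootPW:: e1NTSEF9b2xkb2xkb2xkb2xkb2xkb2xkb2xkb2xkb2xkb2xkb2xkb2xkb2xk
 b2xkb2xk
structuralObjectClass: olcBdbConfig
"""


def unfold(lines: List[str]) -> List[str]:
    """Join LDIF continuation lines: a leading space continues the previous line."""
    out: List[str] = []
    for line in lines:
        if line.startswith(" ") and out:
            out[-1] += line[1:]
        else:
            out.append(line)
    return out


def attr_name(line: str) -> str:
    """Attribute name of an LDIF line ('olcRootPW:: abc' -> 'olcRootPW')."""
    return line.split(":", 1)[0]


def set_root_pw(ldif_text: str, new_hash: str) -> str:
    """Return ldif_text with olcRootPW replaced by 'olcRootPW: <new_hash>'.

    Works on both the 'olcRootPW: ...' and the 'olcRootPW:: base64' form, drops
    any continuation line that belonged to the old value, and adds the attribute
    right after olcRootDN if the database entry had none.
    """
    if not new_hash.startswith("{") or "}" not in new_hash:
        raise ValueError("expected a hashed value such as {SSHA}..., not cleartext")
    if new_hash != new_hash.strip():
        raise ValueError("hash has leading or trailing whitespace")
    lines = unfold(ldif_text.splitlines())
    new_line = f"olcRootPW: {new_hash}"
    hits = [i for i, l in enumerate(lines) if attr_name(l) == "olcRootPW"]
    if len(hits) > 1:
        raise ValueError("more than one olcRootPW line; inspect the file by hand")
    if hits:
        lines[hits[0]] = new_line
    else:
        dn = [i for i, l in enumerate(lines) if attr_name(l) == "olcRootDN"]
        if not dn:
            raise ValueError("no olcRootDN in this entry; there is no root DN to give a password")
        lines.insert(dn[0] + 1, new_line)
    return "\n".join(lines) + "\n"


def rewrite_file(path: Path, new_hash: str, backup_dir: Path) -> Path:
    """Copy path into backup_dir (keep backups out of slapd.d), then rewrite it in place.
    Run with slapd stopped so the edit is read on the next start."""
    backup = backup_dir / (path.name + ".bak")
    shutil.copy2(path, backup)
    path.write_text(set_root_pw(path.read_text(), new_hash))
    return backup


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: set_root_pw.py '/etc/ldap/slapd.d/cn=config/olcDatabase={1}bdb.ldif' '{SSHA}...'")
    print("backup:", rewrite_file(Path(sys.argv[1]), sys.argv[2], Path.cwd()))
```

Quote both arguments in the shell: the slapd.d file names contain braces and an equals sign, and the hash contains braces too. The entryCSN and modifyTimestamp attributes in the file are left as they were, which slapd tolerates for a local edit.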
01-27-2011, 02:28 PM | #8
Member (Original Poster) | Registered: Sep 2003 | Location: Laurel MD | Posts: 296
Good news, YEA. I can modify the LDAP entries now. Someone else who works here guessed the password. I never did get the stupid thing changed, but at least we now know the real password. The worst part: it's a password that any experienced hacker would have guessed. It's a good thing I don't hack for a living; I'd starve.