LinuxQuestions.org
Visit Jeremy's Blog.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Server
User Name
Password
Linux - Server This forum is for the discussion of Linux Software used in a server related context.

Notices


Reply
  Search this Thread
Old 01-26-2011, 12:07 PM   #1
thllgo
Member
 
Registered: Sep 2003
Location: Laurel MD
Posts: 296

Rep: Reputation: 32
Ubuntu - ldap admin password recover, how?


Hello
I'm new to ldap (used NIS in the past) and have inherited a set of Ubuntu boxes that authenticate to an ldap server. The old SA left and gave me the wrong password, at least it doesn't seem to work. How do I reset the ldap admin password without knowing it.

My research says to run slappasswd and put that into the /etc/ldap/ldap.conf. First my ldap.conf file only contains the following.

Quote:
BASE dc=devnet,dc=ais,dc=com
URI ldaps://ldap.devnet.ais.com
TLS_REQCERT allow
TLS_CACERT /etc/ldap/ssl/cacert.crt
There is a file at /etc/ldap/slapd.d/cn=config/olcDatabase={0}config.ldif that has the following and I've tried without success to put the output of slappasswd into the line oldRootPW the restart slapd

Quote:
dn: olcDatabase={0}config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcRootDN: cn=admin,cn=config
olcRootPW:: aoUmWECRh5GYmZhd3cmBTy9D09OivZjK
structuralObjectClass: olcDatabaseConfig
entryUUID: 601bc724-b1b8-102e-8e0a-6da0eb75deeb
creatorsName: cn=config
createTimestamp: 20100219153704Z
entryCSN: 20100219153704.822212Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20100219153704Z
Thank you any help will be greatly appreciated.
 
Old 01-26-2011, 12:50 PM   #2
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 13,209
Blog Entries: 1

Rep: Reputation: 2064Reputation: 2064Reputation: 2064Reputation: 2064Reputation: 2064Reputation: 2064Reputation: 2064Reputation: 2064Reputation: 2064Reputation: 2064Reputation: 2064
Hi,

Replace
Quote:
olcRootPW:: aoUmWECRh5GYmZhd3cmBTy9D09OivZjK
with
Code:
olcRootPW:{SSHA}blahblahblah
Where {SSHA}blahblahblah is the slappasswd output. Note that you need one colon ":" instead of the 2 in the original file between olcRootPW and the hashed password. Also make sure to not leave a blank space.
And don't forget to make backups of the files you edit

Regards

Last edited by bathory; 01-26-2011 at 12:52 PM.
 
Old 01-26-2011, 02:47 PM   #3
thllgo
Member
 
Registered: Sep 2003
Location: Laurel MD
Posts: 296

Original Poster
Rep: Reputation: 32
Tried that, still doesn't work. The error its giving me is
Quote:
ldap_sasl_interactive_bind_s: Invalid credentials (49)
Could the real problem be the password the old admin gave me is correct, I just don't have certs setup for me?
 
Old 01-26-2011, 02:57 PM   #4
thllgo
Member
 
Registered: Sep 2003
Location: Laurel MD
Posts: 296

Original Poster
Rep: Reputation: 32
also note when it asks for a password this is the prompt
Quote:
SASL/DIGEST-MD5 authentication started
Please enter your password:
 
Old 01-26-2011, 04:44 PM   #5
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 13,209
Blog Entries: 1

Rep: Reputation: 2064Reputation: 2064Reputation: 2064Reputation: 2064Reputation: 2064Reputation: 2064Reputation: 2064Reputation: 2064Reputation: 2064Reputation: 2064Reputation: 2064
What exactly is the way you do your tests?
Try:
Code:
ldapsearch -x -b 'cn=config' -D 'cn=admin,cn=config' -W -H ldaps://ldap.devnet.ais.com
 
Old 01-27-2011, 09:23 AM   #6
thllgo
Member
 
Registered: Sep 2003
Location: Laurel MD
Posts: 296

Original Poster
Rep: Reputation: 32
I tried your suggestion and got the following error
Quote:
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
If I try the following
Quote:
ldapsearch -x -b 'cn=config' -D 'cn=admin,cn=config' -W
I get
Quote:
ldap_bind: Invalid credentials (49)
I was trying simply to change an ldap passwd using the passwd command
or the following
Quote:
ldapsearch cn=admin
such as
Quote:
tom.gossard@guide:~$ ldapsearch cn=admin
SASL/DIGEST-MD5 authentication started
Please enter your password:
ldap_sasl_interactive_bind_s: Invalid credentials (49)
tom.gossard@guide:~$
I have tried my password, which I know and the ldap admin password.
 
Old 01-27-2011, 12:18 PM   #7
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 13,209
Blog Entries: 1

Rep: Reputation: 2064Reputation: 2064Reputation: 2064Reputation: 2064Reputation: 2064Reputation: 2064Reputation: 2064Reputation: 2064Reputation: 2064Reputation: 2064Reputation: 2064
Quote:
I tried your suggestion and got the following error
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
I've used the ldapuri from you 1st post. Better rename ldap.conf, so the various ldap utils do not use it

Regarding the "invalid credentials" error, I cannot tell what's wrong with your configuration.
Try to do the same for olcRootPW in olcDatabase\=\{1\}bdb.ldif (don't forget backups and restart slapd) and see if you can do a simple search, like:
Code:
ldapsearch -x -b 'dc=devnet,dc=ais,dc=com'-D 'cn=admin,dc=devnet,dc=ais,dc=com' -W
Make sure that seach-base (dc=devnet,dc=ais,dc=com) and the admin dn (cn=admin,dc=devnet,dc=ais,dc=com) are the correct one for your setup.
 
Old 01-27-2011, 02:28 PM   #8
thllgo
Member
 
Registered: Sep 2003
Location: Laurel MD
Posts: 296

Original Poster
Rep: Reputation: 32
Talking

Good news YEA. I can modify the ldap entries now. Someone else who works here guessed the password. I never did get the stupid thing changed, but at least we now know the real password. The worst part, its a password that any experienced hacker would have guessed. Its good thing I don't hack for a living, I'd starve
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
ldap client ubuntu 8.04 password unchanged problem. fahadaziz Linux - Server 9 04-20-2010 12:59 PM
how to recover root password in ubuntu 9.10 linux.ab Linux - Newbie 4 04-17-2010 06:00 AM
Ubuntu 8.04 / LDAP / NSS / PAM - not sharing shadow password hence not authenticating fuzzyworm Linux - Server 5 01-01-2009 03:29 PM
lost ldap admin password irvken Linux - Software 1 12-20-2007 02:03 AM
WARN: Ubuntu Admin Password Leak furfurdemon666 Linux - Security 6 03-13-2006 05:45 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Server

All times are GMT -5. The time now is 11:27 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration