Dec 192011

Took me BIG time, some hack and research on the internet to find the information contained in this post.

Don’t want to redo it again therefore I “took note” in my universally accessible internet notepad 😉

The problem is the following: when I installed OpenLDAP, I have set a password for my OpenLDAP administrator that I would like to change. Admin account is normally NOT stored in the main LDAP bridge where other accounts are stored, and it is particularly difficult to find good documentation about how to do it.

If you find yourself in the same situation, here a working procedure you can follow (which at least worked on my OpenLDAP running on Ubuntu 10.10).

Although you can type in the password straight in a certain file in cleartext if you have root access to the machine, the more “elegant” way is to use the proper ldapmodify command.

First, we need to find a way to locate the credentials information of the administrator account in the correct database within the LDAP tree.

This can be done using the command:

ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b  cn=config olcRootDN=cn=admin,dc=example,dc=com dn olcRootDN olcRootPW

(replace olcRootDN value highlighted in blue with the correct value to match your configuration)

This command will return:

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
dn: olcDatabase={1}hdb,cn=config
olcRootDN: cn=admin,dc=example,dc=com
olcRootPW: {SHA}ksixAVfgRXavGCpkPefc6hRHL4X=

There are two interesting information we know now:

  1. we need to modify the entry “dn: olcDatabase={1}hdb,cn=config
  2. the current password is hashed with SHA1 algorythm.
    Therefore we need to generate our new password with the same algorythm using the command slappasswd using the syntax
slappasswd -h <the hashing scheme we want to use - for example {SHA}>

The system will then prompt us twice for the new password to use and will finally display the hashed value we’re interested in (example below with password = password)

root@testbox:~# slappasswd -h {SHA} New password:
Re-enter new password:

Then we’ll proceed to modify the entry we’ve identified above using the command:

root@testbox:~# ldapmodify -Y EXTERNAL -H ldapi:///

The system will start the listening mode for modifying commands:

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth

First, we enter the entry we want to modify:

dn: olcDatabase={1}hdb,cn=config

Second, we type in the parameter we want to modify:

replace: olcRootPW

Third, we type in the new password generated above (copy and paste is MUCH less error prone than manual typing at this point 😉 )

olcRootPW: {SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=

Hit Enter another time to commit the modification and the following line will appear:

modifying entry "olcDatabase={1}hdb,cn=config"

After this, you can exit the listening mode with CTRL+C and restart the LDAP database service using

service slapd stop
service slapd start

and login now with the new password set.