Dec 19 2011

Took me BIG time, some hack and research on the internet to find the information contained in this post.

Don’t want to redo it again therefore I “took note” in my universally accessible internet notepad 😉

The problem is the following: when I installed OpenLDAP, I set a password for my OpenLDAP administrator that I would now like to change. The admin account is normally NOT stored in the main LDAP bridge where other accounts are stored, and it is particularly difficult to find good documentation about how to change it.

If you find yourself in the same situation, here is a working procedure you can follow (which at least worked on my OpenLDAP running on Ubuntu 10.10).

Although you can type in the password straight in a certain file in cleartext if you have root access to the machine, the more “elegant” way is to use the proper ldapmodify command.

First, we need to find a way to locate the credentials information of the administrator account in the correct database within the LDAP tree.

This can be done using the command:

ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b cn=config olcRootDN=cn=admin,dc=example,dc=com dn olcRootDN olcRootPW

(replace the olcRootDN value, cn=admin,dc=example,dc=com, with the correct value to match your configuration)

This command will return:

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
dn: olcDatabase={1}hdb,cn=config
olcRootDN: cn=admin,dc=example,dc=com
olcRootPW: {SHA}ksixAVfgRXavGCpkPefc6hRHL4X=

There are two interesting pieces of information we now know:

  1. we need to modify the entry “dn: olcDatabase={1}hdb,cn=config”
  2. the current password is hashed with the SHA1 algorithm.
    Therefore we need to generate our new password with the same algorithm, using the slappasswd command with the syntax

slappasswd -h <the hashing scheme we want to use - for example {SHA}>

The system will then prompt us twice for the new password to use and will finally display the hashed value we’re interested in (example below with password = password)

root@testbox:~# slappasswd -h {SHA}
New password:
Re-enter new password:

Then we’ll proceed to modify the entry we’ve identified above using the command:

root@testbox:~# ldapmodify -Y EXTERNAL -H ldapi:///

The system will start the listening mode for modifying commands:

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth

First, we enter the entry we want to modify:

dn: olcDatabase={1}hdb,cn=config

Second, we type in the parameter we want to modify:

replace: olcRootPW

Third, we type in the new password generated above (copy and paste is MUCH less error prone than manual typing at this point 😉 )

olcRootPW: {SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=

Hit Enter another time to commit the modification and the following line will appear:

modifying entry "olcDatabase={1}hdb,cn=config"

After this, you can exit the listening mode with CTRL+C and restart the LDAP database service using

service slapd stop
service slapd start

and log in with the new password.
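
The procedure above as a non-interactive script, added here as an example (it is not the author's code). It finds the database entry by its olcRootDN, unfolds wrapped LDIF lines, and builds the same change record; ROOT_DN, SCHEME, the function names and the embedded sample output are assumptions, and SCHEME defaults to the salted {SSHA} that slappasswd uses by default rather than the {SHA} shown in the post.

```sh
#!/bin/sh
# Added example, not from the original post. ROOT_DN and SCHEME are
# assumptions: set them to your own olcRootDN and preferred hash scheme.
ROOT_DN="${ROOT_DN:-cn=admin,dc=example,dc=com}"
[ -n "${SCHEME:-}" ] || SCHEME='{SSHA}'   # salted; the post's example uses {SHA}

# Constructed `ldapsearch -LLL` output: two databases, second dn line folded.
SAMPLE='dn: olcDatabase={0}config,cn=config
olcRootDN: cn=admin,cn=config

dn: olcDatabase={1}hdb,cn=con
 fig
olcRootDN: cn=admin,dc=example,dc=com'

# Read LDIF on stdin, unfold continuation lines (they start with one space)
# and print the dn of every entry whose olcRootDN equals $1.
find_db_dn() {
    awk -v want="$1" '
        function emit() {
            if (line ~ /^dn: /) dn = substr(line, 5)
            else if (line == ("olcRootDN: " want)) print dn
        }
        /^ / { line = line substr($0, 2); next }
             { emit(); line = $0 }
        END  { emit() }'
}

# Emit the change record the post types into ldapmodify by hand.
# $1 = database dn, $2 = hashed value; a bare cleartext value is refused.
build_rootpw_ldif() {
    case "$2" in
        '{'*'}'?*) ;;
        *) echo "refusing: value has no {SCHEME} prefix" >&2; return 1 ;;
    esac
    printf 'dn: %s\nchangetype: modify\nreplace: olcRootPW\nolcRootPW: %s\n' "$1" "$2"
}

change_rootpw() {
    db_dn=$(ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b cn=config \
        "(olcRootDN=$ROOT_DN)" dn olcRootDN 2>/dev/null | find_db_dn "$ROOT_DN")
    [ "$(printf '%s\n' "$db_dn" | grep -c .)" -eq 1 ] ||
        { echo "expected exactly one database for $ROOT_DN" >&2; return 1; }
    hash=$(slappasswd -h "$SCHEME") || return 1   # prompts twice, as in the post
    build_rootpw_ldif "$db_dn" "$hash" | ldapmodify -Y EXTERNAL -H ldapi:///
}

case "${1:-}" in
    --apply)  change_rootpw ;;
    --sample) printf '%s\n' "$SAMPLE" | find_db_dn "$ROOT_DN" ;;
esac
```

Run it as root with --apply to make the change, or with --sample to see the parser work on the constructed output.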


  29 Responses to “Change Root DN Password on OpenLDAP”

  1. It is saying “‘slappasswd’ is not recognized as an internal or external command,
    operable program or batch file. ”
    Any clue? 

  2. What platform are you using?

  3. It works on Ubuntu 12.04 LTS, but the weird thing is that the old password still remains: I can still use the old password to log in, and the new one too.

  4. Maybe you have to restart the OpenLDAP service to process the new info, although that sounds quite strange to me…

  5. Thanks man, it really works, god bless you!!!

  6. Great! It works after 5 hours!

  7. This was a Godsend! Finally someone put some useful information about working with LDAP 2.4. Thank you goodness.

  8. That works on Debian too 🙂 thanks !

  9. Absolute lifesaver.

  10. My old password and new password both are working, what could be the reason?

  11. Using the commands below solved the two passwords for admin. We need to follow the steps above and also the steps below

    ldapmodify -h host -p port -D "cn=admin" -w password
    dn: cn=admin,ou=People,dc=example,dc=com
    changetype: modify
    replace: userPassword
    userPassword: ChAnGeMe

  12. LOL! I was about to reply to your previous comment that “the reason could be… you!” 🙂
    But you’ve been cool in finding the reason, and added a bit more knowledge to this thread… hence thank you!

  13. thanks! Still helpful. It did the trick for me too

  14. Thanks a lot

  15. After restart I am getting the error information below

    No configuration directory was found for slapd at /etc/ldap/slapd.d/.
    If you have moved the slapd configuration directory please modify
    /etc/default/slapd to reflect this. If you chose to not
    configure slapd during installation then you need to do so
    prior to attempting to start slapd.

  16. Though during installation I have used this command #sudo dpkg-reconfigure slapd

    Just trying this for the last 5 hours, no luck. Can anyone help me out with this?

  17. Any specific error?

  18. Thanks for the hint, Vinoth!

  19. Thanks a lot! After 10 hours of issuing this @ Ubuntu 15.04 successfully enabled logging and disabling anonymous access… Finally can go sleep.

  20. It is just perfect. I did not see even a single error in following it. Just a life saviour. Much appreciated.

  21. This shit worked like a charm on OpenSuse. Didn't even have to restart slapd.

  22. Gr8 man. it works for me..Banging my head since last two days.

  23. This helped me out! Thanks!

  24. In Windows, you have to single-quote the encryption scheme
    slappasswd -h '{SHA}'

    otherwise it will complain about scheme not recognised.

  25. At long last, a reliable well documented process for how to reset the admin password to an openldap server. And it works. 1st time. Thanks for this, much appreciated. Solid work.

  26. Seems easier to just reinstall ldap!
