Wednesday, May 17, 2017
Change Root DN Password on OpenLDAP
First, we need to locate the credentials information of the administrator account in the correct database within the LDAP tree.
This can be done using the ldapsearch command:
ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b cn=config olcRootDN=cn=admin,dc=example,dc=com dn olcRootDN olcRootPW
(replace the olcRootDN value with the correct value to match your configuration)
This command will return something like:
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: olcDatabase={1}hdb,cn=config
olcRootDN: cn=admin,dc=example,dc=com
olcRootPW: {SHA}ks1xBVfgRXavGCpkPefc9hRHL4X=
There are two interesting pieces of information we know now:
we need to modify the entry "dn: olcDatabase={1}hdb,cn=config";
the current password is hashed with the SHA1 algorithm.
To generate our new password with the same algorithm we'll use the command slappasswd with the syntax:
slappasswd -h <the hashing scheme we want to use - for example {SHA}>
The system will then prompt you for the new password to use, twice, and will finally display the hashed value we're interested in:
root@testbox:~# slappasswd -h {SHA}
New password:
Re-enter new password:
{SHA}W6ph5Mm7Ps6GglULbPgzG37mj0g=
Then we'll proceed to modify the entry we've identified above using the command:
root@testbox:~# ldapmodify -Y EXTERNAL -H ldapi:///
The system will start the listening mode for modifying commands:
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
First, we enter the entry we want to modify:
dn: olcDatabase={1}hdb,cn=config
Second, we type in the parameter we want to modify:
replace: olcRootPW
Third, we type in the new password generated above (copy and paste is MUCH less error prone than manual typing at this point ;) )
olcRootPW: {SHA}W6ph5Mm7Ps6GglULbPgzG37mj0g=
Hit Enter another time (an empty line) to commit the modification and the following line will appear:
modifying entry "olcDatabase={1}hdb,cn=config"
After this, you can exit the listening mode with CTRL+C and restart the LDAP database service using:
service slapd stop
service slapd start
and log in now with the new password set.
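The whole procedure above, as an added example that is not part of the original post: the hash is generated, the olcRootPW attribute is replaced through ldapmodify in one non-interactive pass, and the result is checked by binding as the root DN with the new password before anyone relies on it. It assumes the OpenLDAP tools slappasswd, ldapmodify and ldapwhoami are installed, slapd is listening on ldapi:///, and the ldapsearch step reported olcDatabase={1}hdb,cn=config and cn=admin,dc=example,dc=com, as in the post; the script name change-root-pw.sh is a placeholder.

```shell
#!/bin/sh
# Added example, not from the original post: the root DN password change done
# non-interactively, followed by a bind check. Assumes slappasswd, ldapmodify
# and ldapwhoami are installed, slapd listens on ldapi:///, and ldapsearch
# reported the entry and root DN below (adjust both to match your directory).
set -eu

CONFIG_DN='olcDatabase={1}hdb,cn=config'   # entry holding olcRootPW (from ldapsearch)
ROOT_DN='cn=admin,dc=example,dc=com'       # olcRootDN value (from ldapsearch)
SCHEME='{SSHA}'                            # salted SHA1; the post uses plain {SHA}

# The LDIF ldapmodify reads: the dn / replace / olcRootPW lines typed in the
# post, plus an explicit changetype line (the default ldapmodify assumes anyway).
build_ldif() {
  printf 'dn: %s\nchangetype: modify\nreplace: olcRootPW\nolcRootPW: %s\n' "$1" "$2"
}

# Hash a cleartext password with the given scheme. -s takes the secret as an
# argument, so no interactive "New password:" prompt is needed.
hash_password() {
  slappasswd -h "$1" -s "$2"
}

# Apply the change over the local socket with SASL EXTERNAL, as the post does,
# but feeding the LDIF on stdin instead of typing it line by line.
apply_change() {
  build_ldif "$1" "$2" | ldapmodify -Y EXTERNAL -H ldapi:///
}

# Simple bind as the root DN with the new cleartext password; ldapwhoami exits
# non-zero if slapd rejects it, so a bad paste in the LDIF is caught here.
verify_bind() {
  ldapwhoami -x -H ldapi:/// -D "$1" -w "$2"
}

main() {
  printf 'New root DN password: '
  stty -echo                      # keep the password off the terminal
  read -r new_pw
  stty echo
  printf '\n'
  hashed=$(hash_password "$SCHEME" "$new_pw")
  apply_change "$CONFIG_DN" "$hashed"
  verify_bind "$ROOT_DN" "$new_pw"
  echo "root DN password changed and verified"
}

# Only run the live procedure when invoked as: sh change-root-pw.sh --run
case "${1:-}" in
  --run) main ;;
esac
```

Two design points: slappasswd -s exposes the secret in the process list for the instant the command runs, so on a shared host prefer slappasswd -T with a temporary file that only root can read; and the verify_bind step works immediately after the modify because cn=config changes are applied live, which is why the check is placed before any service restart.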