data.haus blog

minimal tech for today

Tips for OpenLDAP

2019-02-07 - psic4t

Reset cn=config admin password

If you have lost it, you can reset the password of the cn=config root DN (usually cn=admin,cn=config) like this.

The stored value is the attribute olcRootPW in /etc/ldap/slapd.d/cn=config/olcDatabase={0}config.ldif, which slapd writes base64 encoded (olcRootPW::). Decoding it does not give you the password back: unless someone stored it in cleartext, it is a hash such as {SSHA}..., so the only way forward is to replace it.

To change the password use ldapmodify as root. Save this as an LDIF file rootpw_cnconfig.ldif:

dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: foobar123

Obviously set your password to something other than foobar123. Better still, do not put a cleartext value into cn=config at all: run slappasswd, which prompts for the new password and prints it hashed (by default as {SSHA}), and use that output as the olcRootPW value in the LDIF. Then run ldapmodify:

sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f rootpw_cnconfig.ldif

This presumes that the server and the cn=config database can be reached over the ldapi socket (-H ldapi:///) and that SASL EXTERNAL authentication (-Y EXTERNAL) is enabled and working, which is the default on new OpenLDAP installations on Debian and Ubuntu. If you look at /etc/ldap/slapd.d/cn=config/olcDatabase={0}config.ldif it should contain an attribute olcAccess.
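As an added example (not code from the original post), the following Python script ties the steps above together: it reads a {0}config LDIF as slapd writes it (base64 olcRootPW, folded lines), shows that the stored value is a hash you can only test a candidate against, checks that the root peercred identity used by -Y EXTERNAL has manage rights, builds the same modify LDIF with a hashed value instead of cleartext, and wraps the ldapmodify call plus an ldapwhoami bind to confirm the reset. It assumes the Debian/Ubuntu layout, the root DN cn=admin,cn=config and the {SSHA} scheme slappasswd defaults to; the LDIF sample it runs on offline is constructed here.

```python
"""Inspect and reset the cn=config root password (olcRootPW) of an OpenLDAP server.

Added example, not code from the original post. Assumes the Debian/Ubuntu layout
(/etc/ldap/slapd.d/cn=config/olcDatabase={0}config.ldif, ldapi:/// with SASL
EXTERNAL) and the {SSHA} scheme that slappasswd uses by default.
"""
import base64
import hashlib
import hmac
import os
import subprocess

CONFIG_LDIF = "/etc/ldap/slapd.d/cn=config/olcDatabase={0}config.ldif"
# The identity the local root user gets over ldapi:/// with SASL EXTERNAL.
ROOT_PEERCRED = "gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"


def parse_ldif(text):
    """Minimal LDIF reader: drops comments, folds continuation lines, decodes 'attr::' base64."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and lines:   # a leading space continues the previous line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    attrs = {}
    for line in lines:
        name, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):            # 'attr:: <base64>' is how slapd writes olcRootPW
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        attrs.setdefault(name, []).append(value)
    return attrs


def make_ssha(password, salt=None):
    """{SSHA} as slappasswd produces it: base64(sha1(password + salt) + salt), 4-byte salt."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def verify_ssha(password, stored):
    """Test a candidate against an {SSHA} value; the hash itself cannot be reversed."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("unsupported scheme: " + stored[:stored.find("}") + 1])
    blob = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = blob[:20], blob[20:]          # SHA-1 digest is 20 bytes, the rest is salt
    return hmac.compare_digest(hashlib.sha1(password.encode() + salt).digest(), digest)


def rootpw_ldif(hashed):
    """The post's rootpw_cnconfig.ldif, but refusing a cleartext value."""
    if not hashed.startswith("{"):
        raise ValueError("pass a hashed value (slappasswd or make_ssha), not cleartext")
    return ("dn: olcDatabase={0}config,cn=config\n"
            "changetype: modify\n"
            "replace: olcRootPW\n"
            "olcRootPW: " + hashed + "\n")


def root_peercred_can_manage(olc_access):
    """True if an olcAccess rule grants 'manage' to the root peercred identity,
    which is what makes 'sudo ldapmodify -Y EXTERNAL -H ldapi:///' work."""
    return any(ROOT_PEERCRED in rule and " manage" in rule for rule in olc_access)


def inspect_config(text):
    """Return (olcRootDN, stored olcRootPW value, root-peercred-has-manage)."""
    attrs = parse_ldif(text)
    return (attrs.get("olcRootDN", [None])[0],
            attrs.get("olcRootPW", [None])[0],
            root_peercred_can_manage(attrs.get("olcAccess", [])))


def apply_rootpw(ldif_text):
    """Same as the post's ldapmodify call, reading the LDIF from stdin; run as root."""
    subprocess.run(["ldapmodify", "-Y", "EXTERNAL", "-H", "ldapi:///"],
                   input=ldif_text, text=True, check=True)


def check_bind(rootdn, password):
    """Confirm the reset took: simple bind as the config root DN with the new password.
    -w exposes the password in the process list; use -W interactively instead."""
    result = subprocess.run(["ldapwhoami", "-x", "-H", "ldapi:///", "-D", rootdn, "-w", password],
                            capture_output=True, text=True)
    return result.returncode == 0


# Constructed sample of a {0}config entry in the Debian/Ubuntu style (assumption). slapd
# stores olcRootPW base64-encoded ('::'), so the value is built here with a fixed salt.
SAMPLE_HASH = make_ssha("foobar123", salt=b"\x01\x02\x03\x04")
SAMPLE_LDIF = (
    "dn: olcDatabase={0}config\n"
    "objectClass: olcDatabaseConfig\n"
    "olcDatabase: {0}config\n"
    "olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=externa\n"
    " l,cn=auth manage by * break\n"
    "olcRootDN: cn=admin,cn=config\n"
    "olcRootPW:: " + base64.b64encode(SAMPLE_HASH.encode()).decode() + "\n"
)

if __name__ == "__main__":
    text = open(CONFIG_LDIF).read() if os.path.exists(CONFIG_LDIF) else SAMPLE_LDIF
    rootdn, stored, can_manage = inspect_config(text)
    print("rootdn:", rootdn, "| scheme:", (stored or "")[:6], "| root peercred manage:", can_manage)
    print(rootpw_ldif(make_ssha("change-me")))   # pipe this into ldapmodify via apply_rootpw()
```

Run it as root on the server and it reads the real file, otherwise it works on the constructed sample. The hashing helpers use a 4-byte salt like slappasswd does, so a value generated here is interchangeable with slappasswd output; verify_ssha() is the only honest way to "read" an existing olcRootPW, and rootpw_ldif() refuses cleartext so that the reset never leaves a plain password in slapd.d.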

Links: https://tobru.ch/openldap-password-policy-overlay/
