OpenLDAP – Fixing ‘cn=config: No Such Object (32)’ Error

openldap

I'm attempting to follow several tutorials on setting the root LDAP password (our previous sysadmin departed…abruptly), which all say more or less the same thing:

…but getting stuck at the first step. This seems bad:

# ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b  cn=config
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
No such object (32)

What I've tried so far:

I can locate the data that query is intended to retrieve by digging it out of the slapd-config files:

# find /etc/ldap/slapd.d -type f -exec grep Root {} +
/etc/ldap/slapd.d/cn=config/olcDatabase={0}config.ldif:olcRootDN: cn=admin,cn=config
/etc/ldap/slapd.d/cn=config/olcDatabase={0}config.ldif:olcRootPW: {SSHA}[xxxxxx hash redacted xxxxxx]
/etc/ldap/slapd.d/cn=config/olcDatabase={1}hdb.ldif:olcRootDN: cn=admin,dc=example,dc=com
/etc/ldap/slapd.d/cn=config/olcDatabase={1}hdb.ldif:olcRootPW: {SSHA}[xxxxxx hash redacted xxxxxx]

and confirmed that slapd is in theory set up to read from those files:

# ps -ef | grep slapd
openldap  2244     1  0 Oct26 ?        00:00:16 /usr/sbin/slapd -h ldap:/// ldapi:/// ldaps:/// -g openldap -u openldap -F /etc/ldap/slapd.d

When I turn on ACL logging (and run from the command line; turning on logging from init.d makes slapd hang on start) I get this:

5bdb2ef2 => access_allowed: search access to "cn=config" "entry" requested
5bdb2ef2 => acl_get: [1] attr entry
5bdb2ef2 => acl_mask: access to entry "cn=config", attr "entry" requested
5bdb2ef2 => acl_mask: to all values by "gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth", (=0)
5bdb2ef2 <= check a_dn_pat: *
5bdb2ef2 <= acl_mask: [1] applying none(=0) (stop)
5bdb2ef2 <= acl_mask: [1] mask: none(=0)
5bdb2ef2 => slap_access_allowed: search access denied by none(=0)
5bdb2ef2 => access_allowed: no more rules

Ideas?

Best Answer

On a number of modern Linux systems, root (as identified by SASL/EXTERNAL as gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth) is either the rootDN or has manager permissions when openldap-server/slapd is installed.

For your existing installation that is not currently the case.
If you know the password for your various rootDNs, use those. Otherwise, replace your rootDN (or its password) with something you can use. You'll have to do this outside of LDAP by editing /etc/openldap/slapd.d/cn=config/olcDatabase={0}config.ldif or your equivalent and restarting slapd.
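As an added example (not code from the question or the answer), here is a POSIX shell script that performs the file edit the answer describes: replacing olcRootPW in the config database's LDIF outside of LDAP, with slapd stopped. It works on a constructed copy of olcDatabase={0}config.ldif rather than a live file; the function names, the sample file contents and the olcAccess line in it (which mirrors the distribution default that gives the local root identity manage rights over cn=config, the rule whose absence shows up as "applying none" in the question's ACL trace) are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not the poster's or the answerer's code): reset olcRootPW in a
# config-database LDIF the way the answer describes, i.e. on the file itself
# while slapd is stopped. Function names and the sample file are constructed.
set -eu

# Constructed stand-in for /etc/ldap/slapd.d/cn=config/olcDatabase={0}config.ldif.
# The olcAccess line is the distribution-default rule (assumed here) that lets
# root over ldapi:/// with SASL/EXTERNAL manage cn=config.
make_sample_config_ldif() {
  cat > "$1" <<'EOF'
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 00000000
dn: olcDatabase={0}config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
olcRootDN: cn=admin,cn=config
olcRootPW: {SSHA}OLDHASHREDACTED
EOF
}

# Replace an existing olcRootPW line, or append one, with the given {SSHA} hash.
# Writes a temp file and renames it so the LDIF is never left half-written.
# slappasswd output is base64 ({SSHA}...), so the only sed-special character it
# can contain is '/', hence '|' as the s/// delimiter.
set_root_pw() {
  file=$1 hash=$2 tmp="$1.tmp"
  if grep -q '^olcRootPW:' "$file"; then
    sed "s|^olcRootPW:.*|olcRootPW: $hash|" "$file" > "$tmp"
  else
    { cat "$file"; printf 'olcRootPW: %s\n' "$hash"; } > "$tmp"
  fi
  mv "$tmp" "$file"
}

# Read back the current olcRootPW value (empty if the attribute is absent).
get_root_pw() { sed -n 's/^olcRootPW: //p' "$1"; }

# Read back olcRootDN: the identity to bind as once the password is reset.
get_root_dn() { sed -n 's/^olcRootDN: //p' "$1"; }

# Real run on a Debian-style host (kept as comments; needs root and a stopped slapd):
#   NEWHASH=$(slappasswd -s 'choose-a-strong-secret')
#   systemctl stop slapd
#   set_root_pw /etc/ldap/slapd.d/cn=config/olcDatabase={0}config.ldif "$NEWHASH"
#   systemctl start slapd
#   ldapsearch -LLL -H ldapi:/// -D cn=admin,cn=config -W -b cn=config olcAccess

# Stand-alone demonstration on a temporary copy of the sample file.
demo() {
  f=$(mktemp)
  make_sample_config_ldif "$f"
  set_root_pw "$f" '{SSHA}NEWHASH+/example'
  printf 'rootDN=%s rootPW=%s\n' "$(get_root_dn "$f")" "$(get_root_pw "$f")"
  rm -f "$f"
}
demo
```

Two practical notes: the file carries a `# CRC32` header, so after a hand edit slapd logs a checksum warning on the next start but still reads the file; and once the reset rootDN works with `-D ... -W`, the tutorials' `-Y EXTERNAL` path can be restored by adding the missing olcAccess rule through ldapmodify as that rootDN, which keeps the checksum in sync for future changes.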