[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Admin user has two passwords

To: Dan White <dwhite@olp.net>
Subject: Re: Admin user has two passwords
From: Wiebe Cazemier <wiebe@halfgaar.net>
Date: Mon, 31 Dec 2012 10:39:05 +0100 (CET)
Cc: Maarten Vanraes <maarten.vanraes@gmail.com>, openldap-technical@openldap.org
In-reply-to: <1920299867.15225.1356710032327.JavaMail.root@halfgaar.net>
References: <1529556058.12305.1356354959157.JavaMail.root@halfgaar.net> <1377196.LojZCyujiC@localhost> <1188048307.14468.1356683419703.JavaMail.root@halfgaar.net> <20121228144757.GB6488@dan.olp.net> <1920299867.15225.1356710032327.JavaMail.root@halfgaar.net>
Thread-index: oiZW5U+Nny2tIctGULO37yZGh77hNu8UCmB+
Thread-topic: Admin user has two passwords

----- Original Message -----
> From: "Wiebe Cazemier" <wiebe@halfgaar.net>
> To: "Dan White" <dwhite@olp.net>
> Cc: "Maarten Vanraes" <maarten.vanraes@gmail.com>, openldap-technical@openldap.org
> Sent: Friday, 28 December, 2012 4:53:52 PM
> Subject: Re: Admin user has two passwords
> 
> ----- Original Message -----
> > From: "Dan White" <dwhite@olp.net>
> > To: "Wiebe Cazemier" <wiebe@halfgaar.net>
> > Cc: "Maarten Vanraes" <maarten.vanraes@gmail.com>,
> > openldap-technical@openldap.org
> > Sent: Friday, 28 December, 2012 3:47:58 PM
> > Subject: Re: Admin user has two passwords
> > 
> > 
> > There is no admin user per se. There is an authentication identity
> > that
> > you can specify in your configuration with rootdn/olcRootDN, along
> > with
> > it's password, rootpw/OlcRootPW.
> > 
> > Creating the same DN within your DIT may confuse things, and it is
> > not
> > necessary that it actually exist (unless you do not specify a
> > rootpw).
> > 
> > See:
> > 
> > http://www.openldap.org/doc/admin24/access-control.html#Controlling%20rootdn%20access
> > 
> > and the slapd.conf/slapd-config man pages.
> > 
> > --
> > Dan White
> > 
> 
> Does that mean that the Ubuntu docs [1] give the wrong instructions?
> Because in its backend.example.ldif, it makes:
> 
> 
> olcRootDN: cn=admin,dc=example,dc=com
> olcRootPW: secret
> 
> 
> and then it loads an admin user with frontend.example.ldif:
> 
> 
> # Admin user.
> dn: cn=admin,dc=example,dc=com
> objectClass: simpleSecurityObject
> objectClass: organizationalRole
> cn: admin
> description: LDAP administrator
> userPassword: secret
> 
> 
> So what I should do is remove the admin user, and set olcRootPW (but
> then to a value generated with slappasswd to avoid plain text)?
> 
> 
> 
> [1] https://help.ubuntu.com/10.04/serverguide/openldap-server.html
> 
> 

It does appear that the Ubuntu docs are wrong. I deleted the admin user:


# fed to ldapmodify
dn: cn=admin,dc=domain,dc=tld
changetype: delete


And I updated olcRootPW:


# fed to ldapmodify
dn: olcDatabase={1}hdb,cn=config
replace: olcRootPW
olcRootPW: {SSHA}hashcode


Now it only has one admin password, and it's the new one.

Follow-Ups:
- Re: Admin user has two passwords
  - From: Wiebe Cazemier <wiebe@halfgaar.net>

References:
- Admin user has two passwords
  - From: Wiebe Cazemier <wiebe@halfgaar.net>
- Re: Admin user has two passwords
  - From: Maarten Vanraes <maarten.vanraes@gmail.com>
- Re: Admin user has two passwords
  - From: Wiebe Cazemier <wiebe@halfgaar.net>
- Re: Admin user has two passwords
  - From: Dan White <dwhite@olp.net>
- Re: Admin user has two passwords
  - From: Wiebe Cazemier <wiebe@halfgaar.net>

Prev by Date: olcToolthreads and slapadd -n0
Next by Date: Re: Admin user has two passwords
Index(es):
- Chronological
- Thread