
Re: need to recover slapd password and upgrade openldap



On Tue, 26 Jul 2016, Dan Hyatt wrote:

So, a more simple question...

Can I install a current version of OpenLDAP on a current RedHat/CentOS server (specially built for this purpose), then use slapcat to export the information from the old server and import it to the new server, where the admin password is not corrupt?

The fundamental upgrade procedure is unchanged:

http://www.openldap.org/doc/admin24/maintenance.html#Migration

To that procedure you'd add an additional step, let's call that step 2a, which would be "fix any corrupted data in the slapcat output."

Can I import the schemas or are there likely substantial changes to the schemas across versions?

Standard schema ship with OpenLDAP itself and can be updated along with the rest of the package. Custom schema might need an update, but that's usually not the hard part.

My goals are to create a new LDAP server running CentOS/RedHat, transfer 20 users and allow them to keep their existing passwords, allow them to access my servers, and allow them authentication to Samba,
and create an LDAP slave (or cluster).
Not sure if syncrepl is the current way to go.

I have root on the server, but I do not have the admin password for OpenLDAP 2.2, as it became corrupted somehow.

You can always use a rootpw (in your slapd configuration) to override ACLs if needed. And slapadd operates offline; all you need is filesystem write access. There's also nothing stopping you from interpreting "fix any corrupted data" as "fix any corrupted data and change a couple of userPassword values while you're at it in the slapcat output" as your "step 2a."
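
The "step 2a" edit described in the reply above, sketched as an added example that is not part of the original message or of OpenLDAP: it rewrites the userPassword of one entry in slapcat-style LDIF and leaves every other entry, including the users' existing password hashes, as exported. The DNs, the sample LDIF and the function names are constructed for illustration, and it assumes the admin credential is stored as an entry's userPassword rather than as `rootpw` in the slapd configuration.

```python
import base64, hashlib, os

def ssha(password, salt=None):
    """Hash a password in the {SSHA} (salted SHA-1) userPassword format."""
    salt = salt or os.urandom(8)
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def value(line):
    """Return an LDIF attribute value, decoding the base64 'attr:: ' form."""
    _, _, rest = line.partition(":")
    if rest.startswith(":"):
        return base64.b64decode(rest[1:].strip()).decode()
    return rest.strip()

def unfold(ldif):
    """Join LDIF continuation lines (a leading space continues the previous line)."""
    lines = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def reset_password(ldif, target_dn, new_hash):
    """Replace userPassword on target_dn only (simple case-insensitive DN match)."""
    out, in_target, done = [], False, False
    for line in unfold(ldif):
        low = line.lower()
        if low.startswith("dn:"):
            in_target = value(line).lower() == target_dn.lower()
        if in_target and low.startswith("userpassword:"):
            if not done:  # write one new value, drop any further old ones
                out.append("userPassword:: " + base64.b64encode(new_hash.encode()).decode())
                done = True
            continue
        out.append(line)
    if not done:
        raise ValueError("no userPassword found on " + target_dn)
    return "\n".join(out) + "\n"

# Constructed sample standing in for slapcat output (not taken from the thread).
OLD_ALICE = base64.b64encode(b"{SSHA}CONSTRUCTED-OLD-VALUE").decode()
SAMPLE = (
    "dn: cn=Manager,dc=example,dc=com\nuserPassword: corrupted\n\n"
    "dn: uid=alice,ou=People,dc=example,dc=com\n"
    "userPassword:: " + OLD_ALICE[:12] + "\n " + OLD_ALICE[12:] + "\n"
)
```

The output is written unfolded, which LDIF permits; diff it against the original export before loading it with slapadd so the only changed attribute is the one you meant to change.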