
Re: Admin user has two passwords



----- Original Message -----
> From: "Wiebe Cazemier" <wiebe@halfgaar.net>
> To: "Dan White" <dwhite@olp.net>
> Cc: "Maarten Vanraes" <maarten.vanraes@gmail.com>, openldap-technical@openldap.org
> Sent: Friday, 28 December, 2012 4:53:52 PM
> Subject: Re: Admin user has two passwords
> 
> ----- Original Message -----
> > From: "Dan White" <dwhite@olp.net>
> > To: "Wiebe Cazemier" <wiebe@halfgaar.net>
> > Cc: "Maarten Vanraes" <maarten.vanraes@gmail.com>,
> > openldap-technical@openldap.org
> > Sent: Friday, 28 December, 2012 3:47:58 PM
> > Subject: Re: Admin user has two passwords
> > 
> > 
> > There is no admin user per se. There is an authentication identity
> > that you can specify in your configuration with rootdn/olcRootDN,
> > along with its password, rootpw/olcRootPW.
> > 
> > Creating the same DN within your DIT may confuse things, and it is
> > not necessary that it actually exist (unless you do not specify a
> > rootpw).
> > 
> > See:
> > 
> > http://www.openldap.org/doc/admin24/access-control.html#Controlling%20rootdn%20access
> > 
> > and the slapd.conf/slapd-config man pages.
> > 
> > --
> > Dan White
> > 
> 
> Does that mean that the Ubuntu docs [1] give the wrong instructions?
> Because in its backend.example.ldif, it makes:
> 
> 
> olcRootDN: cn=admin,dc=example,dc=com
> olcRootPW: secret
> 
> 
> and then it loads an admin user with frontend.example.ldif:
> 
> 
> # Admin user.
> dn: cn=admin,dc=example,dc=com
> objectClass: simpleSecurityObject
> objectClass: organizationalRole
> cn: admin
> description: LDAP administrator
> userPassword: secret
> 
> 
> So what I should do is remove the admin user, and set olcRootPW (but
> then to a value generated with slappasswd to avoid plain text)?
> 
> 
> 
> [1] https://help.ubuntu.com/10.04/serverguide/openldap-server.html
> 
> 

It does appear that the Ubuntu docs are wrong. I deleted the admin user:


# fed to ldapmodify
dn: cn=admin,dc=domain,dc=tld
changetype: delete


And I updated olcRootPW:


# fed to ldapmodify
dn: olcDatabase={1}hdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: {SSHA}hashcode


Now it only has one admin password, and it's the new one.
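The steps above (hash the new rootpw instead of storing it in clear text, delete the duplicate cn=admin entry from the DIT, then replace olcRootPW under cn=config) as an added, stand-alone example; this is not code from the thread or from the OpenLDAP project. It reimplements the {SSHA} scheme that slappasswd emits by default (SHA-1 over password+salt, then base64 of digest+salt, 4-byte salt) so the hash can be generated and checked offline, and it builds the two LDIF records with the DNs used in the reply above. The DN names, the database suffix and the ldapmodify bind method mentioned in the usage note are assumptions taken from the thread, not something the script verifies against a live server.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Values assumed from the thread; adjust for your own directory.
ADMIN_DN = "cn=admin,dc=domain,dc=tld"
CONFIG_DB_DN = "olcDatabase={1}hdb,cn=config"

SHA1_LEN = 20   # bytes in a SHA-1 digest


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return an OpenLDAP-compatible {SSHA} value: base64(sha1(pw + salt) + salt).

    slappasswd's default is {SSHA} with a 4-byte random salt; a fixed salt
    may be passed here only to make results reproducible in tests.
    """
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Check a candidate password against a stored {SSHA} value in constant time."""
    prefix = "{SSHA}"
    if not stored.startswith(prefix):
        raise ValueError("not an {SSHA} hash")
    raw = base64.b64decode(stored[len(prefix):])
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def is_cleartext_rootpw(value: str) -> bool:
    """True if an olcRootPW value has no {SCHEME} prefix, i.e. is stored in the clear."""
    return not (value.startswith("{") and "}" in value)


def delete_entry_ldif(dn: str = ADMIN_DN) -> str:
    """LDIF record that removes the duplicate admin entry from the DIT."""
    return f"dn: {dn}\nchangetype: delete\n"


def set_rootpw_ldif(hashed: str, db_dn: str = CONFIG_DB_DN) -> str:
    """LDIF record that replaces olcRootPW on the database entry under cn=config."""
    if is_cleartext_rootpw(hashed):
        raise ValueError("refusing to write a clear-text olcRootPW; hash it first")
    return (
        f"dn: {db_dn}\n"
        "changetype: modify\n"
        "replace: olcRootPW\n"
        f"olcRootPW: {hashed}\n"
    )


if __name__ == "__main__":
    # Constructed demo password; in practice read it from a prompt, not argv.
    new_pw = "correct horse battery staple"
    hashed = ssha_hash(new_pw)
    assert ssha_verify(new_pw, hashed)
    print(delete_entry_ldif())
    print(set_rootpw_ldif(hashed))
```

The two records it prints are what the reply above feeds to ldapmodify; on an Ubuntu cn=config setup that is typically `ldapmodify -Y EXTERNAL -H ldapi:///` for the cn=config change (an assumption, not something the thread states). Because rootdn/olcRootDN is checked against olcRootPW before any entry lookup, the cn=admin entry can be deleted without locking yourself out, provided olcRootPW is set first.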