Wednesday, July 8, 2015

Reset openldap default admin password

This is usually needed during the installation of LDAP, or when you have forgotten your LDAP admin password. It took me quite a while to find these, so thanks to the articles that pointed me in the right direction. Here is how I did it:

  1. Find the root dn account and root dn password hash: 
    $ sudo ldapsearch -H ldapi:// -LLL -Q -Y EXTERNAL -b "cn=config" "(olcRootDN=*)" dn olcRootDN olcRootPW | tee ~/newpasswd.ldif
  2. You can see the above info right away since we are using tee (tee writes to a new file and shows the output on stdout at the same time). This is what it looks like: 
    $ cat newpasswd.ldif
    dn: olcDatabase={1}hdb,cn=config
    olcRootDN: cn=admin,dc=ubuntu-ldap,dc=com
    olcRootPW: {SSHA}CS9o0OVuD4YOj1eFNf4q6eqSe8O4MBMy
  3. Generate a new password hash for the admin and append it to newpasswd.ldif. -h is the flag that specifies the hash scheme; you can find the scheme in the newpasswd.ldif file we generated, in this case {SSHA}: 
    $ sudo slappasswd -h {SSHA} >> newpasswd.ldif
    New password:
    Re-enter new password:
  4. Edit newpasswd.ldif so that it looks like below (just comment out olcRootDN, add the changetype and replace lines, and change the olcRootPW value to the hash we generated in step 3):
    dn: olcDatabase={1}hdb,cn=config
    #olcRootDN: cn=admin,dc=ubuntu-ldap,dc=com
    changetype: modify
    replace: olcRootPW
    olcRootPW: {SSHA}<hash printed by slappasswd in step 3>
  5. Apply the password change with the ldapmodify command, where -H is the LDAP URI, -Y the SASL mechanism and -f the file to read the change from: 
    $ sudo ldapmodify -H ldapi:// -Y EXTERNAL -f ~/newpasswd.ldif
  6. Test the new password by listing the entries with ldapsearch, making sure the new password works (-x selects a simple bind with the DN from -D, and -W prompts for the password): 
    $ ldapsearch -x -h localhost -b "dc=ubuntu-ldap,dc=com" -D "cn=admin,dc=ubuntu-ldap,dc=com" -W
That should be it; your admin user now has a shiny new password.
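The steps above done as a small POSIX shell script, added here as an example and not part of the original post. It turns the step 1 search output into the step 4 modify LDIF, refuses a value without a {SCHEME} prefix (slapd would store that as a cleartext password), and goes slightly beyond the post by handling several databases: only an entry that already has an olcRootPW is rotated, so a database with an olcRootDN but no password (for example the cn=config database on many distribution setups) is left alone rather than given a new credential. The function names, the sample search output and the NEW_HASH placeholder are all constructed for this example; apply_rootpw and verify_rootpw wrap the post's step 5 and step 6 commands and are only executed if you call them against a real server.

```shell
#!/bin/sh
# Added example, not from the original post: build the step 4 LDIF from the
# step 1 search output, then optionally apply (step 5) and verify (step 6).
# Function names, the sample search output and NEW_HASH are constructed.

# build_rootpw_ldif SEARCH_OUTPUT NEW_HASH
#   SEARCH_OUTPUT: text printed by
#     ldapsearch -H ldapi:// -LLL -Q -Y EXTERNAL -b cn=config "(olcRootDN=*)" dn olcRootDN olcRootPW
#   NEW_HASH: the {SSHA}... string printed by slappasswd -h {SSHA}
# Prints one "changetype: modify" record per database that already has an
# olcRootPW; databases with an olcRootDN but no olcRootPW are skipped.
build_rootpw_ldif() {
    # slapd treats a value without a {SCHEME} prefix as a cleartext password,
    # so refuse anything that does not look like slappasswd output.
    case "$2" in
        '{'*'}'*) ;;
        *) echo "build_rootpw_ldif: hash lacks a {SCHEME} prefix, refusing" >&2; return 1 ;;
    esac
    printf '%s\n' "$1" | awk -v hash="$2" '
        function emit() {
            if (dn != "" && have_pw) {
                print dn
                if (rootdn != "") print "#" rootdn   # keep the DN visible, as a comment
                print "changetype: modify"
                print "replace: olcRootPW"
                print "olcRootPW: " hash
                print ""
            }
            dn = ""; rootdn = ""; have_pw = 0
        }
        /^dn: /        { dn = $0 }
        /^olcRootDN: / { rootdn = $0 }
        /^olcRootPW: / { have_pw = 1 }
        /^$/           { emit() }
        END            { emit() }'
}

# apply_rootpw LDIF_FILE: step 5 of the post, over the local socket as root.
# The file carries the new hash, so keep it owner-readable only and delete it
# once the change has been verified.
apply_rootpw() {
    chmod 600 "$1" || return 1
    sudo ldapmodify -H ldapi:// -Q -Y EXTERNAL -f "$1"
}

# verify_rootpw ROOTDN BASEDN: step 6 of the post, a simple bind (-x) as the
# root DN with the new password prompted by -W; non-zero exit means the bind failed.
verify_rootpw() {
    ldapsearch -x -H ldap://localhost -D "$1" -W -b "$2" -LLL -s base dn
}

# Constructed sample in the shape of the step 1 output: two databases, only the
# second of which has a root password set (the hash is the post's example hash).
SAMPLE_SEARCH='dn: olcDatabase={0}config,cn=config
olcRootDN: cn=admin,cn=config

dn: olcDatabase={1}hdb,cn=config
olcRootDN: cn=admin,dc=ubuntu-ldap,dc=com
olcRootPW: {SSHA}CS9o0OVuD4YOj1eFNf4q6eqSe8O4MBMy
'
# Placeholder standing in for real slappasswd output (not a valid hash).
NEW_HASH='{SSHA}PLACEHOLDER-paste-slappasswd-output-here'

# Demo on the sample: prints the LDIF that step 5 would feed to ldapmodify.
build_rootpw_ldif "$SAMPLE_SEARCH" "$NEW_HASH"
```

To use it for real, pipe the output of the step 1 ldapsearch into build_rootpw_ldif with the hash slappasswd printed, save the result to a file, and pass that file to apply_rootpw; then call verify_rootpw with the root DN and base DN from the search output.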