@vjove
Last active May 14, 2019 16:17
OpenLDAP Cheat Sheet

Change admin password

A typical command looks like this:

ldappasswd -H ldap://localhost -x -D "cn=admin,dc=example,dc=com" -W -A -S

But there is also this alternative, which edits the olcRootPW attribute in cn=config directly:

The following is extracted from: http://techiezone.rottigni.net/2011/12/change-root-dn-password-on-openldap/

First, we need to locate the administrator account's credentials in the correct database entry under cn=config. This can be done with the command:

ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b cn=config olcRootDN=cn=admin,dc=example,dc=com dn olcRootDN olcRootPW

(replace the olcRootDN value with the one matching your configuration)

This command will return:

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: olcDatabase={1}hdb,cn=config
olcRootDN: cn=admin,dc=example,dc=com
olcRootPW: {SHA}ksixAVfgRXavGCpkPefc6hRHL4X=

This tells us two things:

  • we need to modify the entry "dn: olcDatabase={1}hdb,cn=config"
  • the current password is hashed with the SHA1 algorithm.

Therefore we need to generate the new password hash with the same algorithm, using the slappasswd command with the syntax:

slappasswd -h <the hashing scheme we want to use - for example {SHA}>

The system will then prompt twice for the new password and finally display the hashed value we're interested in (example below with password = password):

# slappasswd -h {SHA}
New password:
Re-enter new password:
{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=

Then we'll modify the entry identified above using the command:

# ldapmodify -Y EXTERNAL -H ldapi:///

The command waits for the modification to be typed in (LDIF on standard input) after printing:

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0

First, we enter the entry we want to modify:

dn: olcDatabase={1}hdb,cn=config

Second, we type in the parameter we want to modify:

replace: olcRootPW

Third, we type in the new password hash generated above (copy and paste is MUCH less error prone than manual typing at this point 😉 )

olcRootPW: {SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=

Hit Enter once more (an empty line ends the LDIF record) to commit the modification, and the following line will appear:

modifying entry "olcDatabase={1}hdb,cn=config"

After this, you can exit the listening mode with CTRL+C.
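The whole procedure above (read the current olcRootPW to learn its scheme, produce a hash in that scheme, build the modify record for ldapmodify) as a non-interactive script. This is an added example, not part of the gist or of the linked article; it reproduces the {SHA} output of slappasswd with Python's hashlib instead of calling slappasswd, also covers the salted {SSHA} scheme, and includes a verify() check so you can confirm the new hash matches the password you typed before committing it to cn=config. The ldapsearch output embedded in SEARCH_OUTPUT is copied from the cheat sheet; the function and variable names are this example's own.

```python
import base64
import getpass
import hashlib
import hmac
import os
from typing import Dict, Optional

# Copied from the ldapsearch output shown above (used here as constructed sample input).
SEARCH_OUTPUT = """SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: olcDatabase={1}hdb,cn=config
olcRootDN: cn=admin,dc=example,dc=com
olcRootPW: {SHA}ksixAVfgRXavGCpkPefc6hRHL4X=
"""


def parse_search_output(text: str) -> Dict[str, str]:
    """Turn the 'attr: value' lines of the ldapsearch output into a dict, skipping SASL chatter."""
    entry: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("SASL"):
            continue
        attr, _, value = line.partition(": ")
        entry[attr] = value
    return entry


def scheme_of(stored: str) -> str:
    """Return the '{SCHEME}' prefix of a stored password value, e.g. '{SHA}'."""
    return stored[: stored.index("}") + 1]


def sha_hash(password: str) -> str:
    """Unsalted {SHA}: base64(sha1(password)). This is what `slappasswd -h {SHA}` prints."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Salted {SSHA}: base64(sha1(password + salt) + salt), slappasswd's default scheme."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify(password: str, stored: str) -> bool:
    """Check a candidate password against a {SHA} or {SSHA} value such as olcRootPW."""
    scheme = scheme_of(stored)
    if scheme == "{SHA}":
        return hmac.compare_digest(sha_hash(password), stored)
    if scheme == "{SSHA}":
        raw = base64.b64decode(stored[len(scheme):])
        digest, salt = raw[:20], raw[20:]          # SHA1 digest is 20 bytes, salt follows
        calc = hashlib.sha1(password.encode("utf-8") + salt).digest()
        return hmac.compare_digest(calc, digest)
    raise ValueError("unsupported password scheme: " + scheme)


def hash_for_scheme(password: str, scheme: str) -> str:
    """Hash the password with the scheme found in the existing olcRootPW."""
    if scheme == "{SHA}":
        return sha_hash(password)
    if scheme == "{SSHA}":
        return ssha_hash(password)
    raise ValueError("unsupported password scheme: " + scheme)


def rootpw_ldif(db_dn: str, new_hash: str) -> str:
    """Build the LDIF record that the interactive ldapmodify session above types by hand."""
    return (
        f"dn: {db_dn}\n"
        "changetype: modify\n"
        "replace: olcRootPW\n"
        f"olcRootPW: {new_hash}\n"
    )


def main() -> None:
    entry = parse_search_output(SEARCH_OUTPUT)
    scheme = scheme_of(entry["olcRootPW"])
    password = getpass.getpass("New rootdn password: ")
    if password != getpass.getpass("Re-enter new password: "):
        raise SystemExit("passwords do not match")
    new_hash = hash_for_scheme(password, scheme)
    assert verify(password, new_hash)  # sanity check before anything reaches cn=config
    print(rootpw_ldif(entry["dn"], new_hash), end="")


if __name__ == "__main__":
    main()
```

Run as `python3 rootpw.py | ldapmodify -Y EXTERNAL -H ldapi:///` to apply the change without the interactive session; the script only prints LDIF, so you can also inspect it first. {SHA} is an unsalted hash of the password alone, which is why the same password always yields the value shown above; {SSHA} adds a random salt, so two runs produce different values that both verify.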
