OpenLDAP: How to Change Admin Password

Installation of OpenLDAP was the first step we took when we started the Keyper project. We wanted to use it as the backend public-key store. The choice was between OpenLDAP and one of the many open-source RDBMSs (e.g. MySQL, Postgres). However, considering future needs (e.g. integration with sudo), we settled on OpenLDAP.

Although LDAP was not new to me, having used many proprietary directories in the past (e.g. DSEE by Sun and MS Active Directory), OpenLDAP did pose a few challenges in the beginning. Instead of using a distro-provided OpenLDAP, we decided to compile it from scratch to better understand the inner workings. We created our first LDAP database using the stock slapd.ldif file and wanted to change the cn=admin password; that was our first challenge. Most distro-based OpenLDAP packages use SASL, which allows OS users to act as LDAP users; usually root is allowed to make changes to the configuration directory. A database created with the stock slapd.ldif does not set a password for the user "cn=config", and without SASL access one cannot change the password for cn=config.

Although a Google search did not provide many relevant results, we stumbled upon this excellent blog post. Using it as a reference, here are the steps we took to change the cn=admin password:

Backup OpenLDAP

We created a backup using the slapcat command. slapcat outputs directories in LDIF format.

$ slapcat -n 0 -l config.ldif
$ slapcat -n 1 -l data.ldif

"-n 0" tells slapcat to use database 0, which is the configuration directory (cn=config); "-n 1" is the first data database.

Generate a Password Hash

OpenLDAP stores passwords as hashes. We used the slappasswd utility to generate a password hash:

# slappasswd 
New password: 
Re-enter new password: 
{SSHA}Gk1dNwnoJeXsNhGsik/BNOvFwZMnEbID

Change config.ldif

We looked into the config.ldif generated by the backup command. The relevant sections looked like this:

dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcAccess: {0}to *  by * none
olcAddContentAcl: TRUE
olcLastMod: TRUE
olcMaxDerefDepth: 15
olcReadOnly: FALSE
olcRootDN: cn=config
olcSyncUseSubentry: FALSE
olcMonitoring: FALSE
structuralObjectClass: olcDatabaseConfig
entryUUID: 9fb31806-5351-103a-847d-753f8d1ab4f4
creatorsName: cn=config
modifiersName: cn=config

dn: olcDatabase={1}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {1}mdb
olcDbDirectory: /u01/app/openldap/var/openldap-data
olcSuffix: dc=dbsentry,dc=com
olcRootDN: cn=Manager,dc=dbsentry,dc=com
olcDbIndex: objectClass eq
structuralObjectClass: olcMdbConfig
entryUUID: 9fb316b2-5351-103a-847c-753f8d1ab4f4
creatorsName: cn=config
createTimestamp: 20200705212416Z
olcRootPW:: e1NTSEF9OWXrTWFoa3ZzT2JubU5LL0lYUXkyQkYzT0ZMbWpWSXo=
modifiersName: cn=config

Notice that dn: olcDatabase={0}config,cn=config has olcRootDN set to cn=config but has no olcRootPW, whereas the {1}mdb database already carries one (base64-encoded, hence the double colon after the attribute name).

Modify config.ldif with password

We modified config.ldif, adding olcRootPW to the {0}config database and replacing it in the {1}mdb database. Note the LDIF syntax: a single colon introduces a plain value, while a double colon means the value that follows is base64-encoded. A hash pasted verbatim from slappasswd is not base64 (the braces alone would make slapadd reject the line), so it goes after a single colon:

dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcAccess: {0}to *  by * none
olcAddContentAcl: TRUE
olcLastMod: TRUE
olcMaxDerefDepth: 15
olcReadOnly: FALSE
olcRootDN: cn=config
olcRootPW: {SSHA}Gk1dNwnoJeXsNhGsik/BNOvFwZMnEbID
olcSyncUseSubentry: FALSE
olcMonitoring: FALSE
structuralObjectClass: olcDatabaseConfig
entryUUID: 9fb31806-5351-103a-847d-753f8d1ab4f4
creatorsName: cn=config
modifiersName: cn=config

dn: olcDatabase={1}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {1}mdb
olcDbDirectory: /u01/app/openldap/var/openldap-data
olcSuffix: dc=dbsentry,dc=com
olcRootDN: cn=Manager,dc=dbsentry,dc=com
olcRootPW: {SSHA}Gk1dNwnoJeXsNhGsik/BNOvFwZMnEbID
olcDbIndex: objectClass eq
structuralObjectClass: olcMdbConfig
entryUUID: 9fb316b2-5351-103a-847c-753f8d1ab4f4
creatorsName: cn=config
createTimestamp: 20200705212416Z
modifiersName: cn=config
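The two details this procedure hinges on, the {SSHA} hash format that slappasswd emits and the single- versus double-colon LDIF syntax that slapadd parses, as an added Python example that is not part of the original post. It generates and verifies an {SSHA} value, emits and parses LDIF attribute lines per RFC 2849, and checks whether a "slapcat -n 0" dump gives the {0}config database an olcRootPW at all. The 4-byte salt is an assumption about slappasswd's default; the sample LDIF used in the checks is constructed, not taken from a real server.

```python
import base64
import binascii
import hashlib
import hmac
import os

def ssha_hash(password: str, salt: bytes = b"") -> str:
    """OpenLDAP {SSHA}: base64(SHA1(password || salt) || salt). slappasswd picks a
    random 4-byte salt (assumed default); a fixed salt makes the result reproducible."""
    salt = salt or os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def ssha_verify(password: str, stored: str) -> bool:
    """Check a candidate password against a {SSHA} value the way slapd does."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[6:])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes, the rest is salt
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)

def ldif_line(attr: str, value: str) -> str:
    """RFC 2849: single colon for a plain value, double colon only for base64."""
    unsafe_start = value[:1] in (" ", ":", "<")
    unsafe_chars = any(c in "\0\r\n" or ord(c) > 127 for c in value)
    if unsafe_start or unsafe_chars or value.endswith(" "):
        return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"
    return f"{attr}: {value}"

def parse_ldif_line(line: str) -> tuple:
    """Parse 'attr: value' or 'attr:: base64' as slapadd does; a '::' line whose
    value is not valid base64 (e.g. a raw {SSHA} string) is rejected."""
    attr, _, rest = line.partition(":")
    if rest.startswith(":"):
        try:
            return attr, base64.b64decode(rest[1:].strip(), validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError) as exc:
            raise ValueError(f"{attr}: '::' used but value is not base64") from exc
    return attr, rest.strip()

def config_db_has_rootpw(config_ldif: str) -> bool:
    """True if the olcDatabase={0}config entry of a 'slapcat -n 0' dump carries
    olcRootPW, i.e. cn=config can bind with a password (simple bind, no SASL)."""
    for entry in config_ldif.strip().split("\n\n"):
        lines = [l for l in entry.splitlines() if l and not l.startswith("#")]
        if lines and lines[0].startswith("dn: olcDatabase={0}config,"):
            return any(l.split(":", 1)[0] == "olcRootPW" for l in lines[1:])
    return False
```

Run config_db_has_rootpw over your own config.ldif before editing: if it returns False, the {0}config entry needs the olcRootPW line added as shown above.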

Stop OpenLDAP

We stopped OpenLDAP using pkill:

$ pkill slapd

Restore configuration

We used slapadd for the restore. Before running slapadd we took a backup of both the config and data directories and emptied them:

$ cd /etc
$ tar -czf slapd.d.tar.gz slapd.d
$ rm -rf /etc/slapd.d/*
$ cd /var/lib/openldap
$ tar -czf openldap-data.tar.gz openldap-data
$ rm -rf openldap-data/*

We ran slapadd to restore the directory:

$ slapadd -n 0 -F /etc/slapd.d -l config.ldif
$ slapadd -n 1 -F /etc/slapd.d -l data.ldif

Test changed password

We tested the changed password using ldapsearch, binding as cn=config with the new password:

[root@getafix openldap]# ../../bin/ldapsearch -x -D "cn=config" -b "cn=config" -W | grep olcRootPW
Enter LDAP Password: 
olcAttributeTypes: ( OLcfgDbAt:0.9 NAME 'olcRootPW' SYNTAX OMsDirectoryString 
 cRequires $ olcRestrict $ olcRootDN $ olcRootPW $ olcSchemaDN $ olcSecurity $
olcRootPW:: {SSHA}Gk1dNwnoJeXsNhGsik/BNOvFwZMnEbID
olcRootPW:: {SSHA}Gk1dNwnoJeXsNhGsik/BNOvFwZMnEbID