Thanks for taking the time to file a bug
> E.g. if the package was installed non-interactively through puppet or
> ansible, it is not obvious where the root password comes from or how
> to change it or how to re-setup.
Per Debian bug #134774, a change was made to generate a random one if a
password cannot be provided (e.g. non-interactive mode), here is the
change log entry:
* If can not get a password for the admin entry when installing slapd
generate one randomly. Closes: Bug#134774
A "normal" cli install would involve the following:
$ apt update
$ apt install slapd
To find your hashed password, but also RootDN info for use the following:
$ ldapsearch -H ldapi:// -LLL -Q -Y EXTERNAL -b "cn=config" "(olcRootDN=*)" dn
olcRootDN olcRootPW
dn: olcDatabase={1}mdb,cn=config
olcRootDN: cn=admin,dc=lxd
olcRootPW: {SSHA}6l+/PkFITcYX87C6RJ1sLAh8/CulOS78
To confirm the password:
$ ldapsearch -h localhost -D "cn=admin,dc=lxd" -W
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# search result
search: 2
result: 32 No such object
# numResponses: 1
If your password was incorrect you would get the following instead:
ldap_bind: Invalid credentials (49)
Of course a random password, let alone hashed password does not do you any
good. To allow the use of some non-interactive mode the selection can be set
before hand using debconf-set-selections:
$ echo "slapd slapd/internal/adminpw password password" | debconf-set-selections
$ echo "slapd slapd/password1 password password" | debconf-set-selections
$ echo "slapd slapd/password2 password password" | debconf-set-selections
$ apt update
$ apt install slapd
Then repeated the above to verify that my password was in fact set
correctly.
If instead you want to reset the admin password after the random one was
generated you can do the following:
$ ldapsearch -H ldapi:// -LLL -Q -Y EXTERNAL -b "cn=config" "(olcRootDN=*)" dn
olcRootDN olcRootPW | tee password.ldif
$ slappasswd -h {SSHA}
New password:
Re-enter new password:
{SSHA}y/QP58Xotj6s38cVLOxZh/jsZ7W8scVT
# Modify the password.ldif by removing dn, add changetype and replace lines,
and adding the new password
$ cat password.ldif
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: {SSHA}y/QP58Xotj6s38cVLOxZh/jsZ7W8scVT
$ ldapmodify -H ldapi:// -Y EXTERNAL -f ~/password.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={1}mdb,cn=config"
Then confirm the password as stated previously.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1742123
Title:
obscure slapd configuration
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1742123/+subscriptions
--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs