Thanks for taking the time to file a bug
> E.g. if the package was installed non-interactively through puppet or
> ansible, it is not obvious where the root password comes from or how
> to change it or how to re-setup.
Per Debian bug #134774, a change was made to generate a random one if a
password cannot be provided (e.g. non-interactive mode), here is the
change log entry:
* If can not get a password for the admin entry when installing slapd
generate one randomly. Closes: Bug#134774
A "normal" cli install would involve the following:
$ apt update
$ apt install slapd
<user get's prompted for Administrator password and to confirm it>
To find your hashed password, but also RootDN info for use the following:
$ ldapsearch -H ldapi:// -LLL -Q -Y EXTERNAL -b "cn=config" "(olcRootDN=*)" dn
olcRootDN olcRootPW
dn: olcDatabase={1}mdb,cn=config
olcRootDN: cn=admin,dc=lxd
olcRootPW: {SSHA}6l+/PkFITcYX87C6RJ1sLAh8/CulOS78
To confirm the password:
$ ldapsearch -h localhost -D "cn=admin,dc=lxd" -W
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# search result
search: 2
result: 32 No such object
# numResponses: 1
If your password was incorrect you would get the following instead:
ldap_bind: Invalid credentials (49)
Of course a random password, let alone hashed password does not do you any
good. To allow the use of some non-interactive mode the selection can be set
before hand using debconf-set-selections:
$ echo "slapd slapd/internal/adminpw password password" | debconf-set-selections
$ echo "slapd slapd/password1 password password" | debconf-set-selections
$ echo "slapd slapd/password2 password password" | debconf-set-selections
$ apt update
$ apt install slapd
Then repeated the above to verify that my password was in fact set
correctly.
If instead you want to reset the admin password after the random one was
generated you can do the following:
$ ldapsearch -H ldapi:// -LLL -Q -Y EXTERNAL -b "cn=config" "(olcRootDN=*)" dn
olcRootDN olcRootPW | tee password.ldif
$ slappasswd -h {SSHA}
New password:
Re-enter new password:
{SSHA}y/QP58Xotj6s38cVLOxZh/jsZ7W8scVT
# Modify the password.ldif by removing dn, add changetype and replace lines,
and adding the new password
$ cat password.ldif
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: {SSHA}y/QP58Xotj6s38cVLOxZh/jsZ7W8scVT
$ ldapmodify -H ldapi:// -Y EXTERNAL -f ~/password.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={1}mdb,cn=config"
Then confirm the password as stated previously.
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openldap in Ubuntu.
https://bugs.launchpad.net/bugs/1742123
Title:
obscure slapd configuration
Status in openldap package in Ubuntu:
Incomplete
Bug description:
Hi,
the openldap server slapd comes with two configuration options, the
old one based on slapd.conf, and a new one based on ldifs.
The debian/ubuntu package performs some obscure magic to generate a
ldif based config in /etc/slapd/slapd.d, but does not provide any hint
or documentation about how to change/adjust it. E.g. if the package
was installed non-interactively through puppet or ansible, it is not
obvious where the root password comes from or how to change it or how
to re-setup.
Furthermore it is a security gap to create something like
dn: dc=buero,dc=danisch,dc=de
objectClass: top
objectClass: dcObject
objectClass: organization
o: buero.danisch.de
dc: buero
structuralObjectClass: organization
entryUUID: 4f765744-85aa-1037-9ee9-1db94ae2a6d4
creatorsName: cn=admin,dc=buero,dc=danisch,dc=de
createTimestamp: 20180104145011Z
entryCSN: 20180104145011.817411Z#000000#000#000000
modifiersName: cn=admin,dc=buero,dc=danisch,dc=de
modifyTimestamp: 20180104145011Z
dn: cn=admin,dc=buero,dc=danisch,dc=de
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword:: e1NTSEF9aUlUVXlxNE9ZWFFuZjA1ejhqem0yWnJpY09xaGxBc0Y=
structuralObjectClass: organizationalRole
entryUUID: 4f79fd9a-85aa-1037-9eea-1db94ae2a6d4
creatorsName: cn=admin,dc=buero,dc=danisch,dc=de
createTimestamp: 20180104145011Z
entryCSN: 20180104145011.841518Z#000000#000#000000
modifiersName: cn=admin,dc=buero,dc=danisch,dc=de
modifyTimestamp: 20180104145011Z
and
olcRootDN: cn=admin,dc=buero,dc=danisch,dc=de
olcRootPW:: e1NTSEF9aUlUVXlxNE9ZWFFuZjA1ejhqem0yWnJpY09xaGxBc0Y=
that contains an admin password without me ever having set it or having a
randomly generated one.
Since I do not see how to cleanly change this with ldapmodify, I do
not see an option to remove this all and restart with an old-style
slapd.conf.
regards
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1742123/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
