Thanks for taking the time to file a bug > E.g. if the package was installed non-interactively through puppet or > ansible, it is not obvious where the root password comes from or how > to change it or how to re-setup.
Per Debian bug #134774, a change was made to generate a random one if a password cannot be provided (e.g. non-interactive mode), here is the change log entry: * If can not get a password for the admin entry when installing slapd generate one randomly. Closes: Bug#134774 A "normal" cli install would involve the following: $ apt update $ apt install slapd <user get's prompted for Administrator password and to confirm it> To find your hashed password, but also RootDN info for use the following: $ ldapsearch -H ldapi:// -LLL -Q -Y EXTERNAL -b "cn=config" "(olcRootDN=*)" dn olcRootDN olcRootPW dn: olcDatabase={1}mdb,cn=config olcRootDN: cn=admin,dc=lxd olcRootPW: {SSHA}6l+/PkFITcYX87C6RJ1sLAh8/CulOS78 To confirm the password: $ ldapsearch -h localhost -D "cn=admin,dc=lxd" -W Enter LDAP Password: # extended LDIF # # LDAPv3 # base <> (default) with scope subtree # filter: (objectclass=*) # requesting: ALL # # search result search: 2 result: 32 No such object # numResponses: 1 If your password was incorrect you would get the following instead: ldap_bind: Invalid credentials (49) Of course a random password, let alone hashed password does not do you any good. To allow the use of some non-interactive mode the selection can be set before hand using debconf-set-selections: $ echo "slapd slapd/internal/adminpw password password" | debconf-set-selections $ echo "slapd slapd/password1 password password" | debconf-set-selections $ echo "slapd slapd/password2 password password" | debconf-set-selections $ apt update $ apt install slapd Then repeated the above to verify that my password was in fact set correctly. If instead you want to reset the admin password after the random one was generated you can do the following: $ ldapsearch -H ldapi:// -LLL -Q -Y EXTERNAL -b "cn=config" "(olcRootDN=*)" dn olcRootDN olcRootPW | tee password.ldif $ slappasswd -h {SSHA} New password: Re-enter new password: {SSHA}y/QP58Xotj6s38cVLOxZh/jsZ7W8scVT # Modify the password.ldif by removing dn, add changetype and replace lines, and adding the new password $ cat password.ldif dn: olcDatabase={1}mdb,cn=config changetype: modify replace: olcRootPW olcRootPW: {SSHA}y/QP58Xotj6s38cVLOxZh/jsZ7W8scVT $ ldapmodify -H ldapi:// -Y EXTERNAL -f ~/password.ldif SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 modifying entry "olcDatabase={1}mdb,cn=config" Then confirm the password as stated previously. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openldap in Ubuntu. https://bugs.launchpad.net/bugs/1742123 Title: obscure slapd configuration Status in openldap package in Ubuntu: Incomplete Bug description: Hi, the openldap server slapd comes with two configuration options, the old one based on slapd.conf, and a new one based on ldifs. The debian/ubuntu package performs some obscure magic to generate a ldif based config in /etc/slapd/slapd.d, but does not provide any hint or documentation about how to change/adjust it. E.g. if the package was installed non-interactively through puppet or ansible, it is not obvious where the root password comes from or how to change it or how to re-setup. Furthermore it is a security gap to create something like dn: dc=buero,dc=danisch,dc=de objectClass: top objectClass: dcObject objectClass: organization o: buero.danisch.de dc: buero structuralObjectClass: organization entryUUID: 4f765744-85aa-1037-9ee9-1db94ae2a6d4 creatorsName: cn=admin,dc=buero,dc=danisch,dc=de createTimestamp: 20180104145011Z entryCSN: 20180104145011.817411Z#000000#000#000000 modifiersName: cn=admin,dc=buero,dc=danisch,dc=de modifyTimestamp: 20180104145011Z dn: cn=admin,dc=buero,dc=danisch,dc=de objectClass: simpleSecurityObject objectClass: organizationalRole cn: admin description: LDAP administrator userPassword:: e1NTSEF9aUlUVXlxNE9ZWFFuZjA1ejhqem0yWnJpY09xaGxBc0Y= structuralObjectClass: organizationalRole entryUUID: 4f79fd9a-85aa-1037-9eea-1db94ae2a6d4 creatorsName: cn=admin,dc=buero,dc=danisch,dc=de createTimestamp: 20180104145011Z entryCSN: 20180104145011.841518Z#000000#000#000000 modifiersName: cn=admin,dc=buero,dc=danisch,dc=de modifyTimestamp: 20180104145011Z and olcRootDN: cn=admin,dc=buero,dc=danisch,dc=de olcRootPW:: e1NTSEF9aUlUVXlxNE9ZWFFuZjA1ejhqem0yWnJpY09xaGxBc0Y= that contains an admin password without me ever having set it or having a randomly generated one. Since I do not see how to cleanly change this with ldapmodify, I do not see an option to remove this all and restart with an old-style slapd.conf. regards To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1742123/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp