Recovering openLDAP rootdn

William Muriithi william.muriithi-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org
Sun Dec 4 16:48:59 UTC 2011


Andrew,

Thanks for the response.

> The password for the rootdn account is specified in the configuration
> itself; it's the rootpw option. Use slappasswd to generate a new hashed
> password.
Actually, with openLDAP 2.4 it's also possible to store it in the back
end with the other user information, and that is where it gets tricky. That
happens to be my current case: we're using the slapd.conf file (the old
way of setting up openLDAP), but there is no password in the
configuration file. That's the first thing I checked. Really
confused, I researched and realized one can now also save it in the
backend. ldapsearch, which does not require a password for binding, does dump
that super root user, which confirmed my hypothesis.
>
> If you are using the slapd.conf file, just change the rootpw option and
> restart.
>
> If you are using the slapd.d "configuration system", and you are sure your
> slapd.conf is up-to-date, you can change the rootpw option and run slaptest
> -f slapd.conf -F slapd.d
>
> If you have write access to your cn=config database via LDAP, then you can
> change the password in there. Look for the olcRootPW attribute
>
> Otherwise, you'll have to find the proper olcRootPW entry in your slapd.d
> configuration, e.g. slapd.d/cn=config/olcDatabase={1}hdb.ldif, and update the
> olcRootPW attribute with a Base64-encoded slappasswd password that you
> generated before.
Hmm, I just actually learned something here. I was initially
introducing olcRootPW without encoding it and slapd would refuse to
accept it. It eventually worked when I used the ldapadd utility, but
now that you mention it, maybe I could have modified it directly
through vim.
>
>
> Hope it's not too late.
>
Actually, I chickened out and did not change it on the old openLDAP.
The way I went around it: I set up a new openLDAP from scratch and
initially configured it as a slave. Later, I configured both as
master-master, and when I need to make a change with ldapmodify, I just do it
on the new openLDAP and it's replicated to the old slapd.
Inefficient, I know, but I was not confident making any change I would
not know how to revert.

And the new openLDAP configuration is just a pain. It took me two
weeks to figure out how to set one up fresh without using slaptest
to convert the old configuration to the new configuration. I am afraid
these guys just managed to make the learning curve steeper.
>
> Andrew
William
--
The Toronto Linux Users Group.      Meetings: http://gtalug.org/
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists
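The two password-handling details the thread turns on (the hash slappasswd produces, and the double-colon Base64 form that the same value takes inside slapd.d/cn=config/olcDatabase={1}hdb.ldif, which is why a bare olcRootPW line pasted into that file is refused) are easy to get wrong by hand. The following is an added example, not code from William, Andrew or the OpenLDAP project. It assumes the default slappasswd scheme, {SSHA}, whose layout is "{SSHA}" followed by base64(SHA1(password || salt) || salt) with a 4-byte salt; the database DN olcDatabase={1}hdb,cn=config is the one named in the quoted advice; the password and salt are constructed sample values.

```python
import base64
import hashlib
import hmac
import os

# Constructed sample values for this example only.
SAMPLE_PASSWORD = "correct horse battery staple"
SAMPLE_SALT = b"\x01\x02\x03\x04"            # fixed so the output is reproducible
DATABASE_DN = "olcDatabase={1}hdb,cn=config"   # DN from the quoted advice (assumption)


def ssha_hash(password, salt=None):
    """Build an {SSHA} value with the layout slappasswd emits by default:
    "{SSHA}" + base64( SHA1(password || salt) || salt )."""
    if salt is None:
        salt = os.urandom(4)   # 4 random bytes, as slappasswd uses
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password, stored):
    """Check a candidate password against an {SSHA} hash (constant-time compare)."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} hash")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]          # SHA-1 digest is 20 bytes; the rest is salt
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def rootpw_modify_ldif(database_dn, hashed):
    """LDIF that replaces olcRootPW on the database entry. Feed it to
    `ldapmodify -Y EXTERNAL -H ldapi:/// -f rootpw.ldif`; this only works if
    cn=config's olcAccess grants the local root user manage rights over ldapi."""
    return "\n".join([
        "dn: " + database_dn,
        "changetype: modify",
        "replace: olcRootPW",
        "olcRootPW: " + hashed,        # plain LDIF value: single colon, no extra encoding
        "",
    ])


def slapd_d_attribute_line(hashed):
    """The line as it appears inside slapd.d/cn=config/olcDatabase={1}hdb.ldif.
    A double colon marks a Base64-encoded LDIF value, so the {SSHA} string
    must be Base64-wrapped a second time before being pasted in by hand."""
    return "olcRootPW:: " + base64.b64encode(hashed.encode("ascii")).decode("ascii")


def decode_slapd_d_line(line):
    """Reverse of the above: recover the {SSHA} string from a slapd.d line,
    accepting either the '::' (Base64) or the ':' (plain) form."""
    if line.startswith("olcRootPW:: "):
        return base64.b64decode(line[len("olcRootPW:: "):]).decode("ascii")
    if line.startswith("olcRootPW: "):
        return line[len("olcRootPW: "):]
    raise ValueError("not an olcRootPW line")


if __name__ == "__main__":
    h = ssha_hash(SAMPLE_PASSWORD, SAMPLE_SALT)
    print(h)                                    # what slappasswd would print
    print(rootpw_modify_ldif(DATABASE_DN, h))   # what ldapmodify wants
    print(slapd_d_attribute_line(h))            # what the slapd.d file wants
```

In practice you would take the hash from `slappasswd -h '{SSHA}'` rather than generating it here; the example exists to show that the value in the ldapmodify LDIF and the value in the slapd.d file are the same hash in two encodings, and that a hand edit of slapd.d is only safe with slapd stopped.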