obscure slapd configuration
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
openldap (Ubuntu) |
Expired
|
Undecided
|
Unassigned |
Bug Description
Hi,
the openldap server slapd comes with two configuration options, the old one based on slapd.conf, and a new one based on ldifs.
The debian/ubuntu package performs some obscure magic to generate a ldif based config in /etc/slapd/slapd.d, but does not provide any hint or documentation about how to change/adjust it. E.g. if the package was installed non-interactively through puppet or ansible, it is not obvious where the root password comes from or how to change it or how to re-setup.
Furthermore it is a security gap to create something like
dn: dc=buero,
objectClass: top
objectClass: dcObject
objectClass: organization
o: buero.danisch.de
dc: buero
structuralObjec
entryUUID: 4f765744-
creatorsName: cn=admin,
createTimestamp: 20180104145011Z
entryCSN: 20180104145011.
modifiersName: cn=admin,
modifyTimestamp: 20180104145011Z
dn: cn=admin,
objectClass: simpleSecurityO
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword:: e1NTSEF9aUlUVXl
structuralObjec
entryUUID: 4f79fd9a-
creatorsName: cn=admin,
createTimestamp: 20180104145011Z
entryCSN: 20180104145011.
modifiersName: cn=admin,
modifyTimestamp: 20180104145011Z
and
olcRootDN: cn=admin,
olcRootPW:: e1NTSEF9aUlUVXl
that contains an admin password without me ever having set it or having a randomly generated one.
Since I do not see how to cleanly change this with ldapmodify, I do not see an option to remove this all and restart with an old-style slapd.conf.
regards
Thanks for taking the time to file a bug
> E.g. if the package was installed non-interactively through puppet or
> ansible, it is not obvious where the root password comes from or how
> to change it or how to re-setup.
Per Debian bug #134774, a change was made to generate a random one if a password cannot be provided (e.g. non-interactive mode), here is the change log entry:
* If can not get a password for the admin entry when installing slapd
generate one randomly. Closes: Bug#134774
A "normal" cli install would involve the following:
$ apt update
$ apt install slapd
<user get's prompted for Administrator password and to confirm it>
To find your hashed password, but also RootDN info for use the following: {1}mdb, cn=config /PkFITcYX87C6RJ 1sLAh8/ CulOS78
$ ldapsearch -H ldapi:// -LLL -Q -Y EXTERNAL -b "cn=config" "(olcRootDN=*)" dn olcRootDN olcRootPW
dn: olcDatabase=
olcRootDN: cn=admin,dc=lxd
olcRootPW: {SSHA}6l+
To confirm the password:
$ ldapsearch -h localhost -D "cn=admin,dc=lxd" -W
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# search result
search: 2
result: 32 No such object
# numResponses: 1
If your password was incorrect you would get the following instead:
ldap_bind: Invalid credentials (49)
Of course a random password, let alone hashed password does not do you any good. To allow the use of some non-interactive mode the selection can be set before hand using debconf- set-selections: adminpw password password" | debconf- set-selections set-selections set-selections
$ echo "slapd slapd/internal/
$ echo "slapd slapd/password1 password password" | debconf-
$ echo "slapd slapd/password2 password password" | debconf-
$ apt update
$ apt install slapd
Then repeated the above to verify that my password was in fact set correctly.
If instead you want to reset the admin password after the random one was generated you can do the following: QP58Xotj6s38cVL OxZh/jsZ7W8scVT {1}mdb, cn=config QP58Xotj6s38cVL OxZh/jsZ7W8scVT 0+uidNumber= 0,cn=peercred, cn=external, cn=auth {1}mdb, cn=config"
$ ldapsearch -H ldapi:// -LLL -Q -Y EXTERNAL -b "cn=config" "(olcRootDN=*)" dn olcRootDN olcRootPW | tee password.ldif
$ slappasswd -h {SSHA}
New password:
Re-enter new password:
{SSHA}y/
# Modify the password.ldif by removing dn, add changetype and replace lines, and adding the new password
$ cat password.ldif
dn: olcDatabase=
changetype: modify
replace: olcRootPW
olcRootPW: {SSHA}y/
$ ldapmodify -H ldapi:// -Y EXTERNAL -f ~/password.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=
SASL SSF: 0
modifying entry "olcDatabase=
Then confirm the password as stated previously.