| Summary: | no root password in new-style config | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Dimitri Maziuk <dmaziuk> |
| Component: | openldap | Assignee: | Jan Vcelak <jvcelak> |
| Status: | CLOSED NOTABUG | QA Contact: | BaseOS QE Security Team <qe-baseos-security> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 6.0 | CC: | jplans, jvcelak, rvokal, tsmetana |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | x86_64 | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2011-08-11 16:22:01 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
Description
Dimitri Maziuk
2011-06-03 21:14:10 UTC
Please use the latest OpenLDAP package available in RHEL 6. Anyway, I'm unable to reproduce the issue with both openldap-servers-2.4.19-15.el6_0.2.x86_64 and openldap-servers-2.4.23-15.el6.x86_64:

```
# service slapd stop
Stopping slapd: [ OK ]
# cd /etc/openldap
# grep ^root slapd.conf.bak
rootdn "cn=Manager,dc=my-domain,dc=com"
rootpw secret
# rm -rf slapd.d
# mkdir slapd.d
# slaptest -f slapd.conf.bak -F slapd.d
config file testing succeeded
# grep ^olcRoot slapd.d/cn\=config/olcDatabase\=\{1\}bdb.ldif
olcRootDN: cn=Manager,dc=my-domain,dc=com
olcRootPW:: c2VjcmV0
# chown -R ldap: slapd.d
# service slapd start
Starting slapd: [ OK ]
# ldapsearch -LLL -x -D "cn=Manager,dc=my-domain,dc=com" -w secret
dn: dc=my-domain,dc=com
objectClass: dcObject
objectClass: organization
o: xx
dc: my-domain
```

Please, can you double check?
It seems if you wipe out slapd.d completely, do the slaptest -f slapd.conf.bak -F slapd.d, then chown -R ldap:ldap slapd.d, it will work.
As a naive root user (well, you can't `su - ldap` anyway), from a clean slate:

```
[root@rendena etc]# yum install openldap-servers
...
Installing : openldap-servers-2.4.19-15.el6_0.2.x86_64
...
[root@rendena openldap]# yum install openldap-clients
...
Installing : openldap-clients-2.4.19-15.el6_0.2.x86_64
...
[root@rendena etc]# cd openldap
[root@rendena openldap]# slappasswd -s 'temp123'
{SSHA}C3MiVoyqm9KOgxQ/r0CdiJ7Mj3iAx4aw
[root@rendena etc]# vi slapd.conf.bak
-- changed:
suffix "dc=nmrfam,dc=wisc,dc=edu"
rootdn "cn=Manager,dc=nmrfam,dc=wisc,dc=edu"
rootpw {SSHA}C3MiVoyqm9KOgxQ/r0CdiJ7Mj3iAx4aw
-- (since "secret" and "My-domain.com" aren't useful to anyone)
[root@rendena openldap]# slaptest -f slapd.conf.bak -F slapd.d
config file testing succeeded
[root@rendena openldap]# service slapd start
Starting slapd: [ OK ]
[root@rendena openldap]# ldapsearch -LL -x -D "cn=Manager,dc=nmrfam,dc=wisc,dc=edu" -w 'temp123'
ldap_bind: Invalid credentials (49)
[root@rendena openldap]# grep ^olcRoot slapd.d/cn\=config/olcDatabase\=\{1\}bdb.ldif
olcRootDN: cn=Manager,dc=my-domain,dc=com
```
The purpose of "slaptest -f slapd.conf -F slapd.d" is to convert the old-style configuration to the new one. It cannot be used for updating the configuration. For this purpose, ldapmodify can be used (cn=config root). When slapd.d is empty, attribute olcRootPW is created and set correctly. Therefore I am closing this report as NOTABUG.
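An added check, not from the bug report or the openldap package, that makes the failure mode above concrete: it compares the rootdn in an old-style slapd.conf against the olcRootDN that actually landed in the converted slapd.d LDIF, and classifies the stored olcRootPW, since the `::` in `olcRootPW:: c2VjcmV0` is only LDIF base64 encoding of a cleartext password, not a hash. It assumes a POSIX sh with GNU `base64`; the sample files are constructed from the values quoted in this report.

```shell
#!/bin/sh
# Added check (not from the bug report): does the root identity in an old-style
# slapd.conf match what is actually in the converted slapd.d LDIF? slaptest -F
# into a non-empty slapd.d leaves the existing LDIF alone, so rootdn/rootpw
# edits made in slapd.conf never reach the running server.

# Value of a slapd.conf directive (rootdn, rootpw, suffix), surrounding quotes stripped.
conf_value() {   # conf_value <directive> <slapd.conf>
    sed -n "s/^$1[[:space:]]\{1,\}//p" "$2" | head -n 1 | sed 's/^"//; s/"$//'
}

# Decoded value of an LDIF attribute. A "::" separator means base64 in LDIF;
# it is encoding only ("c2VjcmV0" is just "secret"), not a password hash.
ldif_value() {   # ldif_value <attribute> <file.ldif>
    line=$(grep "^$1:" "$2" | head -n 1)
    case "$line" in
        "$1:: "*) printf '%s' "${line#"$1:: "}" | base64 -d ;;
        "$1: "*)  printf '%s' "${line#"$1: "}" ;;
    esac
}

# "hashed" for a {SCHEME}... value, "cleartext" for anything else, "missing" if absent.
rootpw_kind() {  # rootpw_kind <file.ldif>
    case "$(ldif_value olcRootPW "$1")" in
        '')       echo missing ;;
        '{'*'}'*) echo hashed ;;
        *)        echo cleartext ;;
    esac
}

# Succeeds only when slapd.conf and the converted LDIF agree on the rootdn.
rootdn_in_sync() {   # rootdn_in_sync <slapd.conf> <file.ldif>
    [ "$(conf_value rootdn "$1")" = "$(ldif_value olcRootDN "$2")" ]
}

# Constructed sample files mirroring the report: slapd.conf was edited, slapd.d is stale.
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/slapd.conf" <<'EOF'
suffix "dc=nmrfam,dc=wisc,dc=edu"
rootdn "cn=Manager,dc=nmrfam,dc=wisc,dc=edu"
rootpw {SSHA}C3MiVoyqm9KOgxQ/r0CdiJ7Mj3iAx4aw
EOF
cat > "$tmp/stale.ldif" <<'EOF'
olcRootDN: cn=Manager,dc=my-domain,dc=com
olcRootPW:: c2VjcmV0
EOF
rootdn_in_sync "$tmp/slapd.conf" "$tmp/stale.ldif" || echo "slapd.d is stale: rerun slaptest into an empty slapd.d"
echo "stored root password is $(rootpw_kind "$tmp/stale.ldif")"
```

Run against a real `/etc/openldap/slapd.d/cn=config/olcDatabase={1}bdb.ldif` (as root, since slapd.d is owned by ldap) to see whether an edited slapd.conf ever took effect.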