Bug 1144107 - After installing openldap-servers how to login without breaking checksum of the olc
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: openldap
Version: 20
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: ---
Assignee: Jan Synacek
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2014-09-18 16:40 UTC by dapoman
Modified: 2014-09-19 06:57 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-09-19 06:54:32 UTC
Type: Bug
Embargoed:



Description dapoman 2014-09-18 16:40:44 UTC
Description of problem:
When installing openldap-servers, you cannot access the predefined dc=my-example,dc=com database or the cn=config database, as they are not configured with passwords.

Two solutions exist. One is to add the line olcRootPassword: manually to olcDatabase={2}hdb.ldif, but my checks show that this breaks the checksum control of the configuration files.

The other solution is to go back to the deprecated way, using slapd.conf, which works but I think is not the preferred way.

Version-Release number of selected component (if applicable):

openldap-servers-2.4.39-4.fc20.x86_64

How reproducible:

Every time you install openldap-servers on the machine.


Steps to Reproduce:

yum install openldap-servers -y

ldapadd -x -Dcn=Manager,dc=my-example,dc=com -W
ERROR: No access without password (not quite the exact error output, but it is close)

[root@localhost ~]# ldapadd -x -Dcn=Manager,dc=my-domain,dc=com -W
Enter LDAP Password: 
ldap_bind: Invalid credentials (49)
[root@localhost ~]# ldapadd -x -Dcn=Manager,dc=my-domain,dc=com 
ldap_bind: Server is unwilling to perform (53)
	additional info: unauthenticated bind (DN with no password) disallowed



Actual results:

Failing because we don't have a password, and we cannot add a new database with a password into the existing files.

Expected results:

Using a default password so you can actually manage the slapd server, or maybe not generating default configuration so the user can define it himself.


Additional info:

Am I missing some form of documentation? I tried reading the man pages, /usr/share/doc/ and the internet, but I expected it to work a bit better.

Comment 1 Rich Megginson 2014-09-18 18:01:01 UTC
You can use slapcat to dump the cn=config database to an ldif file, edit the ldif file, then use slapadd to load the cn=config database from the ldif file.

Also, is our openldap server configured to allow the root user to use -Y EXTERNAL bind to the ldapi port?

Comment 2 Jan Synacek 2014-09-19 06:54:32 UTC
Yes, the server is configured so that you can use -Y EXTERNAL as root to manage configuration.

$ cat /tmp/change-rootpw.ldif 
dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: secret

$ sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/change-rootpw.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={2}hdb,cn=config"

$ sudo ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b "olcDatabase={2}hdb,cn=config" olcRootPW
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: olcDatabase={2}hdb,cn=config
olcRootPW: secret

Comment 3 Jan Synacek 2014-09-19 06:57:01 UTC
The default bugzilla wrapping is unfortunate... Note that the "olcRootPW" string is part of the last command, not part of its output.

