Change default admin password in ApacheDS - ldap

I am new to ApacheDS; I am using apacheds-2.0.0-M17.
The default password for admin is secret.
Does anyone know where I can change the value to something else?
Inside:
apacheds/instances/default/conf/config.ldif
Found the following entry:
ads-pwdattribute: userPassword
When googling it, there are a lot of examples that mention doing it using Apache Directory Studio but the particular instance I am trying to configure is running in a Linux shell in a headless (no UI) mode.
I tried using the following command with ldapmodify and the cursor hangs (keeps blinking) after pressing Enter. I even tried prepending it with sudo and the same thing happens.
ldapmodify -H ldap://localhost:10389 -D "uid=admin,ou=system" -x -w secret
Does anyone know why it hangs?
What am I possibly doing wrong?
Thanks again,
James

Changing the admin account password is documented in the ApacheDS documentation.
ldapmodify, if not given a file to process with the -f parameter, waits for input on standard input, where it expects an LDIF-formatted file with the modifications to perform.
In your case such a LDIF file would look something like:
dn: uid=admin,ou=system
changetype: modify
replace: userPassword
userPassword: new-password

BTW, you can still use Apache Directory Studio (or any other graphical LDAP client) to make this change, even if your directory is running on a headless server. LDAP is, after all, a network protocol. Just run the LDAP client on a local machine and connect over the network to your server. (Of course, I leave it to you to figure out if you have to open up some firewall rules or whatever.)

dn: uid=admin,ou=system
changetype: modify
replace: userPassword
userPassword: new-password
-
After each modification, you need to add the terminating "-"!

Related

How to add rights to a user with olcAccess, in OpenLDAP 2.4

I have an OpenLDAP server 2.4 running in my company and I need to permit people to change their picture in one of our web applications.
The function is already present. People in LDAP just don't have any rights to write their own attributes (especially the "jpegPhoto" attribute needed here).
I found this in the documentation:
access to attrs=jpegPhoto
by self =xw
by * read
I don't know how to use these lines. What command to use, or something else?
If someone could help me with the way to proceed, that would be great.
Thanks
The modifications you need to apply are simple, if you are using slapd.conf as the server configuration file, and a bit more complicated if you are using the new cn=config layout. Be careful, anyway, that:
The older style slapd.conf(5) file is still supported, but its use is deprecated and support for it will be withdrawn in a future OpenLDAP release.
as stated in the OpenLDAP documentation.
1) cn=config layout
You need to modify the configuration for the database you are using. Your OpenLDAP server may contain multiple databases, but you are interested only in the one that stores people data and their pictures. To list all your available databases, use:
slapcat -b cn=config
This command must be executed from the OpenLDAP server. It will read the file named cn=config.ldif in your slapd configuration directory. In my case, it is located in
/usr/local/etc/openldap/slapd.d/cn=config.ldif
Be careful that slapcat -b cn=config will work only if the shell user can read this file. In my case, the file is
-rw------- 1 ldap ldap 680 10 mar 21:04 /usr/local/etc/openldap/slapd.d/cn=config.ldif
It belongs to user ldap, group ldap (they have been created during the OpenLDAP server installation). I have never set a password for user ldap, so:
tl;dr a way to read this file and to successfully run slapcat -b cn=config is to be root.
The output of slapcat -b cn=config is huge, but you can consider the last lines only, where the database you are interested in is listed. For example, it could be
dn: olcDatabase={1}mdb,cn=config
This is, for example, the Distinguished Name (dn) of the database containing users pictures. You want to allow users to change their pictures.
You can modify the database configuration running (similarly to the previous case, you need write permissions on the file cn=config.ldif, so you could be root as before):
ldapmodify -f /path/to/yourfile -x -D "cn=config" -W
-f /path/to/yourfile is your configuration file (see below);
-x is Simple Authentication, it is needed if you are not using SASL;
-D "cn=config" is the username you are using to enter the OpenLDAP database. There is usually a super-user for each single database (frequently called Manager), and a global super-user. The user named cn=config is the global super-user. You should have configured its password during the OpenLDAP server installation; if you don't have this password, you might not be able to modify the database configuration;
-W asks you to type the password for the user cn=config.
The configuration file, located in /path/to/yourfile, must be a plain text file formatted as follows:
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: to attrs=jpegPhoto
  by self write
  by * read
I would suggest you prefer by self write over by self =xw (which would not permit users to read their pictures). Be careful to put two spaces before by, as stated in this answer.
You can now run slapcat -b cn=config again to check whether the configuration has been modified, and also whether the olcAccess statements are in the correct order. If not, you can delete them and add them again, knowing that each new olcAccess specification will automatically be put after the preceding ones.
2) slapd.conf layout
If you are using the old slapd.conf configuration file, you simply need the write permissions to it. Usually it is:
-rw------- 1 ldap ldap 2557 Dec 15 2016 slapd.conf
So, you can open it as root, with your preferred text editor. Identify the database section you want to modify (for example the one beginning with:
database mdb
maxsize 1073741824
suffix "dc=example,dc=com"
rootdn "cn=Manager,dc=example,dc=com"
and simply add your lines at the bottom of this section, being careful if other access statements are already present. Again, I would suggest to use by self write instead of self =xw.
Regardless of your configuration, restart the OpenLDAP server (process slapd) after your modifications.
If you need further examples and/or clarifications, please consider:
A cn=config configuration example;
Access Control for OpenLDAP databases;
the OpenLDAP site, with the whole documentation.
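Added example, not code from the answer above nor from OpenLDAP itself: a Python script that parses a `slapcat -b cn=config` export (folded lines and base64 `::` values included), lists each database's olcAccess rules in their {n} evaluation order, and flags the two problems the answer discusses: `by self =xw`, which leaves the user unable to read the attribute back, and a catch-all `to *` rule placed before a more specific one, which slapd never reaches because it stops at the first matching `to` clause. The LDIF it parses is a constructed sample; replace SAMPLE_LDIF with your real slapcat output to audit a live server.

```python
"""Audit olcAccess order in a `slapcat -b cn=config` export.

Added example, not code from any answer above. It parses the LDIF that
slapcat prints (folded lines and base64 `::` values included), groups the
olcAccess values of each olcDatabase entry in their {n} order, and flags
`by self =xw` (no read access for the user) and a catch-all `to *` rule
placed before a more specific one (slapd evaluates rules in order and
stops at the first `to` clause that matches, so the later rule is dead).
"""
import base64
import re

# Constructed sample in the shape of slapcat -b cn=config output (not real data).
_B64_RULE = base64.b64encode(b"{1}to attrs=jpegPhoto by self =xw by * read").decode()
SAMPLE_LDIF = """\
dn: cn=config
objectClass: olcGlobal
cn: config

dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external
 ,cn=auth manage by * break

dn: olcDatabase={1}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {1}mdb
olcSuffix: dc=example,dc=com
olcAccess: {0}to * by * read
olcAccess:: """ + _B64_RULE + "\n"


def parse_ldif(text):
    """Return [(dn, {attr: [values]})] for each entry in an LDIF text."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:      # RFC 2849 line folding
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    entries, dn, attrs = [], None, {}
    for line in unfolded + [""]:                   # trailing "" flushes the last entry
        if not line:
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, {}
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):                  # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if name == "dn":
            dn = value
        else:
            attrs.setdefault(name, []).append(value)
    return entries


_INDEX = re.compile(r"^\{(\d+)\}(.*)$")
_TO = re.compile(r"^to\s+(\S+)")
_SELF = re.compile(r"\bby\s+self\s+(\S+)")


def database_acls(ldif_text):
    """Map each olcDatabase DN to its olcAccess rules in evaluation order."""
    result = {}
    for dn, attrs in parse_ldif(ldif_text):
        if "olcDatabase" not in attrs:
            continue
        rules = []
        for pos, value in enumerate(attrs.get("olcAccess", [])):
            m = _INDEX.match(value)
            rules.append((int(m.group(1)), m.group(2)) if m else (pos, value))
        result[dn] = [body for _, body in sorted(rules)]
    return result


def audit_acls(rules):
    """Return human-readable warnings for one database's ordered rules."""
    warnings, catch_all_seen = [], False
    for pos, rule in enumerate(rules):
        m = _TO.match(rule)
        target = m.group(1) if m else "?"
        if catch_all_seen:
            warnings.append(f"rule {pos} ({target}) is shadowed by an earlier 'to *'")
        # A 'to *' without 'break' ends evaluation for every entry; later rules are dead.
        if target == "*" and "break" not in rule:
            catch_all_seen = True
        s = _SELF.search(rule)
        if s and s.group(1).startswith("=") and "r" not in s.group(1):
            warnings.append(f"rule {pos} ({target}) gives self {s.group(1)}: no read access")
    return warnings


if __name__ == "__main__":
    for dn, rules in database_acls(SAMPLE_LDIF).items():
        print(dn)
        for pos, rule in enumerate(rules):
            print(f"  {{{pos}}}{rule}")
        for w in audit_acls(rules):
            print("  WARNING:", w)
```

Running it against the sample reports both warnings for olcDatabase={1}mdb: the jpegPhoto rule was appended after `to * by * read`, so it is never evaluated, and `=xw` gives no read. The fix is the answer's advice: delete and re-add the rules in the right order, using `by self write`.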

Howto make editing OpenLDAP Schema possible with cn=config Backend and without ldapmodify?

I'm trying to set up an OpenLDAP server to manage a central address book which will primarily be used in MS Outlook. Still wondering why there is still no out-of-the-box schema which provides all necessary fields, I'm stuck with the new cn=config backend.
I have no slapd.conf, as all information is stored in the new backend. It's said that I have to use ldapmodify to make changes to the configuration and schema files. It is very inconvenient for me to do all the changes on the CLI; I want to know how to change the standard configuration to be able to make such modifications with an LDAP tool of my choice on a remote machine.
At the moment, the only ways to modify the configuration are:
editing the data files while slapd is not executed
using ldapmodify with external authentication (e.g. ldapmodify -Y EXTERNAL -H ldapi:/// -f modifications.ldif)
Neither method is what I want.
I tried to modify the config-backend-files to make it possible, but simply adding a RootPW didn't do the trick. Any help is appreciated!
It isn't "said [you] have to use ldapmodify" at all. You can use any LDAP client to modify the configuration. There are many:
JXplorer,
Userbooster,
...
Adding the olcRootPW to the entry dn: olcDatabase={0}config,cn=config should work.
If it still does not work, try to
slapcat the cn=config database to /path/to/file/slapd.conf.ldif (for example)
Modify the entry dn: olcDatabase={0}config,cn=config to add the attribute olcRootPW: YourPassword
slapadd the modified LDIF : slapadd -F /etc/ldap/slapd.d -b cn=config -l /path/to/file/slapd.conf.ldif
Everything needs to be done while slapd is stopped.

How to make ldappasswd use {SHA} instead of {SSHA} for users passwords in openldap?

Is it possible to use {SHA} with ldappasswd? I didn't find a corresponding option in the manual page or docs.
Look for password-hash in slapd.conf(5), or for olcPasswordHash in slapd-config(5).
I know that's an old post but I found another solution for this problem.
This solution works for Apache Directory servers (for org.apache implementation classes, but I think you can find interceptors for each openldap).
If you want to use SHA hashing by default when using ldappasswd, you can change the interceptor implementation for passwords.
You have to modify the following DN entry:
ads-interceptorId=passwordHashingInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
And change the value:
ads-interceptorclassname: org.apache.directory.server.core.hash.ShaPasswordHashingInterceptor
By default, openldap is using:
ads-interceptorclassname: org.apache.directory.server.core.hash.SshaPasswordHashingInterceptor
Command to modify:
ldapmodify -h <LDAP_HOST> -p <LDAP_PORT> -D "<ADMIN_DN>" -w "<ADMIN_PASSWORD>" <<EOF
dn: ads-interceptorId=passwordHashingInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
changetype: modify
replace: ads-interceptorclassname
ads-interceptorclassname: org.apache.directory.server.core.hash.ShaPasswordHashingInterceptor
EOF
Then you have to restart your LDAP server. All new passwords added by ldappasswd will be in SHA and not in SSHA.
Note:
You can use another interceptor provided by Apache:
http://directory.apache.org/apacheds/advanced-ug/1.4-interceptors.html#existing-interceptors
Javadoc:
https://directory.apache.org/apacheds/gen-docs/2.0.0-M20/apidocs/org/apache/directory/server/core/hash/package-tree.html
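Added example, not code from either answer above nor from OpenLDAP or ApacheDS: Python that builds {SHA} and {SSHA} userPassword values in the form slappasswd and the ApacheDS hashing interceptors store them, verifies a password against either, and shows what the switch to the Sha interceptor gives up: {SHA} is unsalted, so every account with the same password stores the identical value. The ssha_hash() output is also the value to put in olcRootPW for the cn=config question earlier on this page, rather than a cleartext password. The 8-byte salt length and the sample password "secret" (the ApacheDS default from the first question) are assumptions of the example.

```python
"""{SHA} versus {SSHA} userPassword values.

Added example, not code from the answers above. It builds both schemes the
way slappasswd / the ApacheDS hashing interceptors store them (base64 of the
raw SHA-1 digest; for {SSHA} the salt is appended to the digest before
encoding), verifies a password against either form, and shows the cost of
switching to {SHA}: it is unsalted, so every account with the same password
stores the identical value and one cracked hash opens all of them, whereas
{SSHA} values differ per account.
"""
import base64
import hashlib
import hmac
import os

DIGEST_LEN = 20  # SHA-1 digest size; everything after it in {SSHA} is the salt


def sha_hash(password):
    """Unsalted {SHA} value: base64(sha1(password))."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def ssha_hash(password, salt=None):
    """Salted {SSHA} value: base64(sha1(password + salt) + salt)."""
    if salt is None:
        salt = os.urandom(8)  # assumption: 8 random bytes (slappasswd uses 4; any length works)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify(password, stored):
    """Check a cleartext password against a {SHA} or {SSHA} stored value."""
    scheme, _, payload = stored.partition("}")
    scheme = scheme.lstrip("{").upper()
    raw = base64.b64decode(payload)
    pw = password.encode("utf-8")
    if scheme == "SHA":
        return hmac.compare_digest(hashlib.sha1(pw).digest(), raw)
    if scheme == "SSHA":
        digest, salt = raw[:DIGEST_LEN], raw[DIGEST_LEN:]
        return hmac.compare_digest(hashlib.sha1(pw + salt).digest(), digest)
    raise ValueError(f"unsupported scheme {{{scheme}}}")


def shared_password_exposure(password):
    """Two accounts with the same password: do their stored values match?"""
    return {
        "sha_values_identical": sha_hash(password) == sha_hash(password),
        "ssha_values_identical": ssha_hash(password) == ssha_hash(password),
    }


if __name__ == "__main__":
    # "secret" is the ApacheDS default admin password from the first question on this page.
    print(sha_hash("secret"))
    print(ssha_hash("secret"))
    print(shared_password_exposure("secret"))
```

The {SHA} value for "secret" is the same on every server in the world, which is exactly why it appears in precomputed hash tables; {SSHA} only costs the attacker one SHA-1 per guess per account, so it is the weaker of the two salted options slapd offers, but still strictly better than {SHA}.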

Phpldapadmin does not work for an unknown reason

I'm trying to install LDAP. I've installed slapd and the phpLDAPadmin tool on Debian, but when I'm logged in, I cannot do anything. Even though I've logged in as 'cn=admin,dc=barbucha', I see on the right side, instead of the tree:
Logged in as: dc=example,dc=com
This base cannot be created with PLA.
I tried Google, but this error seems to be a rare one. I've created a database that 'cn=admin,dc=barbucha' is in. (Otherwise I could not use the name to log in.)
This happens quite rarely. For an unknown reason the configuration process didn't get data from the LDAP server and didn't set proper values in the /etc/phpldapadmin/config.php script. Somewhere near line 300 two important lines were generated erroneously:
$servers->setValue('server','base',array('dc=example,dc=com'));
$servers->setValue('login','bind_id','cn=admin,dc=example,dc=com');
phpLDAPadmin uses these settings to access the LDAP database regardless of the login name you've logged in with. Updating these lines helped:
$servers->setValue('server','base',array('dc=barbucha'));
$servers->setValue('login','bind_id','cn=admin,dc=barbucha');
Probably you should add an LDAP root first:
create a file in /etc/openldap/
vim /etc/openldap/base.ldif
then input:
dn: dc=em,dc=com
dc: em
o: RDCenter
objectclass: dcObject
objectclass: organization
(the dc: em line is needed because slapd requires the naming attribute of the RDN to be present in the entry)
and run this command in that directory:
ldapadd -f base.ldif -x -D cn=Admin,dc=em,dc=com -W
Enter your password, and the root node will be added.
Reopen phpLDAPadmin and you will find everything works.

change distinguished name format in OpenLDAP

I have the following problem: I have installed an OpenLDAP server in which, in the people/users tree, the distinguished names have the following format:
Distinguished Name: cn=Luigi Rossi,ou=people,dc=prisma,dc=local
The problem is I wish to replace it using the uid (a.k.a. the account username) instead of the CN, in order to have something like this:
Distinguished Name: uid=lrossi,ou=people,dc=prisma,dc=local
I need this because I'm configuring LDAP authentication for Alfresco Community 4.0.d and it needs the username:
ldap.authentication.userNameFormat=uid=%s,ou=people,dc=prisma,dc=local
Any help?
It's an old post but I ran into this myself. The answer was actually pretty simple. If you're using phpldapadmin to create accounts, you need to edit the posixAccount template. Look for the <rdn></rdn> tags. Replace the cn with uid and save. Your accounts will now be created with a DN in the "uid=%s,dc=example,dc=com" form instead of "cn=%s,dc=example,dc=com"
http://phpldapadmin.sourceforge.net/wiki/index.php/Templates#Template_Header_Configuration
Use the modify DN LDAP request (in this case using the legacy OpenLDAP ldapmodify tool):
The uid attribute may need to be added:
ldapmodify -h host -p port -D bind-dn -w password <<!
dn: cn=Luigi Rossi,ou=people,dc=prisma,dc=local
changetype: modify
add: uid
uid: lrossi
!
ldapmodify -h host -p port -D bind-dn -w password <<!
dn: cn=Luigi Rossi,ou=people,dc=prisma,dc=local
changetype: moddn
# newrdn takes the new RDN only, not the full DN; the entry stays under ou=people
newrdn: uid=lrossi
# keep cn: person/inetOrgPerson require it, so deleting the old RDN value would fail
deleteoldrdn: 0
!
see also
LDAP: modify DN
How to do this per object (not changing the format globally) in phpLDAPadmin:
click on the object in the hierarchy on the left to show up on the right
the title of the object is shown as: cn=Luigi Rossi
the subtitle just below contains "Distinguished Name: cn=Luigi Rossi,ou=people,dc=prisma,dc=local"
now click on "Rename" link just 4 lines below
change value "cn=Luigi Rossi" to "uid=lrossi"
that's it.
Worth mentioning is the ldapmodrdn tool, which e.g. in Debian is part of the ldap-utils package. It can read a simple file where the first line is the old CN as a DN, and the second line is the new CN as an RDN. If there are many users to change, they can all be included in the same file, separated by empty lines.
With that tool it's quite easy to process all the existing accounts and change their DNs.