Q: How to reset the root/master LDAP password ( Answered 5 out of 5 stars,   0 Comments )
Question  
Subject: How to reset the root/master LDAP password
Category: Computers > Programming
Asked by: flight553-ga
List Price: $30.00
Posted: 04 Feb 2003 17:09 PST
Expires: 06 Mar 2003 17:09 PST
Question ID: 157402
I am running Linux Redhat 7.3, with the following LDAP RPMs:

openldap-clients-2.0.23-4
nss_ldap-189-4
openldap-servers-2.0.23-4
openldap-devel-2.0.23-4
openldap-2.0.23-4

PAM uses LDAP for authentication and holding information about users
on the system (UID, GID, homedir, shell) instead of /etc/passwd and
/etc/shadow.

I need to change the master LDAP user's password where cn=root
I believe that the name being "root" is a coincidence and is not the
same as the unix user "root", since the unix root user has a different
password than the one that is currently allowed to connect to the LDAP
server.

Some background information: I have a perl script that is part of a
program that is used when changing information in the LDAP directory
by first connecting to LDAP with privileges to modify anything.
Relevant perl code showing the connection using the password that I
need to have changed is here:

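use strict;
use warnings;
use Net::LDAPS;

my $ldap;
my $changeme = "CHANGEME";  # placeholder for the current cn=root password

# Anonymous bind over LDAPS; returns the connection, or 0 on failure.
sub anon_bind
{
  # verify => "none" skips checking the server's TLS certificate
  my $conn = Net::LDAPS->new("myhost.com", port => 636, verify => "none")
    or return 0;
  my $result = $conn->bind();
  if($result->code) { return 0; }
  $ldap = $conn;
  return $ldap;
}

# Bind as the directory's root DN; returns the connection, or 0 on failure.
sub root_bind
{
  if(!$ldap) { anon_bind() or return 0; }
  my $result = $ldap->bind("cn=root,dc=myhost,dc=com", password => $changeme);
  if($result->code) { return 0; }
  return $ldap;
}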

It is that $changeme password that I need to change in LDAP. I think
changing it is done with the ldapmodify command, but I am not sure.

My question is: Please show me how to change the cn=root password on
my LDAP directory.

Request for Question Clarification by maniac-ga on 04 Feb 2003 18:00 PST
Hello Flight553,

Hmm. If I understand the set up properly, the "rootpw" is stored in
the file
  /etc/openldap/slapd.conf
and cannot be changed through the normal LDAP interfaces. Once this
file is updated, use
  /etc/init.d/ldap restart   [or stop followed by start]
to reload the updated configuration file to make the rootpw change.

For references, see
  http://yolinux.com/TUTORIALS/LinuxTutorialLDAP-SLAPD-LDIF-V2-config.html
  http://yolinux.com/TUTORIALS/LinuxTutorialLDAP.html

To confirm this interpretation, you may want to try the gq LDAP client
at
  http://biot.com/gq/
and see if you can browse / change the rootpw value.

Would you be interested in some suggestions on how to do this remotely
or do you want a more detailed search on how to do this through the
LDAP interfaces?

  --Maniac

Clarification of Question by flight553-ga on 04 Feb 2003 23:38 PST
Your Request for Clarification was enough to help me change the rootpw
on my LDAP directory. This is my first time using Google Answers, so I
did not hit Close Question because I want to make sure you get paid
for your answer.

One thing while changing the password, I tried using an {SSHA} style
passwd as recommended in the docs you showed me (generated by a perl
script on same site), but it did not work, and I got "no write access
to parent". I re-tried using an md5_crypt {crypt} passwd generated by
another perl script on the same site and that one worked, so I can
bind to LDAP with the new changed passwd, which is what I wanted to
accomplish.

But do you know why the recommended SSHA passwd was not usable? (this
extra question is not necessary for you to answer in order to be paid)

As soon as I see something to click on here that says you have
answered, I will do so. Thanks.
Answer  
Subject: Re: How to reset the root/master LDAP password
Answered By: maniac-ga on 05 Feb 2003 15:38 PST
Rated:5 out of 5 stars
 
Hello Flight553,

Thank you for the nice comments and let me take a shot at the
additional question as well.

The root password needs to be in a format that is supported by the
various utilities. I did a quick check of Red Hat's site, comparing
the following two documents:
  http://www.redhat.com/docs/manuals/linux/RHL-7.3-Manual/ref-guide/s1-ldap-files.html
for RH 7.3 (your version) and
  http://www.redhat.com/docs/manuals/linux/RHL-8.0-Manual/ref-guide/s1-ldap-files.html
for RH 8.0.

The latter has an example of the root password using SSHA, the former
has an older style crypt password. It may be that you need a more
recent version to use SSHA on your LDAP server. In both cases, it
recommends the use of slappasswd to generate the password to use here.
You may try that instead of the perl script.

For further information, I used the following types of searches to
produce the question clarification request and this answer:
  change root ldap password linux
  ldap password linux
  rootpw slapd ssha
There are a number of good resources on line and I only touched on a
few of them.

Don't hesitate to ask for a clarification on this and good luck with
your work.


  --Maniac
flight553-ga rated this answer:5 out of 5 stars
This researcher's Request for Clarification contained enough
information to fully solve my problem. I think that LDAP is a cryptic
and powerful software and I thought my question was fairly complicated
and obscure, but this researcher answered it fully within hours of my
asking it. This was a great first experience using Google Answers.
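
The thread above turns on which hash scheme the rootpw line in slapd.conf carries. As an added example (not part of the original question or answer, and not OpenLDAP or Red Hat code), the Python below builds and verifies an {SSHA} value, which is base64 of the 20-byte SHA-1 digest of password plus salt followed by the salt, and reports the scheme of a rootpw directive. The function names, the sample password and the sample configuration text are constructed for illustration; the rootdn is the one from the question.

```python
import base64
import hashlib
import hmac
import os
import re

def make_ssha(password, salt=None):
    """Build an {SSHA} value: base64(SHA1(password + salt) + salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def check_ssha(password, stored):
    """Verify a candidate password against a stored {SSHA} value."""
    if not stored.upper().startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[6:], validate=True)
    if len(raw) <= 20:
        raise ValueError("no salt after the 20-byte SHA-1 digest")
    digest, salt = raw[:20], raw[20:]
    candidate = hashlib.sha1(password.encode() + salt).digest()
    return hmac.compare_digest(candidate, digest)

def rootpw_scheme(conf_text):
    """Return the scheme tag of the rootpw directive, or None if absent."""
    for line in conf_text.splitlines():
        m = re.match(r"rootpw\s+(\S.*)$", line, re.I)
        if not m:
            continue  # comments and other directives
        value = m.group(1).strip().strip('"')
        tag = re.match(r"\{([A-Za-z0-9-]+)\}", value)
        # A value without a {SCHEME} prefix is a cleartext password.
        return tag.group(1).upper() if tag else "CLEARTEXT"
    return None

# Constructed sample of the relevant slapd.conf lines; "example-pw" is made up.
SAMPLE_CONF = (
    'rootdn  "cn=root,dc=myhost,dc=com"\n'
    "# rootpw secret\n"
    "rootpw  " + make_ssha("example-pw") + "\n"
)

if __name__ == "__main__":
    print(rootpw_scheme(SAMPLE_CONF))
    stored = SAMPLE_CONF.splitlines()[-1].split()[1]
    print(check_ssha("example-pw", stored), check_ssha("wrong", stored))
```
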
