How To Change an OpenLDAP Password

2019-05-28

How you change an OpenLDAP password depends on whether it belongs to a regular user or an administrative user. The configuration directory and each database (with a few exceptions) have their own administrative account. I will cover all three cases: the configuration directory's administrative user, a database's administrative user, and a regular user.

Run all of the commands in this guide on your directory server as the root user.

Command Options

There are a few options that the commands in this guide have in common. The table below explains them.

Option  Description
-Y      The next argument is the SASL mechanism to use. In most cases this is EXTERNAL, which authenticates you as your OS user and group.
-Q      Suppress SASL messages in the command output.
-W      Prompt for the password of the DN you are binding with.
-H      The URI of the directory server. If you are logged into the host the server runs on, you can probably use ldapi:/// to connect over a UNIX-domain socket.
-D      The DN you are binding to the directory server as.
-x      Use simple authentication (a DN and a password) instead of SASL.

Administrative Users

The administrative passwords can be changed in two ways. If you have SASL access or know the configuration directory password, you can change them with ldapmodify and slappasswd. Otherwise, back up the configuration directory to an LDIF file, generate a new password hash with slappasswd, edit the hash into the backup, and restore the modified backup.

Sometimes, especially when SASL is available, the administrative users don’t have passwords. In this case, you can set one if you wish.

Getting Administrative Users’ DNs and Password Hashes

The DN for the configuration database is always going to be olcDatabase={0}config,cn=config. The rest will vary with type and the number of databases configured.

This is how you can view the databases you have configured along with their respective administrative user DN:

[root@ldap ~]# slapcat -n 0 -a '(objectClass=olcDatabaseConfig)' | grep -E '^dn:|RootDN|RootPW|olcSuffix'
dn: olcDatabase={-1}frontend,cn=config
dn: olcDatabase={0}config,cn=config
olcRootDN: cn=config
dn: olcDatabase={1}mdb,cn=config
olcSuffix: dc=tylersguides,dc=com
olcRootDN: cn=admin,dc=tylersguides,dc=com
olcRootPW:: e1NTSEE1MTJ9c2dqaThPVkE3YkI4Tytub2VBTUp0d1oraGcxTW5JYkJpN0gySlFl

The first line of the output is the DN of the frontend database. It is a special database that holds server-wide settings and has no administrative user of its own; the administrative user of the configuration database applies to it instead.

The second line is the DN of the configuration database, which as stated earlier, is always olcDatabase={0}config,cn=config.

The third line displays the administrative user for the configuration directory. It defaults to cn=config. You can change this if you want, but I recommend leaving it as it is. In this case, it has no password set. If it did, the next line would start with olcRootPW.

The next four lines describe the database that stores my actual data. As you can see, it has a password set. That isn't the actual password but a salted SHA-512 ({SSHA512}) hash of it. The double colon after olcRootPW means the value is base64 encoded in the LDIF output (OpenLDAP's tools always encode password attributes this way); decoding it gives the {SSHA512}... string that slappasswd produced.

Generate a Password Hash

OpenLDAP stores passwords as cryptographic hashes. You don't need to know what a hash is to follow this guide, but if you are curious, I explain it in my introduction to cryptography.

Generate a password hash with slappasswd:

[root@ldap ~]# slappasswd -h '{SSHA512}' -o module-load=pw-sha2.la -o module-path=/opt/openldap-current/libexec/openldap
New password: 
Re-enter new password: 
{SSHA512}ZmCZs1SC7s4oKFqIDMY65Y6FOZHlVhc12TApeInlTd165H+FyA6Q9t4m+74UTYWBx5djAleE/g093FA41y3lfHVF/qgwkSnH

Replace the path in the example with your module path. If you aren’t sure what it is, the table below should help.

OS                        Path
CentOS 7                  /usr/lib64/openldap
openSUSE                  /usr/lib64/openldap
Debian (Stretch)          /usr/lib/ldap
FreeBSD                   /usr/local/libexec/openldap
Source (Tyler's Guides)   /opt/openldap-current/libexec/openldap
Source (default)          /usr/local/libexec/openldap

SASL Access

Most installations use SASL to treat OS users as LDAP users. Usually, root is allowed to make changes to the configuration directory. If this is true of your installation, then you will be able to use the OpenLDAP command line tools to reset your administrative passwords.

Using the password hash generated earlier, set the password for cn=config with ldapmodify. Because cn=config had no password set, the LDIF uses add; if a password were already set, you would use replace instead (as in the next example). After ldapmodify prints "modifying entry", press Ctrl+D to exit.

[root@ldap ~]# ldapmodify -Q -Y EXTERNAL -H ldapi:///
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA512}ZmCZs1SC7s4oKFqIDMY65Y6FOZHlVhc12TApeInlTd165H+FyA6Q9t4m+74UTYWBx5djAleE/g093FA41y3lfHVF/qgwkSnH

modifying entry "olcDatabase={0}config,cn=config"

Here I use the information collected earlier to change the password of the administrative user for the database serving the suffix dc=tylersguides,dc=com. Its DN is cn=admin,dc=tylersguides,dc=com, but the password is stored in the olcRootPW attribute of the database's configuration entry, olcDatabase={1}mdb,cn=config. Because a password is already set there, the operation is replace rather than add:

[root@ldap ~]# ldapmodify -Q -Y EXTERNAL -H ldapi:///
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: {SSHA512}ZmCZs1SC7s4oKFqIDMY65Y6FOZHlVhc12TApeInlTd165H+FyA6Q9t4m+74UTYWBx5djAleE/g093FA41y3lfHVF/qgwkSnH

modifying entry "olcDatabase={1}mdb,cn=config"

No SASL Access

If you know the password for cn=config, you can use ldapmodify in a manner similar to the previous example. Assuming you have it, here is an example of changing the password for cn=config:

[root@ldap ~]# ldapmodify -x -D "cn=config" -W -H ldapi:///
Enter LDAP Password: 
dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: {SSHA512}OfqphU46KFQnYAlfD+u2OPpOr+P3qmoo3/+yoElJUhy38WavwIY95UdVlPnlEyivTVDSSkgq6izlv7nfB+JjkiQjnfoQfJU7

modifying entry "olcDatabase={0}config,cn=config"

If you don’t have it, you will have to dump the configuration database into an LDIF file, modify the LDIF file with a known hash generated by slappasswd, and restore the modified LDIF. See my guide on backing up and restoring OpenLDAP if you don’t know how to do this.

The LDIF file created during a backup is just a text file. Add or modify the olcRootPW attribute under the appropriate database configuration entry, using a hash from slappasswd. Database configuration entries have DNs of this form:

olcDatabase={0}config,cn=config

The number in braces is the database number and the word after it is the database type, so the configuration database is olcDatabase={0}config,cn=config and the first data database shown earlier is olcDatabase={1}mdb,cn=config. If the entry already has an olcRootPW line (including a base64 olcRootPW:: line and any continuation lines that start with a space), replace it; otherwise add the attribute to the entry.
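The two administrative paths above amount to the same edit: set olcRootPW on a database's configuration entry, using add or replace depending on whether one exists. The following helpers are an added example, not part of the original guide, and do that edit on a config dump read from standard input, for both the ldapmodify case and the edit-the-backup case; the sample dump and its hash value are constructed placeholders.

```shell
# Added example, not from the original guide: helpers for the olcRootPW edits
# above. Each reads a config dump (slapcat -n 0) on stdin; none contacts slapd.
#   rootpw_changetype DN       -> "add" if DN has no olcRootPW yet, else "replace"
#   rootpw_modify_ldif DN HASH -> ldapmodify input with the right changetype
#   set_rootpw_in_ldif DN HASH -> the dump with olcRootPW set on DN (no-SASL path)
# Base64 values (olcRootPW::) may wrap onto lines starting with a space; those
# continuation lines are dropped together with the value they belong to.

rootpw_changetype() {
    awk -v target="dn: $1" '
        /^dn: / { in_target = ($0 == target) }
        in_target && /^olcRootPW::? / { found = 1 }
        END { print (found ? "replace" : "add") }'
}

rootpw_modify_ldif() {
    printf 'dn: %s\nchangetype: modify\n%s: olcRootPW\nolcRootPW: %s\n' \
        "$1" "$(rootpw_changetype "$1")" "$2"
}

set_rootpw_in_ldif() {
    awk -v target="dn: $1" -v pw="olcRootPW: $2" '
        skip && /^ / { next }                  # continuation of the old value
        { skip = 0 }
        /^dn: / { in_target = ($0 == target); done = 0 }
        in_target && /^olcRootPW::? / {        # replace the existing value
            if (!done) { print pw; done = 1 }
            skip = 1; next
        }
        in_target && /^$/ && !done { print pw; done = 1 }   # add before entry end
        { print }
        END { if (in_target && !done) print pw }            # entry ends the file
    '
}

# Constructed sample modelled on the slapcat output in the guide; the base64
# olcRootPW value is a wrapped placeholder, not a real {SSHA512} digest.
SAMPLE_CONFIG='dn: olcDatabase={0}config,cn=config
olcRootDN: cn=config

dn: olcDatabase={1}mdb,cn=config
olcSuffix: dc=tylersguides,dc=com
olcRootDN: cn=admin,dc=tylersguides,dc=com
olcRootPW:: e1NTSEE1MTJ9UExBQ0VIT0xERVIt
 T0xELUhBU0g=
'
# Usage with a live server (HASH from slappasswd):
#   slapcat -n 0 | rootpw_modify_ldif 'olcDatabase={1}mdb,cn=config' "$HASH" \
#     | ldapmodify -Q -Y EXTERNAL -H ldapi:///
```

For the no-SASL path, run set_rootpw_in_ldif over the backup LDIF and restore the result as described in the backup and restore guide.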

Normal Users

Use ldappasswd to change the password of a regular user. Depending on the database ACLs, you will need the user’s current password, a trusted OS user, or an administrative user’s password.

To set the password of the user with the DN uid=testuser,ou=users,dc=tylersguides,dc=com using the administrative user for the corresponding database, follow this example:

[root@ldap ~]# ldappasswd -H ldapi:/// -x -D "cn=admin,dc=tylersguides,dc=com" -W -S uid=testuser,ou=users,dc=tylersguides,dc=com
New password: 
Re-enter new password: 
Enter LDAP Password: 

The -S option instructs ldappasswd to prompt you for the new password.

Here is how a user can change their own password:

[root@ldap ~]# ldappasswd -H ldapi:/// -x -D "uid=testuser,ou=users,dc=tylersguides,dc=com" -W -S uid=testuser,ou=users,dc=tylersguides,dc=com
New password: 
Re-enter new password: 
Enter LDAP Password: 

Notice that the user's own DN is used both as the bind DN (-D) and as the entry whose password is changed.

Finally, if the database is configured to use SASL for an OS user:

[root@ldap ~]# ldappasswd -Q -H ldapi:/// -Y EXTERNAL -S uid=testuser,ou=users,dc=tylersguides,dc=com
New password: 
Re-enter new password: 
