Replication admin (adminUID) password reset

This topic has 8 replies, 3 voices, and was last updated 5 years, 2 months ago by Ludo.

  • #13851
     smk169
    Participant

    I set up replication between 2 OpenDJ LDAP masters one year back, using adminUID admin and password as the password. 4 months back I enabled the password policies for all the user accounts.
    Now I have noticed that the replication admin UID admin’s password is not working anymore.
    But this is NOT affecting the current replication setup, and the replication is working as expected.

    My queries
    1) When the password policy is enabled for other accounts, does it affect the replication admin account for dsreplication?
    2) Can we reset the password for the replication admin account? Can you please provide the command to change it?
    3) How can I exclude the replication admin account from expiry in future?
    4) The Administrator [cn=Directory Manager] is not changed, so only the replication admin account has changed.

    # ./dsreplication status -h localhost -p 4444 --adminUID admin --adminPassword password

    Directory server hostname or IP address [<hostname>]:
    Directory server administration port number [4444]:
    Global Administrator User ID [admin]:
    Password for user 'admin':
    The provided credentials are not valid in server
    <hostname>:4444. Details: [LDAP: error code 49 - Invalid Credentials]

    #13856
     JnRouvignac
    Participant

    Which version of OpenDJ are you using?

    #13857
     JnRouvignac
    Participant
    #13863
     smk169
    Participant

    Thanks for your reply. I checked the access log and found a “Rejecting a bind request for user cn=admin,cn=Administrators,cn=admin data because that user’s password is expired” error.
    But this never happened before I enabled the password policy.
    Is there any way to remove the password policy for the user cn=admin,cn=Administrators,cn=admin data?
    Below is the access log extract.

    ldap master 1 access log:

    [25/Oct/2016:08:59:54 +0000] CONNECT conn=58967 from=127.0.0.1:32913 to=127.0.0.1:4444 protocol=LDAPS
    [25/Oct/2016:08:59:54 +0000] BIND REQ conn=58967 op=0 msgID=1 type=SIMPLE dn="cn=admin,cn=Administrators,cn=admin data"
    [25/Oct/2016:08:59:54 +0000] BIND RES conn=58967 op=0 msgID=1 result=49 authFailureID=197129 authFailureReason="Rejecting a bind request for user cn=admin,cn=Administrators,cn=admin data because that user's password is expired" etime=0
    [25/Oct/2016:08:59:54 +0000] DISCONNECT conn=58967 reason="Client Disconnect"

    ldap master 2 access log:

    [25/Oct/2016:08:47:05 +0000] CONNECT conn=68979 from=127.0.0.1:38633 to=127.0.0.1:4444 protocol=LDAPS
    [25/Oct/2016:08:47:05 +0000] SEARCH REQ conn=2 op=1056969 msgID=1056970 base="dc=XXXX,dc=YYYY" scope=wholeSubtree filter="(&(objectClass=posixAccount)(uid=nagios))" attrs="uid"
    [25/Oct/2016:08:47:05 +0000] SEARCH RES conn=2 op=1056969 msgID=1056970 result=0 nentries=0 etime=1
    [25/Oct/2016:08:47:06 +0000] BIND REQ conn=68979 op=0 msgID=1 type=SIMPLE dn="cn=admin,cn=Administrators,cn=admin data"
    [25/Oct/2016:08:47:06 +0000] BIND RES conn=68979 op=0 msgID=1 result=49 authFailureID=197129 authFailureReason="Rejecting a bind request for user cn=admin,cn=Administrators,cn=admin data because that user's password is expired" etime=1
    [25/Oct/2016:08:47:06 +0000] DISCONNECT conn=68979 reason="Client Disconnect"

    access log showing all the binds:

    [25/Oct/2016:08:59:16 +0000] CONNECT conn=58966 from=<IP1>:36500 to=<IP2>:1389 protocol=LDAP
    [25/Oct/2016:08:59:16 +0000] BIND REQ conn=58966 op=0 msgID=1 type=SIMPLE dn="cn=Directory Manager"
    [25/Oct/2016:08:59:16 +0000] BIND RES conn=58966 op=0 msgID=1 result=0 authDN="cn=Directory Manager,cn=Root DNs,cn=config" etime=0
    [25/Oct/2016:08:59:16 +0000] SEARCH REQ conn=58966 op=1 msgID=2 base="dc=XXXX,dc=YYYY" scope=baseObject filter="(objectclass=*)" attrs="ALL"
    [25/Oct/2016:08:59:16 +0000] SEARCH RES conn=58966 op=1 msgID=2 result=0 nentries=1 etime=0
    [25/Oct/2016:08:59:16 +0000] UNBIND REQ conn=58966 op=2 msgID=3
    [25/Oct/2016:08:59:16 +0000] DISCONNECT conn=58966 reason="Client Unbind"

    #13865
     Ludo
    Moderator

    Hi,

    Password Policy changes may impact the Replication Admin user. This depends on what you’ve changed.

    You can check which password policy is tied to the Admin User by reading the entry, and more specifically the pwdPolicySubentry attribute.

    You can also assign a specific or different password policy to that user. If you do so and remove the max age for passwords, then it should allow authentication with the current Admin user and password.

    #13934
     smk169
    Participant

    Thanks Ludo.
    I haven’t set up the password policy using pwdPolicySubentry values.
    I used only one “Default Password Policy” for all accounts.
    But I wasn’t aware that this might hit the “Admin” users as well.
    For now, what is the best approach? Create a new password policy with non-expiration and a Subentry Password Policy and assign it to the cn=admin,cn=Administrators,cn=admin data user?

    # ./ldapsearch -h <hostname> -p 1389 -b "cn=admin data" cn=admin
    dn: cn=admin,cn=Administrators,cn=admin data
    objectClass: person
    objectClass: top
    description: The Administrator that can manage all the server instances.
    cn: admin
    sn: admin
    #

    # ./ldapsearch -h <hostname> -p 1389 -b dc=AAAAA,dc=BBBB uid=YYYY +
    dn: uid=YYYY,dc=AAAAA,dc=BBBB
    subschemaSubentry: cn=schema
    createTimestamp: 20150508061713Z
    entryUUID: 4740ad21-22cc-49c1-af92-4f7b15e39ef7
    entryDN: uid=YYYY,dc=AAAAA,dc=BBBB
    creatorsName: cn=Directory Manager,cn=Root DNs,cn=config
    modifyTimestamp: 20161020131616Z
    modifiersName: uid=YYYY,dc=AAAAA,dc=BBBB
    #

    #13935
     smk169
    Participant

    Even the userPassword details are not shown. I am wondering if we can change the password via the ldappasswordmodify command?
    Thanks for your reply.

    # ./ldapsearch -h <hostname> -p 1389 -b "cn=admin data" cn=admin userpassword
    dn: cn=admin,cn=Administrators,cn=admin data

    #

    #13936
     smk169
    Participant

    I noticed that “skip-validation-for-administrators” is set to “FALSE” in my “Default Password Policy”. Can this be the culprit that forces the password policy to apply expiration to the admin account “cn=admin,cn=Administrators,cn=admin data”?

    ———–
    dsconfig get-password-policy-prop -p 4444 --hostname localhost --bindDN "cn=Directory Manager" --bindPassword password --policy-name "Default Password Policy" --advanced

    skip-validation-for-administrators : false
    ———–

    BTW, I can see the userPassword for the “admin” account:

    # ./ldapsearch \
    > --port 1389 \
    > --bindDN "cn=Directory Manager" \
    > --bindPassword password \
    > -b "cn=admin data" cn=admin
    dn: cn=admin,cn=Administrators,cn=admin data
    userPassword: {SSHA}Z/o+j9G6k0we7vgGQ6OgOa9iosj0U4RnXpLpOg==
    objectClass: person
    objectClass: top
    description: The Administrator that can manage all the server instances.
    cn: admin
    sn: admin
    #

    #13964
     Ludo
    Moderator

    Skip validation for Administrators only influences whether new password constraints such as length, quality or history are checked.

    I would suggest assigning the Root Password Policy to the Admin User.
    This is normally the default setting when the Admin User is created: ds-pwp-password-policy-dn: cn=Root Password Policy,cn=Password Policies,cn=config

    Maybe this attribute was removed somehow.
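The following Python script is an added example for this thread, not OpenDJ or ForgeRock tooling, and covers two steps from the posts above: spotting the expired-password bind rejections for the global administrator in the access log extract from #13863, and checking the admin entry for the pwdPolicySubentry / ds-pwp-password-policy-dn attributes that Ludo's replies refer to, then producing the LDIF that re-assigns the Root Password Policy. It assumes the access-log and ldapsearch output formats shown in the thread; the sample log lines and the sample admin entry are constructed from those posts (the Default Password Policy DN in the sample entry is an assumption about what pwdPolicySubentry would show for the poster's setup).

```python
"""
Triage helper for an OpenDJ global administrator whose binds are rejected
with "password is expired". Added example for this thread, not OpenDJ or
ForgeRock tooling. Assumes the access-log and ldapsearch output formats
shown in the posts above; all sample data below is constructed from them.
"""
import re

ADMIN_DN = "cn=admin,cn=Administrators,cn=admin data"
ROOT_POLICY_DN = "cn=Root Password Policy,cn=Password Policies,cn=config"

# Constructed sample in the access-log format from post #13863.
SAMPLE_ACCESS_LOG = """\
[25/Oct/2016:08:59:16 +0000] BIND REQ conn=58966 op=0 msgID=1 type=SIMPLE dn="cn=Directory Manager"
[25/Oct/2016:08:59:16 +0000] BIND RES conn=58966 op=0 msgID=1 result=0 authDN="cn=Directory Manager,cn=Root DNs,cn=config" etime=0
[25/Oct/2016:08:59:54 +0000] CONNECT conn=58967 from=127.0.0.1:32913 to=127.0.0.1:4444 protocol=LDAPS
[25/Oct/2016:08:59:54 +0000] BIND REQ conn=58967 op=0 msgID=1 type=SIMPLE dn="cn=admin,cn=Administrators,cn=admin data"
[25/Oct/2016:08:59:54 +0000] BIND RES conn=58967 op=0 msgID=1 result=49 authFailureID=197129 authFailureReason="Rejecting a bind request for user cn=admin,cn=Administrators,cn=admin data because that user's password is expired" etime=0
[25/Oct/2016:08:59:54 +0000] DISCONNECT conn=58967 reason="Client Disconnect"
"""

BIND_REQ = re.compile(r'^\[[^\]]+\] BIND REQ conn=(?P<conn>\d+) .*? dn="(?P<dn>[^"]*)"')
BIND_RES = re.compile(
    r'^\[(?P<ts>[^\]]+)\] BIND RES conn=(?P<conn>\d+) .*?result=(?P<result>\d+)'
    r'(?: .*?authFailureReason="(?P<reason>[^"]*)")?'
)


def expired_password_binds(log_text):
    """Return (timestamp, conn, bind DN) for every bind rejected with result 49
    because the password expired. The BIND RES line does not repeat the DN,
    so it is taken from the BIND REQ seen earlier on the same connection."""
    dn_by_conn = {}
    hits = []
    for line in log_text.splitlines():
        req = BIND_REQ.match(line)
        if req:
            dn_by_conn[req.group("conn")] = req.group("dn")
            continue
        res = BIND_RES.match(line)
        if not res:
            continue
        reason = res.group("reason") or ""
        if res.group("result") == "49" and "password is expired" in reason:
            conn = res.group("conn")
            hits.append((res.group("ts"), conn, dn_by_conn.get(conn, "?")))
    return hits


# Constructed sample: the admin entry as ldapsearch shows it in the thread, with
# the operational pwdPolicySubentry attribute added (assumed value) and without
# the ds-pwp-password-policy-dn attribute Ludo's reply says is normally present.
SAMPLE_ADMIN_ENTRY = """\
dn: cn=admin,cn=Administrators,cn=admin data
objectClass: person
objectClass: top
description: The Administrator that can manage all the server instances.
cn: admin
sn: admin
pwdPolicySubentry: cn=Default Password Policy,cn=Password Policies,cn=config
"""


def parse_ldif_entry(text):
    """Minimal LDIF reader for one entry: no continuation lines, no base64 values."""
    attrs = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(": ")
        attrs.setdefault(name.lower(), []).append(value)
    return attrs


def diagnose_policy(entry_ldif):
    """Report which policy is in effect for the entry and whether the explicit
    Root Password Policy assignment is missing or points somewhere else."""
    attrs = parse_ldif_entry(entry_ldif)
    effective = attrs.get("pwdpolicysubentry", ["(not returned)"])[0]
    assigned = attrs.get("ds-pwp-password-policy-dn", [None])[0]
    return {
        "effective_policy": effective,
        "explicitly_assigned": assigned,
        "needs_fix": assigned is None or effective.lower() != ROOT_POLICY_DN.lower(),
    }


def root_policy_fix_ldif(admin_dn=ADMIN_DN):
    """LDIF for ldapmodify that (re)assigns the Root Password Policy to the
    administrator entry; 'replace' works whether or not the attribute exists."""
    return (
        f"dn: {admin_dn}\n"
        "changetype: modify\n"
        "replace: ds-pwp-password-policy-dn\n"
        f"ds-pwp-password-policy-dn: {ROOT_POLICY_DN}\n"
    )


if __name__ == "__main__":
    for ts, conn, dn in expired_password_binds(SAMPLE_ACCESS_LOG):
        print(f"{ts} conn={conn}: expired-password bind rejected for {dn}")
    print(diagnose_policy(SAMPLE_ADMIN_ENTRY))
    print(root_policy_fix_ldif(), end="")
```

To use it against a real server, feed the access log file to expired_password_binds and the output of an ldapsearch bound as Directory Manager (the thread shows that an anonymous search does not return the admin entry's attributes) with the operational attributes requested, e.g. `ldapsearch --port 1389 --bindDN "cn=Directory Manager" --bindPassword ... -b "cn=admin data" "(cn=admin)" + ds-pwp-password-policy-dn` (assumed invocation), to diagnose_policy; then apply the generated LDIF with ldapmodify as Directory Manager. Because cn=admin data is itself a replicated suffix in an OpenDJ topology, the change should propagate to the other master, after which the dsreplication bind shown in the first post can be retried.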
