Last week I have decided to take some OpenDS practise. The practical solving of a problem is better
then hundreds lines of reading about the others activity. At least that's the way I feel.
Task: Multiple the Directory Manager account to delegate administration without providing your secret password.
In theory it is possible without any problems.
The only requirement is the object class of
ds-cfg-root-dn-user.
I have copied almost the all attributes from the current "root" account into a new one.
$ ldapsearch -p 1389 -D cn=dirmgr -j ~/.odspwd -b cn=config "cn=Directory Manager"
dn: cn=Directory Manager,cn=Root DNs,cn=config
sn: Manager
ds-cfg-alternate-bind-dn: cn=dirmgr
cn: Directory Manager
givenName: Directory
objectClass: ds-cfg-root-dn-user
objectClass: top
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
userpassword: {SSHA512}1g9Byn7MOZ1TgZCNY8gw4NA6o8UguyYg0b48d89zJS+AyIs9OP2rHfbZ6
aaqTluryTh3Ux1ZW5RSWuTjH9wvtBxFXCxJzyt0
$ ldapmodify -p 1389 -D cn=dirmgr -j ~/.odspwd
dn: cn=odsmgr,cn=Root DNs,cn=config
changetype: add
objectClass: ds-cfg-root-dn-user
objectClass: top
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
cn: odsmgr
givenName: ODS
sn: Manager
userPAssword: secret
Processing ADD request for cn=odsmgr,cn=Root DNs,cn=config
ADD operation successful for DN cn=odsmgr,cn=Root DNs,cn=config
For the initial testing I have duplicated also the password.
$ ldappasswordmodify -p 1389 -D "cn=dirmgr" -j ~/.odspwd \
> -a "dn:cn=odsmgr,cn=Root DNs,cn=config" -c secret -N ~/.odspwd
The LDAP password modify operation was successful
During the cut'n'copy session of ldapmodify I have omitted
ds-cfg-alternate-bind-dn intentionally.
I thought the adjective "alternate" is self-explanatory.
Wrong!
$ ldapsearch -p 1389 -D cn=odsmgr -j ~/.odspwd -b cn=config cn=odsmgr
The simple bind attempt failed
Result Code: 49 (Invalid Credentials)
$ ldapmodify -p 1389 -D "cn=dirmgr" -j ~/.odspwd
dn: cn=odsmgr,cn=Root DNs,cn=config
changetype: modify
add: ds-cfg-alternate-bind-dn
ds-cfg-alternate-bind-dn: cn=odsmgr
Processing MODIFY request for cn=odsmgr,cn=Root DNs,cn=config
MODIFY operation successful for DN cn=odsmgr,cn=Root DNs,cn=config
$ ldapsearch -p 1389 -D cn=odsmgr -j ~/.odspwd -b cn=config cn=odsmgr
dn: cn=odsmgr,cn=Root DNs,cn=config
sn: Manager
ds-cfg-alternate-bind-dn: cn=odsmgr
cn: odsmgr
givenName: ODS
objectClass: top
objectClass: ds-cfg-root-dn-user
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: person
userPassword: {SSHA}gF7nQ6N6gmpuufM1/8FemlwH1/HikScaVOlP3Q==
Why not to test a case with multiple
ds-cfg-alternate-bind-dn attibute values.
$ ldapmodify -p 1389 -D "cn=dirmgr" -j ~/.odspwd
dn: cn=odsmgr,cn=Root DNs,cn=config
changetype: modify
add: ds-cfg-alternate-bind-dn
ds-cfg-alternate-bind-dn: cn=dsmgr
Processing MODIFY request for cn=odsmgr,cn=Root DNs,cn=config
MODIFY operation successful for DN cn=odsmgr,cn=Root DNs,cn=config
$ ldapsearch -p 1389 -D cn=dsmgr -j ~/.odspwd -b cn=config cn=odsmgr
dn: cn=odsmgr,cn=Root DNs,cn=config
ds-cfg-alternate-bind-dn: cn=odsmgr
ds-cfg-alternate-bind-dn: cn=dsmgr
sn: Manager
cn: odsmgr
givenName: ODS
objectClass: ds-cfg-root-dn-user
objectClass: top
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
userPassword: {SSHA}gF7nQ6N6gmpuufM1/8FemlwH1/HikScaVOlP3Q==
But wait a minute. Why the userPassword value is encoded with a
SSHA password scheme, while
the Directory Manager and the default root scheme is pointing to
SSHA512.
$ ldapsearch -p 1389 -D cn=dsmgr -j ~/.odspwd -b cn=config cn="Directory Manager" userpassword
dn: cn=Directory Manager,cn=Root DNs,cn=config
userpassword: {SSHA512}1g9Byn7MOZ1TgZCNY8gw4NA6o8UguyYg0b48d89zJS+AyIs9OP2rHfbZ6
aaqTluryTh3Ux1ZW5RSWuTjH9wvtBxFXCxJzyt0
$ ldapsearch -p 1389 -D cn=dsmgr -j ~/.dspwd -b cn=config "cn=Root Password Policy" \
> ds-cfg-default-password-storage-scheme
dn: cn=Root Password Policy,cn=Password Policies,cn=config
ds-cfg-default-password-storage-scheme: cn=Salted SHA-512,cn=Password Storage Sc
hemes,cn=config
The answer has come with the hint from
Ludovic Poitou.
The virtual attribute of
ds-pwp-password-policy-dn should be set explicitly.
$ ldapmodify -p 1389 -D cn=dsmgr -j ~/.odspwd
dn: cn=odsmgr,cn=Root DNs,cn=config
changetype: modify
add: ds-pwp-password-policy-dn
ds-pwp-password-policy-dn: cn=Root Password Policy,cn=Password Policies,cn=config
Processing MODIFY request for cn=odsmgr,cn=Root DNs,cn=config
MODIFY operation successful for DN cn=odsmgr,cn=Root DNs,cn=config
$ openssl rand -base64 12 > ~/.dspwd
$ ldappasswordmodify -p 1389 -D cn=dsmgr -j ~/.odspwd -a "cn=odsmgr,cn=Root DNs,cn=config" \
> -C ~/.odspwd -N ~/.dspwd
The LDAP password modify operation was successful
$ ldapsearch -p 1389 -D cn=dsmgr -j ~/.dspwd -b cn=config cn=odsmgr userpassword
dn: cn=odsmgr,cn=Root DNs,cn=config
userpassword: {SSHA512}BxvZzrhuVpwOv6FMc9sI1infjPC7PQ0dXXdry4ZLNgq6FJbjCVfSiLwBO
A1uzaXAscS7pkNbfkP4hG11L9DTPsRfpusta+4x
Nice.