How to Recover/Reset OpenLDAP cn=config Admin Password for sudo-ldap Configuration on Ubuntu


During OpenLDAP installation on Ubuntu, administrators typically set the regular admin password (usually for cn=admin,dc=example,dc=com), but often overlook the separate cn=config credentials. This becomes critical when implementing sudo-ldap integration or making server configuration changes.

First, check your slapd configuration to confirm the authentication mechanism:

sudo ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config olcRootDN olcRootPW

If the server allows SASL EXTERNAL authentication over the local ldapi:/// socket (in default Ubuntu installations the local root user is mapped to the cn=config root identity this way), you can reset the password without knowing the original:

# Generate new hashed password
# (omit -s to be prompted interactively and keep the password out of shell history)
slappasswd -h {SSHA} -s "new_password"

# Create LDIF file (reset.ldif)
# {0}config holds the cn=config root password; {1}hdb (or {1}mdb on newer
# releases) holds the password for the regular admin cn=admin,dc=example,dc=com
dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: {SSHA}hashed_password_string

Apply the changes:

sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f reset.ldif

For cases where EXTERNAL auth isn't available, you can recreate the config database (this discards any custom schema, ACL and overlay settings, so keep the backup):

# Backup current config
sudo slapcat -n0 > config_backup.ldif

# Stop slapd
sudo systemctl stop slapd

# Remove old config
sudo rm -rf /etc/ldap/slapd.d/*

# Reinitialize with new password (dpkg-reconfigure prompts for the new admin password)
sudo dpkg-reconfigure slapd

Once you regain access, configure the sudo schema import:

# Add sudo schema (the LDIF path depends on where the sudo-ldap package installed it)
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/sudo.ldif

# Configure sudo database (sudoers.ldif): the container that sudoRole entries live under
dn: ou=sudoers,dc=example,dc=com
objectClass: organizationalUnit
ou: sudoers

General recommendations:

  • Always use TLS for password resets in production
  • Consider using SSHA-512 instead of SSHA
  • Store passwords in a secure password manager
  • Set up monitoring for configuration changes

During OpenLDAP installation on Ubuntu systems, two separate admin accounts are created:

  • The traditional cn=admin,dc=example,dc=com account (whose password you set during installation)
  • The configuration admin cn=admin,cn=config account (with auto-generated credentials)

First, verify whether your slapd configuration allows external access and which root DN cn=config uses:

sudo ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config olcRootDN=cn=admin,cn=config

If your server has SASL external authentication enabled (default on Ubuntu), you can reset without knowing the current password:

# Generate new password hash
# (omit -s to be prompted interactively and keep the password out of shell history)
slappasswd -h {SSHA} -s "your_new_password"

# Create LDIF file (reset.ldif)
dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: {SSHA}hashed_password_here

# Apply changes
sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f reset.ldif
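The reset above hinges on getting a correct {SSHA} value into olcRootPW. As an added example (not part of the original page), the following Python reproduces the RFC 2307 {SSHA} format that slappasswd -h {SSHA} emits, so you can check that a hash read back from cn=config matches the password you intended and generate reset.ldif without hand-copying the hash; the function names are my own.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

SSHA_PREFIX = "{SSHA}"
SHA1_LEN = 20  # bytes in a SHA-1 digest


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """{SSHA} value as slappasswd -h {SSHA} produces it:
    base64(sha1(password || salt) || salt), with a 4-byte random salt."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SSHA_PREFIX + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Check a candidate password against an {SSHA} value read from
    olcRootPW; the salt is recovered from the stored value itself."""
    if not stored.startswith(SSHA_PREFIX):
        raise ValueError("expected an {SSHA} value")
    raw = base64.b64decode(stored[len(SSHA_PREFIX):])
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def reset_ldif(hashed: str, dn: str = "olcDatabase={0}config,cn=config") -> str:
    """Body of reset.ldif for ldapmodify -Y EXTERNAL -H ldapi:///.
    {0}config is the cn=config database; pass the {1}hdb/{1}mdb DN
    to reset the regular directory admin instead."""
    lines = [f"dn: {dn}", "changetype: modify",
             "replace: olcRootPW", f"olcRootPW: {hashed}"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed demo password; a real one should never appear in code.
    new_hash = ssha_hash("new_password")
    print(reset_ldif(new_hash))
    print("verifies:", ssha_verify("new_password", new_hash))
```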

For fresh installs where you can afford to rebuild the configuration:

# Stop slapd
sudo service slapd stop

# Delete existing config
sudo rm -rf /etc/ldap/slapd.d/*

# Create new config with known password
sudo slaptest -f /path/to/your/slapd.conf -F /etc/ldap/slapd.d

# Set proper permissions
sudo chown -R openldap:openldap /etc/ldap/slapd.d

# Restart slapd
sudo service slapd start

After resetting the password, test sudo-ldap integration:

# Test sudoers lookup (the cn=config rootdn has root privileges only inside
# cn=config, so this read depends on the data database's ACLs; bind as
# cn=admin,dc=example,dc=com if the search returns nothing)
sudo ldapsearch -x -D "cn=admin,cn=config" -W -b "ou=sudoers,dc=example,dc=com"

# Sample sudoers LDIF entry
dn: cn=defaults,ou=sudoers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: defaults
description: Default sudo options
# !authenticate disables the sudo password prompt for every role that uses
# these defaults; omit it unless that is intended
sudoOption: !authenticate