
Mark Craig
15.57.2012 568864d6fc5ba81c4c23afb6389853cfa4f72576
Fix for OPENDJ-523: Troubleshooting doc should cover reset of administrative passwords
2 files modified
155 ■■■■ changed files
opendj3/src/main/docbkx/admin-guide/chap-ldap-operations.xml 38 ●●●● patch | view | raw | blame | history
opendj3/src/main/docbkx/admin-guide/chap-troubleshooting.xml 117 ●●●●● patch | view | raw | blame | history
opendj3/src/main/docbkx/admin-guide/chap-ldap-operations.xml
@@ -939,7 +939,10 @@
  
  <example xml:id="password-reset">
   <title>Password Reset</title>
   <indexterm>
    <primary>Resetting passwords</primary>
   </indexterm>
   <para>The following example shows Kirsten Vaughan resetting Sam Carter's
   password. Kirsten has the appropriate privilege to reset Sam's
   password.</para>
@@ -1031,39 +1034,6 @@
cn: Babs Jensen
</screen>
  </example>
  <tip xml:id="fix-forgotten-directory-manager-pwd">
   <para>If you forget the password for <literal>cn=Directory Manager</literal>,
   then one remedy uses the following steps.</para>
    <orderedlist>
     <listitem>
      <para>Generate an encoded password value using the
      <command>encode-password</command> command.</para>
      <para>By default, the password for Directory Manager uses the SSHA512
      password storage scheme. In the following example, the encoded password
      is wrapped to fit on a printed page.</para>
      <screen>$ encode-password --storageScheme SSHA512 --interactivePassword
Please enter the password :
Please renter the password:
Encoded Password:
 "{SSHA512}U7Kx5oYcLxdsqSrpSkBk425LwL0Z61loNfS0dBVCcEKVhMyTT
 oe3oWikDJ/AJjKEkYBg+q3VUQ5hWgrGVf7MjfDrm5mum6yI"</screen>
     </listitem>
     <listitem>
      <para>Stop OpenDJ.</para>
     </listitem>
     <listitem>
      <para>Edit <filename>config/config.ldif</filename>, replacing the
      <literal>userPassword</literal> value on the entry for
      <literal>cn=Directory Manager,cn=Root DNs,cn=config</literal> with
      the encoded password, taking care not to leave any whitespace at the
      end of the line.</para>
     </listitem>
     <listitem>
      <para>Start OpenDJ.</para>
     </listitem>
    </orderedlist>
  </tip>
 </section>
 <section xml:id="tools-properties">
opendj3/src/main/docbkx/admin-guide/chap-troubleshooting.xml
@@ -75,7 +75,7 @@
 
 <section xml:id="troubleshoot-installation">
  <title>Troubleshooting Installation &amp; Upgrade</title>
  <para>Installation and upgrade procedures result in a log file tracing
  the operation. The log location differs by operating system, but look for
  lines in the command output of the following form.</para>
@@ -83,6 +83,121 @@
  <literallayout class="monospaced">See /var/....log for a detailed log of this operation.</literallayout>
 </section>
 <section xml:id="troubleshoot-reset-admin-passwords">
  <title>Resetting Administrator Passwords</title>
  <para>This section describes what to do if you forgot the password for
  Directory Manager or for the global (replication) administrator.</para>
  <procedure xml:id="reset-directory-manager-password">
   <title>Resetting the Directory Manager's Password</title>
   <indexterm>
    <primary>Resetting passwords</primary>
    <secondary>cn=Directory Manager</secondary>
   </indexterm>
   <para>OpenDJ directory server stores the entry for Directory Manager in
   the LDIF representation of its configuration. You must be able to edit
   directory server files in order to reset Directory Manager's password.</para>
   <step>
    <para>Generate the encoded version of the new password using the OpenDJ
    <command>encode-password</command> command.</para>
    <screen>$ cd /path/to/OpenDJ/bin/
$ ./encode-password --storageScheme SSHA512 --clearPassword password
Encoded Password:  "{SSHA512}yWqHnYV4a5llPvE7WHLe5jzK27oZQWLIlVcs9gySu4TyZJMg
 NQNRtnR/Xx2xces1wu1dVLI9jVVtl1W4BVsmOKjyjr0rWrHt"</screen>
   </step>
   <step>
    <para>Stop OpenDJ directory server while you edit the configuration.</para>
    <screen>$ ./stop-ds</screen>
   </step>
   <step>
    <para>Find Directory Manager's entry, which has DN <literal>cn=Directory
    Manager,cn=Root DNs,cn=config</literal>, in
    <filename>/path/to/OpenDJ/config/config.ldif</filename>, and carefully
    replace the <literal>userpassword</literal> attribute value with the
    encoded version of the new password, taking care not to leave any
    whitespace at the end of the line.</para>
    <programlisting language="ldif"
    >dn: cn=Directory Manager,cn=Root DNs,cn=config
objectClass: person
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: ds-cfg-root-dn-user
objectClass: top
userpassword: {SSHA512}yWqHnYV4a5llPvE7WHLe5jzK27oZQWLIlVcs9gySu4TyZJMg
 NQNRtnR/Xx2xces1wu1dVLI9jVVtl1W4BVsmOKjyjr0rWrHt
givenName: Directory
cn: Directory Manager
ds-cfg-alternate-bind-dn: cn=Directory Manager
sn: Manager
ds-pwp-password-policy-dn: cn=Root Password Policy,cn=Password Policies
 ,cn=config
ds-rlim-time-limit: 0
ds-rlim-lookthrough-limit: 0
ds-rlim-idle-time-limit: 0
ds-rlim-size-limit: 0</programlisting>
   </step>
   <step>
    <para>Start OpenDJ directory server again.</para>
    <screen>$ ./start-ds</screen>
   </step>
   <step>
    <para>Verify that you can administer the server as Directory Manager using
    the new password.</para>
    <screen>$ ./dsconfig -p 4444 -h `hostname` -D "cn=Directory Manager" -w password
&gt;&gt;&gt;&gt; OpenDJ configuration console main menu
What do you want to configure?
...
Enter choice: q</screen>
   </step>
  </procedure>
  <procedure xml:id="reset-repl-admin-password">
   <title>To Reset the Global Administrator's Password</title>
   <indexterm>
    <primary>Resetting passwords</primary>
    <secondary>Global (replication) administrator</secondary>
   </indexterm>
   <para>When you enable replication, part of the process involves creating a
   global administrator and setting that user's password. This user is present
   on all replicas. If you chose default values, this user has DN
   <literal>cn=admin,cn=Administrators,cn=admin data</literal>. You reset the
   password as you would for any other user, though you do so as Directory
   Manager.</para>
   <step>
    <para>Use the <command>ldappasswordmodify</command> command to reset the
    global administrator's password</para>
    <screen>$ cd /path/to/OpenDJ/bin/
$ ./ldappasswordmodify
 --useStartTLS
 --port 1389
 --hostname opendj.example.com
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --authzID "cn=admin,cn=Administrators,cn=admin data"
 --newPassword password
The LDAP password modify operation was successful</screen>
   </step>
   <step>
    <para>Let replication copy the password change to other replicas.</para>
   </step>
  </procedure>
 </section>
 <section xml:id="troubleshoot-use-lockdown-mode">
  <title>Preventing Access While You Fix Issues</title>
  <indexterm><primary>Lockdown mode</primary></indexterm>
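Review bot: The first step of the new Directory Manager procedure, `$ ./encode-password --storageScheme SSHA512 --clearPassword password`, puts the clear-text password on the command line, where it ends up in shell history and is readable by other local users through process listings; the tip this commit removes from chap-ldap-operations.xml used `--interactivePassword` instead, so the rewrite regresses on this point. The same applies to `--bindPassword password` and `--newPassword password` in the ldappasswordmodify step and to `-w password` in the dsconfig verification step. I would restore `$ ./encode-password --storageScheme SSHA512 --interactivePassword` (with the prompt lines the old tip showed) and, for the later commands, either prompt for the password or read it from a file, adding one sentence to the section intro saying that passwords should not be typed as command-line arguments on shared hosts. Two minor style points: the two procedure titles are inconsistent (`Resetting the Directory Manager's Password` versus `To Reset the Global Administrator's Password`), and the para in the ldappasswordmodify step, `global administrator's password`, is missing its terminating period.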