From 568864d6fc5ba81c4c23afb6389853cfa4f72576 Mon Sep 17 00:00:00 2001
From: Mark Craig <mark.craig@forgerock.com>
Date: Fri, 15 Jun 2012 06:57:30 +0000
Subject: [PATCH] Fix for OPENDJ-523: Troubleshooting doc should cover reset of administrative passwords
---
opendj3/src/main/docbkx/admin-guide/chap-troubleshooting.xml | 117 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
1 files changed, 116 insertions(+), 1 deletions(-)
diff --git a/opendj3/src/main/docbkx/admin-guide/chap-troubleshooting.xml b/opendj3/src/main/docbkx/admin-guide/chap-troubleshooting.xml
index 61dca52..547e390 100644
--- a/opendj3/src/main/docbkx/admin-guide/chap-troubleshooting.xml
+++ b/opendj3/src/main/docbkx/admin-guide/chap-troubleshooting.xml
@@ -75,7 +75,7 @@
<section xml:id="troubleshoot-installation">
<title>Troubleshooting Installation & Upgrade</title>
-
+
<para>Installation and upgrade procedures result in a log file tracing
the operation. The log location differs by operating system, but look for
lines in the command output of the following form.</para>
@@ -83,6 +83,121 @@
<literallayout class="monospaced">See /var/....log for a detailed log of this operation.</literallayout>
</section>
+ <section xml:id="troubleshoot-reset-admin-passwords">
+ <title>Resetting Administrator Passwords</title>
+
+ <para>This section describes what to do if you forgot the password for
+ Directory Manager or for the global (replication) administrator.</para>
+
+ <procedure xml:id="reset-directory-manager-password">
+ <title>Resetting the Directory Manager's Password</title>
+ <indexterm>
+ <primary>Resetting passwords</primary>
+ <secondary>cn=Directory Manager</secondary>
+ </indexterm>
+
+ <para>OpenDJ directory server stores the entry for Directory Manager in
+ the LDIF representation of its configuration. You must be able to edit
+ directory server files in order to reset Directory Manager's password.</para>
+
+ <step>
+ <para>Generate the encoded version of the new password using the OpenDJ
+ <command>encode-password</command> command.</para>
+ <screen>$ cd /path/to/OpenDJ/bin/
+$ ./encode-password --storageScheme SSHA512 --clearPassword password
+Encoded Password: "{SSHA512}yWqHnYV4a5llPvE7WHLe5jzK27oZQWLIlVcs9gySu4TyZJMg
+ NQNRtnR/Xx2xces1wu1dVLI9jVVtl1W4BVsmOKjyjr0rWrHt"</screen>
+ </step>
+
+ <step>
+ <para>Stop OpenDJ directory server while you edit the configuration.</para>
+ <screen>$ ./stop-ds</screen>
+ </step>
+
+ <step>
+ <para>Find Directory Manager's entry, which has DN <literal>cn=Directory
+ Manager,cn=Root DNs,cn=config</literal>, in
+ <filename>/path/to/OpenDJ/config/config.ldif</filename>, and carefully
+ replace the <literal>userpassword</literal> attribute value with the
+ encoded version of the new password, taking care not to leave any
+ whitespace at the end of the line.</para>
+ <programlisting language="ldif"
+ >dn: cn=Directory Manager,cn=Root DNs,cn=config
+objectClass: person
+objectClass: inetOrgPerson
+objectClass: organizationalPerson
+objectClass: ds-cfg-root-dn-user
+objectClass: top
+userpassword: {SSHA512}yWqHnYV4a5llPvE7WHLe5jzK27oZQWLIlVcs9gySu4TyZJMg
+ NQNRtnR/Xx2xces1wu1dVLI9jVVtl1W4BVsmOKjyjr0rWrHt
+givenName: Directory
+cn: Directory Manager
+ds-cfg-alternate-bind-dn: cn=Directory Manager
+sn: Manager
+ds-pwp-password-policy-dn: cn=Root Password Policy,cn=Password Policies
+ ,cn=config
+ds-rlim-time-limit: 0
+ds-rlim-lookthrough-limit: 0
+ds-rlim-idle-time-limit: 0
+ds-rlim-size-limit: 0</programlisting>
+ </step>
+
+ <step>
+ <para>Start OpenDJ directory server again.</para>
+ <screen>$ ./start-ds</screen>
+ </step>
+
+ <step>
+ <para>Verify that you can administer the server as Directory Manager using
+ the new password.</para>
+ <screen>$ ./dsconfig -p 4444 -h `hostname` -D "cn=Directory Manager" -w password
+
+
+>>>> OpenDJ configuration console main menu
+
+What do you want to configure?
+
+...
+
+Enter choice: q</screen>
+ </step>
+ </procedure>
+
+ <procedure xml:id="reset-repl-admin-password">
+ <title>To Reset the Global Administrator's Password</title>
+ <indexterm>
+ <primary>Resetting passwords</primary>
+ <secondary>Global (replication) administrator</secondary>
+ </indexterm>
+
+ <para>When you enable replication, part of the process involves creating a
+ global administrator and setting that user's password. This user is present
+ on all replicas. If you chose default values, this user has DN
+ <literal>cn=admin,cn=Administrators,cn=admin data</literal>. You reset the
+ password as you would for any other user, though you do so as Directory
+ Manager.</para>
+
+ <step>
+ <para>Use the <command>ldappasswordmodify</command> command to reset the
+ global administrator's password</para>
+ <screen>$ cd /path/to/OpenDJ/bin/
+$ ./ldappasswordmodify
+ --useStartTLS
+ --port 1389
+ --hostname opendj.example.com
+ --bindDN "cn=Directory Manager"
+ --bindPassword password
+ --authzID "cn=admin,cn=Administrators,cn=admin data"
+ --newPassword password
+The LDAP password modify operation was successful</screen>
+ </step>
+
+ <step>
+ <para>Let replication copy the password change to other replicas.</para>
+ </step>
+ </procedure>
+ </section>
+
<section xml:id="troubleshoot-use-lockdown-mode">
<title>Preventing Access While You Fix Issues</title>
<indexterm><primary>Lockdown mode</primary></indexterm>
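Review bot: Every example in the new section passes a secret as a command-line argument — `--clearPassword password` in the encode-password step, `-w password` in the dsconfig step, and `--bindPassword password` / `--newPassword password` in the ldappasswordmodify step — which leaves the password in the shell history and visible to other local users through process listings. Because this is a procedure for recovering privileged credentials, the text should say so; for example, add after the first step's para `<para>On a shared system, avoid passing the password on the command line; use the <option>--interactivePassword</option> option so the command prompts for it instead.</para>`, and in the ldappasswordmodify step point to the `--bindPasswordFile` and `--newPasswordFile` options. The two procedure titles also use different forms (`Resetting the Directory Manager's Password` versus `To Reset the Global Administrator's Password`), so pick one, and the para ending `global administrator's password` in the ldappasswordmodify step is missing its final period. The `troubleshoot-use-lockdown-mode` section at the end of the hunk continues outside it.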
--
Gitblit v1.10.0