Changing the LDAP Administrator Password for an MRS Cluster
It is recommended that the administrator periodically change the passwords of the LDAP administrator accounts cn=krbkdc,ou=Users,dc=hadoop,dc=com and cn=krbadmin,ou=Users,dc=hadoop,dc=com to improve system O&M security.

This section applies only to MRS 3.1.0. For versions later than MRS 3.1.0, see Modifying the OMS Service Configuration.
Impact on the System
- You need to restart the KrbServer service after changing the password.
- After the password is changed, check whether the LDAP administrator accounts cn=krbkdc,ou=Users,dc=hadoop,dc=com and cn=krbadmin,ou=Users,dc=hadoop,dc=com are locked. Run the following command on the active management node of the cluster to check whether krbkdc is locked (the method for user krbadmin is similar):
To obtain the OLdap port number:
- Log in to FusionInsight Manager, choose :
- The value of the LDAP Listening Port parameter is the OLdap port.
ldapsearch -H ldaps://<OMS_FLOAT_IP address>:<OLdap port> -LLL -x -D cn=krbkdc,ou=Users,dc=hadoop,dc=com -W -b cn=krbkdc,ou=Users,dc=hadoop,dc=com -e ppolicy
Enter the password of the LDAP administrator account krbkdc. The default password is LdapChangeMe@123. If the following message is displayed, the account is locked. For details about how to unlock the account, see Unlocking the LDAP Management Account of the MRS Cluster.
ldap_bind: Invalid credentials (49); Account locked
Prerequisites
You have obtained the management node IP address.
Changing the Password of the LDAP Administrator
- Use the IP address of the active management node to log in to that node as user omm.
- Run the following command to go to the related directory:
cd ${BIGDATA_HOME}/om-server/om/meta-0.0.1-SNAPSHOT/kerberos/scripts
- Run the following command to change the password of the LDAP administrator account:
./okerberos_modpwd.sh
Enter the old password and then enter a new password twice.
The password must meet the following complexity requirements:
- Contains 16 to 32 characters.
- Contains at least three of the following types: uppercase letters, lowercase letters, numbers, spaces, and special characters (`~!@#$%^&*()-_=+|[{}];,<.>/?).
- Cannot be the same as the current password.
If the following information is displayed, the password is changed.
Modify kerberos server password successfully.
- Log in to FusionInsight Manager, click Cluster, click the name of the desired cluster, and choose Services > KrbServer. On the displayed page, choose More > Restart Service.
Enter the password and do not select Restart upper-layer services. Click OK to restart the KrbServer service.
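The complexity requirements listed above can be checked before the new password is typed into okerberos_modpwd.sh. The following is an added example, not part of the original page or of MRS; the function name check_ldap_admin_pw is hypothetical, and it assumes that characters outside the five listed types count toward the length but not toward any type.

```shell
#!/bin/sh
# Added example: pre-check a candidate LDAP administrator password against the
# complexity rules listed on this page. The function name is hypothetical.
# Assumption: characters outside the five listed types count toward the length
# but not toward any type (the page does not say whether they are accepted).

SPECIALS='`~!@#$%^&*()-_=+|[{}];,<.>/?'   # special characters as listed on the page

# check_ldap_admin_pw NEW CURRENT -> exit status 0 if NEW is acceptable, else 1.
# The body is a subshell, so LC_ALL and the work variables do not leak, and
# "exit" only ends the function. Reasons go to stderr; passwords are never printed.
check_ldap_admin_pw() (
    LC_ALL=C                      # byte-wise ranges: [A-Z] must not match lowercase
    new=$1 cur=$2
    if [ "${#new}" -lt 16 ] || [ "${#new}" -gt 32 ]; then
        echo "rejected: length ${#new} is outside 16 to 32" >&2; exit 1
    fi
    if [ "$new" = "$cur" ]; then
        echo "rejected: same as the current password" >&2; exit 1
    fi
    upper=0 lower=0 digit=0 space=0 special=0
    rest=$new
    while [ -n "$rest" ]; do
        tail=${rest#?}            # everything after the first character
        c=${rest%"$tail"}         # the first character itself
        rest=$tail
        case $c in
            [A-Z]) upper=1 ;;
            [a-z]) lower=1 ;;
            [0-9]) digit=1 ;;
            ' ')   space=1 ;;
            *) case $SPECIALS in *"$c"*) special=1 ;; esac ;;
        esac
    done
    types=$((upper + lower + digit + space + special))
    if [ "$types" -lt 3 ]; then
        echo "rejected: only $types of the 5 character types are present" >&2; exit 1
    fi
    exit 0
)
```

Read the candidate with a silent prompt (for example read -rs in bash) and pass the variable to the function; function arguments stay inside the shell process, so the value does not appear in the process list.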