Changing the Passwords of the LDAP Administrator and the LDAP User (Including OMS LDAP)

Updated on 2022-12-08 GMT+08:00

View PDF

Scenario

Periodically change the passwords of LDAP administrator cn=root,dc=hadoop,dc=com and LDAP user cn=pg_search_dn,ou=Users,dc=hadoop,dc=com to improve the system O&M security.

If the passwords are changed, the password of the OMS LDAP administrator or user is changed as well.

NOTE:

If the cluster is upgraded from an early version to a latest version, the LDAP administrator password will inherit the password policy of the old cluster. To ensure system security, you are advised to change the password after the cluster upgrade.

Impact on the System

Changing the user password of the LdapServer service is a high-risk operation and requires restarting the KrbServer and LdapServer services. If KrbServer is restarted, users may fail to be queried by running the id command on nodes in the cluster temporarily. Therefore, exercise caution when restarting KrbServer.
After the password of LDAP user cn=pg_search_dn,ou=Users,dc=hadoop,dc=com is changed, the user may be locked in the LDAP component. Therefore, you are advised to unlock the user after changing the password. For details about how to unlock the user, see Unlocking LDAP Users and Management Accounts.

Prerequisites

Before changing the password of LDAP user cn=pg_search_dn,ou=Users,dc=hadoop,dc=com, ensure that the user is not locked by running the following command on the active management node of the cluster:

NOTE:

To query the OLDAP port number, perform the following steps:

Log in to FusionInsight Manager, choose System > OMS > oldap > Modify Configuration:
The value of LDAP Service Listening Port is the OLDAP port.

ldapsearch -H ldaps://Floating IP address of OMS:OLDAP port-LLL -x -D cn=pg_search_dn,ou=Users,dc=hadoop,dc=com -W -b cn=pg_search_dn,ou=Users,dc=hadoop,dc=com -e ppolicy

Enter the password of the LDAP user pg_search_dn. If the following information is displayed, the user is locked. In this case, unlock the user. For details, see Unlocking LDAP Users and Management Accounts.

ldap_bind: Invalid credentials (49); Account locked

Procedure

Log in to FusionInsight Manager and choose Cluster > Name of the desired cluster > Service > LdapServer.
Choose More > Change Database Password. In the displayed dialog box, enter the password of the current login user and click OK.
In the Change Password dialog box, select the user whose password to be modified in the User Information drop-down box.
Enter the old password in the Old Password text box, and enter the new password in the New Password and Confirm Password text boxes.

The password complexity requirements are as follows by default:
- The password must contain 16 to 32 characters.
- The password must contain at least three types of the following: uppercase letters, lowercase letters, digits, spaces, and special characters (`~!@#$%^&*()-_=+|[{}];,<.>/?).
- The password cannot be the same as the username or reverse username.
- The password cannot be the same as the current password.
Select I have read the information and understood the impact and click OK to confirm the modification and restart the service.