Updated on 2022-02-22 GMT+08:00

Changing the Password for the LDAP Administrator

Scenario

Periodically change the passwords of the LDAP administrator accounts cn=krbkdc,ou=Users,dc=hadoop,dc=com and cn=krbadmin,ou=Users,dc=hadoop,dc=com to improve system O&M security. When the password of either account is changed, the OMS LDAP administrator password is changed as well.

Impact on the System

  1. You need to restart the KrbServer service after changing the password.
  2. After the password is changed, check whether the LDAP management accounts cn=krbkdc,ou=Users,dc=hadoop,dc=com and cn=krbadmin,ou=Users,dc=hadoop,dc=com are locked. Run the following command on the active OMS node to check whether krbkdc is locked (the method for krbadmin is the same):

    To obtain the oldap port number:

    1. Log in to FusionInsight Manager and choose System > OMS > oldap > Modify Configuration.
    2. The value of the LDAP Listening Port parameter is the oldap port.

    ldapsearch -H ldaps://OMS_FLOAT_IP:OLDAP_PORT -LLL -x -D cn=krbkdc,ou=Users,dc=hadoop,dc=com -W -b cn=krbkdc,ou=Users,dc=hadoop,dc=com -e ppolicy

    In this command, OMS_FLOAT_IP is the OMS floating IP address and OLDAP_PORT is the oldap port obtained above.

    Enter the password for the LDAP management account krbkdc. If the following message is displayed, the account is locked. For details on how to unlock the account, see Unlocking LDAP Users and Management Accounts.

    ldap_bind: Invalid credentials (49); Account locked

Prerequisites

You have obtained the active management node IP address.

Procedure

  1. Log in to the management node using the active management IP address as user omm.
  2. Run the following command to go to the related directory:

    cd ${BIGDATA_HOME}/om-server/om/meta-0.0.1-SNAPSHOT/kerberos/scripts

  3. Run the following command to change the password of the LDAP administrator accounts.

    ./okerberos_modpwd.sh

    Enter the old password, then enter the new password twice.

    The password complexity requirements are as follows:

    • The password ranges from 16 to 32 characters.
    • The password must contain at least three of the following four types of characters: lowercase letters, uppercase letters, digits, and special characters, where the special characters can only be `~!@#$%^&*()-_=+|[{}];,<.>/?.
    • The password cannot be the same as the previous password.

    If the following information is displayed, the password is changed successfully.

    Modify kerberos server password successfully.

  4. Log in to FusionInsight Manager and choose Cluster > Name of the desired cluster > Services > KrbServer > More > Restart Service. Enter the password and do not select Restart upper-layer services. Click OK to restart the KrbServer service.
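The two checks this page describes, a pre-flight test of a candidate password against the complexity rules in step 3 and detection of the "Account locked" message from the ldapsearch command in Impact on the System, written out as an added example. This is not part of this documentation or of the okerberos_modpwd.sh script; the sample ldapsearch output is constructed from the message quoted above.

```python
import re
import string

# Complexity rules as stated on the page: 16 to 32 characters, at least three
# of the four character classes, special characters limited to this set, and
# a new password that differs from the previous one.
ALLOWED_SPECIALS = "`~!@#$%^&*()-_=+|[{}];,<.>/?"


def password_violations(new_password: str, previous_password: str) -> list:
    """Return the complexity rules the candidate breaks (empty list if it is acceptable)."""
    problems = []
    if not 16 <= len(new_password) <= 32:
        problems.append("length must be 16 to 32 characters")
    classes = [
        any(c in string.ascii_lowercase for c in new_password),
        any(c in string.ascii_uppercase for c in new_password),
        any(c in string.digits for c in new_password),
        any(c in ALLOWED_SPECIALS for c in new_password),
    ]
    if sum(classes) < 3:
        problems.append("must contain at least three of: lowercase, uppercase, digits, special characters")
    permitted = string.ascii_letters + string.digits + ALLOWED_SPECIALS
    disallowed = sorted({c for c in new_password if c not in permitted})
    if disallowed:
        problems.append("contains characters outside the allowed set: " + repr("".join(disallowed)))
    if new_password == previous_password:
        problems.append("must differ from the previous password")
    return problems


# Lock message as quoted on the page for ldapsearch ... -e ppolicy.
LOCKED_PATTERN = re.compile(r"ldap_bind: Invalid credentials \(49\); Account locked")


def account_locked(ldapsearch_output: str) -> bool:
    """True if the captured ldapsearch output shows the account is locked."""
    return bool(LOCKED_PATTERN.search(ldapsearch_output))


# Constructed sample outputs: one locked account, one successful bind.
SAMPLE_LOCKED_OUTPUT = "ldap_bind: Invalid credentials (49); Account locked\n"
SAMPLE_OK_OUTPUT = "dn: cn=krbkdc,ou=Users,dc=hadoop,dc=com\ncn: krbkdc\n"

if __name__ == "__main__":
    print(password_violations("Krb5Admin!Secure#2024", "OldPassword"))
    print(account_locked(SAMPLE_LOCKED_OUTPUT), account_locked(SAMPLE_OK_OUTPUT))
```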