Updated on 2022-11-23 GMT+08:00

Changing the Passwords of the LDAP Administrator and the LDAP User (Including OMS LDAP)

This section applies only to MRS 3.1.0. For later versions, see Modifying OMS Service Configuration Parameters.

Scenario

It is recommended that the administrator periodically changes the passwords of LDAP administrator cn=root,dc=hadoop,dc=com and LDAP user cn=pg_search_dn,ou=Users,dc=hadoop,dc=com to improve the system O&M security.

If the passwords are changed, the password of the OMS LDAP administrator or user is changed as well.

If the cluster is upgraded from an early version to a latest version, the LDAP administrator password will inherit the password policy of the old cluster. To ensure system security, you are advised to change the password after the cluster upgrade.

Impact on the System

  • Changing the user password of the LdapServer service is a high-risk operation and requires restarting the KrbServer and LdapServer services. If KrbServer is restarted, users may fail to be queried by running the id command on nodes in the cluster temporarily. Therefore, exercise caution when restarting KrbServer.
  • After the password of LDAP user cn=pg_search_dn,ou=Users,dc=hadoop,dc=com is changed, the user may be locked in the LDAP component. Therefore, you are advised to unlock the user after changing the password. For details about how to unlock the user, see Unlocking LDAP Users and Management Accounts.

Prerequisites

Before changing the password of LDAP user cn=pg_search_dn,ou=Users,dc=hadoop,dc=com, ensure that the user is not locked by running the following command on the active management node of the cluster:

To query the OLdap port number, perform the following steps:

  1. Log in to FusionInsight Manager, choose System > OMS > oldap > Modify Configuration:
  2. The value of LDAP Service Listening Port is the OLDAP port.

ldapsearch -H ldaps://Floating IP address of OMS:OLDAP port-LLL -x -D cn=pg_search_dn,ou=Users,dc=hadoop,dc=com -W -b cn=pg_search_dn,ou=Users,dc=hadoop,dc=com -e ppolicy

Enter the password of the LDAP user pg_search_dn. If the following information is displayed, the user is locked. In this case, unlock the user. For details, see Unlocking LDAP Users and Management Accounts.

The password of the LDAP user pg_search_dn is randomly generated by the system. You can obtain the password from the /etc/sssd/sssd.conf or /etc/ldap.conf file on the active node.

ldap_bind: Invalid credentials (49); Account locked

Procedure

  1. Log in to FusionInsight Manager, click Cluster, click the name of the desired cluster, and choose Service > LdapServer.
  2. Choose More > Change Database Password. In the displayed dialog box, enter the password of the current login user and click OK.
  3. In the Change Password dialog box, select the user whose password to be modified in the User Information drop-down box.
  4. Enter the old password in the Old Password text box, and enter the new password in the New Password and Confirm Password text boxes.

    The password must meet the following complexity requirements:

    • Contains 16 to 32 characters.
    • Contains at least three types of the following: uppercase letters, lowercase letters, numbers, spaces, and special characters (`~!@#$%^&*()-_=+|[{}];,<.>/?).
    • Cannot be the same as the username or the username spelled backwards.
    • Cannot be the same as the current password.

  5. Select I have read the information and understood the impact and click OK to confirm the modification and restart the service.