Updated on 2024-09-23 GMT+08:00

Changing the Password for a Regular LDAP User of an MRS Cluster

This section describes how to periodically change the passwords for LDAP administrators and users of an MRS cluster to improve system O&M security.

  • Usernames in MRS 3.1.0:
    • LDAP administrators: cn=root, dc=hadoop, dc=com
    • LDAP users: cn=pg_search_dn, ou=Users, dc=hadoop, dc=com
  • Usernames in MRS 2.x or earlier:
    • LDAP administrators: rootdn:cn=root, dc=hadoop, dc=com
    • LDAP users: pg_search_dn:cn=pg_search_dn, ou=Users, dc=hadoop, dc=com
  • This section only applies to MRS 2.x or earlier and MRS 3.1.0. For versions later than MRS 3.1.0, refer to Modifying the OMS Service Configuration.
  • For MRS 3.1.0 clusters:
    • Changing these user passwords will also update OMS LDAP administrator or user passwords.
    • If the cluster is upgraded from an earlier version, LDAP administrator passwords will inherit the password policy of the old cluster. To ensure system security, you are advised to change the passwords after the cluster upgrade.

Impact on the System

  • For MRS 2.x or earlier, all services need to be restarted after passwords are changed, during which the services are unavailable.
  • For MRS 3.1.0 clusters:
    • Changing the user password of the LdapServer service is a high-risk operation and requires restarting the KrbServer and LdapServer services. While KrbServer is restarting, the id command run on cluster nodes may temporarily fail to query users. Therefore, exercise caution when restarting KrbServer.
    • After the password for the LDAP user cn=pg_search_dn,ou=Users,dc=hadoop,dc=com is changed, the user may be locked in the LDAP component. You are advised to unlock it after the password change. For details, see Unlocking the LDAP Management Account of the MRS Cluster.

Prerequisites (MRS 3.1.0)

Before changing the password for the LDAP user cn=pg_search_dn,ou=Users,dc=hadoop,dc=com, ensure that the user is not locked by running the following command on the active management node of the cluster:

ldapsearch -H ldaps://<Floating IP address of OMS>:<OLDAP port> -LLL -x -D cn=pg_search_dn,ou=Users,dc=hadoop,dc=com -W -b cn=pg_search_dn,ou=Users,dc=hadoop,dc=com -e ppolicy

Enter the password for the LDAP user pg_search_dn. If the following information is displayed, the user is locked. In this case, unlock the user by referring to Unlocking the LDAP Management Account of the MRS Cluster.

ldap_bind: Invalid credentials (49); Account locked

  • To obtain the OLDAP port, log in to FusionInsight Manager, choose System > OMS > oldap > Modify Configuration, and view the value of LDAP Listening Port.
  • The password for the LDAP user pg_search_dn is randomly generated by the system and can be obtained from the /etc/sssd/sssd.conf or /etc/ldap.conf file on the active node.
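The lock check above can be scripted so that it runs non-interactively and reports a clear verdict instead of a raw bind error. The following is an added example and not part of the Huawei documentation: it runs the same ldapsearch bind with the ppolicy control, passes the pg_search_dn password through a 0600 temporary file (-y) rather than typing it or placing it on the command line, and classifies the result from ldapsearch's exit status and diagnostic text. The OMS floating IP, OLDAP port and the PG_SEARCH_DN_PASSWORD environment variable are assumptions for the usage section.

```python
"""Added example (not from the MRS documentation): run the Prerequisites
bind check for cn=pg_search_dn non-interactively and classify the result."""
import os
import subprocess
import tempfile

PG_SEARCH_DN = "cn=pg_search_dn,ou=Users,dc=hadoop,dc=com"


def classify_bind_result(returncode: int, stderr: str) -> str:
    """Map ldapsearch's exit status and diagnostic output to a verdict.

    OpenLDAP's ldapsearch exits with the LDAP result code when the bind
    fails; 49 is invalidCredentials. With the ppolicy control the diagnostic
    names the lockout explicitly ("Account locked"), which is the string the
    documentation tells you to look for.
    """
    if "Account locked" in stderr:
        return "locked"                # unlock the account before changing the password
    if returncode == 0:
        return "ok"                    # bind succeeded, account is not locked
    if returncode == 49:
        return "invalid_credentials"   # wrong password, not a lockout
    return f"error({returncode})"      # connectivity/TLS/other failure


def check_pg_search_dn(oms_floating_ip: str, oldap_port: int, password: str) -> str:
    """Run the documented ldapsearch bind over ldaps and return the verdict.

    The password is written to a temporary file readable only by the
    current user and handed to ldapsearch with -y, so it never appears in
    the process list or shell history. -y uses the file content verbatim,
    so no trailing newline is written.
    """
    fd, path = tempfile.mkstemp(prefix="ldappw-")
    try:
        with os.fdopen(fd, "w") as f:
            f.write(password)
        os.chmod(path, 0o600)
        cmd = [
            "ldapsearch", "-H", f"ldaps://{oms_floating_ip}:{oldap_port}",
            "-LLL", "-x", "-D", PG_SEARCH_DN, "-y", path,
            "-b", PG_SEARCH_DN, "-e", "ppolicy",
        ]
        proc = subprocess.run(cmd, capture_output=True, text=True)
        return classify_bind_result(proc.returncode, proc.stderr)
    finally:
        os.unlink(path)  # do not leave the password file behind


if __name__ == "__main__":
    import sys
    # Hypothetical usage: check_lock.py <OMS floating IP> <OLDAP port>
    ip, port = sys.argv[1], int(sys.argv[2])
    pw = os.environ["PG_SEARCH_DN_PASSWORD"]  # assumed env var, not on the page
    print(check_pg_search_dn(ip, port, pw))
```

Run it on the active management node as the user that normally runs ldapsearch; a verdict of locked means the unlock procedure referenced above must be completed before the password change, while invalid_credentials means the password taken from sssd.conf or ldap.conf is wrong rather than the account being locked.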

Changing the Password for a Regular LDAP User of an MRS Cluster

For MRS 3.1.0:

  1. Log in to FusionInsight Manager and choose Cluster > Services > LdapServer.
  2. In the upper right corner of the Overview page, choose More > Change Database Password. In the displayed dialog box, enter the password of the current login user and click OK.
  3. In the Change Password dialog box, select the user whose password needs to be changed in the User Information drop-down list.
  4. Enter the old password in the Old Password text box, and enter the new password in the New Password and Confirm Password text boxes.

    The default password complexity requirements are as follows:

    • The password must contain 16 to 32 characters.
    • The password must contain at least three of the following types: uppercase letters, lowercase letters, numbers, and special characters (`~!@#$%^&*()-_=+|[{}];,<.>/?).
    • The password cannot be the same as the username or the username spelled backwards.
    • The password cannot be the same as the current password.

  5. Select I have read the information and understood the impact and click OK to confirm the modification and restart the service.

For MRS 2.x or earlier:

  1. On MRS Manager, choose Services > LdapServer > More.
  2. Click Change Password. In the displayed dialog box, enter the old password and click OK.
  3. In the Change Password dialog box, select the user whose password needs to be modified in the User Information drop-down box.
  4. Enter the old password in the Old Password text box, and enter the new password in the New Password and Confirm Password text boxes.

    The default password complexity requirements are as follows:

    • The password must contain 16 to 32 characters.
    • The password must contain at least three types of the following: uppercase letters, lowercase letters, digits, and special characters (`~!@#$%^&*()-_=+\|[{}];:",<.>/?).
    • The password cannot be the username or the reverse username.
    • The new password cannot be the same as the current password.

    The default password of the LDAP administrator rootdn:cn=root,dc=hadoop,dc=com is LdapChangeMe@123, and that of the LDAP user pg_search_dn:cn=pg_search_dn,ou=Users,dc=hadoop,dc=com is pg_search_dn@123. Periodically change the passwords and keep them secure.

  5. Select I have read the information and understand the impact, and click OK to confirm the modification and restart the service.
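The Change Password dialog rejects a new password only after it has been typed in, and a rejected attempt against an already fragile account is worth avoiding. The following added example, which is not code from the MRS documentation, checks a candidate password offline against the default complexity rules listed in step 4 for both MRS 3.1.0 and MRS 2.x or earlier; the two versions differ only in the set of characters that count as special, so the set is selected by version. The function and rule wording are the example's own; the sample passwords in the comments are constructed.

```python
"""Added example (not from the MRS documentation): pre-check a new
LdapServer password against the default complexity rules before entering
it in the Change Password dialog."""
import string

# Special-character sets exactly as listed in the documentation per version.
SPECIALS = {
    "3.1.0": "`~!@#$%^&*()-_=+|[{}];,<.>/?",
    "2.x": "`~!@#$%^&*()-_=+\\|[{}];:\",<.>/?",
}


def check_password(new_password: str, username: str, current_password: str,
                   version: str = "3.1.0") -> list:
    """Return the list of violated rules; an empty list means the password passes.

    username is the account name (e.g. pg_search_dn), current_password the
    password being replaced. version selects which characters count as special.
    """
    specials = SPECIALS[version]
    problems = []

    # Rule 1: 16 to 32 characters.
    if not 16 <= len(new_password) <= 32:
        problems.append("length must be 16 to 32 characters")

    # Rule 2: at least three of the four character classes.
    classes = [
        any(c in string.ascii_uppercase for c in new_password),
        any(c in string.ascii_lowercase for c in new_password),
        any(c in string.digits for c in new_password),
        any(c in specials for c in new_password),
    ]
    if sum(classes) < 3:
        problems.append("needs at least three of: uppercase, lowercase, digit, special")

    # Rule 3: not the username or the username spelled backwards.
    if new_password in (username, username[::-1]):
        problems.append("must not equal the username or the reversed username")

    # Rule 4: not the same as the current password.
    if new_password == current_password:
        problems.append("must differ from the current password")

    return problems


if __name__ == "__main__":
    # Constructed sample: ':' is a special character on MRS 2.x but not on 3.1.0,
    # so the same candidate passes one version's rules and fails the other's.
    candidate = "abcdefghijklmno:1"
    for v in ("2.x", "3.1.0"):
        print(v, check_password(candidate, "pg_search_dn", "unused", v) or "ok")
```

Because the check is purely local it can be run from a workstation before the maintenance window; it does not replace the dialog's own validation, which remains authoritative for any rule the cluster administrator has changed from the defaults.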