Debian Edu, that is Skolelinux, aims to make the life of admins comfortable. Users, attached computers and more (stored in OpenLDAP) can be administered with the included GOsa GUI.
But upgrading the main server from Debian jessie to Debian stretch (in 2017-08) broke GOsa with: Error while connecting to LDAP: Could not bind to cn=gosa-admin,ou=ldap-access,dc=skole,dc=skolelinux,dc=no (while operating on LDAP server ldaps://ldap.intern)
Because this system had been upgraded several times, the auto-generated GOsa LDAP password was no longer available, and the existing hashes of that password did not work with Debian stretch.
Installing updates one year later (2018-07) did not fix the access error, so it was time to dive into the LDAP authentication of GOsa and Skolelinux.
Step 1: The program slapcat exports the whole LDAP database to an LDIF file (here: export.ldif). It reads the database files directly, so it needs root but no LDAP password.
Step 2: Edit export.ldif and replace the gosa-admin password:
- As an LDAP novice I had to learn that this password has to be hashed with slappasswd, and that the userPassword:: line holds the base64 encoding of the complete {SSHA}... string:
echo "$(slappasswd)" | openssl base64
(just enter the new password, e.g. toptopsecret, twice when asked; echo appends a newline to the encoded value, which slapd tolerates, but printf '%s' "$(slappasswd)" | openssl base64 avoids it)
- Search for gosa-admin in export.ldif and replace the text after userPassword:: with the output of the command above
- Stop slapd (systemctl stop slapd), move /var/lib/ldap to /var/lib/ldap.orig, create a new /var/lib/ldap and copy DB_CONFIG from /var/lib/ldap.orig into it
- Import the edited export.ldif and fix ownership (slapadd runs as root, so the database files it creates must be handed to the openldap user recursively):
slapadd -l export.ldif
chown -R openldap:openldap /var/lib/ldap
- Start slapd:
systemctl start slapd
and in case of errors
systemctl status slapd
journalctl -f -u slapd
(if that is not enough, set loglevel in /etc/ldap/slapd.conf from none to 65535)
Note: Step 2 can also be used to migrate a Skolelinux configuration from one server to another.
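As an added example that is not from this post: the LDIF rewrite of step 2 done in Python, so the edited export can be checked offline before slapadd. It assumes the default {SSHA} layout that slappasswd emits (salted SHA-1 with a 4-byte salt) and the gosa-admin dn from the error message above; the sample export is constructed.

```python
import base64
import hashlib
import os

def ssha_hash(password, salt=None):
    # Same layout slappasswd emits by default: {SSHA} + base64(sha1(pw + salt) + salt)
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def ssha_verify(password, stored):
    # What slapd does on a simple bind: re-hash with the stored salt and compare
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    return hashlib.sha1(password.encode("utf-8") + raw[20:]).digest() == raw[:20]

def entry_lines(ldif, dn):
    # Yield (line, belongs_to_dn); LDIF folding is undone first (continuations start with a space)
    in_target = False
    for line in ldif.replace("\n ", "").split("\n"):
        if line.startswith("dn:"):
            in_target = line == "dn: " + dn
        yield line, in_target

def read_user_password(ldif, dn):
    # Decoded userPassword of entry dn ('::' means the value is base64-encoded)
    for line, mine in entry_lines(ldif, dn):
        if mine and line.startswith("userPassword::"):
            return base64.b64decode(line[len("userPassword::"):].strip()).decode("ascii")

def set_user_password(ldif, dn, new_hash):
    # Rewrite the entry's userPassword as 'userPassword:: <base64 of the whole
    # {SSHA}... string>' and return (new_ldif, number_of_lines_replaced)
    encoded = base64.b64encode(new_hash.encode("ascii")).decode("ascii")
    out, replaced = [], 0
    for line, mine in entry_lines(ldif, dn):
        if mine and line.startswith("userPassword:"):
            line, replaced = "userPassword:: " + encoded, replaced + 1
        out.append(line)
    return "\n".join(out), replaced

# Constructed two-entry export, not a real slapcat dump; the old value decodes to "{SSHA}old"
SAMPLE_EXPORT = """dn: dc=skole,dc=skolelinux,dc=no
dc: skole

dn: cn=gosa-admin,ou=ldap-access,dc=skole,dc=skolelinux,dc=no
cn: gosa-admin
userPassword:: e1NTSEF9b2xk
"""
```

Running set_user_password(SAMPLE_EXPORT, dn, ssha_hash("toptopsecret")) and feeding the result to read_user_password plus ssha_verify confirms the new line binds with the chosen password before slapadd is run.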
Step 3: Add the new password in clear text to gosa.conf (in /etc/gosa/); it stays in clear text only until step 4 re-encrypts it:
- Create backup copies of gosa.conf and gosa.secrets
- Edit gosa.secrets so that it is an empty file
- Edit gosa.conf, search for adminPassword and set the clear-text password (twice: at snapshotAdminPassword and at adminPassword)
- Restart the webserver (because /etc/gosa/gosa.secrets is included in the Apache config):
apache2ctl graceful
- Try to log in at https://yourip/gosa
- If the login succeeds, create fresh backup copies of gosa.conf and gosa.secrets
Step 4: Encrypt the passwords in gosa.conf with the gosa-encrypt-passwords tool:
- Remove /etc/gosa/gosa.secrets (after having made backups of gosa.secrets and gosa.conf)
- Run gosa-encrypt-passwords
- If it succeeds, restart the webserver:
apache2ctl graceful
- Try to log in at https://yourip/gosa
Done!