How to reset Delegated Administrator password
Hi All,
When I use
./commadmin user create -D admin -F FIRSTNAME -n MYDOMAIN.com -L LASTNAME -l LOGON_ID -w ADMIN_PASSWORD -W NEW_USER_PASSWORD -d MYDOMAIN.com -S mail -E USER@MYDOMAIN.com -H MYSERVER.MYDOMAIN.com
to create a new account, my admin password does not work anymore and it says
Invalid value for login ID: admin
Invalid value for login password
Invalid value for login domain:
How can I reset DA admin password?
Thanks in advance.
Goodman
By Goodmana at 2007-11-27 10:53:25

# 1
Hi,
> to create a new account, my admin password does not
> work anymore and it says
"does not work anymore" ... is this because you have forgotten the password?
Passwords don't just break - you need to find the underlying cause of this problem e.g. password expiration, somebody has modified the password without your knowledge etc.
When you run the following command what do you get?
./commadmin -v search domain whatever
You should also see a matching bind/search in the LDAP access logs, what does the bind attempt return (is it err=49?)
> How can I reset DA admin password?
ldapsearch to find the admin user and ldapmodify, binding as the directory manager to change the admin password.
This may not help because the password may not be incorrect. The issue may be deeper.
Regards,
Shane.
# 2
Hi Shane,
Thanks for your reply.
> > to create a new account, my admin password does
> > not work anymore and it says
>
> "does not work anymore" ... is this because you have
> forgotten the password?
I did not forget the password.
> Passwords don't just break - you need to find the
> underlying cause of this problem e.g. password
> expiration, somebody has modified the password
> without your knowledge etc.
I did not change it. Another colleague knows the password. He said he did not change it. Is there any log entries to show someone changed the password?
Maybe password expiration is the possible reason. How do I check whether or not it is expired? This server was built by the previous administrator and I took over it several months ago. I do not know whether or not he set the expiration date.
I remembered I removed some accounts (people left) on Access Manager Console. Is it possible I accidentally removed the admin account? I found the admin password did not work when I tried to use commadmin to purge the marked accounts after using AM console to remove the accounts. If it is the case, can I restore the marked accounts? The default grace time is 5 days (I think), does it mean that all marked accounts will be removed automatically after the grace time?
> When you run the following command what do you get?
>
> ./commadmin -v search domain whatever
I got:
[Debug]: DBG:Object = search ; task = domain
[Debug]: default domain from Properties: xxx.xxx.edu
[Debug]: IShost from Properties: webmail.xxx.xxx.edu
[Debug]: ISPort from Properties: 80
Enter login ID:
What login ID should I use? If I use admin, I got
[Debug]: Contacting : http://webmail.xxx.xxx.edu:80/commcli/auth
[Debug]: To servlet: domain=xxx.xxx.edu&username=admin&password=xxxxxx&charsetenc=UTF-8
[Debug]: RECV: Authentication failed
Invalid value for login ID: admin
Invalid value for login password
Invalid value for login domain: xxx.xxx.edu
Enter login ID[admin]:
If I use cn=Directory Manager, I got
[Debug]: DBG:Object = search ; task = domain
[Debug]: default domain from Properties: xxx.xxx.edu
[Debug]: IShost from Properties: webmail.xxx.xxx.edu
[Debug]: ISPort from Properties: 80
Enter login ID: cn=Directory Manager
Enter login password: xxxxxxx
[Debug]: Contacting : http://webmail.xxx.xxx.edu:80/commcli/auth
[Debug]: To servlet: domain=xxx.xxx.edu&username=cn=Directory Manager&password=xxxxxxx&charsetenc=UTF-8
[Debug]: RECV: Authentication failed
Invalid value for login ID: cn=Directory Manager
Invalid value for login password
Invalid value for login domain: cmps.subr.edu
Enter login ID[cn=Directory Manager]:
> You should also see a matching bind/search in the
> LDAP access logs, what does the bind attempt return
> (is it err=49?)
You are right, the bind attempt returns err=49 when I use admin
[18/Jul/2007:08:16:00 -0500] conn=8 op=42 msgId=789 - SRCH base="o=xxx.xxx.edu,dc=xxx,dc=xxx,dc=edu" scope=2 filter="(uid=admin)" attrs="dn uid"
[18/Jul/2007:08:16:00 -0500] conn=8 op=42 msgId=789 - RESULT err=0 tag=101 nentries=1 etime=0
[18/Jul/2007:08:16:00 -0500] conn=8 op=43 msgId=790 - BIND dn="uid=admin, ou=People, o=xxx.xxx.edu,dc=xxx,dc=xxx,dc=edu" method=128 version=3
[18/Jul/2007:08:16:00 -0500] conn=8 op=43 msgId=790 - RESULT err=49 tag=97 nentries=0 etime=0
When I use cn=Directory Manager, I did not find a BIND as cn=Directory Manager. But I do find several entries BIND as
[18/Jul/2007:08:16:56 -0500] conn=355 op=0 msgId=1 - BIND dn="uid=msg-admin-webmail.xxx.xxx.edu-20050422145523Z, ou=People, o=xxx.xxx.edu,dc=xxx,dc=xxx,dc=edu" method=128 version=3
[18/Jul/2007:08:16:56 -0500] conn=356 op=0 msgId=1 - BIND dn="cn=msg-config, cn=Sun ONE Messaging Suite, cn=Server Group, cn=webmail.xxx.xxx.edu, ou=xxx.xxx.edu, o=NetscapeRoot" method=128 version=2
[18/Jul/2007:08:22:06 -0500] conn=8 op=44 msgId=791 - BIND dn="cn=amldapuser,ou=DSAME Users,dc=xxx,dc=xxx,dc=edu" method=128 version=3
and all of them return
conn=361 op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 etime=0
> > How can I reset DA admin password?
>
> ldapsearch to find the admin user and ldapmodify,
> binding as the directory manager to change the admin
> password.
>
> This may not help because the password may not be
> incorrect. The issue may be deeper.
When I use
ldapsearch -h webmail.xxx.xxx.edu -D "cn=Directory Manager" -w xxxxxx -b "ou=People, dc=xxx, dc=xxx, dc=edu" -L uid=admin
to search admin, there is no output. Also there is no error.
I tried to search my record, also got nothing. But my email account works on this server.
What do you think the problem is?
The access logs are
[18/Jul/2007:09:33:03 -0500] conn=396 op=-1 msgId=-1 - fd=54 slot=54 LDAP connection from xxx.xxx.200.53 to xxx.xxx.200.53
[18/Jul/2007:09:33:03 -0500] conn=396 op=0 msgId=1 - BIND dn="cn=directory manager" method=128 version=3
[18/Jul/2007:09:33:03 -0500] conn=396 op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
[18/Jul/2007:09:33:03 -0500] conn=396 op=1 msgId=2 - SRCH base="ou=people,dc=xxx,dc=xxx,dc=edu" scope=2 filter="(uid=admin)" attrs="-n xxx.xxx.edu"
[18/Jul/2007:09:33:03 -0500] conn=396 op=1 msgId=2 - RESULT err=0 tag=101 nentries=0 etime=0
[18/Jul/2007:09:33:03 -0500] conn=396 op=2 msgId=3 - UNBIND
[18/Jul/2007:09:33:03 -0500] conn=396 op=2 msgId=-1 - closing - U1
[18/Jul/2007:09:33:04 -0500] conn=396 op=-1 msgId=-1 - closed.
Apart from using commadmin or the DA console to create an email account, are there any other ways to do it?
Best wishes,
Goodman
# 3
Hi,
> > Passwords don't just break - you need to find the
> > underlying cause of this problem e.g. password
> > expiration, somebody has modified the password
> > without your knowledge etc.
>
> I did not change it. Another colleague knows the
> password. He said he did not change it. Is there any
> log entries to show someone changed the password?
If you have audit logging on your directory server, then there will be a record in this log as to when the password (userpassword: attribute) was modified and by whom (the bind user).
Refer to directory server manuals on how to enable audit logging (which I would recommend for any site).
> Maybe password expiration is the possible reason. How
> do I check whether or not it is expired? This server
> was built by previous administrator and I took ove it
> several months ago. I do not whether or not he set
> the expiration date.
You can set password expiration at many levels - you can test to see the reason why a password is being rejected by using ldapsearch e.g.
cd /opt/SUNWmsgsr/lib (you need to use the ldapsearch provided with messaging server/directory server etc. and not the one provided with the OS)
./ldapsearch -h <directory host> -b "dc=xxx,dc=xxx,dc=edu" -D "uid=admin, ou=People, o=xxx.xxx.edu,dc=xxx,dc=xxx,dc=edu" -w 'password' uid=*
If the password is expired (as opposed to using the wrong password) you will see:
ldap_simple_bind: Invalid credentials
ldap_simple_bind: additional info: password expired!
> I remembered I removed some accounts (people left) on
> Access Manager Console. Is it possible I accidently
> removed the admin account? I found the admin password
> did not work when I tried to use commadmin to purge
> the marked account after using AM console to remove
> the accounts. If it is the case, can I restore the
> marked accounts? The default grace time is 5 days (I
> think), does it mean that all marked account will be
> removed automatically after grace time?
According to the directory logs below, the admin user exists so this isn't the issue.
> If I use cn=Directory Manager, I got
This isn't going to work - "cn=Directory Manager" is a special directory user, not a delegated administrator user.
> You are right, the bind attempt returns err=49 when I
> use admin
>
> [18/Jul/2007:08:16:00 -0500] conn=8 op=42 msgId=789 -
> SRCH base="o=xxx.xxx.edu,dc=xxx,dc=xxx,dc=edu"
> scope=2 filter="(uid=admin)" attrs="dn uid"
> [18/Jul/2007:08:16:00 -0500] conn=8 op=42 msgId=789 -
> RESULT err=0 tag=101 nentries=1 etime=0
> [18/Jul/2007:08:16:00 -0500] conn=8 op=43 msgId=790 -
> BIND dn="uid=admin, ou=People,
> o=xxx.xxx.edu,dc=xxx,dc=xxx,dc=edu" method=128
> version=3
> [18/Jul/2007:08:16:00 -0500] conn=8 op=43 msgId=790 -
> RESULT err=49 tag=97 nentries=0 etime=0
So the account was found but the password was invalid.
> > > How can I reset DA admin password?
> >
> > ldapsearch to find the admin user and ldapmodify,
> > binding as the directory manager to change the
> admin
> > password.
> >
> > This may not help because the password may not be
> > incorrect. The issue may be deeper.
>
> When I use
>
> ldapsearch -h webmail.xxx.xxx.edu -D "cn=Directory
> Manager" -w xxxxxx -b "ou=People, dc=xxx, dc=xxx,
> dc=edu" -L uid=admin
You don't use "-L"
> Apart from using commadmin or the DA console to create an email
> account, are there any other ways to do it?
You can create them manually but I wouldn't recommend it. Better to get the tools working.
To change a user's password you can do the following:
1. Create a file called /tmp/chgpwd containing the following (replacing newpassword with the new password for the admin user):
dn: uid=admin, ou=People, o=xxx.xxx.edu,dc=xxx,dc=xxx,dc=edu
changetype: modify
replace: userpassword
userpassword: newpassword
2. Run ldapmodify to update the password
./ldapmodify -h <directory server hostname> -D "cn=directory manager" -w <directory manager password> -f /tmp/chgpwd
Regards,
Shane.
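An added example, not code from the thread: a small Python parser that pairs each BIND with the RESULT sharing its conn/op in the Directory Server access-log format quoted in post #2, so the err=49 (invalid credentials) that the diagnosis in post #3 relies on can be picked out per connection rather than by eye. The sample log lines are constructed, with placeholder hostnames and DNs.

```python
import re
from collections import defaultdict

# Constructed sample lines in the Sun/Netscape Directory Server access-log
# format shown in the thread (DNs and hosts are placeholders, not real values).
SAMPLE_LOG = """\
[18/Jul/2007:08:16:00 -0500] conn=8 op=42 msgId=789 - SRCH base="o=example.edu,dc=example,dc=edu" scope=2 filter="(uid=admin)" attrs="dn uid"
[18/Jul/2007:08:16:00 -0500] conn=8 op=42 msgId=789 - RESULT err=0 tag=101 nentries=1 etime=0
[18/Jul/2007:08:16:00 -0500] conn=8 op=43 msgId=790 - BIND dn="uid=admin, ou=People, o=example.edu,dc=example,dc=edu" method=128 version=3
[18/Jul/2007:08:16:00 -0500] conn=8 op=43 msgId=790 - RESULT err=49 tag=97 nentries=0 etime=0
[18/Jul/2007:09:33:03 -0500] conn=396 op=-1 msgId=-1 - fd=54 slot=54 LDAP connection from 192.0.2.10 to 192.0.2.10
[18/Jul/2007:09:33:03 -0500] conn=396 op=0 msgId=1 - BIND dn="cn=directory manager" method=128 version=3
[18/Jul/2007:09:33:03 -0500] conn=396 op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
"""

# One access-log line: timestamp, conn, op, msgId, then the operation body.
LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>-?\d+) op=(?P<op>-?\d+) msgId=-?\d+ - (?P<body>.*)$')
BIND_RE = re.compile(r'^BIND dn="(?P<dn>[^"]*)"')
RESULT_RE = re.compile(r'^RESULT err=(?P<err>\d+) tag=(?P<tag>\d+)')

def correlate_binds(log_text):
    """Pair every BIND with the RESULT that carries the same conn/op."""
    pending = {}   # (conn, op) -> bind details waiting for their RESULT
    results = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue   # skip connection open/close bookkeeping we do not parse
        key = (m['conn'], m['op'])
        b = BIND_RE.match(m['body'])
        if b:
            pending[key] = {'ts': m['ts'], 'conn': m['conn'], 'dn': b['dn'] or '(anonymous)'}
            continue
        r = RESULT_RE.match(m['body'])
        if r and r['tag'] == '97' and key in pending:   # tag=97 is a BindResponse
            info = pending.pop(key)
            info['err'] = int(r['err'])
            results.append(info)
    return results

def failed_binds(log_text):
    """Return (dn, err) for binds that did not succeed; err=49 means invalid credentials."""
    return [(r['dn'], r['err']) for r in correlate_binds(log_text) if r['err'] != 0]

def failures_by_dn(log_text):
    """Count failed binds per DN, a simple signal for a stale password or a guessing attempt."""
    counts = defaultdict(int)
    for dn, _err in failed_binds(log_text):
        counts[dn] += 1
    return dict(counts)

if __name__ == "__main__":
    for dn, err in failed_binds(SAMPLE_LOG):
        print(f"failed bind as {dn}: err={err}")
```

Run it against a real access log by reading the file into a string in place of SAMPLE_LOG; a DN that fails repeatedly while Directory Manager binds succeed is the pattern seen in this thread.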
# 4
Hi Shane,
Thank you very much for your detailed information.
> If you have audit logging on your directory server,
> then there will be a record in this log as to when
> the password (userpassword: attribute) was modified
> and by whom (the bind user).
>
> Refer to directory server manuals on how to enable
> audit logging (which I would recommend for any
> site).
I will do it.
> If the password is expired (as opposed to using the
> wrong password) you will see:
>
> ldap_simple_bind: Invalid credentials
> ldap_simple_bind: additional info: password expired!
I am happy to know I am not this case.
> ldapsearch -h webmail.xxx.xxx.edu -D "cn=Directory
> Manager" -w xxxxxx -b "ou=People, dc=xxx, dc=xxx,
> dc=edu" -L uid=admin
>
> You don't use "-L"
Suppose I should get my information when I set uid=myusername, but there is no output. What do you think is wrong here?
> You can create them manually but I wouldn't recommend
> it. Better to get the tools working.
I would like to know this method to change the password manually if you do not mind.
> To change a users password you can do the following:
>
> 1. Create a file called /tmp/chgpwd containing the
> following (replacing newpassword with the new
> password for the admin user):
> > dn: uid=admin, ou=People,
> o=xxx.xxx.edu,dc=xxx,dc=xxx,dc=edu
> changetype: modify
> replace: userpassword
> userpassword: newpassword
>
> 2. Run ldapmodify to update the password
> > ./ldapmodify -h <directory server hostname> -D
> "cn=directory manager" -w <directory manager
> password> -f /tmp/chgpwd
>
The above command works. But I still get the same message:
invalid value for login ID: admin
Invalid value for login password
Invalid value for login domain:
Right now, I have another problem. All my users could not log in to check their email yesterday afternoon. Scanning the error log I found the following error:
[18/Jul/2007:12:31:42 -0500] - ERROR<5897> - Schema - conn=-1 op=-1 msgId=-1 - User error: Entry "uid=msg-admin-webmail.xxx.xxx.edu-20050422145523Z,ou=People, o=xxx.xxx.edu,dc=xxx,dc=xxx,dc=edu", attribute "inetUserStatus" is not allowed
I logged in to the amconsole and found the msg-admin user's status box is empty. When I tried to activate it, I got:
User Profile
Error/s encountered
* inetuserstatus-Unable to set attribute(s)
I do not know what happened. The old problem is not solved yet, and a new problem appears again. I am nervous about it.
I made an ldif backup two months ago using the console. At least I can fix some problems if I can restore it. I tried to import the old ldif from the console. It looks like it does not change any entry. I think I missed some steps. Could you please tell me what the correct restore steps are?
Please save me!
Best wishes,
Goodman
# 5
Hi,
This has gone beyond what I can offer in the way of assistance via the forum.
Log a Sun Support Case.
Regards,
Shane.
# 6
Hi Shane,
> This has gone beyond what I can offer in the way of
> assistance via the forum.
>
> Log a Sun Support Case.
Do you know how to open a support case?
Thanks,
Goodman
# 7
Hi,
You have to have a support contract for the software, then you can log a support case via the following link:
http://www.sun.com/service/online/
Click on the "Service Requests" tab, then the "Submit" link, and follow the prompts/steps.
Regards,
Shane.
# 8
Hi Shane
> You have to have a support contract for the software,
> then you can log a support case via the following
> link:
>
> http://www.sun.com/service/online/
>
> Click on the "Service Requests" tab, then the "Submit"
> link, and follow the prompts/steps.
Right now, I do not have a support contract with Sun. I would like to restore the old ldif first. If the problem cannot be solved, then I will contact Sun for support. Would you please tell me how to restore the ldif to replace the current one?
I appreciate your kind help.
Goodman