Reviewed-by: Pruthi, Vineet <vineet.pruthi@t-systems.com> Co-authored-by: Yang, Tong <yangtong2@huawei.com> Co-committed-by: Yang, Tong <yangtong2@huawei.com>
<a name="admin_guide_000255"></a><a name="admin_guide_000255"></a>
<h1 class="topictitle1">Changing the Passwords of the LDAP Administrator and the LDAP User (Including OMS LDAP)</h1>
<div id="body1529658735919"><div class="note" id="admin_guide_000255__note617723283414"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="admin_guide_000255__p91791632123410">This section applies only to MRS 3.1.0. For later versions, see <a href="admin_guide_000162.html">Modifying OMS Service Configuration Parameters</a>.</p>
</div></div>
<div class="section" id="admin_guide_000255__section32983569"><h4 class="sectiontitle">Scenario</h4><p id="admin_guide_000255__p5538237">It is recommended that the administrator periodically change the passwords of LDAP administrator <strong id="admin_guide_000255__b1187853884910">cn=root,dc=hadoop,dc=com</strong> and LDAP user <strong id="admin_guide_000255__b38861438194917">cn=pg_search_dn,ou=Users,dc=hadoop,dc=com</strong> to improve system O&amp;M security.</p>
<p id="admin_guide_000255__p49844138">If the passwords are changed, the password of the OMS LDAP administrator or user is changed as well.</p>
<div class="note" id="admin_guide_000255__note45944059"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p class="text" id="admin_guide_000255__p10843355">If the cluster is upgraded from an earlier version to the latest version, the LDAP administrator password inherits the password policy of the old cluster. To ensure system security, you are advised to change the password after the cluster upgrade.</p>
</div></div>
</div>
<div class="section" id="admin_guide_000255__section28416672"><h4 class="sectiontitle">Impact on the System</h4><ul id="admin_guide_000255__ul19457959193614"><li id="admin_guide_000255__li13240171512309">Changing the user password of the LdapServer service is a high-risk operation and requires restarting the KrbServer and LdapServer services. While KrbServer restarts, running the <strong id="admin_guide_000255__b20648120183814">id</strong> command on nodes in the cluster may temporarily fail to return user information. Therefore, exercise caution when restarting KrbServer.</li><li id="admin_guide_000255__li15653140163710">After the password of LDAP user <strong id="admin_guide_000255__b177412886910218">cn=pg_search_dn,ou=Users,dc=hadoop,dc=com</strong> is changed, the user may be locked in the LDAP component. Therefore, you are advised to unlock the user after changing the password. For details about how to unlock the user, see <a href="admin_guide_000245.html">Unlocking LDAP Users and Management Accounts</a>.</li></ul>
</div>
<div class="section" id="admin_guide_000255__section54423456"><h4 class="sectiontitle">Prerequisites</h4><div class="p" id="admin_guide_000255__p1738573519376">Before changing the password of LDAP user <strong id="admin_guide_000255__b933385615496">cn=pg_search_dn,ou=Users,dc=hadoop,dc=com</strong>, ensure that the user is not locked by running the following command on the active management node of the cluster:<div class="note" id="admin_guide_000255__note721059419244"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="admin_guide_000255__p6489535319244">To query the OLdap port number, perform the following steps:</p>
<ol id="admin_guide_000255__ol583252921939"><li id="admin_guide_000255__li244387051939">Log in to <span id="admin_guide_000255__text67509419010">MRS</span> Manager, choose <span class="menucascade" id="admin_guide_000255__menucascade23427395015"><b><span class="uicontrol" id="admin_guide_000255__uicontrol33363312508">System</span></b> > <b><span class="uicontrol" id="admin_guide_000255__uicontrol1534113395019">OMS</span></b> > <b><span class="uicontrol" id="admin_guide_000255__uicontrol33413385014">oldap</span></b> > <b><span class="uicontrol" id="admin_guide_000255__uicontrol334163155014">Modify Configuration</span></b></span>:</li><li id="admin_guide_000255__li2996286319327">The value of <strong id="admin_guide_000255__b571548165013">LDAP Service Listening Port</strong> is the OLDAP port.</li></ol>
</div></div>
</div>
<p class="litext" id="admin_guide_000255__p43425119"><strong id="admin_guide_000255__b1168171055020">ldapsearch -H ldaps://</strong><em id="admin_guide_000255__i18681410115011">Floating IP address of OMS:OLDAP port</em><strong id="admin_guide_000255__b9681191075010"> -LLL -x -D </strong><strong id="admin_guide_000255__b368171015502">cn=pg_search_dn,ou=Users,dc=hadoop,dc=com -W -b </strong><strong id="admin_guide_000255__b1968181015013">cn=pg_search_dn,ou=Users,dc=hadoop,dc=com -e ppolicy</strong></p>
<p class="litext" id="admin_guide_000255__p31858597">Enter the password of the LDAP user <strong id="admin_guide_000255__b724412136502">pg_search_dn</strong>. If the following information is displayed, the user is locked. In this case, unlock the user. For details, see <a href="admin_guide_000245.html">Unlocking LDAP Users and Management Accounts</a>.</p>
<div class="note" id="admin_guide_000255__note11458151710016"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="admin_guide_000255__p545920171909">The password of the LDAP user <strong id="admin_guide_000255__b19595017181819">pg_search_dn</strong> is randomly generated by the system. You can obtain the password from the <strong id="admin_guide_000255__b166343871820">/etc/sssd/sssd.conf or /etc/ldap.conf</strong> file on the active node.</p>
</div></div>
<pre class="screen" id="admin_guide_000255__screen30409547">ldap_bind: Invalid credentials (49); Account locked</pre>
</div>
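<p>The following script is an added example, not part of the original guide or of MRS. It wraps the lock check above so that the password is read without echo and passed through a temporary file with the OpenLDAP <strong>-y</strong> option (this example's choice instead of <strong>-W</strong>), and it reduces the result to one word. The function names and result words are assumptions of this example.</p>

```shell
#!/bin/sh
# Added example: run the lock check for pg_search_dn and classify the result.
DN='cn=pg_search_dn,ou=Users,dc=hadoop,dc=com'

# classify_bind_result EXIT_CODE STDERR_TEXT
# Prints: ok | locked | bad_credentials | unreachable | error
classify_bind_result() {
    if [ "$1" -eq 0 ]; then echo ok; return 0; fi
    case $2 in
        *"Account locked"*)            echo locked ;;          # ppolicy lockout
        *"Invalid credentials (49)"*)  echo bad_credentials ;; # wrong password only
        *"Can't contact LDAP server"*) echo unreachable ;;     # wrong IP, port or TLS
        *)                             echo error ;;
    esac
}

# check_pg_search_dn OMS_FLOATING_IP OLDAP_PORT
check_pg_search_dn() {
    pwfile=$(mktemp) || return 2              # mktemp creates the file with mode 0600
    trap 'rm -f "$pwfile"' EXIT INT TERM
    printf 'Password for %s: ' "$DN" >&2
    stty -echo; IFS= read -r pw; stty echo; printf '\n' >&2
    printf '%s' "$pw" > "$pwfile"; unset pw   # -y uses the whole file, so no newline
    # Keep only stderr: the bind diagnostics are what the check needs.
    err=$(ldapsearch -H "ldaps://$1:$2" -LLL -x -D "$DN" -y "$pwfile" \
            -b "$DN" -e ppolicy 2>&1 >/dev/null)
    rc=$?
    rm -f "$pwfile"; trap - EXIT INT TERM
    classify_bind_result "$rc" "$err"
}

# Constructed sample: the locked-account message shown on this page.
classify_bind_result 49 'ldap_bind: Invalid credentials (49); Account locked'
```

<p>On the active management node, call <strong>check_pg_search_dn</strong> with the floating IP address of OMS and the OLDAP port; a result of <strong>locked</strong> means the user must be unlocked before the password change.</p>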
<div class="section" id="admin_guide_000255__section36081314113519"><h4 class="sectiontitle">Procedure</h4><ol id="admin_guide_000255__ol2391358"><li id="admin_guide_000255__li21522228"><span>Log in to <span id="admin_guide_000255__text4172932192314">MRS</span> Manager, click <strong id="admin_guide_000255__b10652171955018">Cluster</strong>, click the name of the desired cluster, and choose <strong id="admin_guide_000255__b10652121935014">Service</strong> > <strong id="admin_guide_000255__b665213195504">LdapServer</strong>.</span></li><li id="admin_guide_000255__li59482330"><span>Choose <strong id="admin_guide_000255__b9168427135020">More</strong> > <strong id="admin_guide_000255__b1517317279508">Change Database Password</strong>. In the displayed dialog box, enter the password of the current login user and click <strong id="admin_guide_000255__b16173122711505">OK</strong>.</span></li><li id="admin_guide_000255__li65578930"><span>In the <strong id="admin_guide_000255__b840316298501">Change Password</strong> dialog box, select the user whose password is to be changed from the <strong id="admin_guide_000255__b9403112925013">User Information</strong> drop-down box.</span></li><li id="admin_guide_000255__li25528928"><span>Enter the old password in the <strong id="admin_guide_000255__b115131431115017">Old Password</strong> text box, and enter the new password in the <strong id="admin_guide_000255__b1851317318509">New Password</strong> and <strong id="admin_guide_000255__b10513103145014">Confirm Password</strong> text boxes.</span><p><p id="admin_guide_000255__p28433766">The password must meet the following complexity requirements by default:</p>
<ul id="admin_guide_000255__ul54577306"><li id="admin_guide_000255__li21433709">The password contains 16 to 32 characters.</li><li id="admin_guide_000255__li58685656">The password contains at least three of the following character types: uppercase letters, lowercase letters, digits, spaces, and special characters, which can only be `~!@#$%^&amp;*()-_=+|[{}];,&lt;.&gt;/?.</li><li id="admin_guide_000255__li58408860">The password cannot be the same as the username or the username spelled backwards.</li><li id="admin_guide_000255__li55917699">The password cannot be the same as the current password.</li></ul>
</p></li><li id="admin_guide_000255__li33497244"><span>Select "I have read the information and understood the impact" and click <strong id="admin_guide_000255__b182398714910218">OK</strong> to confirm the modification and restart the service.</span></li></ol>
</div>
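<p>The following script is an added example, not part of the original guide or of MRS. It pre-checks a candidate password against the default complexity rules listed in the procedure, so that a rejected value is caught before the high-risk change is submitted. The function names and rule labels are assumptions of this example, and it reads "special characters which can only be" as rejecting any other character.</p>

```shell
#!/bin/sh
# Added example: pre-check a candidate password against the default rules above.
LC_ALL=C; export LC_ALL            # byte-wise ranges and lengths

# Special characters permitted by the rule list ('-' placed last so tr reads it literally).
SPECIALS='`~!@#$%^&*()_=+|[{}];,<.>/?-'

# Print the argument reversed (for the "username spelled backwards" rule).
reverse() {
    s=$1; r=
    while [ -n "$s" ]; do
        r="${s%"${s#?}"}$r"        # prepend the first remaining character
        s=${s#?}
    done
    printf '%s' "$r"
}

# check_ldap_password USER NEW CURRENT
# Prints "ok" (exit 0) or the name of the first violated rule (exit 1).
check_ldap_password() {
    user=$1; new=$2; cur=$3; types=0
    if [ "${#new}" -lt 16 ] || [ "${#new}" -gt 32 ]; then
        echo length; return 1
    fi
    # Whatever is left after removing letters, digits and spaces must be a listed special.
    rest=$(printf '%s' "$new" | tr -d 'A-Za-z0-9 ')
    if [ -n "$(printf '%s' "$rest" | tr -d "$SPECIALS")" ]; then
        echo disallowed_character; return 1
    fi
    case $new in *[A-Z]*) types=$((types + 1)) ;; esac
    case $new in *[a-z]*) types=$((types + 1)) ;; esac
    case $new in *[0-9]*) types=$((types + 1)) ;; esac
    case $new in *" "*)   types=$((types + 1)) ;; esac
    if [ -n "$rest" ]; then types=$((types + 1)); fi
    if [ "$types" -lt 3 ]; then echo too_few_types; return 1; fi
    if [ "$new" = "$user" ] || [ "$new" = "$(reverse "$user")" ]; then
        echo matches_username; return 1
    fi
    if [ "$new" = "$cur" ]; then echo same_as_current; return 1; fi
    echo ok
}

# Constructed sample values, not real credentials.
check_ldap_password pg_search_dn 'Str0ng-Passw0rd_2024' 'Old-Passw0rd_2023x'
```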
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="admin_guide_000252.html">Changing the Password for a System Internal User</a></div>
</div>
</div>