Thursday, 23 January 2014

Reset vCenter Appliance root password

To reset the root user password in the vCenter Appliance, boot the virtual appliance and open the virtual machine's console in the vSphere Client. Click in the console and press any key to display the GRUB menu.

Note: The GRUB prompt remains on screen for only a few seconds before the boot sequence starts.

On the GRUB menu, select SUSE Linux Enterprise Server for VMware.

Type e to edit the line. A list of items in the GRUB configuration file appears.

Select the line that starts with kernel and type e to edit the line.

At the end of the line, press the spacebar and type init=/bin/sh.

Press Enter to exit edit mode.

On the GRUB screen, type b to boot into single-user mode. 

The virtual appliance boots in single-user mode.

To change the root user password, type passwd root and follow the on-screen prompts.

To restart the virtual appliance, type reboot and press Enter.

When the virtual appliance restarts, you can log in using the new password.

Wednesday, 22 January 2014

Installing & Configuring OpenLDAP Server CentOS 6.5

== Installation ==

yum install openldap-servers openldap-clients

== Configuration ==

Edit your ldap.conf file and enter the IP address or domain name of your server:

vi /etc/openldap/ldap.conf
URI ldap://88.88.88.75
BASE dc=my-domain,dc=com

Copy the sample files from /usr/share/openldap-servers to /etc/openldap and /var/lib/ldap:

cp /usr/share/openldap-servers/slapd.conf.obsolete /etc/openldap/slapd.conf
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG

Set up a new LDAP admin password:

slappasswd
New password:
Re-enter new password:
{SSHA}xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Copy the hashed password from STDOUT; it needs to go into the configuration.

=== /etc/openldap/slapd.conf ===

Search for “dc=my-domain,dc=com” and replace it with your own base DN (the config below keeps the dc=my-domain,dc=com placeholder), then replace the rootpw value with the {SSHA} hash produced above so that the line looks like:

rootpw {SSHA}xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
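The value slappasswd prints is a salted SHA-1 hash, not an encrypted password: {SSHA} is base64 of SHA1(password || salt) with the 4-byte salt appended, which is why the string above is exactly 32 base64 characters (20 + 4 = 24 bytes). The Python below is an added example written for this page, not OpenLDAP code; it reproduces that format and checks a candidate password against it. The function names are my own.

```python
"""Build and check OpenLDAP {SSHA} hashes, the scheme slappasswd emits by default.

{SSHA} = "{SSHA}" + base64( SHA1(password || salt) || salt )
With slappasswd's 4-byte salt that is 20 + 4 = 24 bytes, i.e. 32 base64 characters.
"""
import base64
import hashlib
import hmac
import os
from typing import Optional

SCHEME = "{SSHA}"
DIGEST_LEN = 20  # SHA-1 output size in bytes


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return a {SSHA} string for password; a random 4-byte salt is used unless one is given."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SCHEME + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Check password against a stored {SSHA} value; malformed input raises instead of being guessed at."""
    if not stored.startswith(SCHEME):
        raise ValueError("not an {SSHA} value: " + stored[:8])
    raw = base64.b64decode(stored[len(SCHEME):], validate=True)
    if len(raw) <= DIGEST_LEN:
        raise ValueError("decoded value too short to hold a digest and a salt")
    digest, salt = raw[:DIGEST_LEN], raw[DIGEST_LEN:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    # constant-time comparison, as a server implementation would use
    return hmac.compare_digest(candidate, digest)


def rootpw_line(password: str) -> str:
    """Produce the slapd.conf rootpw directive the post says to paste in."""
    return "rootpw " + ssha_hash(password)


if __name__ == "__main__":
    # fixed salt so the printed value is reproducible; slappasswd picks a random one
    h = ssha_hash("correct horse", salt=b"\x01\x02\x03\x04")
    print(h, ssha_verify("correct horse", h), ssha_verify("wrong", h))
```

Two hashes of the same password differ because the salt differs, so comparing stored values to each other tells you nothing; verification always recomputes the digest with the stored salt.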
Here is the config file in use
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include     /etc/openldap/schema/corba.schema
include     /etc/openldap/schema/core.schema
include     /etc/openldap/schema/cosine.schema
include     /etc/openldap/schema/duaconf.schema
include     /etc/openldap/schema/dyngroup.schema
include     /etc/openldap/schema/inetorgperson.schema
include     /etc/openldap/schema/java.schema
include     /etc/openldap/schema/misc.schema
include     /etc/openldap/schema/nis.schema
include     /etc/openldap/schema/openldap.schema
include     /etc/openldap/schema/ppolicy.schema
include     /etc/openldap/schema/collective.schema
# Allow LDAPv2 client connections.  This is NOT the default.
allow bind_v2
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
pidfile     /var/run/openldap/slapd.pid
argsfile    /var/run/openldap/slapd.args
loglevel    -1
# Load dynamic backend modules
# - modulepath is architecture dependent value (32/64-bit system)
# - back_sql.la overlay requires openldap-server-sql package
# - dyngroup.la and dynlist.la cannot be used at the same time
# modulepath /usr/lib/openldap
modulepath /usr/lib64/openldap
# moduleload accesslog.la
# moduleload auditlog.la
# moduleload back_sql.la
# moduleload chain.la
# moduleload collect.la
# moduleload constraint.la
# moduleload dds.la
# moduleload deref.la
# moduleload dyngroup.la
# moduleload dynlist.la
moduleload memberof.la
# moduleload pbind.la
# moduleload pcache.la
# moduleload ppolicy.la
# moduleload refint.la
# moduleload retcode.la
# moduleload rwm.la
# moduleload seqmod.la
# moduleload smbk5pwd.la
# moduleload sssvlv.la
# moduleload syncprov.la
# moduleload translucent.la
# moduleload unique.la
# moduleload valsort.la
# The next three lines allow use of TLS for encrypting connections using a
# dummy test certificate which you can generate by running
# /usr/libexec/openldap/generate-server-cert.sh. Your client software may balk
# at self-signed certificates, however.
TLSCACertificatePath /etc/openldap/certs
#TLSCertificateFile "\"OpenLDAP Server\""
#TLSCertificateKeyFile /etc/openldap/certs/password
TLSCertificateFile /etc/pki/tls/certs/slapd.pem
TLSCertificateKeyFile /etc/pki/tls/certs/slapd.pem
# Sample security restrictions
#   Require integrity protection (prevent hijacking)
#   Require 112-bit (3DES or better) encryption for updates
#   Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64
# Sample access control policy:
#   Root DSE: allow anyone to read it
#   Subschema (sub)entry DSE: allow anyone to read it
#   Other DSEs:
#       Allow self write access
#       Allow authenticated users read access
#       Allow anonymous users to authenticate
#   Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
#   by self write
#   by users read
#   by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn.  (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!
# enable on-the-fly configuration (cn=config)
database config
rootdn      "cn=admin,cn=config"
rootpw          {SSHA}xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
access to *
    by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
    by * none
# enable server status monitoring (cn=monitor)
database monitor
access to *
    by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
    by dn.exact="cn=Manager,dc=my-domain,dc=com" read
    by * none
#######################################################################
# database definitions
#######################################################################
database    bdb
suffix      "dc=my-domain,dc=com"
rootdn      "cn=Manager,dc=my-domain,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoided.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
#       secret
#       {crypt}ijFYNcSNctBYg
rootpw          {SSHA}xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
access to dn.subtree="dc=my-domain,dc=com"
    by self write
    by set="[cn=Administrators,ou=groups,dc=my-domain,dc=com]/member* & user" write
    by set="[cn=Operators,ou=groups,dc=my-domain,dc=com]/member* & user" read
    by * break
access to attrs=userPassword
  by anonymous auth
  by self =rwdx
  by set="user & [cn=Administrators,ou=groups,dc=my-domain,dc=com]/member*" manage
  by dn.children="ou=Special Accounts,dc=my-domain,dc=com" auth
#access to attrs=uid,userPassword,mail
#    by self write
#    by set="[cn=Administrators,ou=group,dc=my-domain,dc=com]/member* & user" manage
#    by set="[cn=Operators,ou=group,dc=my-domain,dc=com]/member* & user" read
#    by * none
#access to *
#  by set="user & [cn=Administrators,ou=groups,dc=my-domain,dc=com]/member*" manage
#  by * break
#access to dn.children="ou=people,dc=my-domain,dc=com"
#  attrs=givenName,sn,displayName,cn,telephoneNumber,fax,postalAddress,homePhone,homePostalAddress,mobile,pager,postalCode,postOfficeBox,preferredLanguage,streetAddress,l,st
#  by self write
#  by * break
#access to dn.children="ou=people,dc=my-domain,dc=com"
#  attrs=uid,uidNumber,gidNumber,mail,telephoneNumber,mobile,departmentNumber,manager,title,initials,givenName,sn,displayName,cn,fax,organizationName,organizationalUnitName,pager,postalAddress,l,st,c
#  by * read
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory   /var/lib/ldap
# Indices to maintain for this database
index objectClass                       eq,pres
index ou,cn,mail,surname,givenname      eq,pres,sub
index uidNumber,gidNumber,loginShell    eq,pres
index uid,memberUid                     eq,pres,sub
index nisMapName,nisMapEntry            eq,pres,sub
overlay memberof
cachesize 10000
checkpoint  1024 15
# Replicas of this database
#replogfile /var/lib/ldap/openldap-master-replog
#replica host=ldap-1.example.com:389 starttls=critical
#     bindmethod=sasl saslmech=GSSAPI
#     authcId=host/ldap-master.example.com@EXAMPLE.COM
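The order of the two access directives in the bdb section above matters. slapd takes the first access to whose target matches, then the first by clause whose subject matches; only break passes evaluation on to the next access to, and an access to with no matching by clause denies. Because the dn.subtree directive carries no attrs list it covers userPassword too, so a user's own userPassword gets write from by self write before the attrs=userPassword directive is ever consulted, an Administrator gets write rather than manage on other users' passwords for the same reason, and anonymous reaches the second directive only through by * break and gets auth. An ordinary bound user who is in neither group ends up with none on everyone else's entries. The Python below is an added, simplified model of that evaluation written for this page, not OpenLDAP code; it encodes only those two directives, spells the page's =rwdx privilege set as write, and stands in for the set-based group ACLs with constructed member lists (alice, bob).

```python
"""Simplified model of how slapd evaluates the two access directives above.

Rules (slapd.access(5), Admin Guide "Access Control Evaluation"): the first
`access to` whose target matches is selected; its `by` clauses are tried in
order and the first whose subject matches decides, except `break`, which moves
on to the next `access to`. An `access to` whose `by` clauses all fail denies
(implicit `by * none`), and an unmatched target denies as well.
Group membership is modelled with plain sets instead of the set-ACL syntax.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
SUFFIX = "dc=my-domain,dc=com"
SPECIAL_OU = "ou=Special Accounts,dc=my-domain,dc=com"
# constructed sample members of the two groups referenced in the ACLs
ADMINS = {"uid=alice,ou=people,dc=my-domain,dc=com"}
OPERATORS = {"uid=bob,ou=people,dc=my-domain,dc=com"}


@dataclass
class Request:
    bind_dn: Optional[str]  # None models an anonymous bind
    target_dn: str          # entry being accessed
    attr: str               # attribute being accessed


def _norm(dn: str) -> str:
    return dn.lower().replace(", ", ",")


# <who> predicates
def who_anonymous(r: Request) -> bool: return r.bind_dn is None
def who_self(r: Request) -> bool: return r.bind_dn is not None and _norm(r.bind_dn) == _norm(r.target_dn)
def who_admin(r: Request) -> bool: return r.bind_dn in ADMINS
def who_operator(r: Request) -> bool: return r.bind_dn in OPERATORS
def who_special(r: Request) -> bool:
    return r.bind_dn is not None and _norm(r.bind_dn).endswith("," + _norm(SPECIAL_OU))
def who_any(r: Request) -> bool: return True


# <what> predicates
def what_subtree(r: Request) -> bool:
    d, s = _norm(r.target_dn), _norm(SUFFIX)
    return d == s or d.endswith("," + s)
def what_userpassword(r: Request) -> bool: return r.attr.lower() == "userpassword"


Clause = Tuple[Callable[[Request], bool], str]
ACL: List[Tuple[Callable[[Request], bool], List[Clause]]] = [
    # access to dn.subtree="dc=my-domain,dc=com" ...
    (what_subtree, [(who_self, "write"), (who_admin, "write"),
                    (who_operator, "read"), (who_any, "break")]),
    # access to attrs=userPassword ... (the page's "=rwdx" is spelled as write here)
    (what_userpassword, [(who_anonymous, "auth"), (who_self, "write"),
                         (who_admin, "manage"), (who_special, "auth")]),
]


def evaluate(req: Request) -> str:
    """Return the access level the ACL grants for req."""
    for what, by_clauses in ACL:
        if not what(req):
            continue
        for who, level in by_clauses:
            if who(req):
                if level == "break":
                    break        # fall through to the next access directive
                return level
        else:
            return "none"        # directive matched but no by clause did: implicit `by * none`
    return "none"                # no directive matched: implicit `access to * by * none`


def allows(req: Request, needed: str) -> bool:
    """True when the granted level is at least `needed` (each level implies the lower ones)."""
    return LEVELS.index(evaluate(req)) >= LEVELS.index(needed)


if __name__ == "__main__":
    carol = "uid=carol,ou=people,dc=my-domain,dc=com"
    print("anonymous read of cn      :", evaluate(Request(None, carol, "cn")))
    print("anonymous bind (password) :", evaluate(Request(None, carol, "userPassword")))
    print("carol on own userPassword :", evaluate(Request(carol, carol, "userPassword")))
    print("admin on carol's password :", evaluate(Request(next(iter(ADMINS)), carol, "userPassword")))
```

Running it shows the consequences described above: anonymous gets auth on userPassword but none on cn, self gets write on its own password from the first directive, and the manage clause for Administrators in the second directive is never reached.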
Create a new file root.ldif with the following content (LDIF entries are separated by a blank line):

dn: dc=my-domain,dc=com
objectClass: dcObject
objectClass: organization
dc: my-domain
o: my-domain

dn: ou=groups,dc=my-domain,dc=com
ou: groups
objectClass: organizationalUnit

dn: ou=people,dc=my-domain,dc=com
ou: people
objectClass: organizationalUnit

Remove everything in the slapd.d directory, load root.ldif into database 2 (the bdb database defined in slapd.conf; the config database is 0 and monitor is 1), and generate the slapd.d configuration from slapd.conf:

rm -rf /etc/openldap/slapd.d/*
slapadd -n 2 -l /root/root.ldif
slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d

Set the appropriate permissions:

chown -R ldap:ldap /var/lib/ldap
chown -R ldap:ldap /etc/openldap/slapd.d

Make sure the service is active on runlevel 3 and start it:

chkconfig --level 235 slapd on
service slapd start

== LDAPS ==

cd /etc/pki/tls/certs
rm slapd.pem
make slapd.pem
chmod 640 slapd.pem
chown :ldap slapd.pem
ln -s /etc/pki/tls/certs/slapd.pem /etc/openldap/cacerts/slapd.pem

vi /etc/sysconfig/ldap
SLAPD_LDAPS=yes

vi /etc/openldap/slapd.conf
TLSCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
TLSCertificateFile /etc/pki/tls/certs/slapd.pem
TLSCertificateKeyFile /etc/pki/tls/certs/slapd.pem

vi /etc/openldap/ldap.conf
TLS_CACERTDIR /etc/openldap/cacerts
TLS_REQCERT never
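TLS_REQCERT never makes the client accept any server certificate, which is what lets ldapsearch -ZZ succeed against the self-signed slapd.pem without further setup, but it also means the client cannot tell a substituted server from the real one; ldap.conf(5) defaults to demand. As an added example that is not part of the original post, the Python below parses ldap.conf-style directives and reports whether the client will verify the server certificate, run over a constructed copy of the snippet above and a hardened variant. The host name ldap.my-domain.com in the hardened variant is a placeholder, not from the post.

```python
"""Read the client-side TLS directives of an OpenLDAP ldap.conf and say whether the
client will verify the server certificate (semantics from ldap.conf(5)).

TLS_REQCERT: never  -> no certificate requested, nothing verified
             allow  -> bad or missing certificate is tolerated
             try    -> missing tolerated, bad certificate aborts
             demand/hard -> valid certificate required (the default)
"""
from typing import Dict, List

VERIFYING = {"demand", "hard"}

# Constructed copy of the snippets in the post (the IP and base DN are the post's)
POST_LDAP_CONF = """\
URI ldap://88.88.88.75
BASE dc=my-domain,dc=com
TLS_CACERTDIR /etc/openldap/cacerts
TLS_REQCERT never
"""
# Hardened variant; ldap.my-domain.com is a placeholder host name, not from the post
HARDENED_LDAP_CONF = """\
URI ldaps://ldap.my-domain.com
BASE dc=my-domain,dc=com
TLS_CACERTDIR /etc/openldap/cacerts
TLS_REQCERT demand
"""


def parse_ldap_conf(text: str) -> Dict[str, str]:
    """Map directive (upper-cased) -> value; comments and blank lines are skipped, last value wins."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)          # directive and value separated by any whitespace
        conf[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def verifies_server(conf: Dict[str, str]) -> bool:
    """True when TLS_REQCERT (default demand) rejects an unverifiable server certificate."""
    return conf.get("TLS_REQCERT", "demand").lower() in VERIFYING


def tls_findings(conf: Dict[str, str]) -> List[str]:
    """Human-readable issues with the TLS client settings; an empty list means nothing to flag."""
    findings: List[str] = []
    reqcert = conf.get("TLS_REQCERT", "demand").lower()
    if reqcert not in VERIFYING:
        findings.append(f"TLS_REQCERT {reqcert}: server certificate is not verified")
    elif "TLS_CACERT" not in conf and "TLS_CACERTDIR" not in conf:
        findings.append("TLS_REQCERT requires verification but no TLS_CACERT/TLS_CACERTDIR is configured")
    return findings


if __name__ == "__main__":
    for name, text in (("post", POST_LDAP_CONF), ("hardened", HARDENED_LDAP_CONF)):
        conf = parse_ldap_conf(text)
        print(name, verifies_server(conf), tls_findings(conf))
```

With demand the CA that signed slapd.pem has to be reachable through TLS_CACERTDIR (the cacerts directory the symlink above points into), which is why the two settings are checked together.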

== Test ==

Test that everything is up and working:

rm -rf /etc/openldap/slapd.d/*
slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
chown -R ldap:ldap /etc/openldap/slapd.d
service slapd restart
ldapsearch -x -ZZ -h localhost #(TLS)
ldapsearch -x -H ldaps://localhost #(SSL)

Thanks to: