Changing the Kolab Service account password can be a cumbersome business, since most services are configured to use the account to bind to LDAP and be able to read the entries. Examples of such services include Postfix, the Kolab SASL Authentication Daemon, the Kolab Synchronization Daemon, Cyrus IMAP, Roundcube, Chwala, Wallace, iRony, the Kolab Web Administration Panel and Syncroton.
Changing the Cyrus Administrator password can be equally cumbersome: although it is used in fewer locations, these services are still critical.
This article provides a step-by-step guide to a smooth transition between the old password and the new password.
Password changes cannot be applied instantly: the moment you change the password in LDAP, all services using the account will start failing. The passwords therefore need to be changed in three stages:
- Supply an additional password for the account,
- Change configuration and restart or reload services where needed,
- Remove the old password from the account.
This guide uses the kolab-service account to demonstrate the procedure, and you should repeat it for the
Please also note that if you have chosen to use separate service, administrator and proxy accounts, you should have maintained an inventory of such accounts, and you should change those additional account passwords using the same procedure. If you have no such inventory, the contents of ou=Special Users,dc=example,dc=com can help you get started.
Supply an Additional Password for the Account
This walkthrough uses the kolab-service account, and you should repeat it for the
- Generate a password however you like. One such method could be:
$ head -c 200 /dev/urandom | tr -dc _A-Z-a-z-0-9 | head -c15
- Add the password to the
$ ldapmodify -x -h localhost -D "cn=Directory Manager" -W
Password:
dn: uid=kolab-service,ou=Special Users,dc=example,dc=com
changetype: modify
add: userPassword
userPassword: NEW_PASSWORD

modifying entry "uid=kolab-service,ou=Special Users,dc=example,dc=com"
- Verify the authentication for the kolab-service account with the new password:
$ testsaslauthd -u kolab-service -p NEW_PASSWORD
0: OK "Success."
- Verify the authentication for the kolab-service account with the old password:
$ testsaslauthd -u kolab-service -p OLD_PASSWORD
0: OK "Success."
If you were in the process of changing the cyrus-admin account password, continue here.
Change the Configuration for the Kolab Service Account
For each of the following configuration files, the service account bind password will need to be updated:
Update the value for ldap_password, and reload the Cyrus IMAP service:
$ systemctl reload cyrus-imapd
Update the value for key service_bind_pw in the [ldap] section, and restart the following services:
$ systemctl restart kolab-saslauthd
$ systemctl restart kolabd wallace
Update the value for the bind_pw keys in each section.
This is probably achieved fastest with a single sed command:
$ sed -r -i -e 's;OLD_PASSWORD;NEW_PASSWORD;g' /etc/postfix/ldap/*.cf
Restart the postfix service:
$ systemctl restart postfix
Update the kolab-service bind password in these Roundcube configuration files as well.
proxy_password and optionally also the
Reload the Cyrus IMAP service:
$ systemctl reload cyrus-imapd
admin_password setting in the [cyrus-imap] section, and restart the kolabd and wallace services:
$ systemctl restart kolabd wallace
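Before the old password is removed, it is worth confirming that no configuration file still contains it, since any service left on the old value will start failing at that point. The shell function below is an added example, not part of the original guide or of Kolab itself; the sample file names are constructed, the paths to scan are whatever your inventory lists (for instance /etc/postfix/ldap), and a grep that accepts "-f -" (such as GNU grep) is assumed.

```shell
#!/bin/sh
# Added example: check to run before removing the old password (stage 3).
# Prints every file under the given paths that still contains OLD_PASSWORD.
# Returns 0 if none do, 1 if any do, 2 on a usage error.
stale_password_files() {
    if [ -z "${OLD_PASSWORD:-}" ] || [ "$#" -eq 0 ]; then
        echo "usage: OLD_PASSWORD=... stale_password_files PATH..." >&2
        return 2
    fi
    # The pattern reaches grep on stdin (-f -), not in argv, so it does not
    # show up in the process list. -F matches it as a literal string, so
    # characters such as '.' or ';' in the password are not interpreted.
    hits=$(printf '%s\n' "$OLD_PASSWORD" | grep -rlF -f - -- "$@") || true
    if [ -z "$hits" ]; then
        return 0
    fi
    printf '%s\n' "$hits"
    return 1
}

# Constructed sample tree (hypothetical file names, not Kolab's real layout).
make_sample_tree() {
    dir=$(mktemp -d) || return 2
    mkdir -p "$dir/ldap"
    printf 'bind_pw = %s\n' 'New-Pass_2' > "$dir/ldap/updated.cf"
    printf 'bind_pw = %s\n' 'Old.Pass;1' > "$dir/ldap/forgotten.cf"
    # Differs from the old password in one character; must not be reported.
    printf 'service_bind_pw = %s\n' 'OldxPass;1' > "$dir/lookalike.conf"
    printf '%s\n' "$dir"
}

# Demo on the constructed tree: only ldap/forgotten.cf is reported.
tree=$(make_sample_tree)
OLD_PASSWORD='Old.Pass;1'
stale_password_files "$tree" || echo "old password still referenced above"
rm -rf "$tree"
```

An empty result with exit status 0 means the scanned paths no longer reference the old password; it says nothing about files outside those paths.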
Removing the Old Password for the Account
Remove the old password from the account. The easiest way is to replace the userPassword attribute again, so that only the new password remains.
$ ldapmodify -x -h localhost -D "cn=Directory Manager" -W
Password:
dn: uid=kolab-service,ou=Special Users,dc=example,dc=com
changetype: modify
replace: userPassword
userPassword: NEW_PASSWORD

modifying entry "uid=kolab-service,ou=Special Users,dc=example,dc=com"