<div dir="ltr">Hi Flo,<div><br></div><div>I have indeed executed every step in order, including the one you have indicated.</div><div><br></div><div>The password I has used included a dollar sign and this meant that <span style="background-color:rgb(245,245,245);color:rgb(51,51,51);font-family:monaco,menlo,consolas,"courier new",monospace;white-space:pre-wrap">echo -n $DM_PASSWORD > /root/dm_password </span>didn't work as I had expected meaning everything after the dollar was interpreted as a variable and was missing in the file. I have corrected this and performed the full process again, starting with the 389 reset however it is still not working correctly.</div><div><br></div><div>I remain in the same state as before where the admin password has not been changed - this confuses me as my understanding is that admin only exists as the FreeIPA web admin user whose password I can change separately. Am i misunderstanding, is there another admin user within FreeIPA which is directly linked to the directory manager?</div><div><br></div><div>Having run out of ideas I have just executed ipa-server-upgrade however this hasn't helped. My situation remains as follows:</div><div><br></div><div><b>Works:</b> ldapsearch -x -D "cn=directory manager" -w <b>NEW_DM_PW </b>-s base -b "" "objectclass=*"<br></div><div><b>Fails: </b>ldapsearch -h localhost -ZZ -p 389 -x -D "uid=admin,ou=people,o=ipaca" -w <b>NEW_DM_PW </b>-b "" -s base</div><div><br></div><div>Are you able to offer any other ideas? </div><div><br></div><div>Other information:</div><div>I can confirm that cacert.p12 has been updated by the actions performed.</div><div>File /etc/pki/pki-tomcat/password.conf now contains a new line internaldb=<b>NEW_DM_PW </b>(as per instruction 1 on FreeIPA link) </div><div><br></div><div>Best Regards,</div><div><br></div><div>Callum</div><div><br></div></div><br><div class="gmail_quote"><div dir="ltr">On Mon, Dec 5, 2016 at 1:08 PM Florence Blanc-Renaud <<a href="mailto:flo@redhat.com">flo@redhat.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On 12/05/2016 01:05 PM, Callum Guy wrote:<br class="gmail_msg"> > Hi All,<br class="gmail_msg"> ><br class="gmail_msg"> > I have been testing FreeIPA and now plan to migrate to production use -<br class="gmail_msg"> > thanks for creating such a great application!<br class="gmail_msg"> ><br class="gmail_msg"> > During the test phase we have been using simple passwords for the admin<br class="gmail_msg"> > and directory manager users however we need these changed before moving<br class="gmail_msg"> > into production. I believe we can change the admin password using the<br class="gmail_msg"> > web interface however as I understand it amending the directory manager<br class="gmail_msg"> > password is not so straightforward.<br class="gmail_msg"> ><br class="gmail_msg"> > I have found this<br class="gmail_msg"> > link <a href="https://www.freeipa.org/page/Howto/Change_Directory_Manager_Password" rel="noreferrer" class="gmail_msg" target="_blank">https://www.freeipa.org/page/Howto/Change_Directory_Manager_Password</a> however<br class="gmail_msg"> > I am unsure if this is the correct procedure for our installation -<br class="gmail_msg"> > certainly i am having no luck so far.<br class="gmail_msg"> ><br class="gmail_msg"> > We have the following setup:<br class="gmail_msg"> ><br class="gmail_msg"> > FreeIPA 4.2.0 - single master server (no replicas), multiple clients<br class="gmail_msg"> > CentOS 7.2<br class="gmail_msg"> ><br class="gmail_msg"> > I have tried the following steps in order:<br class="gmail_msg"> ><br class="gmail_msg"> > <a href="http://directory.fedoraproject.org/docs/389ds/howto/howto-resetdirmgrpassword.html" rel="noreferrer" class="gmail_msg" target="_blank">http://directory.fedoraproject.org/docs/389ds/howto/howto-resetdirmgrpassword.html</a><br class="gmail_msg"> > followed by<br class="gmail_msg"> > <a href="https://www.freeipa.org/page/Howto/Change_Directory_Manager_Password" rel="noreferrer" class="gmail_msg" target="_blank">https://www.freeipa.org/page/Howto/Change_Directory_Manager_Password</a><br class="gmail_msg"> ><br class="gmail_msg"> > After completing that I am no longer able to authenticate user logins.<br class="gmail_msg"> > The below covers my current situation:<br class="gmail_msg"> ><br class="gmail_msg"> > This works:<br class="gmail_msg"> > ldapsearch -x -D "cn=directory manager" -w NEWPASSWORD -s base -b ""<br class="gmail_msg"> > "objectclass=*"<br class="gmail_msg"> ><br class="gmail_msg"> > This does not work:<br class="gmail_msg"> > ldapsearch -x -D "cn=directory manager" -w OLDPASSWORD -s base -b ""<br class="gmail_msg"> > "objectclass=*"<br class="gmail_msg"> ><br class="gmail_msg"> > This works:<br class="gmail_msg"> > ldapsearch -h localhost -ZZ -p 389 -x -D "uid=admin,ou=people,o=ipaca"<br class="gmail_msg"> > -W -b "" -s base<br class="gmail_msg"> > OLDPASSWORD<br class="gmail_msg"> ><br class="gmail_msg"> > This does not work:<br class="gmail_msg"> > ldapsearch -h localhost -ZZ -p 389 -x -D "uid=admin,ou=people,o=ipaca"<br class="gmail_msg"> > -W -b "" -s base<br class="gmail_msg"> > NEWPASSWORD<br class="gmail_msg"> ><br class="gmail_msg"> Hi,<br class="gmail_msg"> <br class="gmail_msg"> your commands show that the Directory Manager password was properly<br class="gmail_msg"> modified, but not admin's password. Did you run the step 3 Updating PKI<br class="gmail_msg"> admin password of the procedure [1]?<br class="gmail_msg"> ldappasswd -h localhost -ZZ -p $CA_PORT -x -D "cn=Directory Manager" -W<br class="gmail_msg"> -T /root/dm_password "uid=admin,ou=people,o=ipaca"<br class="gmail_msg"> <br class="gmail_msg"> Flo.<br class="gmail_msg"> <br class="gmail_msg"> [1]<br class="gmail_msg"> <a href="https://www.freeipa.org/page/Howto/Change_Directory_Manager_Password#3._Update_PKI_admin_password" rel="noreferrer" class="gmail_msg" target="_blank">https://www.freeipa.org/page/Howto/Change_Directory_Manager_Password#3._Update_PKI_admin_password</a><br class="gmail_msg"> <br class="gmail_msg"> > So i'm i a mixed up state! Is anyone able to offer advise on resolving<br class="gmail_msg"> > this issue?<br class="gmail_msg"> ><br class="gmail_msg"> > Thank you,<br class="gmail_msg"> ><br class="gmail_msg"> > Callum<br class="gmail_msg"> ><br class="gmail_msg"> ><br class="gmail_msg"> ><br class="gmail_msg"> ><br class="gmail_msg"> ><br class="gmail_msg"> > *^0333 332 0000 | <a href="http://www.x-on.co.uk" rel="noreferrer" class="gmail_msg" target="_blank">www.x-on.co.uk</a> <<a href="http://www.x-on.co.uk" rel="noreferrer" class="gmail_msg" target="_blank">http://www.x-on.co.uk</a>> | _<br class="gmail_msg"> > **_^<<a href="https://twitter.com/xonuk" rel="noreferrer" class="gmail_msg" target="_blank">https://twitter.com/xonuk</a>><br class="gmail_msg"> > <<a href="http://www.linkedin.com/company/x-on/products" rel="noreferrer" class="gmail_msg" target="_blank">http://www.linkedin.com/company/x-on/products</a>><br class="gmail_msg"> > <<a href="https://www.facebook.com/XonTel" rel="noreferrer" class="gmail_msg" target="_blank">https://www.facebook.com/XonTel</a>> *<br class="gmail_msg"> > X-on is a trading name of Storacall Technology Ltd a limited company<br class="gmail_msg"> > registered in England and Wales.<br class="gmail_msg"> > Registered Office : Avaland House, 110 London Road, Apsley, Hemel<br class="gmail_msg"> > Hempstead, Herts, HP3 9SD. Company Registration No. 2578478.<br class="gmail_msg"> > The information in this e-mail is confidential and for use by the<br class="gmail_msg"> > addressee(s) only. If you are not the intended recipient, please notify<br class="gmail_msg"> > X-on immediately on <a href="tel:+44%20333%20332%200000" value="+443333320000" class="gmail_msg" target="_blank">+44(0)333 332 0000</a> and delete the<br class="gmail_msg"> > message from your computer. If you are not a named addressee you must<br class="gmail_msg"> > not use, disclose, disseminate, distribute, copy, print or reply to this<br class="gmail_msg"> > email. Views or opinions expressed by an individual<br class="gmail_msg"> > within this email may not necessarily reflect the views of X-on or its<br class="gmail_msg"> > associated companies. Although X-on routinely screens for viruses,<br class="gmail_msg"> > addressees should scan this email and any attachments<br class="gmail_msg"> > for viruses. X-on makes no representation or warranty as to the absence<br class="gmail_msg"> > of viruses in this email or any attachments.<br class="gmail_msg"> ><br class="gmail_msg"> ><br class="gmail_msg"> ><br class="gmail_msg"> <br class="gmail_msg"> </blockquote></div> <br> <p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;text-align:justify"><font size="3" face="Verdana"><span style="font-size:8px;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline"></span></font></p><img src="http://www.x-on.co.uk/email/footer/banner-x-on.jpg"><br><p><font size="4"><span style="font-size:8px;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline"></span><b><sup><font face="Verdana">0333 332 0000 | <a href="http://www.x-on.co.uk" target="_blank">www.x-on.co.uk</a> | <sub> </sub></font></sup></b></font><font size="4"><b><sub><sup><font face="Verdana"><a href="https://twitter.com/xonuk" target="_blank"><img src="http://www.x-on.co.uk//images/icon/linkedin.png" width="24" height="24"></a> <a href="http://www.linkedin.com/company/x-on/products" target="_blank"><img src="http://www.x-on.co.uk//images/icon/facebook.png" width="24" height="24"></a> <a href="https://www.facebook.com/XonTel" target="_blank"><img src="http://www.x-on.co.uk//images/icon/twitter.png" width="24" height="24"></a></font></sup></sub> </b></font> <span style="font-size:6.0pt;font-family:Verdana;color:black"><br>X-on is a trading name of Storacall Technology Ltd a limited company registered in England and Wales.<br> Registered Office : Avaland House, 110 London Road, Apsley, Hemel Hempstead, Herts, HP3 9SD. Company Registration No. 2578478.<br> The information in this e-mail is confidential and for use by the addressee(s) only. If you are not the intended recipient, please notify X-on immediately on <span>+44(0)333 332 0000</span> and delete the<br>message from your computer. If you are not a named addressee you must not use, disclose, disseminate, distribute, copy, print or reply to this email. </span><span style="font-size:6.0pt;font-family:Verdana;color:black">Views or opinions expressed by an individual<br>within this email may not necessarily reflect the views of X-on or its associated companies. Although X-on routinely screens for viruses, addressees should scan this email and any attachments<br>for viruses. X-on makes no representation or warranty as to the absence of viruses in this email or any attachments.</span></p> <p><span style="font-size:6.0pt;font-family:Verdana;color:black"></span><font size="2"><span style="font-size:6.0pt;font-family:Verdana;color:black"></span></font></p>