[Freeipa-users] dirsrv password incorrect on replicas?
Rich Megginson
rmeggins at redhat.com
Thu Dec 18 19:16:44 UTC 2014
On 12/18/2014 11:59 AM, Janelle wrote:
> I am looking at the 2 entries in dse.ldif - and indeed they are
> different. If I replace the one in question with the one from the
> working system, it works again.
I'm assuming by "entry" you are referring to nsslapd-rootpw in cn=config.
>
> I did find - replica was created on Dec 11 at noon -- and the dse.ldif
> file CHANGED a day later?!?
The dse.ldif file changes all the time - unique id generator state, csn
generator state, replication state, etc. etc.
BUT - nsslapd-rootpw SHOULD NOT CHANGE
> Going to have OSSEC monitor the folders for changes in files to see
> what the heck is going on and WHAT changed it and if it happens again.
>
> thanks for the help
> ~J
>
>
> On 12/18/14 10:28 AM, Rich Megginson wrote:
>> On 12/18/2014 09:49 AM, Janelle wrote:
>>> Good morning/evening All,
>>>
>>> So, another strange thing I see with 4.1.2 running on FC21
>>> (server). On some replicas if I attempt to modify the 389-ds
>>> backend, I get credential errors. Even ldapsearch fails - which has
>>> me baffled. I am trying to tune the servers but this has me
>>> confused as to what might cause something like this and where to
>>> start looking for a solution?
>>>
>>> Here is the interesting part - when the server was initially
>>> replicated, I was able to make changes to 389-ds, but after a few
>>> days, credentials now show errors:
>>>
>>> ldapsearch -x -LLL -D "cn=directory manager" -b "cn=monitor"
>>> "(objectclass=*)" -W
>>> Enter LDAP Password:
>>> ldap_bind: Invalid credentials (49)
>>
>> This doesn't make any sense. Directory manager passwords are not
>> replicated, they are local to each machine. Directory manager
>> passwords do not expire, and the error message is definitely
>> "incorrect password" not "password expired". There are no internal
>> processes that touch directory manager or its password (unless there
>> is something in ipa but I doubt it). So I have no idea how "all of a
>> sudden" directory manager password stops working.
>>
>> You can't recover it, you can only reset it.
>> http://www.port389.org/docs/389ds/howto/howto-resetdirmgrpassword.html
>>
>>>
>>> Thoughts?
>>> ~J
>>>
>>
>
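Rich's point above is that dse.ldif is rewritten routinely (uniqueid and CSN generator state, replication state) while nsslapd-rootpw in cn=config should never change on its own, so a file-level monitor such as the OSSEC syscheck Janelle mentions will fire on every snapshot and bury the one change that matters. The following is an added example, not code from this thread or from 389-ds/FreeIPA: it parses two snapshots of dse.ldif, diffs them per entry and attribute, and separates a changed Directory Manager hash from the expected state churn. The sample LDIF is constructed, the {SSHA} values are placeholders rather than real hashes, and the ROUTINE_CHURN set is an illustrative assumption, not an exhaustive list of what the server rewrites.

```python
"""Diff two dse.ldif snapshots and flag a changed nsslapd-rootpw in
cn=config, separately from the state attributes the server rewrites
on its own.  Added example; sample data below is constructed."""
import base64

# Attributes the server legitimately rewrites in dse.ldif.
# Assumption: illustrative, not an exhaustive list.
ROUTINE_CHURN = {"nsstate", "modifytimestamp", "modifiersname"}

ROOT_DN = "cn=config"
ROOT_PW_ATTR = "nsslapd-rootpw"


def parse_ldif(text):
    """Parse LDIF into {dn: {attribute: [values]}}.

    Handles folded lines (continuations start with a space) and base64
    values ("attr:: <b64>"), which dse.ldif uses for binary state.
    Attribute names and DNs are lower-cased for comparison."""
    lines = []
    for raw in text.splitlines():          # unfold continuation lines
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)

    entries, dn, attrs = {}, None, {}
    for line in lines + [""]:              # trailing "" flushes last entry
        if not line.strip():
            if dn is not None:
                entries[dn] = attrs
            dn, attrs = None, {}
            continue
        if line.startswith("#"):
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):           # "attr:: <base64>"
            value = base64.b64decode(rest[1:].strip()).decode("latin-1")
        else:
            value = rest.strip()
        name = name.strip().lower()
        if name == "dn":
            dn = value.lower()
        else:
            attrs.setdefault(name, []).append(value)
    return entries


def changed_attributes(old_text, new_text):
    """Return {dn: {attr: (old_values, new_values)}} for every attribute
    whose value set differs between the two snapshots."""
    old, new = parse_ldif(old_text), parse_ldif(new_text)
    diff = {}
    for dn in sorted(set(old) | set(new)):
        o, n = old.get(dn, {}), new.get(dn, {})
        for attr in sorted(set(o) | set(n)):
            ov, nv = o.get(attr, []), n.get(attr, [])
            if sorted(ov) != sorted(nv):
                diff.setdefault(dn, {})[attr] = (ov, nv)
    return diff


def classify(diff):
    """Split a diff into (alerts, routine).  A changed nsslapd-rootpw in
    cn=config is always an alert; ROUTINE_CHURN attributes are routine;
    anything else is also an alert so that it gets looked at."""
    alerts, routine = [], []
    for dn, attrs in diff.items():
        for attr, (ov, nv) in attrs.items():
            item = (dn, attr, ov, nv)
            if dn == ROOT_DN and attr == ROOT_PW_ATTR:
                alerts.append(item)
            elif attr in ROUTINE_CHURN:
                routine.append(item)
            else:
                alerts.append(item)
    return alerts, routine


def rootpw_changed(old_text, new_text):
    """True if the Directory Manager hash differs between the snapshots."""
    return ROOT_PW_ATTR in changed_attributes(old_text, new_text).get(ROOT_DN, {})


# Constructed snapshots: the second shows expected nsState churn in the
# uniqueid generator entry plus a rootpw change that should never happen.
OLD_DSE = """\
dn: cn=config
cn: config
nsslapd-rootdn: cn=directory manager
nsslapd-rootpw: {SSHA}b2xkLXBsYWNlaG9sZGVyLWhhc2g=
nsState:: AAAAAAAAAAA=

dn: cn=uniqueid generator,cn=config
cn: uniqueid generator
nsState:: AQEBAQEBAQE=
"""
NEW_DSE = (OLD_DSE
           .replace("{SSHA}b2xkLXBsYWNlaG9sZGVyLWhhc2g=",
                    "{SSHA}bmV3LXBsYWNlaG9sZGVyLWhhc2g=")
           .replace("AQEBAQEBAQE=", "AgICAgICAgI="))

if __name__ == "__main__":
    alerts, routine = classify(changed_attributes(OLD_DSE, NEW_DSE))
    for dn, attr, ov, nv in alerts:
        print("ALERT  ", dn, attr, ov, "->", nv)
    for dn, attr, ov, nv in routine:
        print("routine", dn, attr)
```

Run it against copies of dse.ldif taken at the time a replica is set up and again later (or from a working and a failing replica); anything classify() reports as an alert is the line to correlate with your file-integrity monitor's timestamps. Unknown attributes are deliberately treated as alerts rather than churn so that a new kind of change is noticed rather than silently filtered.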