[Freeipa-users] Freeipa replication issue

Stefan Uygur suygur at firstderivatives.com
Mon Aug 15 10:13:30 UTC 2016


Hi Everyone,
Sorry if I have to bring this topic back again, but there is still no solution so far. I gave up for a while, but I still need to solve this problem.

I followed the link provided by Mark Reynold:
https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/dirmnger-pwd.html#dirmnger-pwd-Resetting_Passwords

I applied the instructions multiple times and also followed these instructions as well:
http://www.freeipa.org/page/Howto/Change_Directory_Manager_Password

With no joy.

Mark suggested:
The problem here is that "cn=directory manager" does not exist in a database.  It only exists in the cn=config entry, so ldappasswd will not work.  
But I'm not sure if your problem is the directory manager account though.  You need to look through the Directory Server access log for "err=49" (/var/log/dirsrv/slapd-INSTANCE/access), and see which BIND dn is failing.  It could be a different user/account.

So I checked the logs as well and this is all I have from logs every time I attempt to prepare the replica:
[15/Aug/2016:11:03:13 +0100] conn=10 op=13 RESULT err=0 tag=101 nentries=0 etime=0 notes=U
[15/Aug/2016:11:03:15 +0100] conn=11 fd=70 slot=70 connection from local to /var/run/slapd-INSTANCE-COM.socket
[15/Aug/2016:11:03:15 +0100] conn=11 op=0 BIND dn="cn=directory manager" method=128 version=3
[15/Aug/2016:11:03:15 +0100] conn=11 op=0 RESULT err=49 tag=97 nentries=0 etime=0
[15/Aug/2016:11:03:15 +0100] conn=11 op=1 UNBIND
[15/Aug/2016:11:03:15 +0100] conn=11 op=1 fd=70 closed - U1

I don't think it is that difficult to manage/change the Directory Manager password, but I cannot manage it myself, so I must be doing something wrong, or the solutions provided (instructions) are not applicable to the version of IPA (ipa-server-3.0.0-47.el6_7.2.x86_64) I have.

Any help would be greatly appreciated.

Stefan

-----Original Message-----
From: Mark Reynolds [mailto:mareynol at redhat.com] 
Sent: 14 July 2016 15:27
To: Stefan Uygur; Alexander Bokovoy
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Freeipa replication issue



On 07/14/2016 10:10 AM, Stefan Uygur wrote:
> Hi Alexander,
> Thanks for the quick reply first of all; to be honest, I have actually tried that link too, and it didn't work either.
>
> This is my ipa version: ipa-server-3.0.0-47.el6_7.2.x86_64 and the system is RHEL 6
>
> When I reproduce the last step of the instructions you provided:
>
> ldappasswd -h localhost -ZZ -p 389 -x -D "cn=Directory Manager" -W -T dm_password
> Enter LDAP Password:
> ldap_bind: Invalid credentials (49)
>
> Or trying this one (because I am not sure if I have dogtag 10):
>
> ldappasswd -h localhost -ZZ -p 7389 -x -D "cn=Directory Manager" -W -T dm_password
> Enter LDAP Password:
> Result: No such object (32)
> Additional info: No such Entry exists.
The problem here is that "cn=directory manager" does not exist in a database.  It only exists in the cn=config entry, so ldappasswd will not work.  You must follow this process:

https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/dirmnger-pwd.html#dirmnger-pwd-Resetting_Passwords

But I'm not sure if your problem is the directory manager account though.  You need to look through the Directory Server access log for "err=49" (/var/log/dirsrv/slapd-INSTANCE/access), and see which BIND dn is failing.  It could be a different user/account.

Mark
>
> I couldn't figure out clearly, your help much appreciated wherever you can.
>
> Many thanks
>
>
> -----Original Message-----
> From: Alexander Bokovoy [mailto:abokovoy at redhat.com]
> Sent: 14 July 2016 14:39
> To: Stefan Uygur
> Cc: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] Freeipa replication issue
>
> On Thu, 14 Jul 2016, Stefan Uygur wrote:
>> Hi All,
>> Sorry if this would appear to be an obvious issue and maybe someone
>> has already discussed it, but I couldn't find any information anywhere
>> about how to resolve this issue that I am experiencing.
>>
>> Basically I have an IPA master server where the admin password was
>> originally the same as the Directory Manager password; within months the
>> admin password was changed and the DM password was left as it was.
>>
>> But I have followed the instructions given in the link below to reset the DM
>> password:
>>
>> https://www.centos.org/docs/5/html/CDS/install/8.0/Installation_Guide-Common_Usage-Resetting_Passwords.html
> This is an incorrect document, as it is not relevant to IPA.
>
> Use 
> http://www.freeipa.org/page/Howto/Change_Directory_Manager_Password
>
>> Which I have tested after the reset using ldapsearch and it seems to 
>> be working perfectly.
>>
>> But when I try to prepare the replica it keeps telling me that the
>> password is wrong, as per below:
>>
>> ipa-replica-prepare ipa2.example.com --ip-address 10.0.0.3
>> Directory Manager (existing master) password:
>> The password provided is incorrect for LDAP server ipa1.example.com
>>
>>
>> Using the following to test the DM password:
>>
>> ldapsearch -x -D "cn=directory manager" -w DM_PASSWD base -b "" "objectclass=*"
>>
>> Which gives me the correct result, a long output.....but again, when I
>> try to prepare the replica I still get the wrong-password error.
> There are more places where the DM password is used for a replica. You changed it only in 389-ds but didn't change the other places. Use the instructions above.
>
>
> --
> / Alexander Bokovoy
>
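Mark's advice is to find every BIND in the 389-ds access log that ends in err=49 and see which dn it is. Since the BIND line carries the dn and the RESULT line carries the error code, they have to be paired by conn/op. The following parser does that pairing; it is an added example written for this page, not code from FreeIPA or 389-ds, and the log lines inside it are constructed, modelled on the excerpt Stefan posted.

```python
import re
import sys
from collections import defaultdict

# Constructed sample in 389-ds access-log format, modelled on the excerpt in
# the thread (not real server output). The last two lines add a successful
# bind so the parser has something to distinguish from the failure.
SAMPLE_LOG = """\
[15/Aug/2016:11:03:13 +0100] conn=10 op=13 RESULT err=0 tag=101 nentries=0 etime=0 notes=U
[15/Aug/2016:11:03:15 +0100] conn=11 fd=70 slot=70 connection from local to /var/run/slapd-INSTANCE-COM.socket
[15/Aug/2016:11:03:15 +0100] conn=11 op=0 BIND dn="cn=directory manager" method=128 version=3
[15/Aug/2016:11:03:15 +0100] conn=11 op=0 RESULT err=49 tag=97 nentries=0 etime=0
[15/Aug/2016:11:03:15 +0100] conn=11 op=1 UNBIND
[15/Aug/2016:11:03:15 +0100] conn=11 op=1 fd=70 closed - U1
[15/Aug/2016:11:04:02 +0100] conn=12 op=0 BIND dn="uid=admin,cn=users,cn=accounts,dc=example,dc=com" method=128 version=3
[15/Aug/2016:11:04:02 +0100] conn=12 op=0 RESULT err=0 tag=97 nentries=0 etime=0
"""

BIND_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) BIND dn="(?P<dn>[^"]*)"')
RESULT_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) RESULT err=(?P<err>\d+)')


def failed_binds(lines, err_codes=(49,)):
    """Pair each BIND with its RESULT on the same (conn, op) and return the failures.

    err=49 is LDAP invalidCredentials, the code Mark says to search for.
    """
    pending = {}   # (conn, op) -> dn of a BIND still waiting for its RESULT
    failures = []
    for line in lines:
        m = BIND_RE.match(line)
        if m:
            pending[(m['conn'], m['op'])] = m['dn']   # "" means an anonymous bind
            continue
        m = RESULT_RE.match(line)
        if m:
            dn = pending.pop((m['conn'], m['op']), None)
            if dn is not None and int(m['err']) in err_codes:
                failures.append({'time': m['ts'], 'conn': m['conn'], 'dn': dn, 'err': int(m['err'])})
    return failures


def summarize(failures):
    """Count failures per bind dn (case-folded, since DNs compare case-insensitively)."""
    counts = defaultdict(int)
    for f in failures:
        counts[f['dn'].lower()] += 1
    return dict(counts)


if __name__ == '__main__':
    # Pass /var/log/dirsrv/slapd-INSTANCE/access as the first argument, or run on the sample.
    lines = open(sys.argv[1]).read().splitlines() if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    for dn, n in summarize(failed_binds(lines)).items():
        print(f'{n} failed bind(s) for dn="{dn}"')
```

On the sample this reports one err=49 failure for cn=directory manager; on a real access log it shows whether the failing dn is really the Directory Manager or some other account, which is the question Mark raised.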
