[Freeipa-users] Freeipa replication issue

Stefan Uygur suygur at firstderivatives.com
Mon Aug 15 10:38:49 UTC 2016 

Hi Alexander,
Thanks for your reply and I do remember very well your feedback of course in relation to this issue.

The instructions are very simple, no discussion about that and I followed step by step ad exception of this step:
Configure all replicas to use the new password by editing /etc/pki-ca/password.conf for Dogtag 9 or /etc/pki/pki-tomcat/password.conf for Dogtag 10:

Which is not that clear to be honest as it is referring to replicas and not the master server itself.

I do not have any replica for this server, I am trying to set the first one in fact, so I don't think that step need to be re-produced in my case, unless I am really missing something in that paragraph.

Thanks again

-----Original Message-----
From: Alexander Bokovoy [mailto:abokovoy at redhat.com] 
Sent: 15 August 2016 11:28
To: Stefan Uygur
Cc: mreynolds at redhat.com; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Freeipa replication issue

On Mon, 15 Aug 2016, Stefan Uygur wrote:
>Hi Everyone,
>Sorry if I have to bring this topic back again but still no solution so far. I gave up for a while but I still need to solve this problem.
>
>I followed the link provided by Mark Reynold:
>https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/
>10/html/Administration_Guide/dirmnger-pwd.html#dirmnger-pwd-Resetting_P
>asswords
>
>I applied the instructions multiple times and also followed these instructions as well:
>http://www.freeipa.org/page/Howto/Change_Directory_Manager_Password
>
>With no joy.
>
>Mark suggested:
>The problem here is that "cn=directory manager" does not exist in a 
>database.  It only exists in the cn=config entry, so ldappasswd will 
>not work.  But I'm not sure if your problem is the directory manager 
>account though.  You need to look through the Directory Server access 
>log for "err=49" (/var/log/dirsrv/slapd-INSTANCE/access), and see which 
>BIND dn is failing.  It could be a different user/account.
>
>So I checked the logs as well and this is all I have from logs every time I attempt to prepare the replica:
>[15/Aug/2016:11:03:13 +0100] conn=10 op=13 RESULT err=0 tag=101 
>nentries=0 etime=0 notes=U
>[15/Aug/2016:11:03:15 +0100] conn=11 fd=70 slot=70 connection from 
>local to /var/run/slapd-INSTANCE-COM.socke t
>[15/Aug/2016:11:03:15 +0100] conn=11 op=0 BIND dn="cn=directory 
>manager" method=128 version=3
>[15/Aug/2016:11:03:15 +0100] conn=11 op=0 RESULT err=49 tag=97 
>nentries=0 etime=0
>[15/Aug/2016:11:03:15 +0100] conn=11 op=1 UNBIND
>[15/Aug/2016:11:03:15 +0100] conn=11 op=1 fd=70 closed - U1
>
>I don't think it is that difficult to manage/change Directory Manager 
>password but I cannot get away with it myself so I must be doing 
>something wrong or the solutions provided (instructions) are not 
>applicable to the version of IPA (ipa-server-3.0.0-47.el6_7.2.x86_64) I 
>have.
Please follow instructions in the FreeIPA's howto link above. Really, they tell you where and how you should change DM password. As I said before, you need to change more places which recorded the password at the time of install. You claim that the instruction does not work but it is very clear from the logs above that you haven't updated all places where DM password was recorded and as such, you get some code using older version of the DM password. This older version of DM password comes from one of the fails you actually did not change.

--
/ Alexander Bokovoy

More information about the Freeipa-users mailing list