[Freeipa-users] Directory Manager Password Change | off topic

Joseph Flynn jjflynn22 at gmail.com
Mon Dec 5 17:09:49 UTC 2016


Ah, now SophiaB wants in on the action too.  Looks like my lucky day.

Seriously though, I think the community needs to anonymize participants out
of necessity.

On Mon, Dec 5, 2016 at 12:02 PM, Joseph Flynn <jjflynn22 at gmail.com> wrote:

> Me too.  Within minutes of my first posting, I have good old Kimmi
> offering me all kinds of favors.  All of our emails are exposed to the
> group which I'd like to trust but we obviously can't.  All it takes is for
> a spammer to join the group and they will eventually collect a group of
> active emails with a very targeted demographic.
>
> On Mon, Dec 5, 2016 at 11:45 AM, Stefan Uygur <suygur at firstderivatives.com> wrote:
>
>> Guys,
>>
>> Since I replied to the list I keep receiving spam emails, what is
>> happening?
>>
>>
>>
>> *From:* Stefan Uygur
>> *Sent:* 05 December 2016 16:40
>> *To:* 'Callum Guy'; Florence Blanc-Renaud; freeipa-users at redhat.com
>> *Subject:* RE: [Freeipa-users] Directory Manager Password Change
>>
>>
>>
>> Glad you solved your issue.
>>
>>
>>
>> I’ve been there myself so don’t worry about it at all.
>>
>>
>>
>> *From:* Callum Guy [mailto:callum.guy at x-on.co.uk <callum.guy at x-on.co.uk>]
>>
>> *Sent:* 05 December 2016 16:37
>> *To:* Stefan Uygur; Florence Blanc-Renaud; freeipa-users at redhat.com
>> *Subject:* Re: [Freeipa-users] Directory Manager Password Change
>>
>>
>>
>> Hi Stefan,
>>
>>
>>
>> Thanks for your input, I am able to clarify that I wasn't simply copying
>> and pasting in - the dollar sign was included in my password rather than
>> the example. But yes, no denying that my command line skills are to blame.
>>
>>
>>
>> Further to this problem I am happy to report that the issue is now
>> solved. My main issue was the dollar sign meaning that I had updated the DM
>> password incorrectly for FreeIPA. Secondly I appear to have caused an issue
>> with SSSD and it was a restart of this service which finally resolved the
>> issue for me. I doubt there is much to be learnt from my issue - definitely
>> user error.
>>
>>
>>
>> Thanks so much for your responses, very much appreciated. Apologies for
>> taking up your time.
>>
>>
>>
>> Callum
>>
>>
>>
>>
>>
>>
>>
>> On Mon, Dec 5, 2016 at 2:48 PM Stefan Uygur <suygur at firstderivatives.com>
>> wrote:
>>
>> Hi,
>>
>> I think you are copying and pasting the exact same commands from the
>> article, which is of course a wrong approach. Never copy/paste from web to
>> execute on your server. That $ sign indicates you can give any name you’d
>> like.
>>
>>
>>
>> Follow this article here:
>>
>> https://access.redhat.com/solutions/308623
>>
>>
>>
>> Stefan
>>
>>
>>
>>
>>
>> *From:* freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces@redhat.com] *On Behalf Of* Callum Guy
>> *Sent:* 05 December 2016 13:38
>> *To:* Florence Blanc-Renaud; freeipa-users at redhat.com
>> *Subject:* Re: [Freeipa-users] Directory Manager Password Change
>>
>>
>>
>> Hi Flo,
>>
>>
>>
>> I have indeed executed every step in order, including the one you have
>> indicated.
>>
>>
>>
>> The password I had used included a dollar sign and this meant that echo
>> -n $DM_PASSWORD > /root/dm_password didn't work as I had expected
>> meaning everything after the dollar was interpreted as a variable and was
>> missing in the file. I have corrected this and performed the full process
>> again, starting with the 389 reset however it is still not working
>> correctly.
>>
>>
>>
>> I remain in the same state as before where the admin password has not
>> been changed - this confuses me as my understanding is that admin only
>> exists as the FreeIPA web admin user whose password I can change
>> separately. Am I misunderstanding, is there another admin user within
>> FreeIPA which is directly linked to the directory manager?
>>
>>
>>
>> Having run out of ideas I have just executed ipa-server-upgrade however
>> this hasn't helped. My situation remains as follows:
>>
>>
>>
>> *Works:* ldapsearch -x -D "cn=directory manager" -w NEW_DM_PW -s
>> base -b "" "objectclass=*"
>>
>> *Fails:* ldapsearch -h localhost -ZZ -p 389 -x -D
>> "uid=admin,ou=people,o=ipaca" -w NEW_DM_PW -b "" -s base
>>
>>
>>
>> Are you able to offer any other ideas?
>>
>>
>>
>> Other information:
>>
>> I can confirm that cacert.p12 has been updated by the actions performed.
>>
>> File /etc/pki/pki-tomcat/password.conf now contains a new line
>> internaldb=NEW_DM_PW (as per instruction 1 on FreeIPA link)
>>
>>
>>
>> Best Regards,
>>
>>
>>
>> Callum
>>
>>
>>
>>
>>
>> On Mon, Dec 5, 2016 at 1:08 PM Florence Blanc-Renaud <flo at redhat.com>
>> wrote:
>>
>> On 12/05/2016 01:05 PM, Callum Guy wrote:
>> > Hi All,
>> >
>> > I have been testing FreeIPA and now plan to migrate to production use -
>> > thanks for creating such a great application!
>> >
>> > During the test phase we have been using simple passwords for the admin
>> > and directory manager users however we need these changed before moving
>> > into production. I believe we can change the admin password using the
>> > web interface however as I understand it amending the directory manager
>> > password is not so straightforward.
>> >
>> > I have found this
>> > link https://www.freeipa.org/page/Howto/Change_Directory_Manager_Password however
>> > I am unsure if this is the correct procedure for our installation -
>> > certainly I am having no luck so far.
>> >
>> > We have the following setup:
>> >
>> > FreeIPA 4.2.0 - single master server (no replicas), multiple clients
>> > CentOS 7.2
>> >
>> > I have tried the following steps in order:
>> >
>> > http://directory.fedoraproject.org/docs/389ds/howto/howto-resetdirmgrpassword.html
>> > followed by
>> > https://www.freeipa.org/page/Howto/Change_Directory_Manager_Password
>> >
>> > After completing that I am no longer able to authenticate user logins.
>> > The below covers my current situation:
>> >
>> > This works:
>> > ldapsearch -x -D "cn=directory manager" -w NEWPASSWORD -s base -b ""
>> > "objectclass=*"
>> >
>> > This does not work:
>> > ldapsearch -x -D "cn=directory manager" -w OLDPASSWORD -s base -b ""
>> > "objectclass=*"
>> >
>> > This works:
>> > ldapsearch -h localhost -ZZ -p 389 -x -D "uid=admin,ou=people,o=ipaca"
>> > -W -b "" -s base
>> > OLDPASSWORD
>> >
>> > This does not work:
>> > ldapsearch -h localhost -ZZ -p 389 -x -D "uid=admin,ou=people,o=ipaca"
>> > -W -b "" -s base
>> > NEWPASSWORD
>> >
>> Hi,
>>
>> your commands show that the Directory Manager password was properly
>> modified, but not admin's password. Did you run the step 3 Updating PKI
>> admin password of the procedure [1]?
>> ldappasswd -h localhost -ZZ -p $CA_PORT -x -D "cn=Directory Manager" -W
>> -T /root/dm_password "uid=admin,ou=people,o=ipaca"
>>
>> Flo.
>>
>> [1]
>> https://www.freeipa.org/page/Howto/Change_Directory_Manager_Password#3._Update_PKI_admin_password
>>
>> > So I'm in a mixed up state! Is anyone able to offer advice on resolving
>> > this issue?
>> >
>> > Thank you,
>> >
>> > Callum
>> >
>> >
>> >
>> >
>> >
>> > 0333 332 0000  |  www.x-on.co.uk <http://www.x-on.co.uk>  |
>> > <https://twitter.com/xonuk>
>> > <http://www.linkedin.com/company/x-on/products>
>> > <https://www.facebook.com/XonTel>
>> > X-on is a trading name of Storacall Technology Ltd a limited company
>> > registered in England and Wales.
>> > Registered Office : Avaland House, 110 London Road, Apsley, Hemel
>> > Hempstead, Herts, HP3 9SD. Company Registration No. 2578478.
>> > The information in this e-mail is confidential and for use by the
>> > addressee(s) only. If you are not the intended recipient, please notify
>> > X-on immediately on +44(0)333 332 0000 and delete the
>> > message from your computer. If you are not a named addressee you must
>> > not use, disclose, disseminate, distribute, copy, print or reply to this
>> > email. Views or opinions expressed by an individual
>> > within this email may not necessarily reflect the views of X-on or its
>> > associated companies. Although X-on routinely screens for viruses,
>> > addressees should scan this email and any attachments
>> > for viruses. X-on makes no representation or warranty as to the absence
>> > of viruses in this email or any attachments.
>> >
>> >
>> >
>>
>>
>>
>
>
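
The quoting failure described in the thread (a dollar sign in the password being read as the start of a shell variable when writing /root/dm_password), reproduced next to a safe way to write the password file. This is an added example, not part of the original messages; the sample password and the function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample password containing a dollar sign (not from the thread).
SAMPLE_PW='Corr3ct$Horse9'

# Reproduces the failure: the placeholder in "echo -n $DM_PASSWORD" is replaced
# by the literal password, unquoted, so the shell expands $Horse9 as an
# (unset) variable and everything after the dollar sign is lost.
write_pw_broken() {
    echo -n Corr3ct$Horse9 > "$1"
}

# Safe: the caller passes the literal value (single-quoted, or read with
# `read -r`); printf '%s' writes it byte for byte with no trailing newline,
# and umask 077 makes a newly created file readable by its owner only.
write_pw_safe() {
    ( umask 077; printf '%s' "$2" > "$1" )
}

# Reads one line from stdin without backslash or variable processing, for use
# with a prompt or a pipe, then stores it with write_pw_safe.
read_pw_to_file() {
    IFS= read -r pw_line || [ -n "$pw_line" ]
    write_pw_safe "$1" "$pw_line"
}

# Prints the file's mode in octal (GNU stat first, BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

demo() {
    dir=$(mktemp -d)
    write_pw_broken "$dir/broken"
    write_pw_safe "$dir/safe" "$SAMPLE_PW"
    printf 'broken file: [%s]\n' "$(cat "$dir/broken")"
    printf 'safe file:   [%s] mode %s\n' "$(cat "$dir/safe")" "$(file_mode "$dir/safe")"
    rm -rf "$dir"
}

demo
```

Comparing the byte count of the written file with the length of the intended password is a quick check before the file is handed to any later step of a reset procedure.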