[Freeipa-users] Directory Manager Password Change | off topic

Callum Guy callum.guy at x-on.co.uk
Mon Dec 5 17:43:07 UTC 2016


Ah yes, I hadn't even noticed as Google cleans that up automatically but I
can confirm (explicit) contact from Kimmi and co.




On Mon, Dec 5, 2016 at 5:24 PM Joseph Flynn <jjflynn22 at gmail.com> wrote:

Ah, now SophiaB wants in on the action too.  Looks like my lucky day.

Seriously though, I think the community needs to anonymize participants out
of necessity.

On Mon, Dec 5, 2016 at 12:02 PM, Joseph Flynn <jjflynn22 at gmail.com> wrote:

Me too.  Within minutes of my first posting, I have good old Kimmi offering
me all kinds of favors.  All of our emails are exposed to the group which
I'd like to trust but we obviously can't.  All it takes is for a spammer to
join the group and they will eventually collect a group of active emails
with a very targeted demographic.

On Mon, Dec 5, 2016 at 11:45 AM, Stefan Uygur <suygur at firstderivatives.com>
wrote:

Guys,

Since I replied to the list I keep receiving spam emails, what is happening?



*From:* Stefan Uygur
*Sent:* 05 December 2016 16:40
*To:* 'Callum Guy'; Florence Blanc-Renaud; freeipa-users at redhat.com
*Subject:* RE: [Freeipa-users] Directory Manager Password Change



Glad you solved your issue.



I’ve been there myself so don’t worry about it at all.



*From:* Callum Guy [mailto:callum.guy at x-on.co.uk]
*Sent:* 05 December 2016 16:37
*To:* Stefan Uygur; Florence Blanc-Renaud; freeipa-users at redhat.com
*Subject:* Re: [Freeipa-users] Directory Manager Password Change



Hi Stefan,



Thanks for your input, I am able to clarify that I wasn't simply copying
and pasting in - the dollar sign was included in my password rather than
the example. But yes, no denying that my command line skills are to blame.



Further to this problem I am happy to report that the issue is now solved.
My main issue was the dollar sign meaning that I had updated the DM
password incorrectly for FreeIPA. Secondly I appear to have caused an issue
with SSSD and it was a restart of this service which finally resolved the
issue for me. I doubt there is much to be learnt from my issue - definitely
user error.



Thanks so much for your responses, very much appreciated. Apologies for
taking up your time.



Callum







On Mon, Dec 5, 2016 at 2:48 PM Stefan Uygur <suygur at firstderivatives.com>
wrote:

Hi,

I think you are copying and pasting the exact same commands from the
article, which is of course a wrong approach. Never copy/paste from web to
execute on your server. That $ sign indicates you can give any name you’d
like.



Follow this article here:

https://access.redhat.com/solutions/308623



Stefan





*From:* freeipa-users-bounces at redhat.com [mailto:
freeipa-users-bounces at redhat.com] *On Behalf Of *Callum Guy
*Sent:* 05 December 2016 13:38
*To:* Florence Blanc-Renaud; freeipa-users at redhat.com
*Subject:* Re: [Freeipa-users] Directory Manager Password Change



Hi Flo,



I have indeed executed every step in order, including the one you have
indicated.



The password I had used included a dollar sign and this meant that echo -n
$DM_PASSWORD > /root/dm_password didn't work as I had expected meaning
everything after the dollar was interpreted as a variable and was missing
in the file. I have corrected this and performed the full process again,
starting with the 389 reset however it is still not working correctly.



I remain in the same state as before where the admin password has not been
changed - this confuses me as my understanding is that admin only exists as
the FreeIPA web admin user whose password I can change separately. Am I
misunderstanding, is there another admin user within FreeIPA which is
directly linked to the directory manager?



Having run out of ideas I have just executed ipa-server-upgrade however
this hasn't helped. My situation remains as follows:



*Works:* ldapsearch -x -D "cn=directory manager" -w NEW_DM_PW -s base
-b "" "objectclass=*"

*Fails:* ldapsearch -h localhost -ZZ -p 389 -x -D
"uid=admin,ou=people,o=ipaca" -w NEW_DM_PW -b "" -s base



Are you able to offer any other ideas?



Other information:

I can confirm that cacert.p12 has been updated by the actions performed.

File /etc/pki/pki-tomcat/password.conf now contains a new line
internaldb=NEW_DM_PW (as per instruction 1 on FreeIPA link)



Best Regards,



Callum





On Mon, Dec 5, 2016 at 1:08 PM Florence Blanc-Renaud <flo at redhat.com> wrote:

On 12/05/2016 01:05 PM, Callum Guy wrote:
> Hi All,
>
> I have been testing FreeIPA and now plan to migrate to production use -
> thanks for creating such a great application!
>
> During the test phase we have been using simple passwords for the admin
> and directory manager users however we need these changed before moving
> into production. I believe we can change the admin password using the
> web interface however as I understand it amending the directory manager
> password is not so straightforward.
>
> I have found this
> link https://www.freeipa.org/page/Howto/Change_Directory_Manager_Password
> however I am unsure if this is the correct procedure for our installation -
> certainly I am having no luck so far.
>
> We have the following setup:
>
> FreeIPA 4.2.0 - single master server (no replicas), multiple clients
> CentOS 7.2
>
> I have tried the following steps in order:
>
>
> http://directory.fedoraproject.org/docs/389ds/howto/howto-resetdirmgrpassword.html
> followed by
> https://www.freeipa.org/page/Howto/Change_Directory_Manager_Password
>
> After completing that I am no longer able to authenticate user logins.
> The below covers my current situation:
>
> This works:
> ldapsearch -x -D "cn=directory manager" -w NEWPASSWORD -s base -b ""
> "objectclass=*"
>
> This does not work:
> ldapsearch -x -D "cn=directory manager" -w OLDPASSWORD -s base -b ""
> "objectclass=*"
>
> This works:
> ldapsearch -h localhost -ZZ -p 389 -x -D "uid=admin,ou=people,o=ipaca"
> -W -b "" -s base
> OLDPASSWORD
>
> This does not work:
> ldapsearch -h localhost -ZZ -p 389 -x -D "uid=admin,ou=people,o=ipaca"
> -W -b "" -s base
> NEWPASSWORD
>
Hi,

your commands show that the Directory Manager password was properly
modified, but not admin's password. Did you run the step 3 Updating PKI
admin password of the procedure [1]?
ldappasswd -h localhost -ZZ -p $CA_PORT -x -D "cn=Directory Manager" -W
-T /root/dm_password "uid=admin,ou=people,o=ipaca"

Flo.

[1]
https://www.freeipa.org/page/Howto/Change_Directory_Manager_Password#3._Update_PKI_admin_password

> So I'm in a mixed up state! Is anyone able to offer advice on resolving
> this issue?
>
> Thank you,
>
> Callum
>
>
>
>
>
> 0333 332 0000  |  www.x-on.co.uk <http://www.x-on.co.uk>  |
> <https://twitter.com/xonuk>
> <http://www.linkedin.com/company/x-on/products>
> <https://www.facebook.com/XonTel>
> X-on is a trading name of Storacall Technology Ltd a limited company
> registered in England and Wales.
> Registered Office : Avaland House, 110 London Road, Apsley, Hemel
> Hempstead, Herts, HP3 9SD. Company Registration No. 2578478.
> The information in this e-mail is confidential and for use by the
> addressee(s) only. If you are not the intended recipient, please notify
> X-on immediately on +44(0)333 332 0000 and delete the
> message from your computer. If you are not a named addressee you must
> not use, disclose, disseminate, distribute, copy, print or reply to this
> email. Views or opinions expressed by an individual
> within this email may not necessarily reflect the views of X-on or its
> associated companies. Although X-on routinely screens for viruses,
> addressees should scan this email and any attachments
> for viruses. X-on makes no representation or warranty as to the absence
> of viruses in this email or any attachments.
>
>
>




--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project





More information about the Freeipa-users mailing list
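
The dollar-sign truncation described in the thread, reproduced as an added example that is not part of the original messages or of the FreeIPA how-to. The sample password is constructed and all function names are hypothetical; it shows the unquoted write losing everything after the `$`, two ways to write the file literally, and a byte-exact check of the result.

```shell
#!/bin/sh
# Added illustration; SAMPLE is a constructed password, and all function
# names here are hypothetical (none come from the FreeIPA how-to).
SAMPLE='Secr3t$Pass9'

# Failure mode from the thread: the password is typed unquoted on the command
# line, so the shell expands "$Pass9" as an (unset) variable and drops it.
write_unquoted() {    # $1 = output file
    sh -c 'unset Pass9; printf %s Secr3t$Pass9 > "$1"' sh "$1"
}

# Safe form: the value is passed as data in "$1" and never re-parsed by the
# shell. printf '%s' adds no trailing newline; umask 077 makes a newly
# created file readable by its owner only.
write_literal() {     # $1 = password, $2 = output file
    ( umask 077; printf '%s' "$1" > "$2" )
}

# Alternative: read one line from stdin, so the password is typed at a
# prompt (or piped in) rather than placed on a command line.
store_from_stdin() {  # $1 = output file
    IFS= read -r pw || [ -n "$pw" ] || return 1
    ( umask 077; printf '%s' "$pw" > "$1" )
    unset pw
}

# Byte-exact check that a password file holds exactly the intended value
# (catches both truncation and a stray trailing newline).
pw_file_matches() {   # $1 = expected password, $2 = file
    printf '%s' "$1" | cmp -s - "$2"
}
```

Running `pw_file_matches` against the password file before the `ldappasswd -T` step confirms the file holds the full value rather than the part before the dollar sign.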