[Freeipa-users] Freeipa replication issue

Mark Reynolds mareynol at redhat.com
Thu Jul 14 14:26:30 UTC 2016



On 07/14/2016 10:10 AM, Stefan Uygur wrote:
> Hi Alexander,
> Thanks for the quick reply first of all, and to be honest I have actually tried that link too; it didn't work either.
>
> This is my ipa version: ipa-server-3.0.0-47.el6_7.2.x86_64 and the system is RHEL 6
>
> When I reproduce the last step of the instructions you provided:
>
> ldappasswd -h localhost -ZZ -p 389 -x -D "cn=Directory Manager" -W -T dm_password
> Enter LDAP Password:
> ldap_bind: Invalid credentials (49)
>
> Or trying this one (because I am not sure if I have dogtag 10):
>
> ldappasswd -h localhost -ZZ -p 7389 -x -D "cn=Directory Manager" -W -T dm_password
> Enter LDAP Password:
> Result: No such object (32)
> Additional info: No such Entry exists.
The problem here is that "cn=directory manager" does not exist in a
database.  It only exists in the cn=config entry, so ldappasswd will not
work.  You must follow this process:

https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/dirmnger-pwd.html#dirmnger-pwd-Resetting_Passwords

But I'm not sure if your problem is the directory manager account
though.  You need to look through the Directory Server access log for
"err=49" (/var/log/dirsrv/slapd-INSTANCE/access), and see which BIND dn
is failing.  It could be a different user/account.

Mark
>
> I couldn't figure it out clearly; your help is much appreciated wherever you can.
>
> Many thanks
>
>
> -----Original Message-----
> From: Alexander Bokovoy [mailto:abokovoy at redhat.com] 
> Sent: 14 July 2016 14:39
> To: Stefan Uygur
> Cc: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] Freeipa replication issue
>
> On Thu, 14 Jul 2016, Stefan Uygur wrote:
>> Hi All,
>> Sorry if this would appear to be an obvious issue and maybe someone has 
>> already discussed it, but I couldn't find information anywhere 
>> about how to resolve this issue that I am experiencing.
>>
>> Basically I have an IPA master server where the admin password was 
>> originally the same as Directory Manager password, within months the 
>> admin password was changed and DM left as it was.
>>
>> But I have followed the instructions given in below link to reset DM
>> password:
>>
>> https://www.centos.org/docs/5/html/CDS/install/8.0/Installation_Guide-Common_Usage-Resetting_Passwords.html
> This is the incorrect document, as it is not relevant to IPA.
>
> Use http://www.freeipa.org/page/Howto/Change_Directory_Manager_Password
>
>> Which I have tested after the reset using ldapsearch and it seems to be 
>> working perfectly.
>>
>> But when I try to prepare the replica it keeps telling me that the 
>> password is wrong, as per below:
>>
>> ipa-replica-prepare ipa2.example.com --ip-address 10.0.0.3
>> Directory Manager (existing master) password:
>> The password provided is incorrect for LDAP server ipa1.example.com
>>
>>
>> Using the following to test the DM password:
>>
>> ldapsearch -x -D "cn=directory manager" -w DM_PASSWD base -b "" "objectclass=*"
>>
>> Which gives me the correct result, long output.....but again, when I 
>> try to prepare replica still getting wrong password.
> There are more places where the DM password is used for a replica. You changed it only in 389-ds but didn't change the other places. Use the instructions above.
>
>
> --
> / Alexander Bokovoy
>

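Mark's advice to look through the Directory Server access log for "err=49" is easier to act on if each BIND is correlated with its RESULT on the same conn/op pair, since the RESULT line itself does not name the DN. The script below is an added example for this thread, not code from the list, from FreeIPA or from 389-ds; it assumes the standard 389-ds access log line shape (`conn=N op=N BIND dn="..."` followed later by `conn=N op=N RESULT err=N`), the sample log lines are constructed, and the function names `failed_binds` and `failing_dn_counts` and the optional path argument are the example's own.

```python
import re
import sys
from collections import Counter

# Constructed sample lines in 389-ds access-log format (not taken from the thread).
# Two simple binds as "cn=directory manager" fail, one GSSAPI bind fails, admin succeeds.
SAMPLE_LOG = """\
[14/Jul/2016:10:05:12 +0000] conn=1234 op=0 BIND dn="cn=directory manager" method=128 version=3
[14/Jul/2016:10:05:12 +0000] conn=1234 op=0 RESULT err=49 tag=97 nentries=0 etime=0
[14/Jul/2016:10:05:20 +0000] conn=1235 op=0 BIND dn="uid=admin,cn=users,cn=accounts,dc=example,dc=com" method=128 version=3
[14/Jul/2016:10:05:20 +0000] conn=1235 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[14/Jul/2016:10:06:01 +0000] conn=1236 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[14/Jul/2016:10:06:01 +0000] conn=1236 op=0 RESULT err=49 tag=97 nentries=0 etime=0
[14/Jul/2016:10:06:30 +0000] conn=1237 op=0 BIND dn="cn=directory manager" method=128 version=3
[14/Jul/2016:10:06:30 +0000] conn=1237 op=0 RESULT err=49 tag=97 nentries=0 etime=0
[14/Jul/2016:10:06:31 +0000] conn=1237 op=1 SRCH base="" scope=0 filter="(objectClass=*)" attrs=ALL
[14/Jul/2016:10:06:31 +0000] conn=1237 op=1 RESULT err=0 tag=101 nentries=1 etime=0
"""

# A BIND line carries the DN (empty for SASL binds); the RESULT line carries err=.
BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)"(?: method=(\S+))?')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT err=(\d+)')


def failed_binds(lines):
    """Return [(timestamp, dn, method), ...] for every BIND whose RESULT is err=49.

    Correlation key is (conn, op): the RESULT for a bind is logged with the same
    connection and operation numbers as the BIND itself.
    """
    pending = {}   # (conn, op) -> (timestamp, dn, method) awaiting its RESULT
    failures = []
    for line in lines:
        m = BIND_RE.search(line)
        if m:
            conn, op, dn, method = m.groups()
            ts = line[1:line.index("]")] if line.startswith("[") else ""
            pending[(conn, op)] = (ts, dn or "<sasl/anonymous>", method or "unknown")
            continue
        m = RESULT_RE.search(line)
        if m:
            conn, op, err = m.groups()
            bind = pending.pop((conn, op), None)   # None for non-BIND ops (SRCH, MOD, ...)
            if bind is not None and err == "49":
                failures.append(bind)
    return failures


def failing_dn_counts(lines):
    """Count err=49 bind failures per DN, so the noisiest account stands out."""
    return Counter(dn for _, dn, _ in failed_binds(lines))


if __name__ == "__main__":
    # Usage: python3 find_failed_binds.py /var/log/dirsrv/slapd-INSTANCE/access
    # With no argument the constructed SAMPLE_LOG is analysed instead.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            log_lines = fh.readlines()
    else:
        log_lines = SAMPLE_LOG.splitlines()
    for ts, dn, method in failed_binds(log_lines):
        print(f"{ts}  err=49  dn={dn}  method={method}")
    print("--- failures per DN ---")
    for dn, n in failing_dn_counts(log_lines).most_common():
        print(f"{n:4d}  {dn}")
```

Run against the real access log, the per-DN summary tells you directly whether the failing bind is cn=Directory Manager, the admin user, or a SASL/GSSAPI bind (which logs dn=""), which is the distinction Mark's reply asks you to make before resetting any password.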