[Freeipa-users] Cannot add password policy SOLVED

Bob Hinton bob at jackland.demon.co.uk
Thu Mar 10 15:18:27 UTC 2016


On 09/03/2016 22:14, Rob Crittenden wrote:
> Bob Hinton wrote:
>> Hi,
>>
>> I've been trying to add a password policy for an existing user group
>> called "services" in IPA version 4.2.0.
>>
>> ipa pwpolicy-add services
>> ipa: ERROR: entry with name "services" already exists
>>
>> ipa pwpolicy-show services
>> ipa: ERROR: services: password policy not found
>>
>> ipa pwpolicy-del services
>> ipa: ERROR: services: password policy not found
>>
>> ipa pwpolicy-mod services
>> ipa: ERROR: services: password policy not found
>>
>> ipa pwpolicy-find
>> doesn't list it.
>>
>> As an experiment I've tried to add additional pwpolicy entries. If these
>> fail due to insufficient privileges then I get the same symptoms, so
>> it's possible that this is what happened with the services pwpolicy.
>>
>> How do I correct this situation?
>>
>> Many thanks
> I'd use ldapsearch to narrow things down. A group-based password policy
> consists of two entries so I'd look in both:
>
> $ kinit admin
> $ ldapsearch -Y GSSAPI -b cn=costemplates,cn=accounts,dc=example,dc=com
> $ ldapsearch -Y GSSAPI -b cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com '(objectclass=krbPwdPolicy)'
>
> There could, for example, be a replication conflict entry.
>
> rob
>
Hi Rob,

The culprit turned out to be a "cn=costemplates,cn=accounts,..." record.
Attempting to create a pwpolicy that failed with a permissions error
created a costemplates record, but not the corresponding
"cn=DOMAIN,cn=kerberos,..." record.

After removing the offending record with ldapdelete I could create the
pwpolicy entry.

Many thanks

Bob Hinton
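
The comparison described in this thread, written out as an added example (not part of the original messages and not FreeIPA's own code): it takes the output of the two ldapsearch commands above and lists every costemplates entry that has no matching krbPwdPolicy entry. The function name, the marker line and the sample LDIF are constructed for illustration; it assumes each template carries a krbPwdPolicyReference attribute and that the searches were run with -LLL -o ldif-wrap=no so DNs are not wrapped.

```shell
#!/bin/sh
# Added example: list CoS templates whose password policy entry is missing.
# Assumption: each template names its policy in krbPwdPolicyReference.
# Input is unwrapped LDIF text; base64-encoded ("dn::") values are not handled.

# find_orphan_templates TEMPLATES_LDIF POLICIES_LDIF   (both passed as text)
find_orphan_templates() {
    { printf '%s\n' "$2"; printf '%s\n' '#--templates--'; printf '%s\n' "$1"; } |
    awk '
        # Strip the "attr: " prefix and return the value only.
        function value(line) { sub(/^[^:]+: */, "", line); return line }
        $0 == "#--templates--" { in_templates = 1; next }
        tolower($0) ~ /^dn: / {
            if (in_templates) dn = value($0)
            else policy[tolower(value($0))] = 1   # DNs compare case-insensitively
            next
        }
        in_templates && tolower($0) ~ /^krbpwdpolicyreference: / {
            # Template points at a policy DN that the second search did not return.
            if (!(tolower(value($0)) in policy)) print dn
        }'
}

# Constructed sample data (not from the thread): "services" has a template
# but no policy entry, which is the half-created state found above.
SUFFIX='dc=example,dc=com'
KRB="cn=EXAMPLE.COM,cn=kerberos,$SUFFIX"
SAMPLE_TEMPLATES="dn: cn=\"cn=services,$KRB\",cn=costemplates,cn=accounts,$SUFFIX
krbPwdPolicyReference: cn=services,$KRB
cospriority: 10

dn: cn=\"cn=admins,$KRB\",cn=costemplates,cn=accounts,$SUFFIX
krbPwdPolicyReference: cn=admins,$KRB
cospriority: 5"
SAMPLE_POLICIES="dn: cn=global_policy,$KRB
objectClass: krbPwdPolicy

dn: cn=Admins,$KRB
objectClass: krbPwdPolicy"

# Prints the DN of the orphaned "services" template.
find_orphan_templates "$SAMPLE_TEMPLATES" "$SAMPLE_POLICIES"
```

Any DN it prints should be reviewed by hand before removal, since a replication conflict entry, as Rob mentions, would need different handling.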
