[Freeipa-users] DM Password Change & Password Storage
Martin Bašti
mbasti at redhat.com
Wed Apr 19 08:28:54 UTC 2017
On 12.04.2017 23:06, Jeremy Utley wrote:
> Hello all! We've got 2 replicated instances of FreeIPA 4.4.0 from the
> EPEL repository running on fully-updated CentOS 7 instances. We're
> going thru an audit right now, and I have to provide some proof of
> certain things related to IPA to our auditors. Unfortunately, the
> person who originally set these up evidently did not document the
> Directory Manager password in our docs, so I was forced to reset this
> password, using the process at:
>
> http://directory.fedoraproject.org/docs/389ds/howto/howto-resetdirmgrpassword.html
>
> This was successful, and I can now bind to the DS with the new
> password. I'm now trying to follow the steps at:
>
> https://www.freeipa.org/page/Howto/Change_Directory_Manager_Password
>
> A few things are rather confusing to me. I've tried Google searching
> without much luck either. So hopefully you guys can answer a few
> questions for me.
>
> 1) First off, the doc says:
>
> The following procedure is only applicable to FreeIPA 3.2.1 or older.
> Since FreeIPA 3.2.2 (and ticket #3594
> <https://fedorahosted.org/freeipa/ticket/3594>), the procedure is
> automated as a part of preparing a replica info file by using
> ipa-replica-prepare
>
> So do I even need to perform these steps at all, considering I'm well
> beyond 3.2.2? We don't have any intention of running
> ipa-replica-prepare for the foreseeable future (we shouldn't ever need
> to add a third directory server here).
>
> 2) The first step (Update LDAP bind password) seems to indicate you're
> adding the new password in clear-text to the password.conf file - this
> seems like a major security issue. Am I misunderstanding what is being
> requested here? The old password is not in this file (all my current
> files have is lines for "internal" and "replicationdb").
>
> 3) The next step regenerates the cacert.p12 file, but seems to do
> nothing with it, just leaves it sitting in /root - what should be done
> with this file afterward?
>
> Thanks for any help you can give!
>
> Jeremy Utley
>
>
Hello,

You only have to follow this howto:
http://directory.fedoraproject.org/docs/389ds/howto/howto-resetdirmgrpassword.html

The PKI parts are relevant only for old IPA servers, so with newer
versions there is no need to manually update the PKI servers.

Martin
--
Martin Bašti
Software Engineer
Red Hat Czech
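As an added illustration of the "password storage" half of this thread (example code written here, not taken from the list, from 389 DS or from FreeIPA): 389 DS keeps the Directory Manager password in dse.ldif as the nsslapd-rootpw attribute with a {SCHEME} prefix and a salted hash, not in clear text, and that hashed value is what the reset howto replaces. The block reproduces the standard LDAP SSHA encodings (base64 of digest followed by salt) so a value can be verified against a candidate password, and it flags a rootpw line that carries no scheme prefix. The function names and the sample LDIF fragment are constructed for this example; which scheme a given server defaults to is not something this thread states.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Salted LDAP schemes: the decoded blob is <digest><salt>, and the digest
# length is fixed per algorithm, so whatever follows it is the salt.
SCHEMES = {
    "{SSHA}": hashlib.sha1,
    "{SSHA256}": hashlib.sha256,
    "{SSHA512}": hashlib.sha512,
}


def make_salted_hash(password: str, scheme: str = "{SSHA}",
                     salt: Optional[bytes] = None) -> str:
    """Produce a {SCHEME}base64(digest + salt) value for the given password."""
    if scheme not in SCHEMES:
        raise ValueError(f"unsupported scheme {scheme}")
    if salt is None:
        salt = os.urandom(8)  # random per-password salt, as a real server would use
    digest = SCHEMES[scheme](password.encode("utf-8") + salt).digest()
    return scheme + base64.b64encode(digest + salt).decode("ascii")


def verify_salted_hash(password: str, stored: str) -> bool:
    """Check a candidate password against a stored {SSHA*} value."""
    for scheme, algo in SCHEMES.items():
        if stored.startswith(scheme):
            break
    else:
        return False  # unknown or missing scheme prefix: cannot verify
    blob = base64.b64decode(stored[len(scheme):])
    digest_len = algo().digest_size
    digest, salt = blob[:digest_len], blob[digest_len:]
    candidate = algo(password.encode("utf-8") + salt).digest()
    # Constant-time comparison so verification timing does not leak digest bytes.
    return hmac.compare_digest(digest, candidate)


def rootpw_storage(ldif_text: str) -> str:
    """Classify how nsslapd-rootpw is stored in a dse.ldif fragment.

    Returns 'hashed (<scheme>)', 'clear-text' (no recognised prefix),
    or 'absent' when the attribute is not present.
    """
    for line in ldif_text.splitlines():
        if line.lower().startswith("nsslapd-rootpw:"):
            value = line.split(":", 1)[1].strip()
            for scheme in SCHEMES:
                if value.startswith(scheme):
                    return f"hashed ({scheme})"
            return "clear-text"
    return "absent"


if __name__ == "__main__":
    # Constructed sample: the shape of the cn=config entry after a reset.
    new_value = make_salted_hash("Example-DM-Pass", "{SSHA}")
    sample_dse = f"dn: cn=config\nnsslapd-rootdn: cn=Directory Manager\nnsslapd-rootpw: {new_value}\n"
    print(rootpw_storage(sample_dse))
    print(verify_salted_hash("Example-DM-Pass", new_value))
```

The audit angle for a thread like this one: a rootpw_storage result of "hashed (...)" is the evidence that the Directory Manager credential at rest is a salted hash, while "clear-text" on any rootpw line is the finding to remediate by re-running the reset procedure with a hashed value.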