[Freeipa-users] Directory Manager password is correct but IPA-replica-prepare command fails with Invalid Credentials

Shiela Spaleta shiela at securitycompass.com
Sat Mar 25 22:45:05 UTC 2017


Thanks for your quick reply.  What I mean is I am supplying the DM password
when prompted following ipa-replica-prepare.  I only mentioned the admin
user password change to prove that the DM password I have is correct/valid.
Otherwise I could not have run this command (and other ldapsearch commands)
successfully -> ldappasswd -D 'cn=directory manager' -W -S
uid=admin,cn=users,cn=accounts,dc=example,dc=com.  I just wanted to show
that I've tested the DM password by binding with it (ldapsearch or
ldappasswd), and it works, but using it with ipa-replica-prepare fails.
Sorry, I should have picked better examples to explain my problem more
clearly.

Sincerely,

Shiela Spaleta
Senior System Administrator
Security Compass

p: +1 (888) 777-2211 x171

m: +1 (647) 539-6366


On Fri, Mar 24, 2017 at 6:21 PM, Rob Crittenden <rcritten at redhat.com> wrote:

> Shiela Spaleta wrote:
> > I can successfully bind as the Directory Manager, but when I use the
> > same password to create a replica prep file I get an "Invalid
> > Credentials" error.  How is this possible?
> >
> > I'm running FreeIPA v3.0 on CentOS 6 and have created replicas successfully
> > in the past.
> >
> > I tested the Directory Manager password by using it to change the admin
> > user's password:
> >
> > ldappasswd -D 'cn=directory manager' -W -S
> > uid=admin,cn=users,cn=accounts,dc=domain,dc=com
> >
> > and that was successful (tested by getting a ticket as admin user with
> > new pwd).
> >
> > But when I try to create a replica file:
> >
> > # ipa-replica-prepare ipa2.shiela.com
> >
> >
> > Preparing replica for ipa2.shiela.com from ipa1.shiela.com
> > preparation of replica failed: Insufficient access:  Invalid credentials
> > Insufficient access:  Invalid credentials
> >   File "/usr/sbin/ipa-replica-prepare", line 529, in <module>
> >     main()
> >
> >   File "/usr/sbin/ipa-replica-prepare", line 391, in main
> >     update_pki_admin_password(dirman_password)
> >
> >   File "/usr/sbin/ipa-replica-prepare", line 247, in
> > update_pki_admin_password
> >     bind_pw=dirman_password
> >
> >   File "/usr/lib/python2.6/site-packages/ipalib/backend.py", line 63, in
> > connect
> >     conn = self.create_connection(*args, **kw)
> >
> >   File "/usr/lib/python2.6/site-packages/ipaserver/plugins/ldap2.py",
> > line 846, in create_connection
> >     self.handle_errors(e)
> >
> >   File "/usr/lib/python2.6/site-packages/ipaserver/plugins/ldap2.py",
> > line 712, in handle_errors
> >     raise errors.ACIError(info="%s %s" % (info, desc))
> >
> > If anyone can shed light on this I would be grateful.  I've checked
> > /var/log/dirsrv/PKI-IPA but it has not been any more helpful.
> >
>
> admin != Directory Manager.
>
> Try running kdestroy, then ipa-replica-prepare. You'll be prompted for
> the DM password, that should work.
>
> rob
>
>
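The traceback quoted above shows the failing bind happening inside update_pki_admin_password, i.e. against the CA's own directory instance (the one whose log is /var/log/dirsrv/PKI-IPA), not the instance that ldappasswd and ldapsearch were run against. The script below is an added diagnostic, not code from the FreeIPA project or from anyone in this thread. It binds as cn=Directory Manager against both instances with a simple bind, reports each result, and says whether a Kerberos ticket is still cached so that kdestroy can be run first. It assumes (not stated in the thread) that the main instance listens on port 389 and the PKI-IPA instance on 7389, and that both are reached on the host named in IPA_CHECK_HOST.

```shell
#!/bin/sh
# Added diagnostic for the thread above; not from the FreeIPA project or
# the original poster. Assumptions not confirmed by the thread: the main
# 389-ds instance listens on 389 and the CA's own PKI-IPA instance on 7389,
# each with its own "cn=Directory Manager" password.

# Translate ldapsearch's exit status into a verdict. ldapsearch exits with
# the LDAP result code: 49 is invalidCredentials; a "can't contact LDAP
# server" (-1) surfaces as 255.
classify_ldap_rc() {
    case "$1" in
        0)   echo "bind OK" ;;
        49)  echo "invalid credentials" ;;
        255) echo "cannot contact server" ;;
        *)   echo "ldapsearch failed with exit status $1" ;;
    esac
}

# Simple bind (-x) as Directory Manager against one instance and read the
# root DSE. The password is passed via a file (-y) so it never appears on
# the command line or in shell history. Written to be safe under set -e.
check_dm_bind() {
    host=$1; port=$2; pwfile=$3
    rc=0
    ldapsearch -x -H "ldap://$host:$port" -D 'cn=Directory Manager' \
        -y "$pwfile" -s base -b '' 'objectclass=*' >/dev/null 2>&1 || rc=$?
    classify_ldap_rc "$rc"
}

# klist -s exits 0 when a valid ticket is cached. A cached admin ticket is
# exactly what the reply above suggests clearing with kdestroy.
ticket_cached() {
    if klist -s 2>/dev/null; then echo "yes"; else echo "no"; fi
}

# Only contact the servers when a host is supplied, so the helper
# functions can be sourced on a machine without ldapsearch or klist.
if [ -n "${IPA_CHECK_HOST:-}" ]; then
    pwfile=$(mktemp)
    trap 'rm -f "$pwfile"' EXIT
    printf 'Directory Manager password: '
    stty -echo; read -r pw; stty echo; echo
    printf '%s' "$pw" > "$pwfile"
    for port in 389 7389; do
        echo "$IPA_CHECK_HOST:$port -> $(check_dm_bind "$IPA_CHECK_HOST" "$port" "$pwfile")"
    done
    echo "Kerberos ticket cached (run kdestroy before ipa-replica-prepare): $(ticket_cached)"
fi
```

Run it on the IPA master as IPA_CHECK_HOST=ipa1.example.com sh check-dm.sh. A "bind OK" on 389 together with "invalid credentials" on 7389 would mean the two instances no longer share a Directory Manager password, which is the situation in which a bind that works for ldapsearch still fails inside update_pki_admin_password.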

