[Freeipa-users] Re: ipa-ca-install fails on directory manager password

Mon, 10 Feb 2020 23:59:44 -0800 

On ma, 10 helmi 2020, Nicholas DeMarco wrote:

I'm not having success with that truncated instance string, either:
$ dsconf -D "cn=Directory Manager" IDENTITY-DEMARCOHOME-COM
directory_manager password_change
Error: Could not find configuration for instance: IDENTITY-DEMARCOHOME-COM

The instance is present. I can also see it on Cockpit's 389DS add in.
$ ls /etc/dirsrv
config  ds.keytab  schema  slapd-IDENTITY-DEMARCOHOME-COM  ssca


weird. Do you have /etc/dirsrv/slapd-IDENTITY-DEMARCOHOME-COM/dse.ldif?
If not, at least any other files named dse.ldif.*?

It works for me:

# dsconf EXAMPLE-COM config get nsslapd-rootdn
nsslapd-rootdn: cn=Directory Manager

# dsconf EXAMPLE-COM config get nsslapd-rootpw
nsslapd-rootpw: {PBKDF2_SHA256}some-long-base64-encoded-data

# dsconf EXAMPLE-COM directory_manager password_change
Enter new directory manager password : ^C

Exiting...



What is a simple way to verify I do have the correct password for directory
manager?

just try to bind with it.

ldapsearch -D 'cn=Directory Manager' -W -h `hostname` -b 
dc=identity,dc=demarcohome,dc=com -s base




On Mon, Feb 10, 2020 at 2:24 AM Alexander Bokovoy <aboko...@redhat.com>
wrote:


On su, 09 helmi 2020, Nicholas DeMarco via FreeIPA-users wrote:
>After successfully promoting an IPA server to a replica, ipa-ca-install
>fails with "Directory Manager password is invalid"
>
>This noob would appreciate a command and example to verify I have the
>correct directory manager password. I've looked through this page:
>
https://directory.fedoraproject.org/docs/389ds/howto/howto-resetdirmgrpassword.html
>
>
>but haven't been successful in getting dsconf or ldapmodify to work.
>
>server: ipa1.identity.demarcohome.com.
>instance: slapd-IDENTITY-DEMARCOHOME-COM
>
># dsconf -D "cn=Directory Manager" slapd-IDENTITY-DEMARCOHOME-COM
>directory_manager password_change
>
>Error: Could not find configuration for instance:
>slapd-IDENTITY-DEMARCOHOME-COM

dsconf expects instance name, not the whole 'slapd-...' part. Your
instance name would be IDENTITY-DEMARCOHOME-COME.


--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland





--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org

Reply via email to