The reason I am using old version is not my choice, this is what RHEL 6 has in 
its repos. I have 8 instances of IPA servers and they are all RHEL 6 because we 
have our prod RHEL 6 and not yet ready to move to RHEL 7.

As for me it is still fully supported by RedHat, otherwise why they still have 
this version for RHEL 6.

We have support with RH but most likely I will experience the same trouble with 
them when I log the case. But I will try anyway.

Thank for your help, appreciate.


-----Original Message-----
From: Alexander Bokovoy [] 
Sent: 15 August 2016 12:48
To: Stefan Uygur
Subject: Re: [Freeipa-users] Freeipa replication issue

On Mon, 15 Aug 2016, Stefan Uygur wrote:
>I did update the cacert but can't generate the replica file. That is 
>where I am failing, it keep saying invalid ldap credential. The strange 
>thing is trying to test/verify ldap password was working in my previous 
>attempts (following steps) which now not working either.
>I know you guys might be familiar with this process but I am not, and 
>to be honest it is a bit frustrating because, what is the point of 
>creating a full web UI for IPA and not having DM password change on the 
>Why everything has to be so complicated I mean, it is better to go back 
>to ldap though.
I can understand your frustration. However, for us it is already an old story 
because the problem you are facing was solved several years ago.
Given that you chose to run old version and cannot use fixes we've done (since 
3.2.2, July 2013), I'm not sure what we can help other than pointing to the 
documentation. As you can see, the fixes actually are the same as documentation:

As for the why 'not having DM password change on the UI', this would not help 
you anyway as you stuck with older version. I'm not going into details why none 
of the operations that require DM password is possible in the UI, though. It is 
not just a password change.

>-----Original Message-----
>From: Alexander Bokovoy []
>Sent: 15 August 2016 12:06
>To: Stefan Uygur
>Subject: Re: [Freeipa-users] Freeipa replication issue
>On Mon, 15 Aug 2016, Stefan Uygur wrote:
>>Hi Alexander,
>>Thanks for your reply and I do remember very well your feedback of 
>>course in relation to this issue.
>>The instructions are very simple, no discussion about that and I 
>>followed step by step ad exception of this step: Configure all 
>>replicas to use the new password by editing /etc/pki-ca/password.conf 
>>for Dogtag
>>9 or /etc/pki/pki-tomcat/password.conf for Dogtag 10:
>>Which is not that clear to be honest as it is referring to replicas 
>>and not the master server itself.
>In IPA the term 'replica' applies to all IPA masters. All of them are replicas 
>of each other on the base level. They may have additional services running but 
>at the very least they have LDAP, Kerberos KDC, and HTTPd.
>>I do not have any replica for this server, I am trying to set the 
>>first one in fact, so I don't think that step need to be re-produced 
>>in my case, unless I am really missing something in that paragraph.
>These steps have to be done on all existing IPA masters, whether you call them 
>replicas or not.
>Did you update /root/cacert.p12? If so, did you re-generate the replica file 
>afterwards? Point is, inside replica file there is a CA certificate with a 
>private key in PKCS#12 format which is encrypted using DM password. If you 
>have replica file generated before cacert.p12 was updated with new DM 
>password, then cacert.p12 inside the replica file cannot be decrypted using 
>new DM password, thus replica installation will fail.
>>Thanks again
>>-----Original Message-----
>>From: Alexander Bokovoy []
>>Sent: 15 August 2016 11:28
>>To: Stefan Uygur
>>Subject: Re: [Freeipa-users] Freeipa replication issue
>>On Mon, 15 Aug 2016, Stefan Uygur wrote:
>>>Hi Everyone,
>>>Sorry if I have to bring this topic back again but still no solution so far. 
>>>I gave up for a while but I still need to solve this problem.
>>>I followed the link provided by Mark Reynold:
>>>I applied the instructions multiple times and also followed these 
>>>instructions as well:
>>>With no joy.
>>>Mark suggested:
>>>The problem here is that "cn=directory manager" does not exist in a 
>>>database.  It only exists in the cn=config entry, so ldappasswd will 
>>>not work.  But I'm not sure if your problem is the directory manager 
>>>account though.  You need to look through the Directory Server access 
>>>log for "err=49" (/var/log/dirsrv/slapd-INSTANCE/access), and see 
>>>which BIND dn is failing.  It could be a different user/account.
>>>So I checked the logs as well and this is all I have from logs every time I 
>>>attempt to prepare the replica:
>>>[15/Aug/2016:11:03:13 +0100] conn=10 op=13 RESULT err=0 tag=101
>>>nentries=0 etime=0 notes=U
>>>[15/Aug/2016:11:03:15 +0100] conn=11 fd=70 slot=70 connection from 
>>>local to /var/run/slapd-INSTANCE-COM.socke t
>>>[15/Aug/2016:11:03:15 +0100] conn=11 op=0 BIND dn="cn=directory 
>>>manager" method=128 version=3
>>>[15/Aug/2016:11:03:15 +0100] conn=11 op=0 RESULT err=49 tag=97
>>>nentries=0 etime=0
>>>[15/Aug/2016:11:03:15 +0100] conn=11 op=1 UNBIND
>>>[15/Aug/2016:11:03:15 +0100] conn=11 op=1 fd=70 closed - U1
>>>I don't think it is that difficult to manage/change Directory Manager 
>>>password but I cannot get away with it myself so I must be doing 
>>>something wrong or the solutions provided (instructions) are not 
>>>applicable to the version of IPA (ipa-server-3.0.0-47.el6_7.2.x86_64)
>>>I have.
>>Please follow instructions in the FreeIPA's howto link above. Really, they 
>>tell you where and how you should change DM password. As I said before, you 
>>need to change more places which recorded the password at the time of 
>>install. You claim that the instruction does not work but it is very clear 
>>from the logs above that you haven't updated all places where DM password was 
>>recorded and as such, you get some code using older version of the DM 
>>password. This older version of DM password comes from one of the fails you 
>>actually did not change.
>>/ Alexander Bokovoy
>/ Alexander Bokovoy
>Manage your subscription for the Freeipa-users mailing list:
>Go to for more info on the project

/ Alexander Bokovoy

Manage your subscription for the Freeipa-users mailing list:
Go to for more info on the project

Reply via email to