On 12/05/2016 01:05 PM, Callum Guy wrote:
Hi All,

I have been testing FreeIPA and now plan to migrate to production use -
thanks for creating such a great application!

During the test phase we have been using simple passwords for the admin
and directory manager users however we need these changed before moving
into production. I believe we can change the admin password using the
web interface however as I understand it amending the directory manager
password is not so straightforward.

I have found this link
https://www.freeipa.org/page/Howto/Change_Directory_Manager_Password
however I am unsure if this is the correct procedure for our installation -
certainly I am having no luck so far.

We have the following setup:

FreeIPA 4.2.0 - single master server (no replicas), multiple clients
CentOS 7.2

I have tried the following steps in order:

http://directory.fedoraproject.org/docs/389ds/howto/howto-resetdirmgrpassword.html
followed by
https://www.freeipa.org/page/Howto/Change_Directory_Manager_Password

After completing that I am no longer able to authenticate user logins.
The below covers my current situation:

This works:
ldapsearch -x -D "cn=directory manager" -w NEWPASSWORD -s base -b "" "objectclass=*"

This does not work:
ldapsearch -x -D "cn=directory manager" -w OLDPASSWORD -s base -b "" "objectclass=*"

This works:
ldapsearch -h localhost -ZZ -p 389 -x -D "uid=admin,ou=people,o=ipaca" -W -b "" -s base
OLDPASSWORD

This does not work:
ldapsearch -h localhost -ZZ -p 389 -x -D "uid=admin,ou=people,o=ipaca" -W -b "" -s base
NEWPASSWORD

Hi,

your commands show that the Directory Manager password was properly modified, but not admin's password. Did you run step 3, "Updating PKI admin password", of the procedure [1]?

ldappasswd -h localhost -ZZ -p $CA_PORT -x -D "cn=Directory Manager" -W -T /root/dm_password "uid=admin,ou=people,o=ipaca"

Flo.

[1] https://www.freeipa.org/page/Howto/Change_Directory_Manager_Password#3._Update_PKI_admin_password

So I'm in a mixed up state! Is anyone able to offer advice on resolving
this issue?

Thank you,

Callum

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
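
The four bind tests in the thread can be folded into one check that reports which password each DN currently accepts. This is an added example, not part of the original messages or of FreeIPA; the password-file arguments, the LDAP_URI variable and the function names are assumptions.

```shell
#!/bin/sh
# Added example: report which password each DN from the thread accepts.
# Assumed names (not from the thread): LDAP_URI, the two password files,
# and the functions try_bind, accepted_password, rotation_state.

LDAP_URI="${LDAP_URI:-ldap://localhost:389}"
DM_DN="cn=Directory Manager"
PKI_ADMIN_DN="uid=admin,ou=people,o=ipaca"

# try_bind DN PWFILE -> status 0 if a simple bind over StartTLS succeeds.
# -y reads the password from a file, keeping it out of argv and history.
try_bind() {
    ldapwhoami -x -ZZ -H "$LDAP_URI" -D "$1" -y "$2" >/dev/null 2>&1
}

# accepted_password DN OLDFILE NEWFILE -> prints new, old, both or none
accepted_password() {
    old=no; new=no
    try_bind "$1" "$2" && old=yes
    try_bind "$1" "$3" && new=yes
    case "$old$new" in
        noyes)  echo new ;;
        yesno)  echo old ;;
        yesyes) echo both ;;
        *)      echo none ;;
    esac
}

# rotation_state OLDFILE NEWFILE -> one-line diagnosis for both accounts
rotation_state() {
    dm=$(accepted_password "$DM_DN" "$1" "$2")
    pki=$(accepted_password "$PKI_ADMIN_DN" "$1" "$2")
    case "$dm/$pki" in
        new/new) echo "consistent: both accounts accept only the new password" ;;
        new/old) echo "mixed: Directory Manager changed, PKI admin (step 3) pending" ;;
        old/old) echo "unchanged: neither account has been rotated" ;;
        *)       echo "unexpected: directory-manager=$dm pki-admin=$pki" ;;
    esac
}

# Run only when called with two password files: ./check.sh old.txt new.txt
if [ "$#" -eq 2 ]; then
    rotation_state "$1" "$2"
fi
```

The -y option uses the complete file contents as the password, so write the files without a trailing newline (for example with printf '%s') and restrict them to mode 0600.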