Hi Flo,

I have indeed executed every step in order, including the one you have
indicated.

The password I has used included a dollar sign and this meant that echo -n
$DM_PASSWORD > /root/dm_password didn't work as I had expected meaning
everything after the dollar was interpreted as a variable and was missing
in the file. I have corrected this and performed the full process again,
starting with the 389 reset however it is still not working correctly.

I remain in the same state as before where the admin password has not been
changed - this confuses me as my understanding is that admin only exists as
the FreeIPA web admin user whose password I can change separately. Am i
misunderstanding, is there another admin user within FreeIPA which is
directly linked to the directory manager?

Having run out of ideas I have just executed ipa-server-upgrade however
this hasn't helped. My situation remains as follows:

*Works:* ldapsearch -x -D "cn=directory manager" -w  *NEW_DM_PW  *-s base
-b "" "objectclass=*"
*Fails:  *ldapsearch -h localhost -ZZ -p 389 -x -D
"uid=admin,ou=people,o=ipaca" -w *NEW_DM_PW *-b "" -s base

Are you able to offer any other ideas?

Other information:
I can confirm that cacert.p12 has been updated by the actions performed.
File /etc/pki/pki-tomcat/password.conf now contains a new line internaldb=
*NEW_DM_PW *(as per instruction 1 on FreeIPA link)

Best Regards,

Callum


On Mon, Dec 5, 2016 at 1:08 PM Florence Blanc-Renaud <f...@redhat.com> wrote:

> On 12/05/2016 01:05 PM, Callum Guy wrote:
> > Hi All,
> >
> > I have been testing FreeIPA and now plan to migrate to production use -
> > thanks for creating such a great application!
> >
> > During the test phase we have been using simple passwords for the admin
> > and directory manager users however we need these changed before moving
> > into production. I believe we can change the admin password using the
> > web interface however as I understand it amending the directory manager
> > password is not so straightforward.
> >
> > I have found this
> > link
> https://www.freeipa.org/page/Howto/Change_Directory_Manager_Password
> however
> > I am unsure if this is the correct procedure for our installation -
> > certainly i am having no luck so far.
> >
> > We have the following setup:
> >
> > FreeIPA 4.2.0 - single master server (no replicas), multiple clients
> > CentOS 7.2
> >
> > I have tried the following steps in order:
> >
> >
> http://directory.fedoraproject.org/docs/389ds/howto/howto-resetdirmgrpassword.html
> > followed by
> > https://www.freeipa.org/page/Howto/Change_Directory_Manager_Password
> >
> > After completing that I am no longer able to authenticate user logins.
> > The below covers my current situation:
> >
> > This works:
> > ldapsearch -x -D "cn=directory manager" -w NEWPASSWORD -s base -b ""
> > "objectclass=*"
> >
> > This does not work:
> > ldapsearch -x -D "cn=directory manager" -w OLDPASSWORD -s base -b ""
> > "objectclass=*"
> >
> > This works:
> > ldapsearch -h localhost -ZZ -p 389 -x -D "uid=admin,ou=people,o=ipaca"
> > -W -b "" -s base
> > OLDPASSWORD
> >
> > This does not work:
> > ldapsearch -h localhost -ZZ -p 389 -x -D "uid=admin,ou=people,o=ipaca"
> > -W -b "" -s base
> > NEWPASSWORD
> >
> Hi,
>
> your commands show that the Directory Manager password was properly
> modified, but not admin's password. Did you run the step 3 Updating PKI
> admin password of the procedure [1]?
> ldappasswd -h localhost -ZZ -p $CA_PORT -x -D "cn=Directory Manager" -W
> -T /root/dm_password "uid=admin,ou=people,o=ipaca"
>
> Flo.
>
> [1]
>
> https://www.freeipa.org/page/Howto/Change_Directory_Manager_Password#3._Update_PKI_admin_password
>
> > So i'm i a mixed up state! Is anyone able to offer advise on resolving
> > this issue?
> >
> > Thank you,
> >
> > Callum
> >
> >
> >
> >
> >
> > *^0333 332 0000  |  www.x-on.co.uk <http://www.x-on.co.uk>  |  _
> > **_^<https://twitter.com/xonuk>
> >  <http://www.linkedin.com/company/x-on/products>
> >  <https://www.facebook.com/XonTel> *
> > X-on is a trading name of Storacall Technology Ltd a limited company
> > registered in England and Wales.
> > Registered Office : Avaland House, 110 London Road, Apsley, Hemel
> > Hempstead, Herts, HP3 9SD. Company Registration No. 2578478.
> > The information in this e-mail is confidential and for use by the
> > addressee(s) only. If you are not the intended recipient, please notify
> > X-on immediately on +44(0)333 332 0000 <+44%20333%20332%200000> and
> delete the
> > message from your computer. If you are not a named addressee you must
> > not use, disclose, disseminate, distribute, copy, print or reply to this
> > email. Views or opinions expressed by an individual
> > within this email may not necessarily reflect the views of X-on or its
> > associated companies. Although X-on routinely screens for viruses,
> > addressees should scan this email and any attachments
> > for viruses. X-on makes no representation or warranty as to the absence
> > of viruses in this email or any attachments.
> >
> >
> >
>
>

-- 



*0333 332 0000  |  www.x-on.co.uk <http://www.x-on.co.uk>  |   ** 
<https://twitter.com/xonuk>   
<http://www.linkedin.com/company/x-on/products>   
<https://www.facebook.com/XonTel> * 
X-on is a trading name of Storacall Technology Ltd a limited company 
registered in England and Wales.
Registered Office : Avaland House, 110 London Road, Apsley, Hemel 
Hempstead, Herts, HP3 9SD. Company Registration No. 2578478.
The information in this e-mail is confidential and for use by the 
addressee(s) only. If you are not the intended recipient, please notify 
X-on immediately on +44(0)333 332 0000 and delete the
message from your computer. If you are not a named addressee you must not 
use, disclose, disseminate, distribute, copy, print or reply to this email. 
Views 
or opinions expressed by an individual
within this email may not necessarily reflect the views of X-on or its 
associated companies. Although X-on routinely screens for viruses, 
addressees should scan this email and any attachments
for viruses. X-on makes no representation or warranty as to the absence of 
viruses in this email or any attachments.

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to