Thanks for your quick reply. What I mean is I am supplying the DM password when prompted following ipa-replica-prepare. I only mentioned the admin user password change to prove that the DM password I have is correct/valid. Otherwise I could not have run this command (and other ldapsearch commands) successfully -> ldappasswd -D 'cn=directory manager' -W -S uid=admin,cn=users,cn=accounts,dc=example,dc=com. I just wanted to show that I've tested the DM password by binding with it (ldapsearch or ldappasswd), and it works, but using it with ipa-replica-prepare fails. Sorry, I should have picked better examples to explain my problem more clearly.
Sincerely,

*Shiela Spaleta*
*Senior System Administrator*
*Security Compass*
*p:* +1 (888) 777-2211 x171
*m:* +1 (647) 539-6366

On Fri, Mar 24, 2017 at 6:21 PM, Rob Crittenden <rcrit...@redhat.com> wrote:

> Shiela Spaleta wrote:
> > I can successfully bind as the Directory Manager, but when I use the
> > same password to create a replica prep file I get an "Invalid
> > Credentials" error. How is this possible?
> >
> > I'm running FreeIPA v3.0 on CentOS 6 and created replicas successfully
> > in the past.
> >
> > I tested the Directory Manager password by using it to change the admin
> > user's password:
> >
> > ldappasswd -D 'cn=directory manager' -W -S uid=admin,cn=users,cn=accounts,dc=domain,dc=com
> >
> > and that was successful (tested by getting a ticket as admin user with
> > new pwd).
> >
> > But when I try to create a replica file:
> >
> > # ipa-replica-prepare ipa2.shiela.com
> >
> > Preparing replica for ipa2.shiela.com from ipa1.shiela.com
> > preparation of replica failed: Insufficient access: Invalid credentials
> > Insufficient access: Invalid credentials
> >   File "/usr/sbin/ipa-replica-prepare", line 529, in <module>
> >     main()
> >
> >   File "/usr/sbin/ipa-replica-prepare", line 391, in main
> >     update_pki_admin_password(dirman_password)
> >
> >   File "/usr/sbin/ipa-replica-prepare", line 247, in update_pki_admin_password
> >     bind_pw=dirman_password
> >
> >   File "/usr/lib/python2.6/site-packages/ipalib/backend.py", line 63, in connect
> >     conn = self.create_connection(*args, **kw)
> >
> >   File "/usr/lib/python2.6/site-packages/ipaserver/plugins/ldap2.py", line 846, in create_connection
> >     self.handle_errors(e)
> >
> >   File "/usr/lib/python2.6/site-packages/ipaserver/plugins/ldap2.py", line 712, in handle_errors
> >     raise errors.ACIError(info="%s %s" % (info, desc))
> >
> > If anyone can shed light on this I would be grateful. I've checked
> > /var/log/dirsrv/PKI-IPA but it has not been any more helpful.
>
> admin != Directory Manager.
>
> Try running kdestroy, then ipa-replica-prepare. You'll be prompted for
> the DM password, that should work.
>
> rob